Research and Application of Role-based Access Control Based on the Platform of J2EE

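【Author】 Zhang Hui (张惠)

【Advisor】 Xiong Qianxing (熊前兴)

【Author information】 Wuhan University of Technology, Computer Application Technology, 2008, Master's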

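【Summary】 In response to the rapid development of network technology and the Internet, Sun proposed the J2EE specification, which has become the industry standard for enterprise development. As the Java language has entered the enterprise application field, system security has attracted more and more attention. Access control, an important component of a system's security architecture, is one of the keys to solving security problems. Among access control approaches, Role-Based Access Control (RBAC) provides a dynamic and flexible policy for managing large numbers of resource access permissions and is therefore widely used in enterprise development. J2EE, a currently popular enterprise development platform, has an access control mechanism that is also mainly role-based, but because of defects in the mechanism itself it does not fully realize the advantages of RBAC. To address this, the thesis first analyzes the RBAC model and the J2EE access control mechanism in depth: the RBAC model uses the role entity to logically separate users from access permissions, which greatly reduces the complexity of authorization management and makes dynamic, complex access control policies easy to implement; the access control mechanism in the J2EE standard is a role-based security mechanism that protects application access through authentication and authorization, and JAAS (Java Authentication and Authorization Service), an extensible authentication and authorization framework, is an important access control technology in the current version of J2EE. The thesis then analyzes and compares the differences between the J2EE access control mechanism and the access control policy of the standard RBAC model and, taking the characteristics of enterprise applications into account, points out the problems in the J2EE access control mechanism: no support for inheritance and constraint relations between roles, no support for dynamic management of roles and permissions, and so on. On this basis, the thesis proposes a prototype role-based access control system that conforms to the J2EE security standard and implements it in a J2EE environment using JAAS and other technologies. The implementation is independent of any specific application; built on top of the J2EE access control mechanism, it implements the standard RBAC model and thereby makes up for some of the mechanism's shortcomings. The system makes complex security policies easy to implement and has good extensibility, portability and generality. The thesis also verifies, through a successful application of the system, its effectiveness and practicality for access control in enterprise applications. The work provides a useful reference for applied research on access control technology under the J2EE architecture.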

【Abstract】 To keep pace with the rapid development of network technology and the Internet, Sun put forward the J2EE specification, which has become an industrial standard for enterprise development. As the Java programming language has become an important part of enterprise application development, system security has received more and more attention. Access control, an indispensable part of the security architecture, is one of the keys to solving security problems, and Role-based Access Control (RBAC) has become the most popular access control model for its agility and ease of authorization management. Nowadays, J2EE is widely used as a platform for enterprise development. Its access control mechanism is mainly based on RBAC, but due to defects in the mechanism itself, the access control of the J2EE platform cannot fully show the advantages of RBAC. To solve this problem, this thesis first carries out in-depth research on the RBAC model and the access control mechanism of J2EE. In the RBAC model, users and access permissions are logically separated by roles. In this way, the complexity of authorization management is greatly decreased, and dynamic and complex access control strategies can be easily realized. As a role-based security mechanism, the access control mechanism of J2EE protects the security of applications with authentication and authorization. JAAS, a scalable framework for authentication and authorization, is a very important technology for implementing the access control of J2EE. The thesis then further analyzes the differences between the access control mechanism of J2EE and the RBAC model, and points out the disadvantages of J2EE's access control mechanism in light of the particular requirements of enterprise applications: unlike RBAC, it supports neither hierarchical and constraint relations between roles nor dynamic management of roles and permissions. On the basis of this research, the thesis proposes an RBAC access control system prototype that conforms to the J2EE security standard, and implements the system under J2EE with technologies such as JAAS. The implementation of the system is independent of any specific application. Built on J2EE access control, the system makes up for some of the shortcomings of the J2EE access control mechanism by implementing the standard RBAC model. The system makes it easy to realize complex security strategies and has good scalability, portability and versatility. At the end of the thesis, the successful application of the prototype system validates its effectiveness and practicability in access control for enterprise applications. This thesis provides a useful reference for applied research on access control technology under the J2EE framework.

【Key words】 J2EE; Access Control; RBAC Model; JAAS
  • 【Classification code】 TP393.08
  • 【Times cited】 12
  • 【Downloads】 333