【作者】 叶蕴芳；

【导师】 徐国爱；

【作者基本信息】 北京邮电大学 ， 信息安全， 2009， 硕士

【摘要】 留学生管理信息系统(留学生MIS系统)在帮助各级院校有效管理内部学生信息,提高院校内外信息流转的速度上发挥着重要的作用。作为一个基于B/S架构的MIS系统,在便捷方面拥有比传统C/S架构MIS系统不可比拟的优势,但也存在更多的安全隐患。同时,由于留学生信息管理业务的特殊性,用户对其安全性能的需求也与一般MIS系统不同。因此,留学生MIS系统的安全性已经成为需要重点研究的问题。在访问控制方面,本文针对留学生系统的业务特征和可能面临的安全威胁,设计并实现了一种带有群组-分支属性的基于角色的访问控制模型(GB-RBAC),提高了系统的安全性,减少了授权管理的复杂性,并且有效地解决了现有GRBAC模型的资源冗余问题,提高了分配的自由度。在数据安全方面,作者给出了双向SSL认证在留学生MIS系统的实现,验证了SSL_PART实现有利于提高系统的性能,并简要介绍了系统中使用的其他数据安全技术。作者首先介绍了MIS系统的相关安全理论,分析了主要的访问控制模型,对其发展历程进行概述,同时对MIS系统的数据安全技术进行了一定的阐述。其次,论文分析了MIS系统,特别是留学生MIS系统的安全需求。针对系统业务特征,作者从纵向、横向、多维纵横和用户体验4个切面,说明现有多种访问控制模型无法很好地适应留学生系统。在此基础上,本文提出了适用于留学生系统的GB-RBAC模型。给出该模型的具体元素和定义,分别阐述了各元素的特征和具体操作的行为用例。该模型结合具体企业中内部机构的划分,用Group(群组)划分资源集合的功能,较好的解决了传统RBAC资源分配无法因下属机构不同而灵活处理的缺陷。同时,群组之间引入偏序关系,避免了资源存储冗余的问题。提出了分支与群组的从属关系,分支机构管理员可以享有该群组下的最大资源集合的任何资源子集合。引入黑名单的机制,在分支资源集合中排除部分权限,解决了以往GRBAC自动授权的不足。GB-RBAC也是一种基于实际应用的管理角色模型。但是GB-RBAC比ARBAC更好的贴近实际系统的需求,对授权机制和授权管理给出了实际的解决方案。最后,论文详细阐述了GB-RBAC模型在留学生MIS系统中的实现细节。该系统采用基于Appfuse的体系架构,给出了GB-RBAC模型的访问控制流程,完成了相关数据库表概念设计和逻辑设计,同时给出了群组、角色、分支等模块及系统授权机制的详细算法和JAVA实现。此外,考虑其他安全细节,实现了双向SSL等安全机制。给出了SSL在系统中的具体配置和应用,并从性能的考虑出发,实现了SSL_PART连接等。更多还原

【Abstract】 The Management Information System of International Students (MISIS) plays an important role in helping all universities to manage student information and it can also raise the pace in information transferring. As a B/S architecture system, it has more unparalleled advantages than those systems in traditional C/S architecture. As a result of the specificity of management business, users demand more security features than the general MIS system. Therefore, the security of MISIS has become a necessary focus of research.In the access control context, this paper considers business characteristics and security threats may faced, designed and implemented a role-based access control model with group-branch attributes(GB-RBAC). It enhances the security of the system, and reduces the complexity of authorization management. It makes an effective solution to the redundancy existing in GRBAC model, and improves the distribution of freedom.In security context, the author gives a realization of two-way SSL authentication, and verified SSL_PART realization can improve the performance of the system, and briefly introduce other data security technologies in the system.The security theory of the MIS system is introduced at the first. It analyzes the main access control model and makes a summarization of its phylogeny, then it takes a brief analyze of data security in MIS system. Secondly, the thesis analyzed security needs of MIS system, especially of MISIS.The authors use four sections-vertical, horizontal, multi-dimensional aspect and user experience- to introduce that access control models existed can not be well adapted to the system.On this basis, the authors designed anapplicable model, GB-RBAC model, and gave the specific elements definitions of the model, then show each element on the characteristics and behavior of the specific use case.And, the thesis gives a GB-RBAC model realization in MISIS, including detailed database design, key modules of the algorithm, technical details, etc.In this model, group attribute is applied to carve up different resource sets, and can make up the limitation of the tradition RBAC model. Meanwhile, there are hierarchies between groups; groups can have overlapping responsibilities and privileges. It would be efficient and administratively agile to specify repeatedly these general operations for each group that gets created. A subordinate relationship is processed between branches and groups; the administrator of the branch can enjoy all resources belong to its subordinated group. GB-RBAC model brings out a blacklist mechanism which can exclude some resources that cannot to assign to some exactly branch administrators. Compared to the ARBAC model, the GB-RBAC is more practical, and brings fitter authorization mechanism and authorization management.At last, the paper elaborated realization details in MISIS on GB-RBAC model. The system is based on appfuse system architecture; the author gives a GB-RBAC model for access control flow, completed the conceptual design of relational database tables and logic design, at the same time give detailed algorithm and realize JAVA code in the group, role, branch modules and systems licensing mechanism. In addition, this thesis considers other security details, such as the realization of a two-way SSL security mechanism. It gives the SSL application and specific configuration in the system, and realizes the connection of SSL_PART to consider performance.更多还原