
Research on Web Services Security Based on WSE3.0 and Its Implementation in a Digital Campus Platform

Research on Web Services Security Based on WSE3.0 and Implementation of Digital Campus Security Platform

【Author】 Cao Xiaoling (曹晓玲)

【Supervisor】 Zhang Chaoying (张超英)

【Author information】 Guangxi Normal University, Computer Software and Theory, 2009, Master's degree

【Abstract (translated)】 Web services technology, by virtue of its loose coupling, platform independence and language independence, is widely used in digital campus construction, where it solves well the problem of data integration between heterogeneous campus systems. Although Web-services-based campus data integration systems run inside a relatively secure local area network, from a development perspective a school's informatization will by no means remain confined to the campus network, so the potential security problems of Web services cannot be ignored. Moreover, Web services are also widely used in e-commerce, e-government and other fields; as Web services spread into the Internet environment and the application boundary keeps growing, their security problems will become increasingly prominent and will constrain their own development. Providing trustworthy Web services has therefore become the key to the wider adoption of Web services applications.

Traditional Web services security solutions rely on SSL/TLS for transport-layer protection. SSL/TLS is a security scheme based on the HTTP protocol and the technology is relatively mature, but it has many limitations of its own: its performance is low, and it cannot provide end-to-end, message-level security. The current mainstream approach exploits the extensibility of SOAP, adding authentication and authorization elements to the SOAP Header and integrating mature security technologies (such as XML Signature, XML Encryption, PKI and X.509) to sign and encrypt SOAP messages, thereby meeting security requirements such as authentication, integrity and confidentiality. However, the SOAP-extension approach lacks a unified standard, which hinders interoperability between systems. The major computing organizations have therefore devoted themselves to formulating relevant standards and specifications; WS-Security and the WS-* specifications built on it are among the important results, and corresponding supporting products have been released, among which Microsoft's WSE3.0 is one of the products with particularly strong advantages for Web services security development. Many scholars and researchers have proposed security solutions based on the WSE3.0 policy framework and have tried to apply them in practical environments. However, these existing solutions are still at an elementary stage: they do not break out of the constraints of the WSE3.0 framework, they lack flexibility in protecting different Web services, and they are not suited to more complex Web services application environments.

Accordingly, after analysing the shortcomings of existing WSE3.0-based Web services security solutions, this thesis designs a selective signing and encryption scheme, combines it with the WSE3.0 framework, and proposes a new extension model based on WSE3.0 policy. Unlike previous security solutions that depend on individual Web service methods, the model establishes a generic SOAP message protection model, reducing development and maintenance effort. Its design highlights are service-level RBAC authorization and access control together with element-level selective signing and encryption of SOAP messages, achieving two-way security for client and server in the digital campus environment. The main work of this thesis is as follows:

1. Making full use of the extensibility of WSE3.0 and the mutual independence of its policies and policy implementation mechanism, and describing signing and encryption requirements in an external file independent of the Web service methods, partial signing and encryption of the SOAP message body and SOAP security protection in a multi-party cooperation environment are realised.
2. Role-based access control is applied to authorized access to Web services; combined with the existing client systems, a role-based access control model is built as a Web service, realising method-level access control for Web services and refining the granularity of access control.
3. A campus CA based on Windows 2003 Server is built, which issues certificates for SOAP message signing and encryption on user application, guaranteeing secure certificate delivery with the relatively mature SSL technology and reducing the effort of certificate generation and distribution.
4. The signing and encryption principles of WSE3.0 and the representation of its signing and encryption results are studied in depth; by locating the signed objects and encrypted values via URI, data redundancy is reduced and the message transfer rate is improved.

The Web services security solution based on WSE3.0 policy extension presented in this thesis has been applied in the construction of the credit-based tuition fee management information system of Guangxi Normal University, where it solves well the problems of Web service authentication, access control and message signing and encryption. Practice has shown that the scheme offers high security execution efficiency, good security, maintainability and extensibility, and has certain value as an application reference.

【Abstract】 Web services technology is widely used in digital campus construction because it is loosely coupled, platform-independent and language-independent, and it offers a good solution to the problem of data integration between heterogeneous campus systems. A Web-services-based campus data integration system running on the LAN has fewer security problems, but from a development perspective the informatization of a school will not remain confined to the campus network, so the potential security problems of Web services cannot be ignored. Web services are also widely used in e-commerce and e-government; moreover, they will extend into the Internet environment, which enlarges the application boundary. Security issues will become increasingly prominent and will restrict the development of Web services. Providing credible Web services has therefore become the key to promoting Web services applications.

Traditional Web services security solutions depend on the transport-layer protection of SSL/TLS. SSL/TLS is a mature security scheme based on the HTTP protocol, but it has limitations: low performance and no end-to-end, message-level security. The current mainstream solution uses the extensibility of SOAP, adding authentication and authorization elements to the SOAP Header and integrating sophisticated security technologies (such as XML Signature, XML Encryption, PKI and X.509) to sign and encrypt the SOAP message, meeting the needs of authentication, integrity and confidentiality. However, this method lacks unified standards and hinders compatibility between systems. The major computer organizations have therefore committed themselves to studying and formulating the relevant standards and specifications. WS-Security and the other specifications based on WS-* are among the important achievements, and the organizations also supply corresponding supporting products. Microsoft's WSE3.0 is one of the strongly competitive products and has advantages for Web services security development. Many scholars and researchers have proposed security solutions based on the WSE3.0 policy framework and have tried to apply them in real environments. However, research on these solutions is still at a low-level stage: it has made no breakthrough beyond the WSE3.0 framework and lacks the flexibility to protect different Web services, so the solutions are not suitable for more complex Web services applications.

In this paper the shortcomings of the existing WSE3.0-based security solutions are analysed, a scheme of selective signature and encryption is designed, and, combined with the WSE3.0 framework, a new model based on the extension of WSE3.0 policy is provided. Unlike solutions that rely on individual Web service methods, it sets up a common security model for SOAP messages, reducing the development workload. The highlights of the model are service-level Web service access control based on RBAC and element-level protection of the SOAP message with optional signature and encryption. The design achieves the goal of providing both service-side and client-side security in the digital campus environment. The main tasks of this paper are as follows:

1. Taking full advantage of the extensibility of WSE3.0 and the independence of the policy mechanism from the policy implementation, and using an external file independent of the Web service methods to describe the encryption and signature requirements, partial encryption and signature of the SOAP body and SOAP security protection in a multi-point cooperation environment are implemented.
2. Role-based access control is applied to authorized access to Web services, combined with the existing security protection of the client. We set up a role-based access control model based on Web services, achieving method-level access control with finer granularity.
3. A Windows 2003 Server-based campus CA is built to provide certificates for SOAP message signing and encryption, with users applying and the CA issuing. Using SSL to ensure secure certificate transmission, the CA reduces the workload of certificate generation and distribution.
4. The principles of signature and encryption in WSE3.0 are studied in depth, and the forms of the signature and encryption results are analysed. By locating the signature object and encrypted values with a URI attribute, the method reduces data redundancy and improves the message transfer rate.

The Web services security solution has been applied to the student fee information system of Guangxi Normal University, which is based on the credit system, solving the Web service security issues of identity authentication, access control and message signature and encryption. Practice has proved that the scheme has higher efficiency in enforcing security, good security, maintainability and scalability, and a certain reference value for applications.

【Keywords】 Web services security; WS-Security; WSE3.0 policy; RBAC
【Key words】 Web Service Security; WS-Security; WSE3.0 Policy; RBAC