Research on the Application of a JAAS-Based Portal Authentication and Authorization System
Abstract

With the rapid development of web portal technology, users access more and more application systems through a portal, and each application system usually has its own user authentication and authorization method. To manage user authentication and authorization uniformly, the various authentication methods of the different systems need to be brought together in one framework: an independent, highly secure and reliable identity authentication and privilege management system that handles authentication and privilege management for every portal user. Building a unified identity authentication and user management system, which provides unified authentication, unified management and unified authorization for the users of each application system, has therefore become an important part of portal information security construction. JAAS is the Java implementation capable of realizing such a framework. The Java 2 security framework provides access control based on the code source; JAAS extends this with access control based on who is running the code. This thesis analyzes JAAS in depth, proposes a JAAS-based identity authentication and authorization framework, and shows that the proposed framework gives a good solution to the unified management of identity authentication and access control.

The author's main work in the thesis is as follows. First, the technologies related to identity authentication are briefly introduced, including the various authentication mechanisms and access control policies. Second, the architecture of JAAS is analyzed, with an in-depth examination of the JAAS Subject, the JAAS authentication mechanism and the JAAS authorization mechanism, together with a detailed introduction to LDAP, which is used to store user information. Then a JAAS-based identity authentication and authorization architecture is proposed and the implementation of its key parts is given along these lines. Finally, the author presents the design and a simple implementation of a concrete application of JAAS authentication and authorization on the Web.