Design and Implementation of a Single Sign-On System Based on an Ontology Model
Abstract
Single sign-on (SSO) is a technology that makes it convenient for users to access resources over a network. In a complex network environment with distributed applications, a user logs in once and obtains authorization to access resources on multiple systems and application services, moving between those systems without re-entering a username and password to be authenticated and authorized again and again. Many commercial software vendors and research institutions have proposed solutions; at the same time, the incompleteness of the various standards and their poor interoperability pose a new set of problems for the industry.
     To meet the need for centralized authentication and authorization that arises when building business systems inside an enterprise, this thesis makes the following contributions to the design and implementation of an SSO system based on an ontology model:
     1. A domain ontology model is introduced to abstract the access control module that application systems can share, and the result is described as a knowledge base of access control policies.
     2. Taking a commercial bank as the prototype, the shared domain knowledge related to access control and the rules for logical reasoning are defined, and the corresponding domain ontology model is built as the foundation of the access control policy.
     3. XACML is used as the transport format for policies, and the ontology knowledge base serves as the policy repository, that is, the document against which policies are looked up; a permission control mechanism is designed on this basis.
     4. Starting from the two aspects of authentication and authorization, and taking the security of message transport into account, the unified authentication and authorization flows are designed in detail.
     5. An SSO system based on the SAML specification family and incorporating the ontology model is designed. The architectural shortcomings of SAML are taken into account; the extensibility of the specification is exploited, open toolkits are used, and the base class library is wrapped and extended.
     Because the SAML specification only defines a set of normalized entities and flows and gives no concrete implementation scheme, the design and implementation concentrate on the engineering construction of the domain ontology library and on the practical applicability of the technology, exploiting its strength in knowledge representation and applying it within the SSO architecture. A layered implementation architecture is designed according to the requirements of actual business scenarios, and the design prototype achieved good results in a real project.
     Finally, the thesis summarizes the research on and application of ontology-based SSO and outlines further work.
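The abstract describes two cooperating pieces (items 1 to 5): an ontology that derives a subject's effective roles and permissions by inference, and a SAML-style assertion exchange whose result feeds an XACML-style policy decision point. The following Python program is an added example that is not the thesis's own code and does not use its ontology or class library; it assumes an HMAC over a canonical payload in place of the XML-Signature that the real SAML token profile uses, a constructed toy banking ontology (the class names `Teller`, `BranchManager`, `Auditor`, `BankStaff` are invented), and a separation-of-duties deny rule chosen only to show deny-overrides combining.

```python
import hashlib
import hmac
import json

# ---------- 1. Assertion exchange between IdP and SP (SAML-style, simplified) ----------
# Assumption: an HMAC over the canonical payload stands in for the XML-Signature of the
# real SAML token profile; issuer name and key are constructed demo values.
IDP_ISSUER = "idp.bank.example"
IDP_KEY = b"constructed-demo-key-do-not-reuse"


def issue_assertion(key, subject, roles, audience, now, ttl=300):
    """IdP side: sign a statement of who the subject is and which roles they hold."""
    body = {"iss": IDP_ISSUER, "sub": subject, "roles": sorted(roles), "aud": audience,
            "id": f"assert-{subject}-{now}", "nbf": now, "exp": now + ttl}
    payload = json.dumps(body, sort_keys=True).encode()  # canonical form before signing
    return {"payload": payload, "sig": hmac.new(key, payload, hashlib.sha256).hexdigest()}


def verify_assertion(key, assertion, audience, now, seen_ids):
    """SP side: signature, issuer, audience, validity window and replay are all checked
    before any attribute in the assertion is trusted."""
    payload = assertion["payload"]
    expected = hmac.new(key, payload, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(assertion["sig"], expected):
        raise ValueError("signature check failed")
    body = json.loads(payload)
    if body["iss"] != IDP_ISSUER:
        raise ValueError("unknown issuer")
    if body["aud"] != audience:          # an assertion issued for another SP is not valid here
        raise ValueError("audience mismatch")
    if not body["nbf"] <= now < body["exp"]:
        raise ValueError("assertion outside its validity window")
    if body["id"] in seen_ids:            # replay of a captured assertion
        raise ValueError("assertion already consumed")
    seen_ids.add(body["id"])
    return body


# ---------- 2. Domain ontology: role hierarchy plus inference rules ----------
# Assumption: a toy banking ontology; the class names are constructed for this example.
SUBCLASS_OF = {"Teller": "BankStaff", "BranchManager": "BankStaff", "Auditor": "BankStaff"}


def role_closure(roles):
    """Infer every class a subject belongs to (transitive closure over the subclass relation)."""
    closure = set()
    for role in roles:
        while role is not None:
            closure.add(role)
            role = SUBCLASS_OF.get(role)
    return closure


# SWRL-style Horn rules: hasRole(?s, role) -> permitted(?s, action, resource)
PERMISSION_RULES = [
    ("BankStaff", "read", "Account"),
    ("Teller", "deposit", "Account"),
    ("BranchManager", "approve", "LargeTransaction"),
    ("Auditor", "read", "LargeTransaction"),
]


def derived_permissions(roles):
    """Permissions that follow from the inferred role closure; this is the 'policy repository'."""
    closure = role_closure(roles)
    return {(action, resource) for role, action, resource in PERMISSION_RULES if role in closure}


# ---------- 3. XACML-like policy decision point with deny-overrides combining ----------
def pdp_evaluate(request):
    """request = subject attributes taken from the verified assertion + action/resource context."""
    decisions = []
    # Rule A (Permit): the ontology derives the (action, resource) pair for the subject's roles.
    if (request["action"], request["resource"]) in derived_permissions(request["roles"]):
        decisions.append("Permit")
    # Rule B (Deny): separation of duties; nobody approves a large transaction they initiated.
    if (request["action"], request["resource"]) == ("approve", "LargeTransaction") \
            and request.get("initiator") == request["subject"]:
        decisions.append("Deny")
    if "Deny" in decisions:
        return "Deny"
    if "Permit" in decisions:
        return "Permit"
    return "NotApplicable"  # no rule matched; the enforcement point must treat this as a refusal


def sso_authorize(assertion, audience, action, resource, now, seen_ids, context=None):
    """Full path: verify the assertion at the SP, then ask the PDP for a decision."""
    body = verify_assertion(IDP_KEY, assertion, audience, now, seen_ids)
    request = {"subject": body["sub"], "roles": body["roles"],
               "action": action, "resource": resource}
    request.update(context or {})
    return pdp_evaluate(request)


if __name__ == "__main__":
    seen = set()
    a = issue_assertion(IDP_KEY, "alice", ["BranchManager"], "loans.bank.example", now=1000)
    print(sso_authorize(a, "loans.bank.example", "read", "Account", 1010, seen))  # Permit
```

Two points carry over from this toy to a real deployment. First, `NotApplicable` (and XACML's `Indeterminate`) is not a permit: the enforcement point must refuse unless the decision is exactly `Permit`. Second, the replay set keyed on the assertion ID is what makes a captured assertion useless after its first use; with real SAML the same role is played by the assertion ID together with the validity window and, for the Web SSO profile, the `InResponseTo` binding to the original request.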
