Research and Implementation of a Role-Based Access Control Model in a B/S-Architecture OA System
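Abstract
With the rapid development of information technology and the accelerating pace of informatization in our country, both governments and enterprises need office automation to improve working efficiency and speed up the transmission of information. Office automation (OA, Office Automation) is a new way of working that combines modern office work with the functions of computer networks. Through computer networks and OA systems, staff inside an enterprise can work cooperatively across the limits of time and space, which makes the transfer of information faster and more convenient.
     Because the Internet has many advantages such as standardization, openness and distribution, developers of office systems have moved from the traditional C/S architecture to the high-performance B/S structure, a three-tier Browser/Web Server/DB Server system. In the B/S model, the client only needs an operating system and a browser, while complex work such as the development and maintenance of all application software can be concentrated on the server, which greatly improves the efficiency of system development and maintenance.
     As enterprise office information systems come into wide use, system security receives more and more attention, and access control technology is the key to solving security problems. At present most enterprises in our country use traditional access control technologies, Discretionary Access Control (DAC) and Mandatory Access Control (MAC), both of which have certain drawbacks and limitations. This thesis carries out a theoretical study and a practical exploration of Role-Based Access Control (RBAC) in enterprise information systems.
     The thesis studies the conceptual model of RBAC in theory and, by comparison with traditional access control, demonstrates the advantages and role of RBAC in enterprise office information systems. Starting from enterprise security requirements, it discusses the general RBAC model, the extended model and the deployment scheme for RBAC on the Web. Based on the RBAC/Web model and an analysis of the security requirements and organizational characteristics of enterprise office information systems, the author lays out an RBAC implementation scheme for such systems, designs the role division, permission assignment and RBAC administration, and discusses the characteristics and advantages of the scheme. Finally, taking the "Office Information System for Road Managing Ministry in Huangshi City" as an example, the author describes in detail how the role-based access control scheme is implemented in that system and demonstrates the feasibility of the design in enterprise office information systems.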
With the rapid development of information technology and the accelerating pace of our country's informatization, both governments and business enterprises need to implement office automation to improve work efficiency and speed up information transmission. OA (Office Automation) is a new way of working that combines modern office work with network functions. Employees can overcome the limits of time and space and work cooperatively.
Because of the standardized, open and distributed characteristics of the Internet, the development pattern of office information systems has changed from the C/S (Client/Server) structure to the 3-tier B/S structure (Browser/Web Server/DB Server). In B/S mode, clients need only an operating system and a browser, and the server can handle all the development and maintenance of the applications.
With the wide use and development of Enterprise Office Information Systems, people are gradually attaching more importance to system security. Access control technology is the key factor in solving security problems. At present most Enterprise Information Systems adopt traditional methods, including Discretionary Access Control (DAC) and Mandatory Access Control (MAC), which have some deficiencies. This paper studies Role-Based Access Control (RBAC) in Enterprise Information Systems both theoretically and practically.
The author analyzes the RBAC concept model, compares it with traditional access control schemes, and demonstrates the advantages and uses of implementing RBAC in Enterprise Information Systems. The paper then discusses the common RBAC model, the extended RBAC model and RBAC on the Web. Based on the RBAC/Web model, it designs an RBAC implementation scheme that includes dividing roles, assigning permissions and RBAC administration, and summarizes the characteristics and advantages of RBAC in Enterprise Information Systems.
Finally, taking the "Office Information System for Road Managing Ministry in Huangshi City" as an example, the paper describes in detail the process of analyzing, designing and implementing the RBAC scheme in an Enterprise Information System. It also demonstrates that the scheme is feasible in Enterprise Information Systems.
