Research on a Task- and Role-Based Access Control Model for Workflow Systems
Abstract
With the widespread use of computer networks and the rapid development of the Internet, the distributed, heterogeneous and autonomous nature of modern information systems is attracting growing attention from research institutions and industry. Information resources are not only distributed across heterogeneous computing environments, but the connections between information sources are also loosely coupled, so the security problems of workflow management systems in such large-scale distributed environments are becoming increasingly prominent. Among current information security technologies, this thesis selects access control as the core technology for network security prevention and protection, and proposes a workflow access control system model based on extended tasks and roles.
     First, starting from the security requirements of workflow management systems, the thesis introduces the concepts of workflow and access control, studies how access control technology is applied in workflow systems, and analyzes the problems that exist there.
     Then, to address these problems, it presents an implementation framework for extended task- and role-based access control, describes in detail how each functional module in the framework is implemented, and gives the main sequences of access control in the workflow system.
     Finally, starting from the application of ETRBAC in the system, the thesis designs and implements the system with an object-oriented approach, which keeps the layers of the system relatively independent and reduces coupling. In addition, to improve code reuse and make the system more flexible, development uses a lightweight J2EE architecture that integrates Struts, Hibernate and Spring, which makes the layering of the system clearer and further improves the robustness of the program.
