基于JAAS的统一身份认证系统研究与实现
摘要
随着网络门户技术的飞速发展,门户中的应用系统越来越多,而每个应用系统往往都有自己的一套用户认证方法,用户管理往往非常困难。为了对用户进行统一的管理,有必要将不同系统的各种认证方法集中到一个框架中,来完成对整个系统用户的身份认证管理,因此,建立统一的身份认证管理系统,对各个应用系统的用户实现统一管理,成为门户信息安全系统建设中的重要环节。
为了解决传统集成系统效率不高,用户信息不能实现跨平台共享,使用复杂等缺点,本文结合JAAS, LDAP和单点登录(SSO)等技术特点,提出了一个基于JAAS的身份认证和授权框架,在此框架上实现的基于JAAS的统一身份认证系统可以较好的解决对身份认证和访问控制的统一管理问题,克服传统的开发模式下身份认证的诸多弊端。首先,系统实现了用户信息的统一管理,保证了数据的完整性,同时避免了各个应用系统的重复开发;其次,系统实现了基于多个应用系统的单点登录,这将极大的方便用户使用,提高系统的易用性。另外,系统采用分布式的LDAP目录信息树结构存储用户和应用信息,对用户认证信息进行有效组织和管理,提供高效安全的目录访问。
总之,基于JAAS的统一身份认证系统是一种较为通用的统一用户身份认证模型,创新之处在于:
1.采用JAVA语言,将统一身份认证模块封装为Web服务,向客户端提供统一的接口,具有通用、跨平台、易扩展以及安全认证可插拔式等优点,有效的实现了应用系统的集成。
2.基于JAAS框架,采用改进的单点登录模型,把原来分散的用户集中管理,通过一次身份验证,自动完成用户对所有授权应用的登录,提高用户登录效率。
3.运用LDAP目录服务器存储用户的信息,对用户认证信息进行有效组织和管理,可以提供高效安全的目录访问,为系统的实现提供了便利的条件。
本文设计的统一身份认证系统已经在河北科技基础条件网络平台上得到了很好的实践和应用,目前运行良好。
Along with the portal rapid development, the application system which the user needs to use more and more, but each application system often has an own set of users authentication and the authorized method, in order to carries on the unification to the user the authentication to manage, therefore has the necessity to concentrate the different system each authentication method to a frame in, also is needs to have to be independent, the high security and the reliable status authentication and the jurisdiction management system, completes to the entire portal user's status authentication and jurisdiction management. Therefore establishes a unified status authentication management system, to each application system user realization unified authentication, the unification management and the unification authorization also becomes in the portal information security system construction the important link.
To solve the problems discussed above, this paper puts forward a universal uniform identity authentication system based on JAAS model with JAAS, LDAP and SSO technologies, and implements the JAAS-SSO component by the model. Uses the frame which this article proposed to be possible the good solution to the status authentication and the access control unification management question. First of all, the system has realize the unified management of user's information, has guaranteed the integrality of the data, avoided the repeated development of each application system at the same time. Secondly, the system has realized the Single Sign On based on the number of applications, which will facilitate the user to use this system, improved the efficiency of using. Moreover, the system uses distributed LDAP directory tree structure to memory authentication information of users and applications for effective organization and management, which provide highly efficient and safe in accessing information.
In short the uniform identity authentication system based on JAAS is a more common user authentication model. Several innovations are the following: First, Using JAVA programming language, the uniform identity authentication module packaged in Web services for the client to provide a unified interface. the platform have many merit such as common, cross-platform, extensible, Pluggable and Security Authentication etc.
Second, Based on JAAS framework, the system adopt SSO model that improved, make the original dispersed users come together to execute unify management, accomplishes automatically logging on, improve using efficiency.
Third, this strategy make use of the catalogues information tree structure of the LDAP distribute type, carry on the valid organization and managements to an information of the customer body and system control information, can provide the efficiently safe catalogue interview.
The design of the system has been practiced and applied on the subject of Hebei science and technology foundation condition network platform, and Running well.
为了解决传统集成系统效率不高,用户信息不能实现跨平台共享,使用复杂等缺点,本文结合JAAS, LDAP和单点登录(SSO)等技术特点,提出了一个基于JAAS的身份认证和授权框架,在此框架上实现的基于JAAS的统一身份认证系统可以较好的解决对身份认证和访问控制的统一管理问题,克服传统的开发模式下身份认证的诸多弊端。首先,系统实现了用户信息的统一管理,保证了数据的完整性,同时避免了各个应用系统的重复开发;其次,系统实现了基于多个应用系统的单点登录,这将极大的方便用户使用,提高系统的易用性。另外,系统采用分布式的LDAP目录信息树结构存储用户和应用信息,对用户认证信息进行有效组织和管理,提供高效安全的目录访问。
总之,基于JAAS的统一身份认证系统是一种较为通用的统一用户身份认证模型,创新之处在于:
1.采用JAVA语言,将统一身份认证模块封装为Web服务,向客户端提供统一的接口,具有通用、跨平台、易扩展以及安全认证可插拔式等优点,有效的实现了应用系统的集成。
2.基于JAAS框架,采用改进的单点登录模型,把原来分散的用户集中管理,通过一次身份验证,自动完成用户对所有授权应用的登录,提高用户登录效率。
3.运用LDAP目录服务器存储用户的信息,对用户认证信息进行有效组织和管理,可以提供高效安全的目录访问,为系统的实现提供了便利的条件。
本文设计的统一身份认证系统已经在河北科技基础条件网络平台上得到了很好的实践和应用,目前运行良好。
Along with the portal rapid development, the application system which the user needs to use more and more, but each application system often has an own set of users authentication and the authorized method, in order to carries on the unification to the user the authentication to manage, therefore has the necessity to concentrate the different system each authentication method to a frame in, also is needs to have to be independent, the high security and the reliable status authentication and the jurisdiction management system, completes to the entire portal user's status authentication and jurisdiction management. Therefore establishes a unified status authentication management system, to each application system user realization unified authentication, the unification management and the unification authorization also becomes in the portal information security system construction the important link.
To solve the problems discussed above, this paper puts forward a universal uniform identity authentication system based on JAAS model with JAAS, LDAP and SSO technologies, and implements the JAAS-SSO component by the model. Uses the frame which this article proposed to be possible the good solution to the status authentication and the access control unification management question. First of all, the system has realize the unified management of user's information, has guaranteed the integrality of the data, avoided the repeated development of each application system at the same time. Secondly, the system has realized the Single Sign On based on the number of applications, which will facilitate the user to use this system, improved the efficiency of using. Moreover, the system uses distributed LDAP directory tree structure to memory authentication information of users and applications for effective organization and management, which provide highly efficient and safe in accessing information.
In short the uniform identity authentication system based on JAAS is a more common user authentication model. Several innovations are the following: First, Using JAVA programming language, the uniform identity authentication module packaged in Web services for the client to provide a unified interface. the platform have many merit such as common, cross-platform, extensible, Pluggable and Security Authentication etc.
Second, Based on JAAS framework, the system adopt SSO model that improved, make the original dispersed users come together to execute unify management, accomplishes automatically logging on, improve using efficiency.
Third, this strategy make use of the catalogues information tree structure of the LDAP distribute type, carry on the valid organization and managements to an information of the customer body and system control information, can provide the efficiently safe catalogue interview.
The design of the system has been practiced and applied on the subject of Hebei science and technology foundation condition network platform, and Running well.
引文
[1] 金胜昔,步俊杰,吉逸. Java2 的安全性新特性及其应用[a]全国第二届 Java技术应用学术会议论文集[C].[S.1.]:[S.n.],1999.
[2] William Stallings. 密码编码学与网络安全:远离与实践.杨明,胥光辉等译(第二版).电子工业出版社,2001,(4):43~57.
[3] 张明. 基于 LDAP 的单点登录技术的研究与实现[D]. 武汉理工大学, 2007.
[4] L. Harn,S. B. Yang.ID-based cryptographic schemes for user identify -cation digital signature, and key distribution.IEEE J Select Areas Common,2003,11,(5):755~764 .
[5] 姜晓静. 基于 XML 统一身份认证技术研究[D],武汉理工大学,2006,04.
[6] 张峰岭. 基于 Java2 的身份认证数字签名和 SSL 实现技术. 现代计算机. 2002, 02 (4):20-22.
[7] 贾克斌,沈波,刘俊千等. 校园网信息系统中内部安全机制的研究. 北京工业大学学报.2000,26(4):29-32.
[8] 张颖江,郑秋华,李腊元. 单次登录技术分析及集中身份认证平台设计[[J].武汉理工大学学报(交通科学与工程版),2004,28(2):240-243.
[9] 林满山,郭荷清. 单点登录技术的现状及发展[[J].计算机应用,2004, 24(6):248-250.
[10] 李晓阳,史伟奇,倪惜珍.基于 SPKM 的单点登录的研究.计算机工程与应用2005.(3):128-201.
[11] 王勇泉. 面向高校门户平台的Single Sign-on应用技术研究. 东北大学学报。2004, 01.
[12] 邓永江,程转流. 一个改进的 Kerberos 认证协议设计与分析. 福建电脑,2006,06.
[13] Wayne Schroeder. "KerberosLDCE, the Secure Shell, and Practical Internet Security". San Diego Supercomputer Center, San Diego, California, U. S.A.http://users.sdsc.edu/~chroede/ssh cug.html.
[14] 贾宗星.单点登录系统的研究与分析[D]. 西安建筑科技大学硕士学位论文,2007.06.
[15] 薛亮.InternetJIntranet 下单点登录的研究与实践.西北大学硕士学位论文,2006.05.
[16] 王敏,吉逸. Java2 环境下身份认证和授权机制的研究.微机发展,2003, 13 (5):40~42.
[17] 舒文曲,蒋念平,张宁. Java 的安全特性分析及安全代码开发[J]计算机工程 , 2002,(09).
[18] 周怀芬.基于 JAAS 的安全认证授权方案的研究与实现[J].天津理工大学学报,2006,22(4):27~29.
[19] 冉春玉,毕建信.墓于 JAAS 技术的 J2EE 安全性应用与研究[J].计算机与数字工程.2006,34(8):70~73.
[20] 刘冬冬. 基于 JAAS 的门户认证与授权系统的应用研究[D].大连海事大学 , 2006
[21] 万军,金静梅. JAAS 的分析和应用[J].计算机时代,2004,(9):60~62.
[22] 何建民,崔耿,李艳,方琴芬; 基于 JAAS 的身份安全认证系统设计与应用. 合肥工业大学学报(自然科学版), 2006 年 11 期.
[23] W. Yeong, T. Howes,S. Kille. Lightweight Directory Access Protocol. RFC1777, 2003,(3):43~46.
[24] M.Wahl,T.Howes,S.Kille.Lightweight Directory Access Protocol (V3).RFC 2251,2001,(12):62~65.
[25] The Lightweight Directory Access Protocol: An Overview. Internet Exchange News,2004,(10):13~18.
[26] T. Howes,M. Smith. The LDAP Application Program Interface. RFC1823 2002,(8):82~86.
[27] 宫力. Java2 平台安全技术一结构、API 设计和实现. 机械工业出版 1999.
[28]http://gceclub.sun.com.cn/NASApp/sme/controller/techsubcatquery?catid=0301 基于 JNDI 的应用程序开发.
[29] 龚力柱.基于 GSS-API 的单点登录系统的研究与实现.西北工业大学硕士学位论文,2006.3.
[30] 谈猛刚. 基于企业门户的应用集成研究.中国科学院软件研究所. 2004,6.
[31] Pankaj Kumar. J2EE Security for Servlets, EJBs, and Web Services[M]. Prentice Hall PTR. 2003.
[32] Cliff Berg .Designing Secure J2EE Applications and Web Services[M]. Prentice Hall PTR. 2003.
[2] William Stallings. 密码编码学与网络安全:远离与实践.杨明,胥光辉等译(第二版).电子工业出版社,2001,(4):43~57.
[3] 张明. 基于 LDAP 的单点登录技术的研究与实现[D]. 武汉理工大学, 2007.
[4] L. Harn,S. B. Yang.ID-based cryptographic schemes for user identify -cation digital signature, and key distribution.IEEE J Select Areas Common,2003,11,(5):755~764 .
[5] 姜晓静. 基于 XML 统一身份认证技术研究[D],武汉理工大学,2006,04.
[6] 张峰岭. 基于 Java2 的身份认证数字签名和 SSL 实现技术. 现代计算机. 2002, 02 (4):20-22.
[7] 贾克斌,沈波,刘俊千等. 校园网信息系统中内部安全机制的研究. 北京工业大学学报.2000,26(4):29-32.
[8] 张颖江,郑秋华,李腊元. 单次登录技术分析及集中身份认证平台设计[[J].武汉理工大学学报(交通科学与工程版),2004,28(2):240-243.
[9] 林满山,郭荷清. 单点登录技术的现状及发展[[J].计算机应用,2004, 24(6):248-250.
[10] 李晓阳,史伟奇,倪惜珍.基于 SPKM 的单点登录的研究.计算机工程与应用2005.(3):128-201.
[11] 王勇泉. 面向高校门户平台的Single Sign-on应用技术研究. 东北大学学报。2004, 01.
[12] 邓永江,程转流. 一个改进的 Kerberos 认证协议设计与分析. 福建电脑,2006,06.
[13] Wayne Schroeder. "KerberosLDCE, the Secure Shell, and Practical Internet Security". San Diego Supercomputer Center, San Diego, California, U. S.A.http://users.sdsc.edu/~chroede/ssh cug.html.
[14] 贾宗星.单点登录系统的研究与分析[D]. 西安建筑科技大学硕士学位论文,2007.06.
[15] 薛亮.InternetJIntranet 下单点登录的研究与实践.西北大学硕士学位论文,2006.05.
[16] 王敏,吉逸. Java2 环境下身份认证和授权机制的研究.微机发展,2003, 13 (5):40~42.
[17] 舒文曲,蒋念平,张宁. Java 的安全特性分析及安全代码开发[J]计算机工程 , 2002,(09).
[18] 周怀芬.基于 JAAS 的安全认证授权方案的研究与实现[J].天津理工大学学报,2006,22(4):27~29.
[19] 冉春玉,毕建信.墓于 JAAS 技术的 J2EE 安全性应用与研究[J].计算机与数字工程.2006,34(8):70~73.
[20] 刘冬冬. 基于 JAAS 的门户认证与授权系统的应用研究[D].大连海事大学 , 2006
[21] 万军,金静梅. JAAS 的分析和应用[J].计算机时代,2004,(9):60~62.
[22] 何建民,崔耿,李艳,方琴芬; 基于 JAAS 的身份安全认证系统设计与应用. 合肥工业大学学报(自然科学版), 2006 年 11 期.
[23] W. Yeong, T. Howes,S. Kille. Lightweight Directory Access Protocol. RFC1777, 2003,(3):43~46.
[24] M.Wahl,T.Howes,S.Kille.Lightweight Directory Access Protocol (V3).RFC 2251,2001,(12):62~65.
[25] The Lightweight Directory Access Protocol: An Overview. Internet Exchange News,2004,(10):13~18.
[26] T. Howes,M. Smith. The LDAP Application Program Interface. RFC1823 2002,(8):82~86.
[27] 宫力. Java2 平台安全技术一结构、API 设计和实现. 机械工业出版 1999.
[28]http://gceclub.sun.com.cn/NASApp/sme/controller/techsubcatquery?catid=0301 基于 JNDI 的应用程序开发.
[29] 龚力柱.基于 GSS-API 的单点登录系统的研究与实现.西北工业大学硕士学位论文,2006.3.
[30] 谈猛刚. 基于企业门户的应用集成研究.中国科学院软件研究所. 2004,6.
[31] Pankaj Kumar. J2EE Security for Servlets, EJBs, and Web Services[M]. Prentice Hall PTR. 2003.
[32] Cliff Berg .Designing Secure J2EE Applications and Web Services[M]. Prentice Hall PTR. 2003.
© 2004-2018 中国地质图书馆版权所有 京ICP备05064691号 京公网安备11010802017129号 地址:北京市海淀区学院路29号 邮编:100083 电话:办公室:(+86 10)66554848;文献借阅、咨询服务、科技查新:66554700 |