Design And Implementation Of Security Service Of Web Application Server

With the quick development of Electronic Commerce and the enterprise application on the Internet, web application server becomes a hot research area. A web application server is a distributed system that provides runtime-integrated services such as naming service, security service, transaction management, load balancing, fault tolerance etc, for transactional web application. Developers can concentrate on their own business logic rather than be involved in those issues, and then the development and maintenance of application system is simplified. Because security issue has been more and more important in the open network environment, security service plays an important role in the application server and must be supported by it as a basic function. The thesis focuses on security service framework of J2EE application server.First, we introduce a security reference model. J2EE specification only defines security-related requirement and goal, but how to implement is due to developer.In order to guide the development of security service of J2EE application server, we define a security reference model through referring to CORBA security reference model and combining characteristics of J2EE application server.Next, according to security refencence model, we implement security service by using layer-architecture. Through the JAAS and Rights-based access control model, we provide a flexible, configurable and extensible security service framework, which can integrate various kinds of security mechanism and policy. Additionally, because of inherent cross-cutting characteristic of security service, we provide an aspect of security service by using the concept of AOP, thus security-related code scattering and tangling can be avoided, and code reusability is also promoted at the same time.Finally, we have integrated security service into Web Application Server--OnceAS, which is developed by Institute of Software, CAS, and conformed to J2EE specification, and therefore the security requirements of EJB, Servlet and JCA can be satisfied.