The Internet is penetrating every field of society and increasingly shaping people's daily activities, so building secure Web applications (e-government, e-commerce, and so on) has become one of the hot topics in network security, and their implementation has significant practical and social value. This paper proposes a set of systematized mechanisms for building secure Web applications that can actively defend against attack, and stresses that designing and implementing such applications requires strengthening the internal security mechanisms of the WWW itself. Traditional technologies such as firewalls and IDS protect a Web application from the outside; fundamentally, we must start from the security of the WWW itself. Specifically, the contributions of this paper are as follows:

1) Systematized solutions for designing secure Web applications are provided, covering information security on the server, transmission security between server and clients, and valid access to the server from clients.

2) Storage encryption graded by information value, together with page originality identification, is used to build secure Web storage. Pages are encrypted according to their importance and then stored on the server, so the system can prevent pages from being downloaded maliciously and sensitive information from being exposed. At the same time, each page is identified to assure its originality, which prevents the harm caused by unauthorized tampering with pages and keeps an attacker from planting backdoor programs such as executable scripts without authorization. Our self-developed Web server middleware performs the originality identification of pages and decrypts them automatically, transparently to users.

3) Several techniques, such as access control and data encryption, are adopted to build secure data storage. Access control ensures that only authorized users access the database and rejects invalid operations; encrypting record fields prevents them from being stolen or modified without authorization.

4) Backup and recovery ensure information security at the physical level in case of disaster or accident. All logical safety precautions become meaningless when an unforeseeable harmful event occurs, such as fire, lightning strike, or terrorism, so system security must also be ensured against physical factors.

5) SSL and SSH are adopted to implement secure information transmission. SSL assures the security of information transmitted between server and client; with SSH, files on the server and other resources can be managed safely. Information transmitted from server to client is kept secret.

6) A classified access control strategy based on RBAC secures access to the server from clients. The system classifies users into roles according to their rights; a user can only access the pages that match the authorization of that role and cannot exceed its authority.

7) Logs with digital watermarks build a secure Web audit. A secure Web application must log user operations strictly; adding a watermark to log records assures their authority, integrity and non-repudiation.

8) A feasible security evaluation and implementation scheme is provided. Evaluation and layout of the Web application make it stable and secure; with a reasonable network topology, appropriate payload, load balancing and a high-performance Web protocol, the performance of a secure Web application can be improved. A secure and convenient management tool has been designed and implemented, which improves the implementation efficiency of secure Web applications.

In conclusion, the systematized mechanisms described above, which can actively defend against attack, are an optimal solution for building secure Web applications. They can be used widely in e-government and e-commerce application environments, such as the finance industry and negotiable securi...
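As an added illustration of contributions 2) and 7) above (example code, not the paper's own middleware), the sketch below tags each stored page with a keyed integrity mark that the serving path recomputes before the page leaves the server, and writes the outcome to a hash-chained, keyed audit log so that edited or deleted records can be detected. The keys, page contents and store layout are constructed for the example.

```python
import hashlib
import hmac
import json

# Constructed keys for the example; a deployment would keep them in a key
# store outside the web root rather than as module constants.
PAGE_KEY = b"constructed-page-integrity-key"
LOG_KEY = b"constructed-log-watermark-key"


def page_tag(path, content):
    """Integrity tag bound to both the page path and its bytes, so a valid
    page cannot simply be copied over another path."""
    return hmac.new(PAGE_KEY, path.encode() + b"\x00" + content, hashlib.sha256).hexdigest()


def publish(store, path, content):
    """Authorized publishing step: store the page together with its tag."""
    store[path] = {"content": content, "tag": page_tag(path, content)}


def append_log(log, record):
    """Tamper-evident audit record: the keyed 'watermark' covers the record's
    own fields and the previous entry's watermark, forming a chain."""
    prev = log[-1]["mark"] if log else ""
    body = json.dumps(record, sort_keys=True)
    mark = hmac.new(LOG_KEY, (prev + body).encode(), hashlib.sha256).hexdigest()
    log.append({"record": record, "mark": mark})


def serve(store, path, log):
    """Middleware check before a page is served: recompute the tag and refuse
    anything whose tag no longer matches (a modified page, or a file dropped
    into the store without going through publish())."""
    entry = store.get(path)
    if entry is None:
        return None
    ok = hmac.compare_digest(page_tag(path, entry["content"]), entry["tag"])
    append_log(log, {"path": path, "event": "served" if ok else "integrity_failure"})
    return entry["content"] if ok else None


def verify_log(log):
    """Recompute the chain; any edited, removed or reordered entry breaks it."""
    prev = ""
    for entry in log:
        body = json.dumps(entry["record"], sort_keys=True)
        expect = hmac.new(LOG_KEY, (prev + body).encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expect, entry["mark"]):
            return False
        prev = entry["mark"]
    return True
```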