Research On An Extensible Security Framework For Web Application Server And Its Key Technologies

Posted on: 2006-12-03
Degree: Master
Type: Thesis
Country: China
Candidate: H R Chen
GTID: 2168360152487481
Subject: Computer software and theory
Abstract/Summary:
With the development of our economy, information technologies are widely applied. Network information systems are becoming more powerful and are now key national infrastructure. Meanwhile, information security problems are gradually emerging. Security in the Web application server is a vital issue. This thesis focuses on the security framework of a J2EE Web application server and its key technologies.

Most software systems provide some support for customizing and configuring security services; however, it is not enough. Because application requirements vary and continue to evolve, a Web application server needs to provide a flexible security mechanism. The thesis introduces a security reference model for the Web application server and implements a security framework based on that model. The security framework is made up of four layers: security service interface, security service, security service provider interface and security provider.

In addition, the thesis explores some key technologies of the security framework. The security framework provides a customized SSL factory class for RMI by using JSSE. Hence, RMI invocation over SSL sockets contributes to confidentiality and integrity. CSIv2 is a secure interoperation protocol from the OMG; we have implemented the protocol with portable interceptors in the ORB and provided a security service for interoperation. Existing systems use a variety of authorization implementations, with the result that security services cannot be reused, extended or replaced. The JACC specification, newly added in J2EE 1.4, defines a unified authorization model. We have implemented an authorization framework based on JACC; the authorization framework is clearly defined and easy to maintain and extend. In addition, customers can implement their own authorization mechanism to meet their specific security requirements.

We have integrated the security framework into the Web application server OnceAS, developed by the Institute of Software, CAS, which conforms to the J2EE 1.4 specification; therefore, the security requirements of EJB, Servlet and JCA can be satisfied.
Keywords/Search Tags: Web Application Server, Security Framework, Secure Connection, CSIv2, JACC