
Research And Implementation Of Security In EJB Container

Posted on: 2007-03-25
Degree: Master
Type: Thesis
Country: China
Candidate: F Yang
GTID: 2178360182488453
Subject: Computer software and theory

Abstract/Summary:
With the continual development of the Internet, Sun Microsystems put forward J2EE, which has become a standard. As the Java programming language entered enterprise application development, new demands were placed on security technology. Several large international software companies produced application servers compatible with the J2EE standard. These products provide a complete but also huge and complex security structure. For the EJB container, this security structure has some disadvantages: it is too complex, it faces the risk of leaking security information, and it depends excessively on the Web layer.

To address these disadvantages, this paper gives a new solution: building a security structure with good extensibility inside the EJB container. Based on this idea, JAAS (Java Authentication and Authorization Service), a new security technology, is researched in depth, along with some common authentication models and authorization models. In this paper, authorization and access control are treated as equivalent. JAAS was chosen as the core technology of the security structure. The chosen authentication model is the password-based model or the certificate-based model. The chosen authorization model is the Role-Based Access Control (RBAC) model.

The security structure in the EJB container has two main modules, the Authenticator and the Authorizationer, because authentication and authorization are the most important functions of a security system. The Authenticator was designed and implemented on the basis of the JAAS framework. The password-based authentication module has been completed, and the certificate-based authentication module is to be added. Some classes in the JAAS framework were modified, and some classes were added. The Authorizationer was implemented on the basis of the RBAC model. Unlike ordinary application servers, which use only declarative authorization, the Authorizationer in this paper uses both declarative authorization and programmatic authorization.

Compared with the security structure in ordinary application servers, the security structure in this paper, which is implemented in the EJB container, has many advantages: it is more concise and more cohesive, users' information is less likely to be leaked, and the means of access control are flexible. However, it also has some disadvantages: its functionality appears less powerful, and it depends completely on the EJB container.

The security structure given in this paper does not implement auditing. That function can be added in future work, and extending the authentication and authorization functions can also be considered.
Keywords/Search Tags:EJB container, security, authentication, authorization, JAAS