
Research And Implementation Of Access Control Model Based On Web Services And AOP

Posted on: 2008-08-05    Degree: Master    Type: Thesis
Country: China    Candidate: P Cheng    Full Text: PDF
GTID: 2178360215962087    Subject: Computer application technology
Abstract/Summary:
With the development and maturity of service-oriented architecture (SOA) technology and products, SOA is becoming the direction in which software development is heading. A growing number of enterprises and organizations choose to offer their business functions as services on the Internet, so that these can be integrated into their own business processes or called by other users. Services are flexible and open, and they integrate well with existing resources. But precisely because they are flexible and open, online services face more security issues: how to let authorized users access the various services transparently while preventing attacks by unauthorized users is a pressing demand. In other words, single sign-on and access control are important issues in a service-oriented environment.

The basic component of a service-oriented environment is the service. A business process may consist of a range of services, and an application may contain a series of business processes, so a single application may involve many services. To ensure that services are accessed only with authorization, authentication is usually required before a service is accessed. But since an application or a business process may contain many services, requiring the user to enter identity information on every service call would be unacceptable and very inconvenient. Accessing services in a service-oriented environment therefore resembles visiting ordinary web sites with respect to the "single sign-on" concept: just as single sign-on for web sites lets a user log in once and then visit a number of sites, here the user logs in once and can then call a number of services without authenticating again.

Single sign-on can be achieved in a variety of ways; this system uses the SAML token method to implement single sign-on in the SOA environment.

The openness of services also brings potential security problems: anyone can easily find the services. Ensuring that only authorized users can use a service is the problem that access control solves. Single sign-on lets a service know the identity of the user; access control goes further and decides what that user is authorized to do. Access control has previously been implemented in three ways: filters, access-control code inserted into the functional modules, and proxies. A filter is applied to the URI, which does not work well at the application level; in frameworks such as Struts or Tapestry it is not unusual for a single URL to handle a wide range of tasks, so the applicability of filters is limited. The second method, inserting code, does achieve access control, but the access-control code is tightly coupled to the application, which makes extension difficult. The proxy method places a proxy in front of each functional module to enforce access control; although it decouples program functionality from access control, from the point of view of roles it requires too many specific proxies and is also difficult to extend. Because of these shortcomings, this paper combines XACML with AOP to implement access control. AOP's notion of an aspect separates functional code from access-control code, access control can be applied at a coarse granularity inside the container, and the result is loosely coupled and easily extended.

For secure transmission, asymmetric encryption is used to keep the client flexible and general-purpose. Certificates are not used on the client; they are used only in the access-control and target-service modules, which are relatively stable. On the client, the client application generates a random asymmetric key pair for each session. The public key is sent to the access-control or target-service domain during the interaction, and the returned result is encrypted with that public key, so that the information can be decrypted only by the client.
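The following is an added example, not code from the thesis, illustrating the design the abstract describes: a single sign-on token establishes the subject once, an aspect (here a class decorator acting as around-advice) intercepts every public method of a service class, and a policy decision point evaluates XACML-style rules with the deny-overrides combining algorithm. All class names, the shape of the token dictionary, the policy and the `OrderService` business code are this example's own assumptions; a real deployment would populate the subject from a signature-checked SAML assertion and load the rules from an XACML policy file.

```python
# Added example (not the thesis's code): AOP-style access control driven by
# XACML-like rules.  Names and the token layout are assumptions.
from dataclasses import dataclass
from functools import wraps
import contextvars

# Subject of the current request, populated once by single sign-on.
_current_subject = contextvars.ContextVar("subject", default=None)


@dataclass(frozen=True)
class Subject:
    name: str
    roles: frozenset


class AccessDenied(PermissionError):
    pass


def establish_session(assertion: dict, now: int) -> Subject:
    """Turn an already signature-checked SAML-like assertion (constructed dict
    standing in for the attribute statement) into the session subject.  `now`
    is a Unix timestamp so the validity check is deterministic."""
    if now >= assertion["not_on_or_after"]:
        raise AccessDenied("expired single sign-on token")
    subject = Subject(assertion["name_id"], frozenset(assertion["roles"]))
    _current_subject.set(subject)
    return subject


@dataclass(frozen=True)
class Rule:
    """One XACML-style rule: a target (resource, action, roles) and an effect."""
    effect: str                      # "Permit" or "Deny"
    resource: str                    # service class name, or "*" for any
    action: str                      # method name, or "*" for any
    roles: frozenset = frozenset()   # empty means the rule applies to anyone

    def matches(self, subject: Subject, resource: str, action: str) -> bool:
        return (self.resource in ("*", resource) and self.action in ("*", action)
                and (not self.roles or bool(self.roles & subject.roles)))


class PolicyDecisionPoint:
    """Evaluates rules with XACML's deny-overrides combining algorithm."""
    def __init__(self, rules):
        self.rules = list(rules)

    def decide(self, subject: Subject, resource: str, action: str) -> str:
        decision = "NotApplicable"
        for rule in self.rules:
            if rule.matches(subject, resource, action):
                if rule.effect == "Deny":
                    return "Deny"            # any matching Deny wins
                decision = "Permit"
        return decision


def _around_advice(pdp, resource, action, method):
    """Policy enforcement point run at the join point before the real method."""
    @wraps(method)
    def advice(self, *args, **kwargs):
        subject = _current_subject.get()
        if subject is None:
            raise AccessDenied("NoSession: single sign-on required")
        decision = pdp.decide(subject, resource, action)
        if decision != "Permit":             # Deny and NotApplicable both block
            raise AccessDenied(f"{decision}: {subject.name} -> {resource}.{action}")
        return method(self, *args, **kwargs)
    return advice


def access_controlled(pdp):
    """Aspect: weaves the advice into every public method of a service class,
    so the business code itself contains no security logic."""
    def weave(cls):
        for name, attr in list(vars(cls).items()):
            if callable(attr) and not name.startswith("_"):
                setattr(cls, name, _around_advice(pdp, cls.__name__, name, attr))
        return cls
    return weave


# Constructed policy: any signed-on user may read orders, only managers may
# cancel them, and a subject carrying the "audited" role may never cancel.
PDP = PolicyDecisionPoint([
    Rule("Permit", "OrderService", "get_order"),
    Rule("Permit", "OrderService", "cancel_order", frozenset({"manager"})),
    Rule("Deny", "OrderService", "cancel_order", frozenset({"audited"})),
])


@access_controlled(PDP)
class OrderService:
    """Plain business code; access control is applied by the aspect."""
    def get_order(self, order_id):
        return {"id": order_id, "status": "open"}

    def cancel_order(self, order_id):
        return {"id": order_id, "status": "cancelled"}


def _attempt(call):
    try:
        return call()["status"]
    except AccessDenied as e:
        return str(e).split(":")[0]


def run_demo():
    """Exercise the service under several subjects; returns each outcome."""
    svc, results = OrderService(), {}
    establish_session({"name_id": "alice", "roles": ["clerk"], "not_on_or_after": 2000}, now=1000)
    results["clerk_get"] = _attempt(lambda: svc.get_order(7))
    results["clerk_cancel"] = _attempt(lambda: svc.cancel_order(7))
    establish_session({"name_id": "bob", "roles": ["manager"], "not_on_or_after": 2000}, now=1000)
    results["manager_cancel"] = _attempt(lambda: svc.cancel_order(7))
    establish_session({"name_id": "carol", "roles": ["manager", "audited"], "not_on_or_after": 2000}, now=1000)
    results["audited_cancel"] = _attempt(lambda: svc.cancel_order(7))
    try:
        establish_session({"name_id": "dave", "roles": [], "not_on_or_after": 500}, now=1000)
        results["expired"] = "accepted"
    except AccessDenied:
        results["expired"] = "rejected"
    return results


if __name__ == "__main__":
    print(run_demo())
```

The point of the structure is the one the abstract makes against filters and inline checks: `OrderService` knows nothing about roles or policies, the decision logic lives in one `PolicyDecisionPoint`, and adding a new service or a new rule touches neither the other. Note that the advice treats `NotApplicable` exactly like `Deny`, so a service method that no rule mentions is closed by default rather than silently open.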
Keywords/Search Tags:SOA, AOP, SAML, XACML, Single-sign on, Access control