Research And Application Of Role-based Access Control Based On The Platform Of J2EE

Posted on: 2009-12-04 | Degree: Master | Type: Thesis
Country: China | Candidate: H Zhang
GTID: 2178360245955218 | Subject: Computer application technology
Abstract/Summary:
To keep pace with the rapid development of network technology and the Internet, Sun Corporation put forward the J2EE specification, which has become an industry standard for enterprise development. As the Java programming language has become an important part of enterprise application development, system security has received more and more attention. Access control, an indispensable part of the security architecture, is one of the keys to solving security problems, and Role-Based Access Control (RBAC) has become the most popular access control model because of its flexibility and ease of authorization management. J2EE is now widely used as a platform for enterprise development. Its access control mechanism is mainly based on RBAC, but because of defects in the mechanism itself, access control on the J2EE platform cannot fully realize the advantages of RBAC.

To solve this problem, this thesis first studies the RBAC model and the access control mechanism of J2EE in depth. In the RBAC model, users and access permissions are logically separated by roles. This greatly reduces the complexity of authorization management and makes dynamic and complex access control policies easy to implement. As a role-based security mechanism, J2EE access control protects applications through authentication and authorization. JAAS, a scalable framework for authentication and authorization, is a very important technology for implementing J2EE access control.

The thesis then analyzes the differences between the J2EE access control mechanism and the RBAC model and, considering the particular requirements of enterprise applications, points out the disadvantages of the J2EE mechanism: unlike RBAC, it supports neither hierarchical and constrained relations between roles nor dynamic management of roles and permissions, among other things.

On the basis of this research, the thesis proposes a prototype RBAC access control system that conforms to the J2EE security standard and implements it under J2EE with technologies such as JAAS. The implementation is independent of any specific application. Building on J2EE access control, the system makes up for some of the shortcomings of the J2EE mechanism by implementing the standard RBAC model. It can realize complex security policies easily and has good scalability, portability and versatility. Finally, the successful application of the prototype system validated its effectiveness and practicability for access control in enterprise applications. The thesis provides a useful reference for applied research on access control technology with the J2EE framework.
Keywords/Search Tags: J2EE, Access Control, RBAC, JAAS
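
The three RBAC features the abstract says the J2EE mechanism lacks (role hierarchy, constraints between roles, and run-time management of roles and permissions), sketched as an added example in plain Java 9+. This is not code from the thesis: the class, role and permission names are hypothetical, and the constraint shown is static separation of duty, chosen here as one instance of a role constraint.

```java
import java.util.*;

// Added illustration (hypothetical names): hierarchical RBAC with a static separation-of-duty check.
public class HierarchicalRbac {
    private final Map<String, Set<String>> juniors = new HashMap<>();     // role -> roles it inherits
    private final Map<String, Set<String>> permissions = new HashMap<>(); // role -> direct permissions
    private final Map<String, Set<String>> userRoles = new HashMap<>();   // user -> assigned roles
    private final List<Set<String>> ssd = new ArrayList<>();              // mutually exclusive role sets

    public void inherit(String senior, String junior) {
        if (closure(junior).contains(senior)) throw new IllegalArgumentException("role cycle");
        juniors.computeIfAbsent(senior, k -> new HashSet<>()).add(junior);
    }
    public void grant(String role, String perm) { permissions.computeIfAbsent(role, k -> new HashSet<>()).add(perm); }
    public void revoke(String role, String perm) { permissions.getOrDefault(role, new HashSet<>()).remove(perm); }
    public void exclusive(String... roles) { ssd.add(new HashSet<>(Arrays.asList(roles))); }

    public void assign(String user, String role) {
        Set<String> effective = new HashSet<>(closure(role));
        userRoles.getOrDefault(user, Set.of()).forEach(r -> effective.addAll(closure(r)));
        for (Set<String> set : ssd) {  // reject before the assignment takes effect
            if (set.stream().filter(effective::contains).count() > 1)
                throw new SecurityException("SSD violation for " + user + ": " + set);
        }
        userRoles.computeIfAbsent(user, k -> new HashSet<>()).add(role);
    }

    // A role plus every role it inherits, transitively; terminates because inherit() rejects cycles.
    private Set<String> closure(String role) {
        Set<String> seen = new HashSet<>(Set.of(role));
        for (String j : juniors.getOrDefault(role, Set.of())) seen.addAll(closure(j));
        return seen;
    }

    public boolean check(String user, String perm) {
        return userRoles.getOrDefault(user, Set.of()).stream().flatMap(r -> closure(r).stream())
                .anyMatch(r -> permissions.getOrDefault(r, Set.of()).contains(perm));
    }

    public static void main(String[] args) {
        HierarchicalRbac rbac = new HierarchicalRbac();
        rbac.grant("clerk", "invoice:read");
        rbac.grant("auditor", "invoice:approve");
        rbac.inherit("accountant", "clerk");       // hierarchy: accountant inherits clerk
        rbac.exclusive("accountant", "auditor");   // constraint: never both for one user
        rbac.assign("alice", "accountant");
        System.out.println("read via hierarchy: " + rbac.check("alice", "invoice:read"));
        try { rbac.assign("alice", "auditor"); }
        catch (SecurityException e) { System.out.println(e.getMessage()); }
        rbac.revoke("clerk", "invoice:read");      // permission changed at run time
        System.out.println("read after revoke: " + rbac.check("alice", "invoice:read"));
    }
}
```

The constraint is enforced only when a role is assigned; a hierarchy change made after users hold roles would need the same check re-run over existing assignments.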