Design And Implementation Of Role-based Authorization And Access Control System

In this paper, theoretical study of existing access control based on attributecertificates to introduce the concept of an object-oriented design of the authorizationand access control systems, this system uses the attribute certificate to describe theroles, resources, operational relationship between to realize the role of the authorizedaccess control, role-based authorization and access control technology to achieve theuser with access to the logic of separation, will convert the user's control on the roleof control, can reduce administrative overhead, so that a more flexible authorizationmanagement, efficient make the process more secure access control .In addition, thesystem can verify the authorization information, access control policy of security,integrity and effectiveness, and has universal application and specific mechanisms forauthorization and access independent.The system uses a unified general framework of the module design, theframework is divided into external control framework, the two parts of the innerworkings of the framework, communication frame work of the framework is dividedinto two parts and operational framework. The framework model is the use of JAVAin the NIO mechanism to achieve a combination of event-driven mechanism formulti-threaded communications framework. Communications framework and theoperational framework for data transfer between the adoption of interface; achievedwhen each module need only configure the general framework and the achievement ofspecific business processes can be Communication framework is the system of publicmodule, it will be the system implementation details of network communicationpackage into a separate module, the module makes the business part without attentionto these details, on the one hand improve the reusability of code, it also reduces thesystem the coupling.Business system, business processing module is part of the system configurationmodule, a preliminary analysis module, the specific transaction processing module ofthree parts. System Configuration module to read the system configurationinformation settings, including business module selection, data flow analysis methods; preliminary analysis module of input data obtained preliminary analysis of specifictypes of transactions, analytical approach to choose depends configuration module,the default for non-treatment; specific transaction module input data forbusiness-related processing, including AEF, ADF, certificate management.Physical deployment of this system consists of five systems constitute,respectively, applications, decision-making system, operation management systemattribute certificate, certificate issuance and management system, LDAP directoryserver. The main components of which application is responsible for receivinguser-initiated AEF resource access request, after the AEF and ADF to communicate,initiate resource requests to the ADF and the ADF to receive the return result. Back toresults-driven application system according to the implementation of access toresources or access denied tips are given. Decision-making system of the maincomponents responsible for receiving AEF ADF access control protocol to send therequest to the judge requesting information analysis, and return to judge the results,the entire communication process to ensure data privacy, integrity, using SSL as asecure means of communication. In addition, ADF provides access to the certificaterepository to obtain certificates and certificates functional analysis to obtain theauthorization policy, the certificate database includes LDAP directory server and theADF local certificate repository. Attribute Certificate Management System PMS isresponsible for providing strategic input for the system administrator interface togenerate a certain attribute certificate management protocol format of XML data.PMS agreement through Attribute Certificate Management System certificate wasissued and the property to communicate with AA to the AA launched certification,release, freeze, thaw, revocation request, from AA to receive the package attributecertificate management protocol request the results. PMS to communicate with theAA, also using SSL as a secure means of communication to ensure data privacy,integrity. MS also need to authorize the administrator to provide the interface tocomplete the authorization policy attribute certificate and the access control policydescription attribute certificates. Entry includes roles, resources, operations, rules andother information in accordance with a certain attribute certificate format specificationfor the XML package for the attribute certificate management protocol modules.Attribute certificate issuing system of AA to issue the certificate for the property,release, freeze, thaw, remove function. AA launched PMS received attributecertificate signing request, basic information certificate ASN1 encoded data field, use the key engine module will encode the data signature, encoding information, signaturealgorithm, signature data sets to make another ASN1 encoding, ultimately consistentwith the format specification attribute certificate attribute certificate.System design process, users on the system partition, the composition of thesystem users and system communication between users, the process ofinteroperability. Users of the system including the application user, applicationadministrator, authority administrator, system administrator. Application users andspecific applications for business-related transactional work. The users need thesystem resources visitor. For specific applications, the establishment of applicationsystem administrator. Application system and application administrators responsiblefor access control policies related to the generation, application systems deployment.Access control policy, including the generation of work roles, resources, operations,and correspondence between the role of operating conditions for resource constraints;applications, including the deployment of application-related roles, resources,operations management, application and authorization subsystem networkconnectivity between the configuration. Application-specific access control policyand licensing strategy submitted by the application of the system administrator toauthorize the administrator. Permissions Administrator authority is responsible for allapplication management and access control strategies, specifically including theauthorization policy attribute certificate generation, issuance, freezing, thawing,remove, and access control policy of issuing attribute certificate. LDAP access to theconfiguration. In the design process, in order to reduce the coupling system, increasesystem scalability, object-oriented approach using a combination of design patternsand design of the system. Extraction system has universal module designed to enablethe module to achieve with the business as much as possible the loose coupling,thereby enhancing the module's reusability and interoperability, thus the system hasnothing to do with the application of the authorization and access mechanism.Achieved in the system implementation phase, in order to improve the demandfor change in the design process exposed the inadequacies of the system is optimized,including the system architecture and technical implementation details of theoptimization, improve the system's efficiency and maintainability. The main functionmodules complete the system implementation, including system configuration module,data processing module, access authorization policy module, the specific transactionprocessing module, the system of the business process design idea and method, given the relationship between the main classes and important interfaces and properties.System operational framework by reading the system configuration module, the localconfiguration information, load the different transaction processing modules whichprototype system composed of various systems. When a client sends a request arrives,the first data processing module is called a preliminary analysis of data, and thenselect the appropriate transaction processing module for data processing, if thetransaction processing module on the LDAP directory server for the operation, thesystem will call the authorization policy Access Modules treatment accordingly.Role-based authorization and access control systems development and businessimprovement is a process of accumulation, only been to optimize the technologyplatform and software framework in order to consolidate the basis for theaccumulation of products and services, thus ensuring system stability, enhance thequality of the system and actively adapt to the changing needs of our customers.