Research And Implementation Of Universal Permission Management System Based On Digital Certificate

Posted on: 2011-12-04
Degree: Master
Type: Thesis
Country: China
Candidate: W Cao
Full Text: PDF
GTID: 2178360308469122
Subject: Software engineering

Abstract/Summary:
With the development and popularization of computer network technology, enterprises and institutions increasingly rely on information technology, and many kinds of application systems are in service in them. In general, each of these application systems has its own authentication and authorization module. Users have to log in to each application system before using it, and each application system requires a dedicated supervisor to manage and maintain users' permissions. User login and system management are therefore very complicated. As the number of application systems grows, the problems of the complicated login procedure and the complex permission management become more and more obvious. Building a unified permission management system that achieves unified identity authentication and centralized management of system permissions has therefore become an urgent task.

To solve these problems, a unified permission management system based on digital certificates was successfully designed and implemented by analyzing and researching authentication technology and access control models. In this architecture, the authentication and authorization modules are separated from the application systems, and several application systems share a single authentication and authorization management system.

For identity authentication, the system adopts an authentication mechanism based on digital certificates, which uses a signed and encrypted cookie to track the session between the unified permission server and the client browser. At the same time, a multi-domain SSO scheme based on digital certificates is implemented in the system by using redirection. Users can therefore enter all authorized application systems by logging in just once.

For permission management, the system, which is based on the role-based access control model, adds time features to permission constraints, which makes the system more timely and increases the practicability of access control. In addition, a function vector code access control method is proposed. It can control any specific operation on resources and achieves fine-grained permission control.

At present, the system has been developed and applied to the Ministry of Education electronic authentication system project, and it has yielded good results in realizing unified identity authentication and unified permission management.
Keywords/Search Tags:unified permission management, digital certificate, role based access control, single sign-on, identity authentication