
Research And Implementation Of A Single Sign-on System Based On Improved Kerberos Protocol

Posted on: 2011-06-25
Degree: Master
Type: Thesis
Country: China
Candidate: Z Liu
Full Text: PDF
GTID: 2178360308957944
Subject: Computer application technology
Abstract/Summary:
In recent years, as the pace of informatization has accelerated, a company may deploy many Web application systems over different periods. These systems were developed independently, each with its own heterogeneous authentication and authorization module. To access them, a user must enter an account and password many times, which is inconvenient and increases the risk of disclosing that account and password. The company therefore needs a platform for unified authentication and centralized authorization: once a user has passed identity authentication, the authorized application resources can be accessed transparently. Single Sign-On was proposed to meet this demand.

This work is based on the single sign-on requirement of a company's portal resource management system: after authentication and authorization through the portal, the user can access the application systems integrated into it. Through research and analysis of Single Sign-On technology and a detailed analysis of the security problems in the Kerberos authentication process, this thesis proposes an improved Kerberos authentication model. By introducing a public key cryptosystem and USBKey two-factor authentication, the improved model solves the password guessing attack and the key storage and management problem; it reduces the dependence on clock synchronization by using a random number in place of the timestamp; and it ensures the security of the ticket by using a lightweight ticket.

According to the company's actual needs and based on the improved Kerberos authentication model, this thesis designs a single sign-on system with the following main functions:
① Unified authentication. The user first completes two-factor authentication on the client through the USBKey, and then uses the digital certificate stored in the USBKey to authenticate with the central authentication and authorization server.
② Centralized authorization. By combining the service ticket with RBAC, the system achieves access control.
③ User management. The portal administrator can manage users, including user management, group management and user mapping.
④ Application system management. The portal provides registration, information modification and deletion of application systems.

The designed system is implemented on the JavaEE platform. A CA is established to issue the user's digital certificate and generate the public/private key pair; the certificate and private key are stored in the USBKey, and the certificate is also stored in an LDAP server for authentication. Unified authentication relies on an interface provided as a Web Service. Application systems are integrated in one of two ways: a proxy with user mapping for systems that are difficult to rebuild, or a call to the Web Service interface for unified authentication in newly developed systems.

Testing and operation show that the system meets the company's requirements well and is a good solution for single sign-on.
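The following Python simulation is an added illustration of the two protocol-level changes the abstract describes (a random nonce replacing the timestamp for freshness, and a lightweight ticket combined with RBAC for access control); it is not the thesis's JavaEE implementation. The user keys, service key, role tables, user and service names are all constructed here, and an HMAC computed with a per-user secret stands in for the signature the USBKey-held private key would produce in the real system.

```python
import hashlib
import hmac
import json
import secrets

# Constructed keys for the simulation. The thesis keeps the user's private key
# and certificate in a USBKey and checks the certificate against LDAP; here a
# per-user secret and a keyed MAC stand in for that signature step.
USER_KEYS = {"alice": b"constructed-alice-usbkey", "bob": b"constructed-bob-usbkey"}
SERVICE_KEY = b"constructed-key-shared-by-AS-and-app-servers"

# Constructed RBAC data: roles held by each user, role required by each service.
USER_ROLES = {"alice": ["hr", "staff"], "bob": ["staff"]}
SERVICE_ROLE = {"payroll": "hr", "wiki": "staff"}


def mac(key: bytes, payload: bytes) -> str:
    return hmac.new(key, payload, hashlib.sha256).hexdigest()


def timestamp_fresh(client_clock: int, server_clock: int, window: int = 300) -> bool:
    """Classic Kerberos freshness: authenticator timestamp within a skew window."""
    return abs(client_clock - server_clock) <= window


class AuthServer:
    """Central authentication server: nonce challenge instead of a timestamp,
    then a lightweight MAC-protected ticket carrying the user's roles."""

    def __init__(self):
        self.pending = {}      # user -> nonce handed out, awaiting the response
        self.consumed = set()  # nonces already accepted (replay cache)

    def challenge(self, user: str) -> str:
        nonce = secrets.token_hex(16)
        self.pending[user] = nonce
        return nonce

    def issue_ticket(self, user, service, nonce, proof):
        # Freshness: only the nonce we issued to this user, and only once.
        if self.pending.get(user) != nonce or nonce in self.consumed:
            return None
        # Proof of key possession (stand-in for the USBKey signature).
        expected = mac(USER_KEYS[user], nonce.encode())
        if not hmac.compare_digest(expected, proof):
            return None
        self.consumed.add(nonce)
        del self.pending[user]
        # Lightweight ticket: only principal, target service, roles and a ticket id.
        body = json.dumps({"user": user, "service": service,
                           "roles": USER_ROLES[user], "tid": secrets.token_hex(8)},
                          sort_keys=True)
        return body, mac(SERVICE_KEY, body.encode())


class AppServer:
    """Integrated application: verifies the ticket, then applies RBAC."""

    def __init__(self, name: str):
        self.name = name
        self.seen = set()  # ticket ids already presented (replay cache)

    def access(self, ticket) -> str:
        body, tag = ticket
        if not hmac.compare_digest(mac(SERVICE_KEY, body.encode()), tag):
            return "invalid ticket"
        t = json.loads(body)
        if t["service"] != self.name:
            return "ticket for another service"
        if t["tid"] in self.seen:
            return "replayed ticket"
        self.seen.add(t["tid"])
        if SERVICE_ROLE[self.name] not in t["roles"]:
            return "forbidden"
        return "granted"


def login(auth: AuthServer, user: str, service: str):
    """Client side: answer the nonce challenge with the USBKey-held key."""
    nonce = auth.challenge(user)
    return auth.issue_ticket(user, service, nonce, mac(USER_KEYS[user], nonce.encode()))


def run_demo() -> dict:
    auth, payroll = AuthServer(), AppServer("payroll")
    # Alice's exchange done step by step so the response can be replayed below.
    nonce = auth.challenge("alice")
    proof = mac(USER_KEYS["alice"], nonce.encode())
    alice = auth.issue_ticket("alice", "payroll", nonce, proof)
    replayed_response = auth.issue_ticket("alice", "payroll", nonce, proof)
    bob = login(auth, "bob", "payroll")
    tampered = (alice[0].replace("alice", "mallory"), alice[1])
    return {
        "alice": payroll.access(alice),
        "alice_again": payroll.access(alice),
        "bob": payroll.access(bob),
        "tampered": payroll.access(tampered),
        "replayed_response": replayed_response,
        # The same login under 10 minutes of clock skew fails a timestamp check;
        # the nonce exchange above never consulted either clock.
        "timestamp_with_skew": timestamp_fresh(1_000_000, 1_000_600),
    }


if __name__ == "__main__":
    print(run_demo())
```

The nonce cache and the ticket-id cache are what make the scheme independent of synchronized clocks: the authentication server only accepts the nonce it just issued, and each application server accepts a given ticket once. A ticket lifetime, which the abstract does not describe in detail, would still be needed in a deployment to bound how long a stolen USBKey session stays usable.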
Keywords/Search Tags: Single Sign-On, Kerberos, Identity Authentication, Lightweight Ticket