The Research Of Cross-domain Access Control

Posted on: 2009-09-18
Degree: Master
Type: Thesis
Country: China
Candidate: Z X Lin
Full Text: PDF
GTID: 2198330332979336
Subject: Communication and Information System

Abstract/Summary:
With advances in the Internet and distributed computing technology, the demand for sharing resources among systems in different domains keeps growing. People often have to access resources in another domain, so interoperation among systems becomes more and more important. In the process of interoperation, these systems are not only service providers but also service consumers of other systems. Therefore, each system should protect its own resources and comply with the security rules of the other systems. In a distributed environment, however, the security problem can be magnified by heterogeneous security policies and different authorization mechanisms. How to configure appropriate access control that supports interoperation while ensuring system security has therefore become a very important technology.

This thesis focuses on solving such problems. We adopt three theoretical models to solve cross-domain authorization. The first builds on previous studies and applies a role mapping model, but it is only applicable to interoperation between RBAC authorization systems. The second is based on role and group cross mapping; this model solves secure interoperation between ACL and RBAC authorization systems. The last is abstracted from the above models and is based on attribute mapping; it applies to authorization mechanisms that are based on the subject's attributes.

On the basis of this research, we study and develop an access control system that supports cross-domain authorization. This thesis first introduces the cross-domain mediator system, which is combined with the above theoretical models and global identity management to realize cross-domain access control. The system is based on the J2EE platform and includes a fundamental access control system and a cross-domain mediator system. The fundamental access control system provides centralized authorization management and authorization service. The cross-domain mediator system is the bridge for cross-domain authorization; it not only stores global users and global attributes but also provides a mapping service for member authorization domains. Based on the mediator system, this system supports cross-domain authorization in two ways: one is mapping the foreign domain user's attributes to recognizable attributes, the other is authorizing by global user and attribute.
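The two authorization paths named in the abstract can be sketched as follows. This is an added example, not code from the thesis or its J2EE system; the class names, the domain and attribute names, and the rule that unmapped attributes are dropped are all assumptions made for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class Mediator:
    """Hypothetical mediator: stores global users/attributes and mapping rules."""
    # (source domain, foreign attribute, target domain) -> attribute the target recognizes
    mappings: dict = field(default_factory=dict)
    # global user id -> set of global attributes
    global_users: dict = field(default_factory=dict)

    def map_attributes(self, src, attrs, dst):
        """Way 1: translate foreign attributes; anything without a rule is dropped."""
        return {self.mappings[(src, a, dst)] for a in attrs
                if (src, a, dst) in self.mappings}

    def global_attributes(self, global_id):
        """Way 2: attributes of a registered global user (empty set if unknown)."""
        return set(self.global_users.get(global_id, ()))

@dataclass
class Domain:
    """Hypothetical member domain with its own attribute-based policy."""
    name: str
    policy: dict  # resource -> set of attributes (local or global) that grant access

    def authorize(self, mediator, resource, src, attrs=(), global_id=None):
        allowed = self.policy.get(resource, set())  # unknown resource: nothing allowed
        # Foreign attributes are never trusted verbatim, only through a mapping rule.
        held = mediator.map_attributes(src, attrs, self.name)
        if global_id is not None:
            held |= mediator.global_attributes(global_id)
        return bool(allowed & held)

# Constructed sample data (not from the thesis)
MEDIATOR = Mediator(
    mappings={("hospital", "role:physician", "lab"): "group:report-readers"},
    global_users={"g-1001": {"global:auditor"}},
)
LAB = Domain("lab", {"/reports": {"group:report-readers", "global:auditor"}})
PHARMACY = Domain("pharmacy", {"/stock": {"role:pharmacist"}})
```

Because mapping rules are keyed by both source and target domain, a rule written for one pair of domains grants nothing in any other domain, and a foreign user who presents a string that happens to equal a local attribute name gains no access without a rule.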
Keywords/Search Tags: access control, cross-domain authorization, attribute mapping