
Role-based Access Control (RBAC) Web Application

Posted on: 2003-02-10
Degree: Master
Type: Thesis
Country: China
Candidate: X Wu
GTID: 2208360065955435
Subject: Department of Automation, Control Theory and Engineering
Abstract/Summary:
Role-based access control (RBAC) can reduce the complexity and cost of authorization management compared with traditional access control methods, and roles can be made consistent with the personnel structure of an organization or corporation. RBAC is the best scheme to enforce authorization policy on large Internet. Modeling and implementation are the focus and the main difficulty of research on RBAC. In this paper, drawing on RBAC96 and the NIST RBAC/Web model, the author provides a common and standardized method for applying RBAC access policy. In this method, a relational database describes the users, roles, permissions, user-role assignments, role-permission assignments, role hierarchy relations, constraints and so on. The author implements role-based access control by constructing an application layer on the Web server of a three-layer architecture. From the relevant tables of the database, the application extracts the role assignment, role hierarchy, permission assignment and dynamic constraint information, and then creatively uses an Access Control Mask (ACM) and a User Dynamic Constraint Mask (UDCM) to union and filter the permissions a user applies for, according to the roles the user possesses and the dynamic constraint rules. The permission information is attached to the session to pick out the allowed operations, and the permission information in the session can also be used to provide a personalized management interface if the user has an administrator role. In addition, the MD5 message digest algorithm is used to encrypt the login password, strengthened by introducing a random number, in order to protect the password from packet sniffers. The author also uses MD5 to store password data in encrypted form. The architecture is designed with JSP, Servlet, JavaScript and Oracle; client script and server application are integrated together. The advantages of this scheme are that it is easy to understand, highly standardized, flexible, easy and ready to extend, uniform in its tasks, and independent of the OS platform. It is a valuable reference for improving other RBAC implementation methods such as the NIST RBAC/Web model, and a good direction for related application development.
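
The mask step described in the abstract, sketched as an added example that is not code from the thesis. The role names, permission bits, in-memory maps standing in for the database tables, and the reading of the UDCM as a mask that clears permissions granted only by roles blocked under a dynamic mutual-exclusion rule are all assumptions.

```java
import java.util.*;

public class RbacMaskDemo {
    // Hypothetical permission bits, one per operation.
    static final long READ = 1, WRITE = 2, APPROVE = 4, ADMIN = 8;
    // Constructed stand-ins for the role-permission, role-hierarchy and constraint tables.
    static final Map<String, Long> ROLE_PERMS =
        Map.of("clerk", READ | WRITE, "auditor", READ | APPROVE, "manager", ADMIN);
    static final Map<String, List<String>> JUNIORS = Map.of("manager", List.of("clerk"));
    static final List<Set<String>> EXCLUSIVE = List.of(Set.of("clerk", "auditor"));

    // Access Control Mask: OR of each role's permissions plus those of inherited junior roles.
    static long acm(Collection<String> roles) {
        long mask = 0;
        Deque<String> todo = new ArrayDeque<>(roles);
        Set<String> seen = new HashSet<>();
        while (!todo.isEmpty()) {
            String role = todo.pop();
            if (!seen.add(role)) continue; // already visited; also stops hierarchy cycles
            mask |= ROLE_PERMS.getOrDefault(role, 0L);
            todo.addAll(JUNIORS.getOrDefault(role, List.of()));
        }
        return mask;
    }

    // User Dynamic Constraint Mask: clears bits that only a blocked role would grant.
    // A role is blocked when a mutually exclusive role was activated earlier in the session
    // (this sketch compares directly activated roles only, not inherited ones).
    static long udcm(List<String> activationOrder) {
        List<String> allowed = new ArrayList<>(), blocked = new ArrayList<>();
        for (String role : activationOrder) {
            boolean conflict = EXCLUSIVE.stream().anyMatch(
                pair -> pair.contains(role) && allowed.stream().anyMatch(
                    a -> !a.equals(role) && pair.contains(a)));
            (conflict ? blocked : allowed).add(role);
        }
        return ~(acm(blocked) & ~acm(allowed));
    }

    // Permissions stored in the session: union over roles, filtered by the dynamic constraints.
    static long sessionPermissions(List<String> activationOrder) {
        return acm(activationOrder) & udcm(activationOrder);
    }

    public static void main(String[] args) {
        long p = sessionPermissions(List.of("clerk", "auditor", "manager"));
        System.out.println("READ=" + ((p & READ) != 0) + " WRITE=" + ((p & WRITE) != 0)
            + " APPROVE=" + ((p & APPROVE) != 0) + " ADMIN=" + ((p & ADMIN) != 0));
    }
}
```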
Keywords/Search Tags: RBAC, MD5, Access Control, Mark, JSP, JavaScript, Database