
Role-based Access Control in J2EE and Expansion

Posted on: 2007-02-19
Degree: Master
Type: Thesis
Country: China
Candidate: J H Wu
Full Text: PDF
GTID: 2208360185491331
Subject: Computer application technology

Abstract/Summary:
Access control is one of the key theories of information security. Among access control mechanisms, Role-Based Access Control (RBAC) is the most widely used in the enterprise development market. Standard RBAC comprises Core RBAC, Hierarchical RBAC and SoD (Constrained) RBAC. J2EE is the most popular platform for enterprise development, and its access control mechanisms are mainly built on RBAC. However, J2EE's role mechanism differs considerably from standard RBAC. For example, a J2EE role is simply a set of permissions. Furthermore, J2EE's RBAC does not support hierarchical relations or SoD relations, and it cannot be managed dynamically at runtime.

This paper first studies RBAC and J2EE's access control mechanism. It analyzes the differences between J2EE's role mechanism and standard RBAC and then summarizes in detail the shortcomings of J2EE's role mechanism. Based on these results, the paper designs an extended standard RBAC model for the J2EE environment. It then implements an extension system, JERS (J2EE Extended RBAC System), based on the extended model. The system takes advantage of basic J2EE mechanisms and standards, such as JACC (Java Authorization Contract for Containers) and JAAS (Java Authentication and Authorization Service), and is independent of deployed applications. The system also makes up for some other shortcomings of J2EE's security and is shown to be an applicable extension system for J2EE's access control.
Keywords/Search Tags: RBAC, J2EE, Security, Access Control, JACC, JAAS