
Based On The J2EE Web Application Security Framework For Research And Application

Posted on: 2009-03-15
Degree: Master
Type: Thesis
Country: China
Candidate: Y R Meng
GTID: 2208360272460069
Subject: Computer technology
Abstract/Summary:
With the growth of the network, many applications have moved from the original C/S (client/server) mode to the online B/S (browser/server) mode. The emergence of large-scale enterprise applications such as online bookstores, e-shops, online news platforms and technical information platforms raises a major problem: the conflict between agility and security. Faced with flexible requirements and huge data resources that need protection, solving this problem becomes ever more pressing. Existing security frameworks based on J2EE have several typical problems: (1) security configuration is complex and online updates cannot be achieved; (2) the kernel authorization model is too simple and difficult to change; (3) fine-grained access control (entity-class access control) is not supported. The goal is therefore to design a general security framework that is easy to extend and deploy and that shields the web application comprehensively.

The thesis starts from the characteristics of Java and its standard security mechanisms, and proceeds step by step to a thorough understanding of the J2EE security mechanism. Following the J2EE kernel hierarchical model, and combining it with the characteristics of J2EE applications and architecture, it studies the security problems of every tier in J2EE and designs and analyzes a security strategy for every layer. Based on an MVC-based open-source framework, it realizes the application and extension of the existing security framework. The plug-in security framework is designed with emphasis on pluggability, portability, ease of deployment and flexibility, so that it suits lightweight enterprise deployment.

The design of the security framework concentrates on two typical aspects: application deployment and the extension of the kernel security model. Using the IoC (Inversion of Control) of the Spring framework, it realizes dynamic loading of deployment information. It takes advantage of AOP (Aspect-Oriented Programming) to give the application agility, and combines other module-level frameworks to shield every tier from outside threats or intrusion. To meet enterprise authorization requirements, the ACL model of the existing security framework is replaced by an RBAC model, making the authorization mechanism of the whole application more flexible. Fine-grained access control based on an object-level security mechanism is explored: queries are optimized and result collections are filtered to restrict access to entities (rows) or properties (columns), and design patterns are used to build secure general classes (especially abstract classes) and general interfaces, giving the J2EE application all-round security protection.

The final aim is a security framework that can follow diverse requirements and be deployed dynamically. Its main points are storing the security configuration in a database and dynamically configuring fine-grained access control, so that the application can update its configuration without restarting the web server. This reduces the coupling between business services and security, lets the system be installed like a plug-in framework that serves various applications, and merges agility and security.
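As an added example (not the thesis author's code), the following Java class sketches the entity-level (row) and property-level (column) filtering described above: a role's permission, kept in a reloadable in-memory table standing in for the database-backed configuration, decides which rows a user may see and which columns of each row are returned. All class, record and role names here are assumed for illustration.

```java
import java.util.*;
import java.util.function.BiPredicate;

// Added example, not code from the thesis: RBAC-driven filtering of a query result
// at entity (row) and property (column) granularity. The role permissions live in a
// reloadable table that stands in for the database-backed configuration.
public class EntityAccessFilter {
    // Constructed sample entity: an order with several properties (columns).
    public record Order(int id, String owner, double amount, String cardNumber) {
        Map<String, Object> properties() {
            return Map.of("id", id, "owner", owner, "amount", amount, "cardNumber", cardNumber);
        }
    }

    // One role's permission: which rows the current user may see, which columns are readable.
    public record Permission(BiPredicate<String, Order> rowRule, Set<String> columns) {}

    // Hypothetical policy store; swapped atomically on reload, so no server restart is needed.
    private volatile Map<String, Permission> policy = Map.of();

    public void reload(Map<String, Permission> fresh) { policy = Map.copyOf(fresh); }

    // Filter a result collection for the given role and user. An unconfigured role gets nothing.
    public List<Map<String, Object>> filter(String role, String user, List<Order> result) {
        Permission p = policy.get(role);
        List<Map<String, Object>> out = new ArrayList<>();
        if (p == null) return out;
        for (Order o : result) {
            if (!p.rowRule().test(user, o)) continue;          // entity-level (row) control
            Map<String, Object> visible = new LinkedHashMap<>();
            o.properties().forEach((k, v) -> { if (p.columns().contains(k)) visible.put(k, v); });
            out.add(visible);                                  // property-level (column) control
        }
        return out;
    }

    public static void main(String[] args) {
        EntityAccessFilter f = new EntityAccessFilter();
        List<Order> rows = List.of(new Order(1, "alice", 99.0, "4111-xxxx"),
                                   new Order(2, "bob", 250.0, "5500-xxxx"));
        // Constructed policy: clerks see only their own orders and never the card number;
        // auditors see every row but only the id and amount columns.
        Map<String, Permission> cfg = new HashMap<>();
        cfg.put("clerk", new Permission((u, o) -> o.owner().equals(u), Set.of("id", "owner", "amount")));
        cfg.put("auditor", new Permission((u, o) -> true, Set.of("id", "amount")));
        f.reload(cfg);
        System.out.println(f.filter("clerk", "alice", rows));   // alice's own row, card number withheld
        System.out.println(f.filter("auditor", "carol", rows)); // both rows, id and amount only
        System.out.println(f.filter("guest", "carol", rows));   // role not configured: empty list
    }
}
```

Because the policy map is replaced as a whole, a fresh configuration read from the database can be applied with a single reload call while requests keep running, which is the dynamic-deployment property the abstract asks for.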
Keywords/Search Tags: Security Framework, J2EE, Role Based Access Control, Fine-Grained Access Control, Dynamic Deployment, Plug-in Security Mechanism