Based On J2EE Lightweight Framework For Secure Web-based Research And Application

Posted on: 2010-03-19
Degree: Master
Type: Thesis
Country: China
Candidate: D D Hong
Full Text: PDF
GTID: 2208360275482826
Subject: Information and Communication Engineering
Abstract/Summary:
With the development of information infrastructure in universities, campus users place high demands on information security. In recent years, the J2EE framework has become an important technique for building information systems in universities. Secure access control schemes for the J2EE framework have therefore received wide attention from researchers and developers. In particular, the Role-Based Access Control (RBAC) technique has played an irreplaceable role in the security control of university information systems. However, access control based on the traditional J2EE framework is not perfect, and the advantages of combining J2EE and RBAC have not been sufficiently investigated. This thesis therefore focuses on reducing the overhead of the traditional J2EE framework. The aim is to improve secure access control and to develop a lightweight secure web architecture for J2EE.

First, this thesis investigated the advantages and disadvantages of the traditional J2EE framework. The primary advantage was that EJB (Enterprise JavaBeans) made program modules easier to develop, more reusable and more portable. The disadvantage was that the heavyweight EJB increased the requirements on the web server. If the complicated EJB API is not used appropriately, the performance of the application system may decrease.

Second, the security scheme was investigated, especially the concepts of J2EE authentication and authorization and the mechanism, advantages and disadvantages of the Java Authentication and Authorization Service. We find that a perfect J2EE security facility should provide strong assurance for the secure access control of application systems, and that developers must optimize J2EE secure access control during system development. In particular, they should optimize the traditional RBAC model to implement a pluggable and scalable lightweight secure web architecture.

Third, based on the preceding research, this thesis proposed a scheme for restructuring the recently popular open-source frameworks (i.e. Struts, Spring and Hibernate), and constructed a novel lightweight web architecture that satisfies the traditional theory of the J2EE framework, based on the Inversion of Control (IoC) technology of Spring, the Aspect-Oriented Programming (AOP) technology of Struts and the database management of Hibernate. To better support security access control in the lightweight framework, a unified access authentication and authorization subsystem for Single Sign-On was constructed on Spring Acegi + JA-SIG CAS 3.0. In the framework, CAS 3.0 is responsible for the authentication module of the Single Sign-On subsystem, using data from the database, and Spring Acegi is used to implement the dynamic, fine-grained, pluggable authorization module. By combining these two techniques, the application authenticates the user's identity at the entry point, using the principle of least authority to protect the security of the system.

Finally, a government affairs openness system for a university was developed. In this system, the research on the J2EE lightweight secure web architecture was applied and implemented. The designs of the database, static business objects, security control module and system management module in the back-end management subsystem are introduced. By introducing the concept of a resource into the traditional RBAC model, a database-based fine-grained RBAC control is implemented. The results of the implementation are also demonstrated in detail.
Keywords/Search Tags:Role-Based Access Control, lightweight framework, IoC, AOP