
Research And Application Of Access Control In B/S Applications Based On SSH

Posted on: 2015-07-10
Degree: Master
Type: Thesis
Country: China
Candidate: D D Zhang
Full Text: PDF
GTID: 2298330431464380
Subject: Computer application technology
Abstract/Summary:
With the rapid development of digitization and information technology, we have entered the information age, and information technology products can be seen everywhere in production and daily life. Because they make it easy to provide network information services, B/S applications are widely used in online banking, network education, cooperative office work, and so on. However, these Web applications are not absolutely safe in operation, and security issues arising from the network, the systems, and the Web applications themselves emerge endlessly. For B/S applications in particular, the security issues are more prominent. Access control, as one aspect of security control, is indispensable in B/S applications, so a robust access control feature is the goal of this work.

This paper studies the problems of insufficient access control over URL address requests, methods in the service layer, and system page navigation, and of inconvenient management caused by tight coupling of business logic and access control logic.

First, access control theory and technology are studied. By analyzing the concepts and policy requirements of access control, and the characteristics and scope of traditional access control, this study focuses on the role-based access control (RBAC) model, which is more suitable for B/S applications and can effectively reduce the complexity of rights management and improve management flexibility, and chooses it as the basic model for implementing the access control framework in this paper.

Secondly, based on RBAC and on the design ideas of Spring Security, which performs authentication and authorization through the filter chain, this paper improves on this design and designs and implements an access control framework for B/S applications based on the SSH framework. For rights management, this framework extends the authentication and authorization modules of Spring Security. By defining interface implementation classes, designing operation interfaces for user-role-resource management, dynamically constructing the resource access control list, and using Spring AOP technology and a bit-operation access control method, it realizes custom data tables, dynamic management of users, roles and resources, and access control over URLs, methods in the service layer and system page navigation, and it decouples the business logic from the access control logic.

Finally, the rights management framework is applied to a B/S application based on the SSH framework. Testing shows that this framework realizes dynamic management of user-role-resource, effectively reduces the complexity of rights management, and at the same time exerts effective control over authentication and authorization.
Keywords/Search Tags: RBAC, access control, Spring Security, B/S application, SSH