Research And Implementation On Access Control And Security Audit Of Vertical Bussiness Development Platform

With the rapid development of computer technology, a variety of applications in the scientific, society, military and other fields have been widely used. The security issues of application such as authentication, access control and security audit are the core and necessary module for every application system. Portrait of business development platform is the basis for Chinese Academy of Engineering Physics to build other application systems, which includes the vast majority of common security. However, the old version of platform in the same security function module be rarely reused and presents a highly coupled with business modules, result in much changes are required in the development of different business application systems, some even need to redesign the same security module. Upgrading and improving the platform and providing a common security module that contains most of the common function has become a serious problem.To solve these problems and combine with Chinese Academy of Engineering Physics and its affiliate’s actual development needs, the advantages and disadvantages of existing application systems are analyzed, extract the part of security needs for the development platform is extracted, and a middle and small application system for constructing other common security is designed. The system has a good characteristics of scalability and uncoupled with the service module.The system uses B/S architecture and integrates J2EE framework to build a development platform and uses the front-end web framework MiniUI, Spring and Hibernate framework. Browser end software is used for system administrators and users, it includes three functional modules, namely access control, security audit and task scheduling. In the aspect of access control, a fine-grained access role model (FG-RBAC) is proposed. The model improves the control grain in users, roles and permissions respectively based on the actual needs. As a result, a more detailed and more comprehensive access control functions are achieved. For security audit, the system can record the user operation to the system in real-time, make the page configurable dynamically and record security audit information. According to the different audit results, different responses are made. Task scheduling can manage temporary users, temporary roles and audit information. The three main functional blocks can be separated from of the business modules with maximum extent. As a result, different business application can be done by modifying the existing codes small-scale and configuring the page dynamically. Web server uses MVC model and it exchanges data with client through the Servlet in the control level. Database server uses the Oracle lOg with a high safety.In order to verify the effectiveness and correctness of the system, on the basis of the scalability of the system three business modules are directly added to test and verify the functions of access control, security audit and task scheduling. The test results show that the system has good scalability and versatility, configuration flexibility, and operation stable.