SOA is an important means of publishing and accessing network resources, but a network based on SOA is often built on an open and heterogeneous public network that is easily threatened by both internal and external causes. In a service-oriented environment, access control, which includes identity authentication and authorization, is a very important part of the security requirement. Therefore, it is of great significance to study access control technology, including authentication and authorization, under the service-oriented system framework, and the design and implementation of a cross-domain authentication and authorization system becomes very meaningful.

This paper first analyzes the requirements of a cross-domain identity authentication and authorization system, based on a full study of the relevant technology, and works out an overall framework for such a system. According to these requirements, the paper designs and implements an intra-domain identity authentication system. Based on a public key infrastructure (PKI) certificate authority, this system implements the intra-domain login function using PKI authentication technology. Building on the intra-domain authentication, the paper achieves cross-domain authentication using two methods: certificate chains and signature tokens. A certificate chain can connect the domains easily: each domain can establish a trust relationship through certificate chain verification without building an intermediary arbitration organ. Token authentication gives a user a token after a successful authentication, which provides credentials for subsequent authorization and other operations. At the end of this section, the paper makes a security analysis of the implemented system, showing that the system has good security while guaranteeing its basic functions.

This paper then proposes a dynamic authorization mode based on the existing ABAC model, after which a cross-domain authorization system with attribute mapping and trust relationship management is implemented by analyzing the basic problems of cross-domain authorization. The attribute mapping service defines a set of attribute mapping rules; by applying these rules, a user from an outer domain can make attributes that were originally not applicable in the visited domain available there. In this way, the user from the outer domain can be authorized successfully while his private attributes remain invisible to others. The trust relationship management quantifies the relationship between the domains as a value used to manage the authorization service, which improves the security of the system, and the trust value can be dynamically adjusted according to the result of authorization. Finally, the paper tests the implemented functions, which proves the correctness and security of the designed system.
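The cross-domain authorization flow described above (attribute mapping into the visited domain, ABAC policy evaluation on the mapped attributes, and a per-domain trust value adjusted by each authorization result) as an added illustration; this is not the thesis's own code, and the mapping rules, policy, attribute names, trust threshold and adjustment step sizes are all constructed assumptions.

```python
# Illustrative cross-domain ABAC authorization with attribute mapping and trust
# management. All rules, attribute names and numeric values are constructed.

# Mapping rules held by the visited domain: (outer domain, outer attribute, value)
# -> (local attribute, value). Attributes without a rule are never exposed locally,
# so the outer user's private attributes stay invisible to the visited domain.
MAPPING_RULES = {
    ("domainB", "role", "researcher"): ("role", "reader"),
    ("domainB", "dept", "lab-7"): ("group", "analytics"),
}

# ABAC policy of the visited domain: allowed local attribute values per (resource, action).
POLICY = {
    ("report", "read"): {"role": {"reader", "editor"}},
    ("report", "write"): {"role": {"editor"}},
}

TRUST_THRESHOLD = 0.5  # constructed: requests from domains below this value are refused


class TrustManager:
    """Quantifies the relationship with each outer domain as a value in [0, 1]."""

    def __init__(self, initial=0.8):
        self.initial = initial
        self.values = {}

    def get(self, domain):
        return self.values.get(domain, self.initial)

    def update(self, domain, granted):
        # Constructed adjustment policy: grants raise trust slowly, denials lower it faster.
        value = self.get(domain)
        value = min(1.0, value + 0.02) if granted else max(0.0, value - 0.1)
        self.values[domain] = value
        return value


def map_attributes(outer_domain, attrs):
    """Translate outer-domain attributes into the visited domain's vocabulary."""
    mapped = {}
    for name, value in attrs.items():
        rule = MAPPING_RULES.get((outer_domain, name, value))
        if rule is not None:
            mapped[rule[0]] = rule[1]
    return mapped


def authorize(trust, outer_domain, attrs, resource, action):
    """Decide a cross-domain request; the result feeds back into the trust value."""
    if trust.get(outer_domain) < TRUST_THRESHOLD:
        return False  # domain no longer trusted enough to be evaluated at all
    local = map_attributes(outer_domain, attrs)
    required = POLICY.get((resource, action))
    granted = required is not None and all(
        local.get(attr) in allowed for attr, allowed in required.items())
    trust.update(outer_domain, granted)
    return granted
```

Note that the mapping step also acts as a privacy boundary: an unmapped attribute such as a national ID number is simply dropped before policy evaluation.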