Web service control mechanism based on PKI and PMI
Technical field
The present invention relates to the field of Web service security, and is a Web service control mechanism based on PKI and PMI that provides authentication and authority control for Web services.
Background technology
PKI (Public Key Infrastructure) is a key management platform that provides the keys and certificates needed by cryptographic services such as encryption and digital signature. Using digital signature technology, PKI can provide four main services: first, authentication, which confirms to one entity that another entity really is who it claims to be; second, integrity, which assures an entity that data have not been modified, whether intentionally or unintentionally; third, confidentiality, which assures an entity that nobody except the intended recipient can understand the critical parts of the data; fourth, non-repudiation, which confirms to an entity that an operation was indeed performed by another entity.
PMI (Privilege Management Infrastructure) is an authority control management platform. It verifies the user's identity on the basis of the PKI system, uses attribute certificates to store the user's access rights, and can prove which resources a user may access and which operations the user may perform on those resources.
A Web service (Web Service) is a software system designed to support interoperable machine-to-machine interaction over a network. In essence, a Web service is a set of network-accessible APIs, and its invocations are executed on the remote system that provides the requested service.
Existing HTTPS-based Web service security solutions cannot provide strong authentication and authority control, yet both are indispensable for e-commerce and e-government.
Summary of the invention
The technical problem to be solved by the present invention is to provide a Web service control mechanism based on PKI and PMI that gives Web service invocations a complete system of strong authentication and authority control, and guarantees the confidentiality, integrity and non-repudiation of Web service invocation messages.
The technical scheme adopted by the present invention to solve the above problem is as follows. The control mechanism comprises a PKI system, a PMI system and a Web service security system. The implementation steps are: the user applies to the PKI system for an identity certificate; using that identity certificate the user then applies to the PMI system for an attribute certificate, which associates the user's identity with one or more roles; a policy certificate predefined by the PMI system binds roles to one or more Web services; when the user invokes a Web service, the Web service security system first has the PKI system check the legitimacy of the identity certificate and then has the PMI system check whether the user has authority to invoke that Web service; only when all checks pass is the user allowed to access the Web service, thereby realizing secure Web service invocation.
The PKI system of the present invention provides public and private key management for users. The user fills in an application form; after an administrator's audit approves it, the user can download the public and private key pair, and the public key certificate is uploaded to the LDAP server. Externally, the PKI system offers the public key certificates of all users for download and can verify the legitimacy of a user's public key certificate.
The PMI system of the present invention provides resource access control. First, the administrator defines the resources that need to be controlled and their types, the operations that can be performed on each resource, the roles with different access authority, and the policy certificate, and uploads the policy certificate to the LDAP server. Holding the identity certificate issued by the PKI system, the user enters the PMI system to apply for an attribute certificate; after the administrator's review passes, the corresponding attribute certificate is generated and likewise uploaded to the LDAP server. Externally, the PMI system provides a resource access control interface whose parameters are the user's identity certificate, the resource to be accessed and the operation to be performed on that resource.
The Web Service security system of the present invention is responsible for the security of both the server end and the client end of a Web service invocation. For the Web service the user invokes, the Web Service security system helps the server end and the client verify each other's identity; at the same time, the server end determines, according to the resource access control configuration of the PMI system, whether this user has authority to invoke that Web service.
Compared with the prior art, the present invention has the following beneficial effects. (1) In the heterogeneous, distributed environment of Web services, authenticating the identity of a client is relatively difficult: when a Web service of one enterprise is invoked, it may in turn invoke a Web service of another enterprise, so how to realize Web service authentication in such a cross-domain environment is a problem that must be solved. The PKI system enables computer users to verify each other's identity without prior arrangement, and so provides a solution for authentication of Web services. The Web service authentication model of this control mechanism is therefore built on PKI: the client and the server end each obtain the other's public key certificate through the PKI system, check the validity of that public key certificate through the PKI system, and verify the other's identity by means of the public key certificate. (2) Ordinary Web applications must decide which resources to open to which users, and the same holds for Web services, since the service itself is a resource. Not every Web service can be opened to every user: an enterprise-level Web service may distinguish paying users from ordinary users, and provide paying users with faster response, higher accuracy and more system resources, so how to realize authority control for Web services becomes an indispensable link. The PMI system provides a cross-domain, unified authority control system for enterprise-level Web applications; it guarantees the integrity and unforgeability of authority-related information and at the same time establishes trust relationships among multiple enterprises, facilitating Web application access between them. The Web service authority control model of this control mechanism is therefore built on the PMI system: before the server processes a SOAP request message for a Web service, it calls the PMI interface to check whether the user has authority to invoke that Web service; if so, processing continues, otherwise an error response message is returned directly and the Web service itself need not do any processing. In summary, this control mechanism adopts PKI- and PMI-based technology to provide strong authentication and access control for Web services.
Description of drawings
Fig. 1 is the flow chart of performing authentication based on the PKI system.
Fig. 2 is the flow chart of performing authority control based on the PMI system.
Embodiment
The main design idea of the present invention is to perform authentication with PKI and authority control with PMI, and thereby secure Web service invocation.
The implementation steps are: the user applies to the PKI system for an identity certificate; using that identity certificate the user then applies to the PMI system for an attribute certificate, which associates the user's identity with one or more roles; a policy certificate predefined by the PMI system binds roles to one or more Web services; when the user invokes a Web service, the PKI system first checks the legitimacy of the identity certificate, then the PMI system checks whether the user has authority to invoke that Web service; only when all checks pass is the user allowed to access the Web service, thereby realizing secure Web service invocation.
This control mechanism comprises a PKI system, a PMI system and a Web Service security system.
The PKI system provides public and private key management for users. The user fills in an application form containing the organization name, user name, validity period and the like; after an administrator's audit approves it, the user can download the public and private key pair, and the public key certificate is uploaded to the LDAP server. Externally, the PKI system offers the public key certificates of all users for download and can verify the legitimacy of a user's public key certificate.
The PMI system provides resource access control. First, the administrator defines the resources that need to be controlled and their types, the operations that can be performed on each resource, the roles with different access authority, and the policy certificate. The policy certificate specifies which roles may perform which operations on which resources, and is uploaded to the LDAP server. Holding the identity certificate issued by the PKI system, the user enters the PMI system to apply for an attribute certificate, stating the validity period, the roles applied for and the like; after the administrator's review passes, the corresponding attribute certificate is generated and likewise uploaded to the LDAP server. Externally, the PMI system provides a resource access control interface whose parameters are the user's identity certificate, the resource to be accessed and the operation to be performed on that resource.
The Web Service security system is responsible for the security of both the server end and the client end of a Web service invocation. For the Web service the user invokes, the Web Service security system helps the server end and the client verify each other's identity; at the same time, the server end determines, according to the resource access control configuration of the PMI system, whether this user has authority to invoke that Web service.
Referring to Fig. 1, the specific flow of performing authentication based on the PKI system is:
(1) The user enters the PKI system, fills in the request form and applies for an identity certificate;
(2) The administrator audits and approves the certificate request, and at the same time uploads the user's public key certificate to the LDAP server;
(3) The user enters the PKI system to obtain the public and private key pair;
(4) The user sends a plaintext SOAP request message; the Web Service security system encrypts the request message with the user's private key, obtains the server's public key certificate from the PKI system and signs the request message, and sends the encrypted and signed request message to the server end;
(5) After the server end receives the request message, the Web Service security system first obtains the user's public key certificate from the PKI system and verifies the message, judging whether the request message has been tampered with or damaged; it then decrypts the request message with the server's own private key, finally obtaining the plaintext request message;
(6) After the server finishes the Web service invocation, it returns a plaintext SOAP response message; the Web Service security system encrypts the response message with the server's private key, signs the response message using the user's identity certificate, and sends the encrypted and signed response message to the client;
(7) After the client receives the server end's response message, the Web Service security system verifies the response message with the server's public key certificate, judging whether the response message has been tampered with or damaged; it then decrypts the response message with its own private key, finally obtaining the plaintext response message.
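As an added illustration of steps (4) and (5), not code from the patent, the following Go program protects a SOAP request on the client side and unprotects it on the server side. It assumes the usual convention that the sender signs with its own private key and encrypts to the recipient's public key, which is what steps (5) and (7) verify and decrypt against; the PKI lookup of the peer's certificate is represented by passing the peer's public key directly, and the request message is a constructed sample.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Envelope is the protected request on the wire: encrypted first, then the ciphertext signed, matching step (4).
type Envelope struct {
	Ciphertext []byte // request encrypted to the server's public key (RSA-OAEP)
	Signature  []byte // RSA-PSS signature over Ciphertext by the user's private key
}

// Protect is the client side of step (4); serverPub comes from the server's public key certificate.
func Protect(req []byte, userPriv *rsa.PrivateKey, serverPub *rsa.PublicKey) (*Envelope, error) {
	// RSA-OAEP only fits short messages; a deployment would wrap a symmetric key here, as WS-Security does.
	ct, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, serverPub, req, nil)
	if err != nil {
		return nil, err
	}
	digest := sha256.Sum256(ct)
	sig, err := rsa.SignPSS(rand.Reader, userPriv, crypto.SHA256, digest[:], nil)
	if err != nil {
		return nil, err
	}
	return &Envelope{Ciphertext: ct, Signature: sig}, nil
}

// Unprotect is the server side of step (5): verify with the user's public key first, then decrypt.
func Unprotect(env *Envelope, serverPriv *rsa.PrivateKey, userPub *rsa.PublicKey) ([]byte, error) {
	digest := sha256.Sum256(env.Ciphertext)
	if err := rsa.VerifyPSS(userPub, crypto.SHA256, digest[:], env.Signature, nil); err != nil {
		return nil, fmt.Errorf("request rejected before decryption: %w", err)
	}
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, serverPriv, env.Ciphertext, nil)
}

func main() {
	userKey, _ := rsa.GenerateKey(rand.Reader, 2048)   // issued to the user by the PKI system
	serverKey, _ := rsa.GenerateKey(rand.Reader, 2048) // issued to the server by the PKI system
	env, _ := Protect([]byte("<soap:Envelope><soap:Body><GetBalance/></soap:Body></soap:Envelope>"), userKey, &serverKey.PublicKey)
	env.Ciphertext[0] ^= 1 // tamper in transit: step (5) must reject before decrypting
	_, err := Unprotect(env, serverKey, &userKey.PublicKey)
	fmt.Println("tampered request rejected:", err != nil)
}
```

The response direction of steps (6) and (7) uses the same two functions with the server's and the user's keys swapped.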
Referring to Fig. 2, the specific flow of performing authority control based on the PMI system is:
(1) The administrator defines the Web service that needs access control as a resource in the PMI system, defines a policy certificate for this resource that states clearly which roles may perform which operations on it, and uploads the policy certificate to the LDAP server;
(2) The user enters the PMI system, fills in the form and applies for an attribute certificate to indicate which roles' authority the user needs;
(3) The administrator reviews the user's application information and uploads the user's attribute certificate to the LDAP server;
(4) After the user sends a SOAP request message to the server end, the Web Service security system obtains the user's attribute certificate from the PMI system according to the user's identity certificate, at the same time obtains from the PMI system the policy certificate of the resource the user is accessing, and matches the two certificates to decide whether the user has authority to access this Web service.
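The certificate matching of step (4), together with the resource access control interface described above (identity certificate, resource, operation), as an added Go example that is not the patent's own code. The certificate structures, the role and resource names and the sample certificates are constructed for illustration, and the holder is assumed to be the subject of an identity certificate the PKI system has already verified.

```go
package main

import (
	"fmt"
	"time"
)

// AttributeCertificate binds the holder of a PKI identity certificate to roles (Fig. 2, step (3)).
type AttributeCertificate struct {
	Holder  string // subject of the user's identity certificate
	Roles   []string
	Expires time.Time // validity period applied for in step (2)
}

// PolicyCertificate states which roles may perform which operations on one resource (Fig. 2, step (1)).
type PolicyCertificate struct {
	Resource string              // the Web service defined as a resource
	Grants   map[string][]string // role -> permitted operations
}

// Authorize is the matching of step (4): holder is the subject of the caller's already verified
// identity certificate; the PMI system is assumed to have checked both certificates' signatures.
func Authorize(holder, resource, op string, ac AttributeCertificate, pc PolicyCertificate, now time.Time) error {
	if ac.Holder != holder {
		return fmt.Errorf("attribute certificate belongs to %q, not %q", ac.Holder, holder)
	}
	if now.After(ac.Expires) {
		return fmt.Errorf("attribute certificate of %q has expired", holder)
	}
	if pc.Resource != resource {
		return fmt.Errorf("policy certificate covers %q, not %q", pc.Resource, resource)
	}
	for _, role := range ac.Roles {
		for _, allowed := range pc.Grants[role] {
			if allowed == op {
				return nil // some role held by the user permits this operation
			}
		}
	}
	return fmt.Errorf("no role of %q permits %q on %q", holder, op, resource)
}

func main() {
	// Constructed sample: ordinary users may look up quotes; bulk queries are reserved for paying users.
	policy := PolicyCertificate{Resource: "QuoteService", Grants: map[string][]string{
		"ordinary": {"GetQuote"}, "paying": {"GetQuote", "BulkQuote"}}}
	now := time.Date(2024, 6, 1, 0, 0, 0, 0, time.UTC)
	ac := AttributeCertificate{Holder: "CN=alice,O=Example", Roles: []string{"ordinary"}, Expires: now.AddDate(1, 0, 0)}
	fmt.Println(Authorize("CN=alice,O=Example", "QuoteService", "BulkQuote", ac, policy, now)) // denied
}
```

Because the policy certificate is consulted before the request reaches the service, a denial costs the Web service no processing at all, as the summary above describes.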