CN101546261A - Secure web page tag library system supported by multiple strategies - Google Patents
Secure web page tag library system supported by multiple strategies Download PDFInfo
- Publication number
- CN101546261A CN101546261A CN200810197231A CN200810197231A CN101546261A CN 101546261 A CN101546261 A CN 101546261A CN 200810197231 A CN200810197231 A CN 200810197231A CN 200810197231 A CN200810197231 A CN 200810197231A CN 101546261 A CN101546261 A CN 101546261A
- Authority
- CN
- China
- Prior art keywords
- module
- information
- user
- role
- page
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Granted
Links
Images
Landscapes
- Storage Device Security (AREA)
Abstract
A secure Java Web application page tag library system supported by multiple strategies comprises a secure logging module, a secure context service module, a strategy definition file, a Web secure server subassembly, a Web security responding generator, a secure tag library and a responding page. The secure Java Web application page tag library system can provide various page tags controlled by secure access on a Web page and basically contains expression forms of all page tags in a JSP tag library, thereby providing a set of high-efficiency integral page developing tag library with a secure access control function for developers. The secure Java Web application page tag library supported by multiple strategies can not only accomplish a basic page HTML control component display function but also display visible and available resources of a user according to the own authority of the user after being installed, and the developers need not carrying out extra coding work.
Description
Technical field
The invention belongs to computer information safety technique, be specifically related to a kind of Web page safety label storehouse based on access control, this system is the improvement to existing Web page-tag storehouse, can carry out security control to the various page elements on the Web page, according to the mandate of each website to the user, page elements can demonstrate specific content at user's authority.
Background technology
Continuous development and raising along with software design technology, especially more and more higher at the requirement of the efficient of Web application and development and quick dirigibility, applicating developing technology (RAD, RapidApplication Development) becomes the hot spot technology in actual engineering development field day by day fast.The core concept of RAD is to develop powerful application program by a whole set of reusable assembly.Thereby Visual Basic, PowerBuilder that people know and Dephi etc. have utilized the component reuse thought of RAD to improve the development efficiency of application program widely, make originally complicated loaded down with trivial details user-interface design and data access implementation procedure simplify greatly.
Access control technology also is provided with obstacle for the exploitation of the Web page when improving resource resource security.Originally the page that can directly just can realize with template, script, instruction and the action element of the page shows, to take a lot of time now and develop the steering logic relevant with user right, and the control of authority of Web system often is embodied in the visible and invisible of page elements, available and unavailable, and on the interior visible content of explicit user authority tolerance band.The program code of realizing the control of Web System Privileges often has very strong reusability, and has occupied whole Web system design and the workload of developing nearly 30%.If Web system business process complexity, and functional module is various, and the size of code of control of authority part also can increase thereupon so.And this part code reusability is big, and different Web systems, or code that also can duplicating property on the difference in functionality module of same Web system bring many extra burdens to the developer.
Tradition Web System Privileges control section development process comprises following steps:
(1) shielded resource inventory in the define system.
(2) user in the define system and user group.
(3) according to user and resource, the access control policy in the define system comprises authority and role.
(4) at Web system development page filtrator, or directly page initialization section is encoded, according to of the visit of access control policy limited subscriber to the page.
This part exploitation is relatively independent with the operation flow of system, but existing all exploitations more than repeating of Web system that rights management is arranged.At first, this exploitation has brought repetition, unnecessary workload, the cost of development of the system of increase for designer and program composition personnel.Secondly, brought unnecessary difficulty for the maintenance of system and code.
Nowadays Acegi (Spring Security) project by American I nterface21 company proposed in 2004 has become the security framework that replaces primary Java EE safe programming model under the Spring framework.It supports the given various people's policies of Java EE standard slightly, mainly comprises based on list (FORM) authentication, based on the BASIC authentication, based on summary (DIGEST) authentication, based on X.509 (CLIENT-CERT) authentication.Protection HTTP request, i.e. Web resource; The operational approach of protection service layer can be at any managed POJO; Protection domain object (Domain Instance); Has transmission channel security flexibly, SSL/TSL; Support the contextual long-range propagation of security, transparent propagation; The authentication of Java EE container adapter is provided, supports Tomcat, JBoss, Resin, Jetty etc.But do not provide the fine granularity access control of control level; May run into RBAC in the actual engineering need cooperate with other mechanism, and Acegi lacks the integrated support of strategy.Can not satisfy safe class etc. and force the access control demand, the protection of data resource is mainly depended on protection to the Web page, operational approach or field, still underaction.Safety label only is convenient to provide the collection and the use of Certificate Authority information, removes this not more meanings.
Summary of the invention
The safe Java Web that the object of the present invention is to provide a kind of many strategies to support uses page tag library system, this system can provide the fine granularity access control of control level to the Web page elements, has flexible, the compatible Collective qualification service authentication of authentication mode, component design and the strong characteristics of reusability.
The safe Java Web that many strategies provided by the invention are supported uses page tag library system, and it is characterized in that: this system comprises secure log module, safe context service module, policy definition module, Web security server assembly, Web security response maker and safety label storehouse;
Definition has the safety label that a cover can import in the safety label storehouse in various Java Web webpages;
The secure log module is used to provide support to two kinds of login modes-based on the single domain authentication mode of secure log assembly and the compatibility mode of CAS single-sign-on; The secure log module is responsible for authenticating user identification, is validated user by the user who authenticates; The single-sign-on client deployment that the secure log module is controlled is in the defined policy document of policy definition module of managed resource; The safety certification that visit is subjected to the user of the node managed resource of secure log module controls must pass through the single logging-on server end; The secure log module receives the input of user's username and password, authenticates, and produces authentication result, if authentication is passed through, the secure log module sends to safe context service module with this authentification of user by sign according to the page link of user's request;
The safe context service module is used for the identity information of initialization login user, and according to the policy definition modules configured, at different delegated strategies, generate and store corresponding activation Role Information, level of security and managed control access strategy position identifiers, offer relevant Web security server assembly and use;
The policy definition module is used for the responsible set of rule that defines and manage based on the access control of safety label, carry out the setting and the access of corresponding safety rule by policy definition document to the xml form, this module is responsible for providing the access control rule to the crucial control of the managed page, is used to describe the relation between user, role, authority, safe level and these security elements;
Web security server assembly is used to resolve the safety label in safety label storehouse, the various security attributes of the security configuration dynamic load response page of realizing the secure binding of data and provide according to the safe context service module when the request of customer in response end offer Web security response maker with the component states after controlled;
The status information that Web security response maker provides according to Web security server assembly, what the decision respective page was last presents the interface, is corresponding target identification language format with the format conversion of safety label, for browser returns the unified security response page.
The system of said structure can provide the various page-tag that are subjected to safe access control in the system, basically the form of expression that contains all page-tag of JSP tag library, for the developer provides the full access control function in a cover Jian interior, efficient, complete page development tag library.Native system proposes the complete RAD solution of a cover at safety Java Web application and development, comprise that design realizes one group of reusable security component, being used to encapsulate the user interface that has security attribute shows and data access function, the support of corresponding safe Web tag library is provided simultaneously, and utilize the technology of playing up to realize the standard HTML of security component label is resolved, make it to be applicable to the Web development environment of the overwhelming majority.Provide at security component on the basis of security attribute, utilize XML language definition and describe corresponding security strategy deployment document, support access control (RBAC) simultaneously and force access control (MAC) mechanism based on the role, and expansion support by relational database (RDBMS) definition security strategy is provided, realize that a cover is flexibly easily based on the safe access control realization mechanism of assembly granularity.Particularly, the present invention has following advantage:
(1) support quick application and development: the developer only need using system definition tag name define the required various controls of its page as prefix in the page, do not need to develop extra code modules, just can realize the demand of control level access control.And label uses flexibly, and is portable strong.
(2) control level fine granularity protection: the access control granularity of traditional application system that is to say in general nothing more than module level and page-level, and its policy configurations is generally only formulated the user to the visit of module and the user access rule to the page.Native system can provide the fine granularity control of control level, and it is as seen still invisible, available or unavailable to the active user to define control, and for the active user, control should show addressable resource in which extent of competence.
(3) authentication mode is flexible, compatible Collective qualification service (CAS, Central AuthenticationService) authentication: native system provides polytype authentication mode, the user can select to login in the mode of letter of identity in based on the single domain authentication mode of secure log assembly, also can select to login with username and password.Native system compatible CAS authentication does not simultaneously need the developer to do extra programing work, and a plurality of application systems just can be used the single-sign-on between this tag library realization multisystem.
(4) component design, reusability is strong: the design of native system all is based on the assembly exploitation, and each functional module all independently becomes assembly, and reusability is strong.Each module all provides sufficient API for calling, and can adapt to the developer more easily and carry out secondary development according to demand.
Description of drawings
Fig. 1 is the structural representation of system of the present invention.
Fig. 2 is a system flowchart in the system of the present invention.
Fig. 3 is the structural representation of a kind of embodiment of system of the present invention.
Fig. 4 is a system information storage organization synoptic diagram in the system of the present invention.
Fig. 5 is a user profile data store organisation synoptic diagram in the system of the present invention.
Fig. 6 is the appointment relation data storage organization synoptic diagram that the user organizes the user in the system of the present invention.
Fig. 7 is the appointment relation data storage organization synoptic diagram that the role organizes to the user in the system of the present invention.
Fig. 8 is to the operation information data store organisation synoptic diagram of control in the system of the present invention.
Fig. 9 is the appointment relation data storage organization synoptic diagram that control is operated the role in the system of the present invention.
Embodiment
The present invention is further detailed explanation below in conjunction with accompanying drawing and example.
As shown in Figure 1, the safe Java Web application page tag library system that provides many strategies to support provided by the invention comprises secure log module 100, safe context service module 200, policy definition module 300, Web security server assembly 400, Web security response maker 500 and safety label storehouse 600.
Secure log module 100 provides simultaneously to the support of two kinds of login modes-based on the single domain authentication mode of secure log assembly and the compatibility mode of CAS single-sign-on.Secure log module 100 is responsible for authenticating user identification, is validated user by the user who authenticates; The single-sign-on client deployment that secure log module 100 is controlled is in the policy definition module 300 defined policy document of managed resource; The safety certification that visit is subjected to the user of the node managed resource of secure log module 100 controls must pass through the single logging-on server end.The present invention can adopt different frameworks to realize single-sign-on: the mode of (1) centralized certificate server: set up centralized certificate server and the single-sign-on client deployment can be realized single-sign-on in each resource website.Server end safeguards that overall user name password table is to realize unified certification.(2) user cipher mapping mode: safeguard user's mapping table in single logging-on server, same user is shone upon in the different user name of different resource website, can realize the single-sign-on function.
Secure log module 100 receives the input of user's username and password, authenticate, produce authentication result, if authentication is passed through, secure log module 100 sends to safe context service module 200 with this authentification of user by sign according to the page link of user's request.
The identity information of safe context service module 200 initialization login users, and according to the configuration of policy definition module 300, at different delegated strategies, generate and store corresponding activation Role Information, level of security and managed control access strategy position identifiers, use for relevant Web security server assembly 400.
Policy definition module 300 is responsible for the set of rule of definition and management " based on the access control of safety label ", carry out the setting and the access of corresponding safety rule by policy definition document to the xml form, this module is responsible for providing the access control rule to the crucial control of the managed page, is used to describe the relation between user, role, authority, safe level and these security elements.
Web security server assembly 400 is used to resolve the safety label in safety label storehouse 600, the various security attributes of the security configuration dynamic load response page of realizing the secure binding of data and provide according to safe context service module 200 when the request of customer in response end offer Web security response maker 500 with the component states after controlled.
The status information that Web security response maker 500 provides according to Web security server assembly, what the decision respective page was last presents the interface, with the format conversion of safety label is corresponding target identification language format (as html tag), finally returns the unified security response page for browser.
The total system flow process comprises as shown in Figure 2:
(1) user profile is managed for configuration, its process comprises:
The user describe flow process to as if the administrator, the administrator is managed for configuration the user with authority by the interface that system provides, idiographic flow is as follows:
(1.1) keeper's login module 100 safe in utilization is inputed the user name password.
(1.2) secure log module 100 is provided by the subscriber identity information that provides in log-on message and the policy definition module 300, if authentication is passed through, then obtain this administrator's details (comprising that the user organizes ID etc.) from policy definition module 300 by secure log module 100, and to its open administrator right (can the user right in this keeper's affiliated web site be described and revise), enter step (1.3), otherwise return login failure information, withdraw from flow process.
(1.3) keeper is by policy definition module 300 configure user information (comprising user name, password, website, user place, user's group etc.), and it is kept in the policy definition document of xml form.The keeper is configured and manages by policy definition module 300 pairs of user profile, subscriber group information and site information, and these configurations are deposited to the policy definition document of xml form the most at last.
(2) according to the various security attributes of the configuration dynamic load response page of policy definition module 300, generate the page that the active user finally sees, its process comprises:
Main body is a Web security response maker 500 in the page flow for displaying.The status information that provides according to respective server assembly 400, the format conversion of the safety label that safety label storehouse 600 is provided is corresponding target identification language html format, and the decision respective page is last presents the interface, and idiographic flow is as follows:
(2.1) developer is when the Web application module of various actual engineering demands for security is satisfied in exploitation, the safety label that definition tag library 600 is provided in the page, be provided with by unique safe ID in policy document simultaneously each safety label, define various safety rules based on the control granularity, these safety rules are written into the policy definition document of xml form by policy definition module 300.
(2.2) Web security response maker module 500 is directly resolved safety labels 600 by Web security server assembly 400, realizes the secure binding of data and the various security attributes of the configuration dynamic load response page control of the corresponding safety rule that provides according to policy definition module 300 when the request of customer in response end.
(2.3) status information that provides according to respective server assembly in the Web security server assembly 400 of Web security response maker module 500, what the decision respective page was last presents the interface, with the format conversion of safety label is corresponding target identification language format (as html tag), finally returns the unified security response page for browser.
(3) provide page-tag security attribute customization function to the developer, its process comprises:
(3.1) page-tag security attribute customization flow process to as if the application system development personnel, the developer at first imports tag library the engineering of exploitation, when the exploitation page, in page order element, state this tag library:<%@taglib uri=" taglibURI " prefix=" tagPrefix " %〉with taglib, wherein uri is used for representing the label descriptor, tell how container finds label description document and safety label storehouse 600, prefx is defined in the prefix of using this label in the JSP page.
(3.2) in the page use<prefix:tag attribute=value.../definition has the page elements of access control function, wherein definition has the role of tag access authority in tag attributes.When having only the active user to have in the tag attributes defined role, could visit this label substance.The role is stored in by policy definition module 300 in the policy definition document of xml form user's assignment information, during user to access pages, by the various security attributes of the managed control of Web security server assembly 400 dynamic load response pages.
(3.3) pass through policy definition module 300 defines user and role in the policy definition document of xml form corresponding relation, the native system compatibility is based on role's access control rule and pressure access control rule.The access control right of various control resources is assigned to the user by the role, the access role of definition control in the control property on the page.The benefit of this mode is: if system is huge, and number of users and page control enormous amount, but role's quantity of user is limited, so just can reduce the complexity of defined policy document in the policy definition module 300 dramatically.In the present invention simultaneously, the user can be organized into user's group, defines the role that user's group is had then, and like this, even number of users is huge, but the quantity of user's group is limited, and the appointment relation that the user organizes the role also can be relatively limited.
Specify the concrete formation that the present invention uses each several part in the page tag library system below for example.
As shown in Figure 3, secure log module 100 comprises SIM system information management module 110, subscriber information management module 120, subscriber group information administration module 130 and user authentication module 140.
SIM system information management module 110 provides the interface of configuration-system information for the keeper.The keeper passes through the registration of the realization of the policy information access module 310 in the policy definition module 300 to resource system on controlled SIM system information management module 110, log-on message comprises: the default subscribers login parameters of the login URL of systematic name, system home page URL, system, the access control policy of system and each connector, as shown in Figure 4.Submit the modification information to system to policy information access module 300 after administrator configurations finishes, configuration and modification information that 350 couples of keepers of XML access management module submit to are preserved.
Subscriber information management module 120 makes the keeper can visit and revise the user profile in institute's configured strategy definition document in the policy definition module 300 for the interface that the keeper provides configure user information.Each system manager obtains the system identifier of own system according to the system name in the SIM system information management module 110, and carry out the configuration (promptly disposing the user that all and keeper have same site ID) of this system user information by subscriber information management module 120, and by policy definition module 300 write-in policies definition document according to this system identifier.User profile specific descriptions method is as follows: each user has user ID, password, rank attributes such as (if graded access controls) in the user message table, as shown in Figure 5.The modification of submitting to user message table to policy information access module 310 by subscriber information management module 120 after administrator configurations finishes, wherein mainly comprise user name, user login code etc., configuration and modification information that 350 couples of keepers of XML access module submit to are preserved.
Subscriber group information administration module 130 provides a description the interface of user's group and user's corresponding informance for the keeper.For the system in a certain exploitation, its number of users may be a lot, and access control policy also may be different, but always having many users has identical authority, such as all same level clerks of same section office, the authority in certain system is consistent.Just the user who has identical authority on the same system can be classified as same user's group.Like this, various at system user, under the various situation of page control, it is relatively easy according to user right the user being divided into groups.The advantage of organizing the description user right by the user can also reduce the scale that subscriber policy defines document except the concrete access control policy that description person does not need to understand system.Though a Web system has the URL and the user that can reach in a large number, can be user's group of negligible amounts with user attaching, this just makes resource description become possibility.In the highly organized Web system because most of user has identical access rights, these user profile can be positioned in same user organizes, even the Web system does not have the user that will have identical access rights to be classified as same user's group, even the access control fine size is neither identical to each user's authority, the present invention also can be described each user, has improved the flexibility ratio of system.
The access control right setting that subscriber group information administration module 130 provides according to the keeper, conclusion subscriber group information, and pass through policy information access module 310 with subscriber group information write-in policy definition document.
The keeper is provided with the subscriber group information table according to the access control right of information in SIM system information management module 110 and the subscriber information management module 120 and system.Attribute in the subscriber group information table has: user ID, the user organizes ID etc., as shown in Figure 6.User and user's group satisfy the relation of multi-to-multi, and promptly a user can belong to a plurality of user's groups, and user's group can have a plurality of different users.The modification information that the keeper submits to the subscriber group information table to policy information access module 310 after setting completed, the user that 350 couples of keepers of XML access module submit to organizes setting and modification information is preserved.
Safe context service module 200 comprises user right information initializing module 210, Role Information active module 220 and control access control decision-making module 230.
User right information initializing module 210 is obtained the subscriber group information at active user place according to the user ID that provides in the user authentication module 140 in policy definition module 300 defined policy document, offer role's active module 220.
Role's active module 220 obtains all Role Informations of active user according to active user's subscriber group information in policy definition module 300 defined policy document, and activation all roles that can activate that the active user assigned, further generate and activate Role Information, use for control access control role module 230.
Control access control decision-making module 230 obtains and generates corresponding level of security information and managed control access strategy position identifiers according to active user's activation Role Information in policy definition module 300 defined policy document, use for managed control and safety label.
Policy definition module 300 comprises: policy information access module 310, Role Information administration module 320, user organize role's assignment information module 330, role's page control operation assignment information module 340 and XML access management module 350.
Policy information access module 310 is used for access system information, user profile, subscriber group information, user and user's configuration set information, Role Information, user and organizes role's assignment information and role's page control operation assignment information.
Role Information administration module 320 is for the keeper provides the interface of configuration Role Information, makes the keeper can visit and revise Role Information in 300 configured strategy of policy definition module definition document.The system manager obtains the system identifier of own system according to the system name in the SIM system information management module 110, and carry out the configuration (promptly disposing the user that all and keeper have same site ID) of this system actor information by Role Information administration module 320, and by policy definition module 300 write-in policies definition document according to this system identifier.Role Information specific descriptions method is as follows: each role has role ID, role name, rank attributes such as (if graded access controls) in the Role Information.Administrator configurations finishes rear overhang angle look information description module 320 to the modification information of policy information access module 310 submissions to Role Information, wherein mainly comprise role name, rank etc., configuration and modification information that 350 couples of keepers of XML memory management module submit to are preserved.
The user organizes role's assignment information module 330 and for the keeper provides user's authority is assigned interface, user's authority is assigned to each user's group by role's form, and the role that the user in the same subscriber group passes through to be assigned has the access control right identical to control in the page.The data structure that the user organizes role's assignment information as shown in Figure 7.The keeper describes the back and organizes role's assignment information module 330 is submitted role's appointment that the user is organized to policy information access module 310 modification information by the user, comprise mainly that wherein the user organizes ID, role ID etc., description and modification information that 350 couples of keepers of XML memory management module submit to are preserved.
Role's page control operation assignment information module 340 is assigned interface for the keeper provides to role's authority, and role's authority is mainly reflected on the operating right to control in the page.To the data structure of the operation of control definition as shown in Figure 8.After having defined the various operations on the page control, promptly can be the operating right of role's appointment on control.The data structure of role's page control operation assignment information as shown in Figure 9.Administrator configurations finishes rear overhang angle look page control operation assignment information module 340 to the modification information of policy information access module 310 submissions to the role-security appointment, wherein mainly comprise role ID, page ID, control ID, operation ID etc., configuration and modification information that the 350 couples of keepers of XML memory management module submit to are preserved, and the page control setting after the preservation will be in security attribute load-on module 420 modules of Web security service assembly 400 sets a property as authority and is loaded realization.
The XML memory management module more than 350 pairs information store with the form of XML document.
Web security server assembly 400 comprises: safety label parsing module 410, security attribute load-on module 420 and label data binding module 430.
Safety label parsing module 410 is mainly used to resolve safety label and the attribute that defines on the page.Safety label defines with XML, is referred to as label definition file 610.The server end technology refers to JSP among the present invention, use the non-HTML grammer among the present invention in the html file the inside, and server creates and provide the content of html format on the basis of these codes.When browser or page development instrument such as Dreamweaver etc. detect non-html tag among the present invention, the defined file 610 that the label that provides among the present invention can be provided come comparison they, these files are specified browsers or page development instrument how to read and are shown these labels.
Security attribute load-on module 420 will call label data binding module 430 according to the security attribute that safety label parsing module 410 module parses go out.Comprise the information such as security strategy pattern, accessible role information, minimal security rank and authorization user information that this label uses in the security attribute, can whether assign in the security attribute of this label defined role or have enough safe level according to the active user to show content corresponding.Label data binding module 430 can be come the dynamic binding data according to active user's Role Information and level of security.Same control is dynamic load when moving for different role and the level data that other user provided, such as current list control, when the security attribute of its definition during for certain addressable role that used RBAC strategy and the definition in its role attribute, when having only the active user to assign this role so, system just can could accessed resources tabulate for list control loads this role; When the security attribute of its definition is forced access control policy and defined the minimal level of visit data in its authority levels for using, have only so when user class and reach more than the minimal security rank, system just can load corresponding data for list control, and, make list of controls only demonstrate the data that level of confidentiality is lower than active user's safe level by level of security dynamic binding resource data according to the active user.The final user experiences function of the present invention by label data binding module 430.
The status information that Web security response maker 500 provides according to the respective server assembly is a corresponding target identification language format (as html tag) with the format conversion of safety label, finally returns the unified security response page for browser.Each label produces by relevant assembly.Each assembly all has a security response maker that produces HTML output, with the state of reflection assembly.This process is called as decoding.The unique ID and the currency of the security response maker request framework query expression of page elements object.According to default setting, the ID character string (for example _ id0:_id1 and so on) by the framework assignment.The page behind the coding is sent to browser, and browser shows this page according to common mode.
Many strategies that the present invention proposes are supported safe Java Web to use the importing of page tag library and the back are installed except finishing basic page HTML control Presentation Function, but also can show the resource that this user is visible and available, and do not need the developer to carry out extra coding work according to user's self authority.
The above is preferred embodiment of the present invention, but the present invention should not be confined to the disclosed content of this embodiment and accompanying drawing.So everyly do not break away from the equivalence of finishing under the spirit disclosed in this invention or revise, all fall into the scope of protection of the invention.
Claims (7)
1, the safe Java Web that supports of a kind of many strategies uses page tag library system, it is characterized in that: this system comprises secure log module (100), safe context service module (200), policy definition module (300), Web security server assembly (400), Web security response maker (500) and safety label storehouse (600);
Definition has the safety label that a cover can import in the safety label storehouse (600) in various Java Web webpages;
Secure log module (100) is used to provide support to two kinds of login modes-based on the single domain authentication mode of secure log assembly and the compatibility mode of CAS single-sign-on; Secure log module (100) is responsible for authenticating user identification, is validated user by the user who authenticates; The single-sign-on client deployment that secure log module (100) is controlled is in the defined policy document of policy definition module (300) of managed resource; The safety certification that visit is subjected to the user of the node managed resource of secure log module (100) control must pass through the single logging-on server end; Secure log module (100) receives the input of user's username and password, authenticate, produce authentication result, if authentication is passed through, secure log module (100) sends to safe context service module (200) with this authentification of user by sign according to the page link of user's request;
Safe context service module (200) is used for the identity information of initialization login user, and according to the configuration of policy definition module (300), at different delegated strategies, generate and store corresponding activation Role Information, level of security and managed control access strategy position identifiers, offer relevant Web security server assembly (400) and use;
Policy definition module (300) is used for the responsible set of rule that defines and manage based on the access control of safety label, carry out the setting and the access of corresponding safety rule by policy definition document to the xml form, this module is responsible for providing the access control rule to the crucial control of the managed page, is used to describe the relation between user, role, authority, safe level and these security elements;
Web security server assembly (400) is used to resolve the safety label of safety label storehouse (600), the various security attributes of the security configuration dynamic load response page of realizing the secure binding of data and provide according to safe context service module (200) when the request of customer in response end offer Web security response maker (500) with the component states after controlled;
The status information that Web security response maker (500) provides according to Web security server assembly, what the decision respective page was last presents the interface, with the format conversion of safety label is corresponding target identification language format, for browser returns the unified security response page.
2, the safe Java Web of many strategy supports according to claim 1 uses page tag library system, it is characterized in that:
Web security server assembly (400) comprising: safety label parsing module (410), security attribute load-on module (420) and label data binding module (430);
Safety label parsing module (410) is mainly used to resolve safety label and the attribute that defines on the page;
Security attribute load-on module (420) will call label data binding module (430) according to the security attribute that safety label parsing module (410) module parses goes out;
Label data binding module (430) comes the dynamic binding data to be used for active user's Role Information is carried out the dynamic binding data according to active user's Role Information and level of security.
3, the safe Java Web of many strategy supports according to claim 1 and 2 uses page tag library system, it is characterized in that:
Secure log module (100) comprises SIM system information management module (110), subscriber information management module (120), subscriber group information administration module (130) and user authentication module (140);
SIM system information management module (110) provides the interface of configuration-system information for the keeper; The keeper goes up by the registration of policy definition module (300) realization to resource system in controlled SIM system information management module (110), to policy information access module (300) submission information is revised by system after administrator configurations finishes;
Subscriber information management module (120) makes the keeper can visit and revise the user profile in institute's configured strategy definition document in the policy definition module (300) for the interface that the keeper provides configure user information; After finishing, administrator configurations passes through subscriber information management module (120) to the modification of policy definition module (300) submission to user message table;
Subscriber group information administration module (130) provides a description the interface of user's group and user's corresponding informance for the keeper, and, the subscriber group information write-in policy is defined document by policy definition module (300) according to access control right setting, conclusion subscriber group information that the keeper provides;
User authentication module (140) is compared the information of user's input and the user profile of the middle management of policy definition module (300), if user rs authentication is passed through, then asks safe context service module (200) to obtain the authority information of active user in system.
4, the safe Java Web of many strategy supports according to claim 1 and 2 uses page tag library system, it is characterized in that:
Safety label storehouse (600) comprises label definition file (610) and label standard (620), each tag library file in the label definition file (610) all defines title, type, content model, demonstration standard and the icon of one or more customized label, and the tag library file uses the .xml file extension; Label standard (620) is the bookmark name of XML document definition.
5, the safe Java Web of many strategy supports according to claim 3 uses page tag library system, it is characterized in that:
Safety label storehouse (600) comprises label definition file (610) and label standard (620), each tag library file in the label definition file (610) all defines title, type, content model, demonstration standard and the icon of one or more customized label, and the tag library file uses the .xml file extension; Label standard (620) is the bookmark name of XML document definition.
6, the safe Java Web of many strategy supports according to claim 5 uses page tag library system, it is characterized in that:
Policy definition module (300) comprising: policy information access module (310), Role Information administration module (320), user organize role's assignment information module (330), role's page control operation assignment information module (340) and XML access management module (350);
Policy information access module (310) is used for access system information, user profile, subscriber group information, user and user's configuration set information, Role Information, user and organizes role's assignment information and role's page control operation assignment information;
Role Information administration module (320) is for the keeper provides the interface of configuration Role Information, makes the keeper can visit and revise Role Information in policy definition module (300) the institute configured strategy definition document;
The user organizes role's assignment information module (330) and for the keeper provides user's authority is assigned interface, the keeper describes the back and organizes role's assignment information module (330) to the modification information of policy information access module (310) submission to role's appointment of user's group by the user, and XML memory management module (350) is preserved description and modification information that the keeper submits to;
Role's page control operation assignment information module (340) is assigned interface for the keeper provides to role's authority, administrator configurations finishes rear overhang angle look page control operation assignment information module (340) to the modification information of policy information access module (310) submission to the role-security appointment, XML memory management module (350) is preserved configuration and modification information that the keeper submits to, and the page control setting after the preservation will be in Web security service assembly (400) sets a property as authority and is loaded realization;
XML memory management module (350) is used for the information that receives is stored with the form of XML document.
7, the safe Java Web of many strategy supports according to claim 6 uses page tag library system, it is characterized in that:
Safe context service module (200) comprises user right information initializing module (210), Role Information active module (220) and control access control decision-making module (230);
User right information initializing module (210) is obtained the subscriber group information at active user place according to the user ID that provides in the secure log module (100) in the defined policy document of policy definition module (300), offer role's active module (220);
Role's active module (220) obtains all Role Informations of active user according to active user's subscriber group information in the defined policy document of policy definition module (300), and activation all roles that can activate that the active user assigned, further generate and activate Role Information, use for control access control role module (230);
Control access control decision-making module (230) obtains and generates corresponding level of security information and managed control access strategy position identifiers according to active user's activation Role Information in the defined policy document of policy definition module (300), use for managed control and safety label.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN2008101972310A CN101546261B (en) | 2008-10-10 | 2008-10-10 | Secure web page tag library system supported by multiple strategies |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN2008101972310A CN101546261B (en) | 2008-10-10 | 2008-10-10 | Secure web page tag library system supported by multiple strategies |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN101546261A true CN101546261A (en) | 2009-09-30 |
| CN101546261B CN101546261B (en) | 2011-07-20 |
Family
ID=41193409
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN2008101972310A Expired - Fee Related CN101546261B (en) | 2008-10-10 | 2008-10-10 | Secure web page tag library system supported by multiple strategies |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN101546261B (en) |
Cited By (22)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN102193623A (en) * | 2010-03-11 | 2011-09-21 | 富士施乐株式会社 | Information input assistance device and method |
| CN102347929A (en) * | 2010-07-28 | 2012-02-08 | 阿里巴巴集团控股有限公司 | Verification method of user identity and apparatus thereof |
| CN102456042A (en) * | 2010-10-29 | 2012-05-16 | 金蝶软件(中国)有限公司 | Tab loading method and device as well as communication terminal |
| CN102902916A (en) * | 2012-09-17 | 2013-01-30 | 攀枝花学院 | Authority control method universal for application programs |
| CN102945287A (en) * | 2012-11-29 | 2013-02-27 | 南京睿恒智晟软件科技有限公司 | Java server page (JSP) data automatic paging java standard tag library (JSTL) label technology and application |
| CN103020498A (en) * | 2012-11-19 | 2013-04-03 | 广东亚仿科技股份有限公司 | Intelligent dynamic access control method and system |
| CN103164226A (en) * | 2013-03-15 | 2013-06-19 | 成都三零凯天通信实业有限公司 | Set top box human-computer interface automatic generating method |
| CN103824031A (en) * | 2014-02-28 | 2014-05-28 | 江苏敏捷科技股份有限公司 | Method and system for guaranteeing security of electronic documents by using electronic document security labels |
| CN104462090A (en) * | 2013-09-13 | 2015-03-25 | 方正信息产业控股有限公司 | Method and device for processing data |
| CN105653725A (en) * | 2016-01-22 | 2016-06-08 | 湖南大学 | MYSQL database mandatory access control self-adaptive optimization method based on conditional random fields |
| CN106815303A (en) * | 2016-12-14 | 2017-06-09 | 明博教育科技股份有限公司 | A kind of crumbs navigation implementation method and system based on XML configurations and label |
| CN107045442A (en) * | 2017-03-15 | 2017-08-15 | 武汉斗鱼网络科技有限公司 | The method of controlling switch and system of function button on a kind of Application Program Interface |
| CN107172054A (en) * | 2017-05-26 | 2017-09-15 | 努比亚技术有限公司 | A kind of purview certification method based on CAS, apparatus and system |
| CN107729768A (en) * | 2017-11-03 | 2018-02-23 | 广州视源电子科技股份有限公司 | A kind of page display method, device, Intelligent flat and storage medium |
| CN107925668A (en) * | 2015-07-02 | 2018-04-17 | 康维达无线有限责任公司 | The dynamic authorization frame of resource driving |
| CN108229206A (en) * | 2018-01-09 | 2018-06-29 | 上海中畅数据技术有限公司 | A kind of right management method and system based on tag library |
| CN109344355A (en) * | 2018-09-26 | 2019-02-15 | 北京因特睿软件有限公司 | Automatic returning detection and Block- matching adaptive approach and device for Web evolution |
| CN110427747A (en) * | 2019-06-20 | 2019-11-08 | 中国科学院信息工程研究所 | A kind of authentication identifying method and device for supporting service security to mark |
| CN110839014A (en) * | 2019-10-12 | 2020-02-25 | 平安科技(深圳)有限公司 | Authentication method, device, computer system and readable storage medium |
| CN111339507A (en) * | 2020-02-24 | 2020-06-26 | 杭州数梦工场科技有限公司 | Method, system, equipment and readable storage medium for processing access request |
| WO2020135583A1 (en) * | 2018-12-29 | 2020-07-02 | 北京辰安科技股份有限公司 | Access control method for processing front-end page, and device |
| WO2023078078A1 (en) * | 2021-11-08 | 2023-05-11 | Beijing Bytedance Network Technology Co., Ltd. | Unified data security labeling framework |
Family Cites Families (3)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN1549155A (en) * | 2003-05-14 | 2004-11-24 | 魏 茹 | Dynamic book for documents demonstration and operation based on web |
| CN101174265A (en) * | 2006-11-04 | 2008-05-07 | 吴风勇 | Method for recording and estimating search action of users |
| CN101188005A (en) * | 2006-11-17 | 2008-05-28 | 李建航 | Label-based Internet advertisement publishing method |
-
2008
- 2008-10-10 CN CN2008101972310A patent/CN101546261B/en not_active Expired - Fee Related
Cited By (35)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN102193623B (en) * | 2010-03-11 | 2015-07-15 | 富士施乐株式会社 | Information input assistance device and method |
| CN102193623A (en) * | 2010-03-11 | 2011-09-21 | 富士施乐株式会社 | Information input assistance device and method |
| CN102347929A (en) * | 2010-07-28 | 2012-02-08 | 阿里巴巴集团控股有限公司 | Verification method of user identity and apparatus thereof |
| CN102456042A (en) * | 2010-10-29 | 2012-05-16 | 金蝶软件(中国)有限公司 | Tab loading method and device as well as communication terminal |
| CN102902916A (en) * | 2012-09-17 | 2013-01-30 | 攀枝花学院 | Authority control method universal for application programs |
| CN102902916B (en) * | 2012-09-17 | 2015-09-02 | 攀枝花学院 | The authority control method that application program is general |
| CN103020498A (en) * | 2012-11-19 | 2013-04-03 | 广东亚仿科技股份有限公司 | Intelligent dynamic access control method and system |
| CN103020498B (en) * | 2012-11-19 | 2016-06-22 | 广东亚仿科技股份有限公司 | A kind of intelligent dynamic mandatory control method and system |
| CN102945287B (en) * | 2012-11-29 | 2015-09-09 | 南京睿恒智晟软件科技有限公司 | JSP data automatic paging JSTL stamp methods |
| CN102945287A (en) * | 2012-11-29 | 2013-02-27 | 南京睿恒智晟软件科技有限公司 | Java server page (JSP) data automatic paging java standard tag library (JSTL) label technology and application |
| CN103164226A (en) * | 2013-03-15 | 2013-06-19 | 成都三零凯天通信实业有限公司 | Set top box human-computer interface automatic generating method |
| CN103164226B (en) * | 2013-03-15 | 2016-03-02 | 成都三零凯天通信实业有限公司 | A kind of set top box human-computer interface automatic generation method |
| CN104462090A (en) * | 2013-09-13 | 2015-03-25 | 方正信息产业控股有限公司 | Method and device for processing data |
| CN103824031A (en) * | 2014-02-28 | 2014-05-28 | 江苏敏捷科技股份有限公司 | Method and system for guaranteeing security of electronic documents by using electronic document security labels |
| US10893051B2 (en) | 2015-07-02 | 2021-01-12 | Convida Wireless, Llc | Resource-driven dynamic authorization framework |
| US11451555B2 (en) | 2015-07-02 | 2022-09-20 | Convida Wireless, Llc | Resource-driven dynamic authorization framework |
| CN107925668B (en) * | 2015-07-02 | 2021-08-03 | 康维达无线有限责任公司 | Resource-driven dynamic authorization framework |
| CN107925668A (en) * | 2015-07-02 | 2018-04-17 | 康维达无线有限责任公司 | The dynamic authorization frame of resource driving |
| CN105653725A (en) * | 2016-01-22 | 2016-06-08 | 湖南大学 | MYSQL database mandatory access control self-adaptive optimization method based on conditional random fields |
| CN106815303A (en) * | 2016-12-14 | 2017-06-09 | 明博教育科技股份有限公司 | A kind of crumbs navigation implementation method and system based on XML configurations and label |
| CN107045442A (en) * | 2017-03-15 | 2017-08-15 | 武汉斗鱼网络科技有限公司 | The method of controlling switch and system of function button on a kind of Application Program Interface |
| CN107172054B (en) * | 2017-05-26 | 2020-09-22 | 睿智合创(北京)科技有限公司 | Authority authentication method, device and system based on CAS |
| CN107172054A (en) * | 2017-05-26 | 2017-09-15 | 努比亚技术有限公司 | A kind of purview certification method based on CAS, apparatus and system |
| CN107729768A (en) * | 2017-11-03 | 2018-02-23 | 广州视源电子科技股份有限公司 | A kind of page display method, device, Intelligent flat and storage medium |
| CN107729768B (en) * | 2017-11-03 | 2020-12-22 | 广州视源电子科技股份有限公司 | Page display method and device, intelligent panel and storage medium |
| CN108229206B (en) * | 2018-01-09 | 2021-08-24 | 上海中畅数据技术有限公司 | Authority management method and system based on label library |
| CN108229206A (en) * | 2018-01-09 | 2018-06-29 | 上海中畅数据技术有限公司 | A kind of right management method and system based on tag library |
| CN109344355A (en) * | 2018-09-26 | 2019-02-15 | 北京因特睿软件有限公司 | Automatic returning detection and Block- matching adaptive approach and device for Web evolution |
| CN109344355B (en) * | 2018-09-26 | 2022-03-15 | 北京因特睿软件有限公司 | Automatic regression detection and block matching self-adaption method and device for webpage change |
| WO2020135583A1 (en) * | 2018-12-29 | 2020-07-02 | 北京辰安科技股份有限公司 | Access control method for processing front-end page, and device |
| CN110427747A (en) * | 2019-06-20 | 2019-11-08 | 中国科学院信息工程研究所 | A kind of authentication identifying method and device for supporting service security to mark |
| CN110839014A (en) * | 2019-10-12 | 2020-02-25 | 平安科技(深圳)有限公司 | Authentication method, device, computer system and readable storage medium |
| CN110839014B (en) * | 2019-10-12 | 2022-03-01 | 平安科技(深圳)有限公司 | Authentication method, authentication device, computer equipment and readable storage medium |
| CN111339507A (en) * | 2020-02-24 | 2020-06-26 | 杭州数梦工场科技有限公司 | Method, system, equipment and readable storage medium for processing access request |
| WO2023078078A1 (en) * | 2021-11-08 | 2023-05-11 | Beijing Bytedance Network Technology Co., Ltd. | Unified data security labeling framework |
Also Published As
| Publication number | Publication date |
|---|---|
| CN101546261B (en) | 2011-07-20 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| CN101546261B (en) | Secure web page tag library system supported by multiple strategies | |
| US9256413B2 (en) | Automatic identification of services | |
| US11144333B2 (en) | Service model-oriented software system and operation method thereof | |
| US8140976B2 (en) | Using content aggregation to build administration consoles | |
| CN101127655B (en) | Method and system for integrating existing www systems | |
| US9047462B2 (en) | Computer account management system and realizing method thereof | |
| US7627865B2 (en) | Method and apparatus for accessing instrumentation data from within a managed code environment | |
| CN101547092B (en) | Method and device for data synchronization of multi-application systems for unifying user authentication | |
| CN103324470A (en) | Web system generation method and device | |
| CN101276271A (en) | Method and interceptor system facing to tangent plane programming | |
| CN101388897A (en) | Enterprise portal webpage integration system | |
| CN103761082A (en) | Componential research and development mode and domain driving model combined application development system and platform | |
| CN112149109B (en) | Modularized authority control management method and system | |
| WO2002019102A1 (en) | Web server framework | |
| CN105046146A (en) | Resource access method of Android system | |
| He | Applications deployment on the SaaS platform | |
| CN102902911A (en) | Method for running third-party codes safely in Java virtual computer | |
| CN115865436B (en) | Multi-application multi-page authority management method and device and computer equipment | |
| CN101989197A (en) | System for multiplexing web program permission and method for generating and accessing program | |
| Valkonen | Lessons learned developing a large-scale progressive web application | |
| Nam et al. | An Android Remote Call Vehicle Service for OSGi-Based Unmanned Vehicle Using by a Mobile Device | |
| CN117952070A (en) | Document processing method and related device | |
| Capuano et al. | A Grid Based IMS Learning Design Player: the ELeGI Case Study | |
| Dinesh et al. | Oracle Fusion Middleware Configuration Guide for Oracle Enterprise Repository, 11g Release 1 (11.1. 1.4. 0) E16580-06 | |
| McKeown | Microsoft Azure Essentials Azure Automation |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| C06 | Publication | ||
| PB01 | Publication | ||
| C10 | Entry into substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| C53 | Correction of patent for invention or patent application | ||
| CB03 | Change of inventor or designer information |
Inventor after: Li Ruixuan Inventor after: Lu Zhengding Inventor after: Liu Bin Inventor after: Ma Xiaopu Inventor after: Li Kai Inventor after: Tang Zhuo Inventor after: Lu Jianfeng Inventor after: Hu Jinwei Inventor before: Li Ruixuan Inventor before: Lu Zhengding Inventor before: Liu Bin Inventor before: Tang Zhuo Inventor before: Lu Jianfeng Inventor before: Hu Jinwei |
|
| COR | Change of bibliographic data |
Free format text: CORRECT: INVENTOR; FROM: LI RUIXUAN LU ZHENGDING LIU BIN TANG ZHUO LU JIANFENG HU JINWEI TO: LI RUIXUAN LU ZHENGDING LIU BIN MA XIAOPU LI KAI TANG ZHUO LU JIANFENG HU JINWEI |
|
| C14 | Grant of patent or utility model | ||
| GR01 | Patent grant | ||
| C17 | Cessation of patent right | ||
| CF01 | Termination of patent right due to non-payment of annual fee |
Granted publication date: 20110720 Termination date: 20121010 |