CN1744599A - JAAS and AspeclJ based group management system authentication and authority method - Google Patents
- Publication number: CN1744599A
- Authority: CN (China)
- Prior art keywords: authentication, authorization, logic, program, user
- Legal status: Granted
Abstract
In this method, a JAAS program separates the authentication and authorization logic from the system program, and the AspectJ compiler weaves the authorization logic into the general logic of the cluster management system. Through the cooperation of the JAAS and AspectJ programs, authentication and authorization are implemented at both the method level and the node level of the cluster. The method provides a flexible and convenient mechanism for letting designated users perform different operations. By separating the security logic from the management logic of the general cluster management system, it allows authentication and authorization to be configured flexibly, so that the development of the management system's functions is independent of the security mechanism. The invention also addresses the security of the management system software itself.
Description
1. Technical field
The present invention relates to computer application technology, specifically to security techniques in cluster management, and in particular to a method of authentication and authorization for a cluster management system based on JAAS and AspectJ.
2. Background
A cluster is a set of computer systems (nodes) interconnected by a high-performance network or a local area network, forming a computer cluster system with a single-system image, high performance, high availability, good scalability and a high performance-to-price ratio. Because of its high availability and low price compared with traditional large-scale computers, building supercomputers or super-servers from clusters has become a popular trend. But a cluster is loosely organized, its nodes are highly independent and its network connections are complex; as the number of nodes grows, administering and maintaining the cluster becomes increasingly difficult and the total cost of ownership of the system rises.
To administer and maintain a cluster, the currently popular approach is to build a further layer of system software on top of the operating systems of the individual node computers to manage the whole cluster; this is referred to as cluster management software or a cluster management system. The cluster management system is part of the cluster software and sits almost at the top layer of the system software; it manages the software and hardware of the whole cluster and provides services to the cluster's system administrators and end users. A basic characteristic of a cluster is that "the whole system presents itself to the user as a single system"; to realize this goal, the management system should support, from a single console, control over the whole process of the cluster, including planning, installation, configuration, monitoring, routine maintenance, startup and shutdown. A cluster management system should provide a set of versatile, easy-to-use and extensible management tools that help the administrator monitor the operating state of the whole cluster and ensure that the cluster runs efficiently and stably.
Because the management system can manage the software and hardware resources of the whole cluster, it increases the security risk of the system at the same time as it provides convenience: without a mechanism for user authentication and authorization, any user of the management system can operate on the system's resources arbitrarily, harming the security of the system. The management functions of a cluster are extremely rich, with management commands numbering in the hundreds; moreover, according to user requirements, new management functions and new authentication methods may be added at any time, and the permissions of different users on different nodes may change. These requirements pose a very large challenge to the flexibility of the management system's authentication and authorization.
3. Summary of the invention
In current cluster management, the authentication and authorization methods are tightly coupled with the management functions, so that the development of management functions and of authentication and authorization logic are interwoven: developers of management functions must embed the authentication and authorization logic in their own code, and because of the independence of the nodes in a cluster, each management command raises different permission problems on different nodes. To address these problems, the present invention proposes a method of authentication and authorization in a cluster management system based on JAAS and AspectJ and developed in the Java language. By exploiting the technical characteristics of JAAS and AspectJ, the method implements method-level and node-level authentication and access control without embedding authentication and authorization code in ordinary management commands, thereby loosely coupling the business logic of the management system with its security logic, reducing the complexity of developing the management system and supporting more flexible security requirements.
The purpose of the present invention is to propose a method of authentication and authorization in a cluster management system based on JAAS (Java Authentication and Authorization Service) and AspectJ. Using the characteristics of JAAS and AspectJ, the method implements method-level and node-level authentication and access control without embedding authentication and authorization code in ordinary management commands, thereby loosely coupling the business logic of the management system with its security logic.
The JAAS program and the AspectJ program cooperate to separate the authentication and authorization logic from the system program: the configuration files of the JAAS program are used to configure user authentication and authorization information, and the AspectJ compiler is used to weave the authorization logic into the general logic of the cluster management system so that users are authenticated and authorized. The method comprises the following steps:
A. The JAAS program assigns a different identifier to each node in the cluster, and then distinguishes the system resources being accessed with the node as the unit;
B. The JAAS program sets the user of the cluster management system as the entity to be distinguished and authenticated, uniquely identified by user name, and the software that invokes the cluster management system authenticates users by distinguishing them in this way;
C. Using the configurability of the JAAS program's user authentication information and authorization information, changes to the user authentication and authorization logic are separated from the logic of the general management system;
D. Using the compilation technique of the AspectJ program, authorization checks are injected into the general operation methods, and the node identifier, the user identifier and the name of the intercepted method are used to perform the permission check on the intercepted method.
The JAAS program may also use a node group consisting of several nodes in the cluster as the resource unit identifier by which resources are distinguished.
The configuration files of the JAAS program are used to configure users so that users are authenticated and authorized for executing different management functions on different nodes, for example adding/deleting users, startup/shutdown and network configuration.
The JAAS program uses the user's login context, the node name and the method name to check the permissions of different users to perform different operations, so that users are authenticated and authorized on different nodes.
The configuration files of the JAAS program are used to separate multiple authentication methods and authorization policies from the logic of the general system program: the authentication and authorization logic is not written into the system program but into the configuration files, which the system program reads, performing the relevant authentication and authorization as the configuration files require; this decouples the system management logic from the various authentication and authorization logics.
The AspectJ program uses the technique of aspect-oriented programming to separate the concrete general system management logic from the security logic: the authentication and authorization logic is separated from the concrete system management functions, removing the coupling between each concrete system management function and authentication/authorization.
4. Detailed description of the embodiments
In the method of the invention, the configuration files of the JAAS program are used to separate multiple authentication methods and authorization policies from the logic of the general system program: the authentication and authorization logic is not written into the system program but into the configuration files, which the system program reads, performing the relevant authentication and authorization as the configuration files require; this decouples the system management logic from the various authentication and authorization logics.
In the method of the invention, the AspectJ program uses the technique of aspect-oriented programming to separate the concrete general system management logic from the security logic: the authentication and authorization logic is separated from the concrete system management functions, removing the coupling between each concrete system management function and authentication/authorization.
Embodiment
1) In advance, each node in the cluster is given a different identifier, which may be a machine name, an IP address, etc., denoted nodeName;
2) The users of the management system are uniquely distinguished within the cluster by user name, denoted userName;
3) JAAS is used to implement flexible configuration of authentication and authorization. Authentication confirms, by checking the user's password, whether the user is a legitimate user; authorization confirms whether the user may perform the relevant operation. The concrete configuration is as follows:
a. Configure the user authentication file, which declares the class name of the LoginModule used for login; this class performs the user authentication work. The configuration of this file conforms to the format of JAAS policy definition files;
For example:

```
MySecurity {
    MyLoginModule required;
};
```

This configuration file specifies that MyLoginModule is responsible for authenticating the user's identity; this class may use various methods of authenticating users to check whether the user can be authenticated.
b. Configure the user operation permission file, in the following form:

```
grant principal MyPrincipal "User1" {
    permission NodePermission "nodeName1";
    permission NodePermission "nodeName2";
    permission MethodPermission "void shutDown(String,LoginContext)";
    permission MethodPermission "void addUser(String,LoginContext)";
};
```

By means of the policy file provided by JAAS, this file achieves the goal of different users (such as User1) performing different operations (such as shutDown) on different nodes (such as nodeName1). The policy file above defines that user User1 may execute shutDown (the shutdown command) on nodeName1 and nodeName2. In shutDown(String, LoginContext), the parameter of type String is the name of the node, such as nodeName1, and the parameter of type LoginContext is the login context of the logged-in user, which holds the user's identity information.
4) The AspectJ aspect definition and the AspectJ compiler are used to separate the authentication and authorization logic from the ordinary management system logic. The concrete steps are as follows:
a. Define the aspect MyAuthorization, which is defined as:
```aspectj
import javax.security.auth.Subject;
import javax.security.auth.login.LoginContext;

public aspect MyAuthorization {
    // Pointcut definition: node is the name of the node being operated on (used to
    // distinguish resources), lc is the login context of the user
    pointcut Authorization(String node, LoginContext lc):
        args(node, lc) && execution(* *(..));

    // Advice run before each intercepted method executes:
    before(String node, LoginContext lc): Authorization(node, lc) {
        // Obtain the name of the intercepted method
        String methodName = thisJoinPointStaticPart.getSignature().toString();
        // Perform the permission check from the user's login context, the node name
        // and the method name (the third argument is the optional AccessControlContext)
        Subject.doAsPrivileged(lc.getSubject(),
                new AuthPrivilegedAction(node, methodName), null);
    }
}
```
In the code above, the code at pointcut Authorization defines the intercepted methods, and before(String node, LoginContext lc) specifies that, before an intercepted method executes, the Subject.doAsPrivileged action is performed, which verifies from the user, the node and the method name whether this method may be executed.
b. MyAuthorization and the relevant general business-logic classes are compiled with the AspectJ compiler, which weaves the authentication logic into the general business logic.
Using the crosscutting technique of AspectJ, through steps a and b we need not embed authorization code such as Subject.doAsPrivileged(lc.getSubject(), new AuthPrivilegedAction(node, methodName)) in the concrete business logic, for example in the shutDown method; instead, by defining the aspect MyAuthorization we indicate the names of the methods to be intercepted, and the AspectJ compiler injects the authorization logic into the methods that must perform it.
The precondition is that the parameters of the methods into which the check is injected must include the node name, of type String, which is passed in to check whether there is permission to execute the method on that node, and a parameter of type LoginContext, which passes the context of the user's login to the authorization check function.
As can be seen from the technical scheme, the present invention uses JAAS and AspectJ to implement an authentication and authorization method for a cluster management system. The method uses JAAS to achieve flexible configuration of authentication and authorization at the method level and the node level, and uses AspectJ to loosely couple the general management logic and the security logic, so that authorization checks can conveniently be added to general management methods. This solves well the problem of authentication and authorization for the cluster management system itself.
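To make the two-dimensional check concrete, here is an added Python model (not code from the patent) of the policy file and the before() advice above: it parses grants in the page's syntax and lets a management command run only when the principal holds both the NodePermission for the target node and the MethodPermission for the intercepted method. MyPrincipal, NodePermission, MethodPermission, User1 and the two commands come from the page; the Cluster type name, the Operator principal, the signature-string format and the sample policy are constructed assumptions.

```python
import re
from dataclasses import dataclass

# Constructed sample policy in the page's JAAS grant syntax: Operator may only
# shut down nodeName1 and holds no MethodPermission for addUser.
SAMPLE_POLICY = """
grant principal MyPrincipal "User1" {
    permission NodePermission "nodeName1";
    permission NodePermission "nodeName2";
    permission MethodPermission "void shutDown(String,LoginContext)";
    permission MethodPermission "void addUser(String,LoginContext)";
};
grant principal MyPrincipal "Operator" {
    permission NodePermission "nodeName1";
    permission MethodPermission "void shutDown(String,LoginContext)";
};
"""

GRANT_RE = re.compile(r'grant\s+principal\s+(\w+)\s+"([^"]+)"\s*\{(.*?)\}\s*;', re.S)
PERM_RE = re.compile(r'permission\s+(\w+)\s+"([^"]+)"\s*;')


def parse_policy(text):
    """Map (principal class, principal name) -> {permission class: set of targets}."""
    grants = {}
    for pclass, pname, body in GRANT_RE.findall(text):
        perms = grants.setdefault((pclass, pname), {})
        for perm_class, target in PERM_RE.findall(body):
            perms.setdefault(perm_class, set()).add(target)
    return grants


def normalize_signature(sig):
    """Reduce a signature string to the form used in the policy file.

    Assumption: the aspect's getSignature().toString() yields something like
    "void ClusterAdmin.shutDown(String, LoginContext)"; the declaring type and
    whitespace are stripped to match "void shutDown(String,LoginContext)".
    """
    ret_type, rest = sig.strip().split(" ", 1)
    name, params = rest.split("(", 1)
    name = name.rsplit(".", 1)[-1]
    return f"{ret_type} {name}({params.replace(' ', '')}"


def authorize(grants, user, node, signature, principal_class="MyPrincipal"):
    """The check done before an intercepted method runs: the user must hold BOTH
    a NodePermission for the node AND a MethodPermission for the method."""
    perms = grants.get((principal_class, user))
    if perms is None:
        return False  # unknown principal: deny by default
    node_ok = node in perms.get("NodePermission", set())
    method_ok = normalize_signature(signature) in perms.get("MethodPermission", set())
    return node_ok and method_ok


@dataclass
class LoginContext:
    """Stand-in for the JAAS LoginContext: carries the authenticated user name."""
    user: str


def authorized(grants):
    """Decorator playing the role of the aspect's before() advice for management
    methods whose parameters are (node: String, lc: LoginContext)."""
    def wrap(fn):
        signature = f"void Cluster.{fn.__name__}(String, LoginContext)"  # assumed format
        def advised(node, lc):
            if not authorize(grants, lc.user, node, signature):
                raise PermissionError(f"{lc.user} may not call {fn.__name__} on {node}")
            return fn(node, lc)
        return advised
    return wrap


GRANTS = parse_policy(SAMPLE_POLICY)


@authorized(GRANTS)
def shutDown(node, lc):
    """Ordinary management command: contains no authorization code of its own."""
    return f"shutdown issued on {node}"


@authorized(GRANTS)
def addUser(node, lc):
    return f"user added on {node}"


def denied(fn, node, lc):
    """True if the advice rejected the call before the command body ran."""
    try:
        fn(node, lc)
    except PermissionError:
        return True
    return False
```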
Claims (6)
1. A method of authentication and authorization for a cluster management system based on JAAS and AspectJ programs, characterized in that the JAAS program and the AspectJ program cooperate to separate the authentication and authorization logic from the system program, the configuration files of the JAAS program being used to configure user authentication and authorization information, and the AspectJ compiler being used to weave the authorization logic into the general logic of the cluster management system so that users are authenticated and authorized, the method comprising the following steps:
A. The JAAS program assigns a different identifier to each node in the cluster, and then distinguishes the system resources being accessed with the node as the unit;
B. The JAAS program sets the user of the cluster management system as the entity to be distinguished and authenticated, uniquely identified by user name, and the software that invokes the cluster management system authenticates users by distinguishing them in this way;
C. Using the configurability of the JAAS program's user authentication information and authorization information, changes to the user authentication and authorization logic are separated from the logic of the general management system;
D. Using the compilation technique of the AspectJ program, authorization checks are injected into the general operation methods, and the node identifier, the user identifier and the name of the intercepted method are used to perform the permission check on the intercepted method.
2. The authentication and authorization method of claim 1, characterized in that the JAAS program also uses a node group consisting of several nodes in the cluster as the resource unit identifier by which resources are distinguished.
3. The authentication and authorization method of claim 1, characterized in that the configuration files of the JAAS program are used to configure users so that users are authenticated and authorized for executing different management functions on different nodes, for example adding/deleting users, startup/shutdown and network configuration.
4. The authentication and authorization method of claim 1, characterized in that the JAAS program uses the user's login context, the node name and the method name to check the permissions of different users to perform different operations, so that users are authenticated and authorized on different nodes.
5. The authentication and authorization method of claim 1, characterized in that the configuration files of the JAAS program are used to separate multiple authentication methods and authorization policies from the logic of the general system program: the authentication and authorization logic is not written into the system program but into the configuration files, which the system program reads, performing the relevant authentication and authorization as the configuration files require; this decouples the system management logic from the various authentication and authorization logics.
6. The authentication and authorization method of claim 1, characterized in that the AspectJ program uses the technique of aspect-oriented programming to separate the concrete general system management logic from the security logic: the authentication and authorization logic is separated from the concrete system management functions, removing the coupling between each concrete system management function and authentication/authorization.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN 200510044822 CN1744599B (en) | 2005-09-27 | 2005-09-27 | JAAS and AspeclJ based group management system authentication and authority method |
Publications (2)
Publication Number | Publication Date |
---|---|
CN1744599A true CN1744599A (en) | 2006-03-08 |
CN1744599B CN1744599B (en) | 2010-04-28 |
Family ID: 36139793
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN 200510044822 Expired - Fee Related CN1744599B (en) | 2005-09-27 | 2005-09-27 | JAAS and AspeclJ based group management system authentication and authority method |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN1744599B (en) |
Family Cites Families (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US7089584B1 (en) * | 2000-05-24 | 2006-08-08 | Sun Microsystems, Inc. | Security architecture for integration of enterprise information system with J2EE platform |
CN1189822C (en) * | 2001-11-07 | 2005-02-16 | 华为技术有限公司 | Abnormal logic business simulating test device |
US7610618B2 (en) * | 2003-02-24 | 2009-10-27 | Bea Systems, Inc. | System and method for authenticating a subject |
US7313820B2 (en) * | 2003-12-29 | 2007-12-25 | International Business Machines Corporation | Method and system for providing an authorization framework for applications |
Cited By (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN100409626C (en) * | 2006-10-09 | 2008-08-06 | 西安交通大学 | Warning method in large size cluster management monitor system based on AOP technology |
CN103841117A (en) * | 2014-03-21 | 2014-06-04 | 北京京东尚科信息技术有限公司 | JAAS login method and server based on Cookie mechanism |
CN103841117B (en) * | 2014-03-21 | 2017-06-06 | 北京京东尚科信息技术有限公司 | A kind of JAAS login methods and server based on Cookie mechanism |
Also Published As
Publication number | Publication date |
---|---|
CN1744599B (en) | 2010-04-28 |
Legal Events
Code | Title | Description |
---|---|---|
C06 | Publication | |
PB01 | Publication | |
C10 | Entry into substantive examination | |
SE01 | Entry into force of request for substantive examination | |
C14 | Grant of patent or utility model | |
GR01 | Patent grant | |
CF01 | Termination of patent right due to non-payment of annual fee | Granted publication date: 20100428; Termination date: 20160927 |