Loading...
|
Please use this identifier to cite or link to this item:
https://nccur.lib.nccu.edu.tw/handle/140.119/32728
|
Title: | 應用剖面導向技術研製網路應用程式之可設定式細緻化存取控管 |
Authors: | 林經緯 Lin,Ching Wei |
Contributors: | 陳恭 Chen,Kung 林經緯 Lin,Ching Wei |
Keywords: | 網路應用程式 宣告式存取控管機制 以角色為基礎之存取控管 資料層次存取控管 剖面導向程式設計 web applications data-level access control Role-based access control MVC Aspect-oriented programming |
Date: | 2004 |
Issue Date: | 2009-09-17 14:08:54 (UTC+8) |
Abstract: | 存取控管(Access Control)是網路應用程式(Web Applications)安全防護中的核心課題。貫徹存取控管的程式碼往往必須嵌入到應用系統的各個模組中,具有橫跨(cross-cutting)的特性,卻也因此常常造成系統中反覆出現類似的程式碼以及不同需求的程式碼夾雜不清的現象。所以學界業界紛紛提出了許多可設定式(configurable)的存取控管機制來解決此一問題。但這些機制都著重在一般功能性(function-level)的存取控管,對於較細緻化(fine-grained)的資料存取(data-level)控管,並未提供設定式的控管方式,還是得透過程式化(programmatic)的方式處理,所以仍然有程式橫跨性的問題。 最近興起的剖面導向程式設計(Aspect-Oriented Programming)基於關注分離的原則(Separation of Concerns),針對像安全橫跨性的需求,倡議在原有的物件或函式模組外,另以剖面作為這些橫跨性需求的模組單位,既可集中開發又可依規則將安全程式碼整合至系統的各個模組。因此本研究將以AOP技術來設計與製作一套可設定式的細緻化存取控管服務與工具。 Security is attracting more and more concerns in the development of Web applications. However, it is not easy to derive a robust security implementation for Web applications. The principle difficulty in designing security such as access control into an application system is that it is a concern that permeates through all the different modules of a system. As a result, security concerns in an application are often implemented with scattered and tangled code, which is not only error-prone but also makes it difficult to verify its correctness and perform the needed maintenance. Aspect-Oriented Programming (AOP) is a relative new design method that allows a programmer to isolate some of the code that crosscuts his program modules into a separate module, and thus realizes the concept of Separation of Concerns. AOP offers significant advantages to programming over traditional OO techniques in implementing crosscutting concerns such as access control. In this thesis, we define an XML schema for specifying fine-grained access control rules for Web applications in a configuration file and devise an aspect-oriented implementation scheme. Specifically, we develop an aspect synthesis tool that generates concrete access control aspects automatically from access control rules. These aspects, after woven into the base application, will enforce proper access control in a highly modular manner. As a result, we get a configurable implementation of access control that is not only adaptive but also effective. |
Reference: | 【1】 Mark. Curphey. 2002. A Guide to Building Secure Web Applications. The Open Web Applications Security Project Version 1.1. 【2】Open Web Applications Security Project: The Top Ten Most Critical Web Applications Security Vulnerabilities. http://www.owasp.org/documentation/topten 【3】Ross J. Anderson. 2001. Security Engineering: A Guide to Build Dependable Distributed Systems. 【4】S Probst, J Kueng, The Need for Declarative Security Mechanisms, IEEE. September, 2004. Proceedings of the 30th EUROMICRO Conference (EUROMICRO’04) , August 31 【5】 JBoss Group, LLC2520 Sharondale Dr.Atlanta. GA 30305 USAsales@jbossgroup.com. JBoss Administration and DevelopmentSecond Edition. 237-283. 【6】 Harold Ossher and Peri Tarr. October 2001. Using multidimensional separation of concerns to (re)shape evolving software. Communications of the ACM vol. 44.10: 43-50 【7】 C. Lai, L. Gong, L. Koved, A. Nadalin, and R. Schemers.1999. User Authentication And Authorization In The Java Platform. Proceedings of Annual Computer Security Applications Conference, Phoenix, Arizona, USA. 285-290. 【8】 G. Kiczales, J. Lamping, A. Menhdhekar, C. Maeda, C. Lopes, J.-M. Loingtier, and J. Irwin. 1997. Aspect-oriented programming, in ECOOP `97 Object-Oriented Programming 11th European Conference, Finland (M. Aksit and S. Matsuoka, eds.), vol. 1241. 220-242. 【9】 Mohamed Fayad and Douglas Schmidt. October 1997. Object-Oriented Application Frameworks. Communications of the ACM, Vol. 40. 10 : 32-38. 【10】 B. Vanhaute, B. De Win, and B. De Decker. July 2001. Building frameworks in AspectJ. Report CW 318, Department of Computer Science, K.U.Leuven, Leuven, Belgium. 【11】 Carlos A. Fonseca. April 2002. Extending JAAS for Class Instance-Level Authorization. IBM developerWorks, http://www-106.ibm.com/developerworks/java/library/j-jaas/. 【12】 R. Goodwin, S.F. Goh, and F.Y. Wu. 2002. “Instance-level access control for business-to-business electronic commerce,” IBM System Journal, vol. 41. no2. 【13】 Sun Microsystems, Inc., Java Authentication and Authorization Services, http://developer.java.sun.com/developer/technicalArticles/Security/jaasv2/ . 【14】 K. Chen and C.M. Huang. April.2005. A Practical Aspect Framework for Enforcing Fine-Grained Access Control in Web Applicationss. First Information Security Practice and Experience Conference (ISPEC 05). LNCS 3439.156-167. 【15】 The Struts Framework. a sub-project of Apache project. http://jakarta.apache.org/struts/ 【16】 S. Hanenberg and A. Schmidmeier. March 17, 2003. Idioms for Building Software Frameworks in AspectJ. The 2nd AOSD Workshop on Aspects, Components, and Patterns for Infrastructure Software (ACP4IS), Boston, MA. 【17】 T. Verhanneman, L. Jaco, B. De Win, F. Piessens, and W. Joosen. November 2003. Adaptable Access Control Policies for Medical Information Systems, Distributed Applications and Interoperable Systems. 4th IFIP WG 6.1 International Conference, DAIS 2003, Paris, France, 2003, Proceedings (Stefani, J.-B. and Demeure, I. and Hagimont, D., eds.), vol 2893. 133-140. 【18】 Sun Microsystems, Inc., Java Authentication and Authorization Services. http://developer.java.sun.com/developer/technicalArticles/Security/jaasv2/ 【19】 JPetStore, http://www.ibatis.com/jpetstore/jpetstore.html . 【20】 James B. D. Joshi, Walid G. Aref, Arif Ghafoor, Eugene H. Spafford. 2001. Security Models for Web-based Applications. Communications of the ACM, vol. 44. 2 : 38-44. 【21】 R.S. Sandhu, E.J. Coyne, H.L. Feinstein, and C.E. Youman. February 1996. Role-Based Access Control Models. IEEE Computer vol.29. 2: 38–47. 【22】 R. Goodwin, S.F. Goh, and F.Y. Wu. 2002. “Instance-level access control for business-to-business electronic commerce,” IBM System Journal, vol. 41. no. 2, 【23】 R.S. Sandhu, E.J. Coyne, H.L. Feinstein, and C.E. Youman, Role-Based Access Control Models. IEEE Computer 29, No. 2, 38–47 (February 1996). 【24】 JBoss Group LLC2520 Sharondale Dr.Atlanta. JBoss Administration and DevelopmentSecond Edition .237-283. 【25】 Filter code with Servlet 2.3 model. http://www.javaworld.com/javaworld/jw-06-2001/jw-0622-filters.html . 【26】 K. Beznosov, and Y. Deng. 2002. “Engineering Application-level Access Control in Distributed Systems,” in Handbook of Software Engineering and Knowledge Engineering. vol. 1. 【27】 J. L. Abad-Peiro, H. Debar, T. Schweinberger, and P. Trommler.1999. PLAS - Policy Language for Authorizations. IBM Research Report RZ3126. 【28】 Damianou, N., N. Dulay, E. Lupu, and M. Sloman. Ponder: A Language for Specifying Security and Management Policies for Distributed Systems. The Language Specification - Version 2.2. Research Report DoC 2000/1, Imperial College of Science Technology and Medicine, Department of Computing. 【29】 E. Gamma, R. Helm, R. Johnson, J. Vlissides: Design Patterns. A.W. L. 1995. ISBN 0-201-63361-2. 【30】 Scott Fordin.2004.Java Architecture for XML Binding http://java.sun.com/xml/jaxb/about.html. |
Description: | 碩士 國立政治大學 資訊科學學系 92753032 93 |
Source URI: | http://thesis.lib.nccu.edu.tw/record/#G0927530321 |
Data Type: | thesis |
Appears in Collections: | [資訊科學系] 學位論文
|
All items in 政大典藏 are protected by copyright, with all rights reserved.
|