面向Web服务的交互访问控制

166Web200072)WebWebSAMLWebWebWebWebWebServicesOrientedInteractiveAccessControlCHENYing-yong,XINMing-jun,WUShao-chun(SchoolofComputerEngineeringandScience,ShanghaiUniversity,Shanghai200072)AbstractAimingatthedeficiencyoftraditionaleXtensibleAccessControlMarkupLanguage(XACML),thispaperproposesthestructureofWebservicesorientedinteractiveaccesscontrolprotocolanditsimplementation,inordertoensurethesecurityofinformationtransmission,thispaperpresentsaframeworkofSAMLbasedcertificationauthoritytodesignthematchingmechanism.IttakestheprocessofauthorizationforWebservicesaccessasanexample,analyzingtheprocessofinteractiveWebserviceaccesscontrolprotocol,andprovesresultthatitcanprovidebettersupporttothesafetyofaccesscontrolforcollaborativeapplicationssuchascollaborativebusinessenvironmentandmobilebusinessenvironmentplatform.KeywordsWebservices;eXtensibleAccessControlMarkupLanguage(XACML);interactiveaccesscontrol;protocolComputerEngineering3514Vol.35No.1420097July2009··10003428(2009)14016602ATP3091WebRPCDCOMRMICORBAWeb[1](ExtensibleAccessControlMarkupLanguage,XACML)[2]Web2Web2.1XACMLWebWeb[3]AR(1)R(2)AuthorityCBRD(C)2.2WebXACML1(1)(PolicyEnforcementPoint,PEP)PEP(PolicyInformationPoint,PIP)XACML(PolicyDecisionPoint,PDP)(J50103)(1983)2009-01-12E-mailyingyong_chen@shu.edu.cn167PDPPEP1Web(2)XACMLWebXACMLPEP(3)(4)(5)3PAPPDP2.3WebXACMLOASIS[4]SAMLWebSAML22SAML2PEPSAMLPDPXACMLXSL(eXtensibleStylesheetLanguageTransformation)SAMLXACMLXSLTXML3Web3.1(user)(provider)(requester)(subject)2.1BA(1)R30minA(2)(1)AuthorityCARAB(1)BA3.2(1)WebXACML1XACMLWeb{Attr(s),Attr(e),Attr(r),Action,P}Attr(s)Attr(e)Attr(r)ActionPcheckifPandf(Attr(s),Attr(e),Attr(r))|ÆAction//ifsucceedthengrantaccesselsedenyaccess.XACMLWebWeb(2)Web2XACMLWeb{Attr(s),Attr(e),Attr(r),Action,Ps,Pu}PsPucheckifPsandPumatchifscceedthen-checkifAttr(s)claimedinPuisauthenticated-checkifPsandf(Attr(s),Attr(e),Attr(r))|-ActionifallsucceedthengrantaccesselseifAttr(s)claimedinPuisnotauthenticatedthendenyaccesselsecomputeAttr(s’)thatisdisclosabledescribedintheconsumer’spolicyif-Psandf(Attr(s)+Attr(s’),Attr(e),Attr(r))|-Action-Psandf(Attr(s)+Attr(s’),Attr(e),Attr(r))remainconsistencyifAttr(s’)existsthenaskclientforAttr(s’)anditerateelsedenyaccessXACMLWebWeb(3)Web2.1Web(170)