Shanghai Jiao Tong University Master's Thesis
Design and Implementation of an RBAC System Based on a Large-Scale Tree-like Organization Structure
Name: Zhou Weiping (周伟平)
Degree applied for: Master
Major: Electronics and Communication Engineering
Supervisors: Lu Songnian (陆松年); Luo Bin (罗滨)
20061201

RBAC DAC MAC RBAC, RBAC TO-RBAC RBAC RBAC RBAC RBAC Sys-RBAC Grp-RBAC Sys-RBAC Grp-RBAC Sys-RBAC 1 2 TO-RBAC 3 4 TO-RBAC DMS TO-RBAC UML J2EE TO-RBAC TO-RBAC J2EE RBAC J2EE

THE DESIGN AND IMPLEMENTATION OF ACCESS CONTROL (RBAC) BASED ON TREE-LIKE ORGANIZATION STRUCTURE

ABSTRACT

As information technology develops rapidly, it is being applied ever more deeply in all areas of society, such as the economy and government. Information systems keep growing larger as the areas they serve expand and the number of system users increases. An IT system is no longer limited to several offices or a few buildings, so the access control model for IT systems faces more challenges.

This paper first introduces three traditional access control models, DAC, MAC and RBAC, and explains their advantages and shortcomings. We then analyze the complex organization structure and the access control requirements of a real project. By modeling a tree-like organization structure, we extend traditional RBAC and propose a new RBAC based on the tree-like organization structure: TO-RBAC. Traditional RBAC does not manage the scopes of subjects and objects; TO-RBAC manages these scopes explicitly through group management and function management. Applying the new RBAC concept to the tree-like organization structure yields a nested RBAC, which includes Sys-RBAC at the system level and Grp-RBAC at the group level. The subjects of Sys-RBAC are independent groups, and its objects are all of the functions registered in the system. The subjects of Grp-RBAC are the system users of an independent group, and its objects are the functions authorized to that independent group.

The first chapter introduces previous studies of RBAC and the business and technology background of the project. The second chapter is the core of this paper; the TO-RBAC model is developed step by step in it. Based on the theoretical model, chapter 3 describes the design and implementation of TO-RBAC, so that the model can be validated and carried from theory into practice. Chapter 4 uses the DMS project, which adopted the TO-RBAC model, to analyze the administration of TO-RBAC, including its advantages and the weaknesses to be improved. The last chapter summarizes the whole paper and looks ahead to directions for future study.

UML is used to describe the system model in this paper, and J2EE is selected to implement a TO-RBAC instance in the real project. Use by end users in practice has shown the TO-RBAC model to be convenient and flexible. It can be expected to become a J2EE-based authority subsystem for enterprise applications.

Keywords: Access Control, RBAC, Tree-like Organization Structure, J2EE

RBAC 200722411 •••••

1.1 DAC Discretionary Access Control MAC Mandatory Access Control RBAC Role-based Access Control

1.1.1 - DAC DAC DAC 2 Structured Query Language SQL DAC [1] Grant DAC Oracle DB2

1.1.2 - MAC [1] MAC 1-1 MAC

Table 1-1 MAC Access Control

\U-S-G-W/R--A-RW/RG-A-U-S-

1-1 MAC MAC

1.1.3 - RBAC 3 RBAC [2] [3] NIST The National Institute of Standards and Technology RBAC 44 RBAC0 Core RBAC RBAC1 Hierarchical RBAC RBAC2 Constraint RBAC RBAC3 Combines RBAC [1] [4] [5] RBAC0 1-1 UA PERM PA session 1-1 RBAC0

Figure 1-1 RBAC0 Model

RBAC0 RBAC RBAC, users (USERS) roles (ROLES) objects (OBS) operations (OPS) permissions (PRMS), sessions RBAC0 RBAC1 RBAC2 RBAC3 RBAC0 RBAC1 RBAC2 RBAC2 ,, -- RBAC2 RBAC3 RBAC1 RBAC2 4 [6] [7] [8]

1.2 200530200 Dealer Management System

1.2.1 1-2600 RSSC1 RSSC2 RSSC3 RSSC12236001-2

Figure 1-2 Organization Structure of SVW

512 Regional Sales Service Center RSSC RSSC/RSSC 50806001-3 RSSC

1.2.2 1-41-3

Figure 1-3 General Organization Structure of Dealer

61-4 DMS

Figure 1-4 Overview of SVW DMS

1-41-571-5 DMS

Figure 1-5 Sales Flow in SVW DMS

1.2.3 10000 RSSC 10000 Internet

1.3 DMS J2EE Struts 8

1.3.1 J2EE J2EE Sun, [9] ,,,,, EIS a b c EIS INTERNET J2EE J2EE Web a. Web API Web Service b. Web Web c. d. ORACLE LDAP Lightweight Directory Access Protocol 9

1.3.2 Struts [10] Struts J2EE Struts Apache Jakarta JavaServer Pages (JSPs) Servlet Struts MVC Web Servlets JSP Struts MVC Model-View-Controller MVC MVC, 1-6 Struts MVC Servlet JSP J2EE Struts MVC J2EE Struts 1-7 View Controller Model 1-6 Struts MVC

Figure 1-6 Struts MVC Model

101-7 Struts

Figure 1-7 Principle of Struts

1-7 XML Struts-config.xml Controller Struts MVC Controller Servlet ActionServlet ActionServlet Struts HTTP Action ActionForm FormBean, javabean EJB JSP Struts-config.xml JSP Struts JSP Html Bean Logic Template javabean bean ActionForm Action JavaBean or EJB ActionForm FormBean Client Action ActionBean ActionServlet FormBean FormBean JavaBean EJB Struts *.do *.do ActionServlet ActionServlet Struts-config.xml FormBean FormBean ActionBean ActionBean *.do Client IE or Netscape Controller ActionServlet Business Logic Action Model JavaBean or EJB View JSP HTTP Request ActionForm HTTP Response Struts-config.xml 11 FormBean ActionBean Struts-config.xml Struts ActionServlet ActionServlet Struts-config.xml Struts Servlet jsp taglib struts web JSP Model2 MVC framework Struts web framework Struts Struts Controller Model View Struts EJB, JDBC Object Relation Bridge Struts JSP, Velocity Templates, XSL 12

2 TO-RBAC

2.1 UML UML Unified Modeling Language [11] UML UML UML UML View Use Case View Use Model View Logical View Structural View Static View Concurrent View Behavioral Model View Process View Collaborative View Dynamic View Component View Implementation Model View Development View Deployment View Physical View UML Diagram UML 13 UML Use-case Driven Architecture-centric Incremental Iterative UML UML E-R

2.2 RBAC UML 1.1.3 RBAC RBAC RBAC RBAC1 RBAC2 RBAC3 RBA