CN110413372A - A kind of web services middleware extended method for supporting service security to mark - Google Patents


Info

Publication number
CN110413372A
Authority
CN
China
Prior art keywords
service
service security
internet resources
label
user
Prior art date
Legal status
Pending
Application number
CN201910536187.XA
Other languages
Chinese (zh)
Inventor
于海波
刘杰
赵雨虹
刘坤颖
Current Assignee
Institute of Information Engineering of CAS
Original Assignee
Institute of Information Engineering of CAS
Priority date
Filing date
Publication date
Application filed by Institute of Information Engineering of CAS
Priority to CN201910536187.XA
Publication of CN110413372A
Legal status: Pending

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/604 Tools and structures for managing or administering access control systems
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F9/00 Arrangements for program control, e.g. control units
    • G06F9/06 Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
    • G06F9/44 Arrangements for executing specific programs
    • G06F9/455 Emulation; Interpretation; Software simulation, e.g. virtualisation or emulation of application or operating system execution engines
    • G06F9/45533 Hypervisors; Virtual machine monitors
    • G06F9/45558 Hypervisor-specific management and integration aspects
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F9/00 Arrangements for program control, e.g. control units
    • G06F9/06 Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
    • G06F9/44 Arrangements for executing specific programs
    • G06F9/455 Emulation; Interpretation; Software simulation, e.g. virtualisation or emulation of application or operating system execution engines
    • G06F9/45533 Hypervisors; Virtual machine monitors
    • G06F9/45558 Hypervisor-specific management and integration aspects
    • G06F2009/45595 Network integration; Enabling network access in virtual machine instances
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F2221/00 Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/21 Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/2141 Access rights, e.g. capability lists, access control lists, access tables, access matrices

Landscapes

  • Engineering & Computer Science (AREA)
  • Software Systems (AREA)
  • Theoretical Computer Science (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Automation & Control Theory (AREA)
  • Health & Medical Sciences (AREA)
  • Bioethics (AREA)
  • General Health & Medical Sciences (AREA)
  • Computer Hardware Design (AREA)
  • Computer Security & Cryptography (AREA)
  • Storage Device Security (AREA)

Abstract

The invention discloses a Web service middleware extension method that supports service security labels. The method comprises the following steps: 1) configure the service security label of the Web service middleware, which marks the middleware's service security attributes; the service security label of the Web service middleware includes a security level and a service class; 2) when the Web service middleware receives a user's network resource request, identify the service security label of the user and the service security label of the network resource the user requested; 3) check the user's service security label against the service security label of the requested network resource: if the check passes, execute the network resource request and return the corresponding network resource; otherwise, refuse to execute the request; 4) add a service security label to the response message. The invention enables efficient fine-grained control and auditing of user access behaviour.

Description

A kind of web services middleware extended method for supporting service security to mark
Technical field
The present invention relates to a Web service middleware that supports service security labels. The middleware provides configuration, generation and identification functions for service security labels and supports access control and auditing based on those labels. The invention belongs to the field of cyberspace security.
Background technique
At present, when a user accesses a Web service, resource access control is implemented mainly according to the user's identity and the network resource's information. Traditional Web service middleware does not support fine-grained control of access behaviour based on the service security attributes of the user or of the network resource, so functions such as fine-grained access control must be implemented within each application, and the user's security attributes must be managed within each application. This increases the development cost of every application and reduces the flexibility with which access control can be implemented.
Summary of the invention
In network systems that use service security labels, traditional Web service middleware does not support fine-grained control of network resources based on service security attributes. To address this, the object of the invention is a Web service middleware extension method that supports service security labels: the middleware can configure its own service security label; it can identify the service security labels of the user and of the requested resource, thereby ensuring that a user can access only the network resources that correspond to the user's service security attributes; and it can add the corresponding service security label to the application-layer protocol message according to the service security label of the requested resource, so that related systems can correctly understand the service security properties of the resource from the message.
To achieve this object, the invention proposes a Web service middleware extension method that supports service security labels, comprising the following steps:
Step 1: configure the service security label of the Web service middleware. The label marks the middleware's service security attributes, such as its security level and service class. The label may be configured by an administrator, or configured automatically by the configuration module after it has obtained the service security attribute information of the computing environment in which it runs.
Step 2: identify the service security labels of the user and of the network resource. When a user requests a network resource, identify the service security label of the requesting user, which indicates service security attributes such as the user's security level and service class; at the same time, identify the service security label of the requested network resource, which indicates service security attributes such as the resource's security level and service class.
Step 3: control based on the service security labels. Check the user's service security label against the network resource's service security label; if the check passes, execute the user's request and return the network resource; otherwise, refuse the user's request.
Step 4: add a service security label to the response message. When returning the network resource requested by the user, the label generation module converts the resource's service security label into the response message's service security label and adds that label to the extended field of the corresponding application-layer protocol.
Presupposition 1: network resources (objects) carry service security labels that indicate their service security attributes, such as security level, service class and operation control.
Presupposition 2: accessing users carry service security labels that indicate their service security attributes, such as security level and service class.
Figure 1 shows the internal structure of the Web service middleware provided by the invention. It comprises a Web container module, a label configuration module, a user label identification module, a network resource label identification module, a label generation module and a control module.
The Web container module receives user resource requests, parses the request content and responds to the user's network resource request; the label configuration module configures the service security label of the Web service middleware; the user label identification module identifies the service security label of the user in the Web request; the network resource label identification module identifies the service security label of the network resource; the label generation module converts the service security label of the requested network resource into the service security label of the response message and adds that label to the extended field of the corresponding application-layer protocol; the control module controls and audits the user's network resource access behaviour.
Compared with the prior art, the beneficial effects of the invention are as follows.
The invention provides a Web service middleware that supports service security labels. The middleware supports configuring, generating and identifying service security labels, and supports efficient fine-grained control and auditing of user access behaviour based on those labels. Its main advantages are:
1) the label of the Web service middleware can be configured to indicate the range of security levels, service classes and similar attributes of the network resources that the middleware is allowed to handle;
2) by identifying the service security labels of the accessing user and of the network resource, user access behaviour can be controlled or audited at fine granularity;
3) the service security label of the network resource is added to the response message, so that related systems can efficiently understand the service security properties of the resource directly from the response message, without having to reconstruct the resource data.
Detailed description of the invention
Fig. 1 is the architecture diagram of the Web service middleware;
Fig. 2 is the flow chart of service security label identification in the Web service middleware;
Fig. 3 is the control flow chart of the Web service middleware;
Fig. 4 is the flow chart of service security label generation in the Web service middleware.
Specific embodiment
The embodiments of the invention are described below with reference to the drawings. It should be understood that the embodiments described here serve only to explain the invention and are not intended to limit it.
Definition of the service security label:
The service security label M is a tuple comprising several service security attributes, $M = \langle C, G, F \rangle$. Here C is the security level; G is the set of service security attributes $g_i$, $G = \{g_1, g_2, \ldots, g_n\}$, where each $g_i$ may be a service security attribute such as a service class, working group, role or environmental requirement; and F is the set of operation control attributes $f_j$, $F = \{f_1, f_2, \ldots, f_m\}$, where each $f_j$ may be an operation-class attribute such as read/write control, print control, disc-burning control or copy control.
The service security label of a network resource (object) is denoted $M(r) = \langle C_r, G_r, F_r \rangle$; the service security label of a subject (a system entity, a user, etc.) is denoted $M(s) = \langle C_s, G_s \rangle$. Two relationships are possible between a subject label M(s) and a resource label M(r): dominance and non-comparability. Label M(s) dominates label M(r) when $C_s \geq C_r$ and [the condition on $G_s$ and $G_r$ is not legible in the source]; this is denoted $M(s) \geq M(r)$ and indicates that the subject may access the object. If there is no dominance relation between M(s) and M(r), the two are not comparable and the subject has no right to access the object. If [condition not legible in the source], then any subject must carry out its operations on the resource within the limits of the specific operation control attributes $f_j$ contained in the label.
Presupposition 1: a network resource (object) has the service security label $M(r) = \langle C_r, G_r, F_r \rangle$, indicating its service security attributes such as security level, service class and operation control.
Presupposition 2: an accessing user has the service security label $M(u) = \langle C_u, G_u \rangle$, indicating the user's service security attributes such as security level and service class.
The present embodiment is divided into four steps: label configuration, label identification, label generation and control.
Step 1: configure the service security label of the Web service middleware (subject), denoted $M(o) = \langle C_o, G_o \rangle$, which indicates service security attributes such as the middleware's security level and service class. The label configuration module is called when the Web container initialises, so that the middleware's service security label can be configured manually by administrators or configured automatically after the configuration module obtains the service security attribute information of the computing environment in which it runs. The specific steps are:
S101: after the Web service middleware initialises, load the Web container module, label configuration module, user label identification module, network resource label identification module, label generation module and control module;
S102: if administrators have configured a local configuration file, the label configuration module reads the local configuration file, parses the service security attribute information from it, and uses it to configure the service security label M(o) of the Web service middleware.
S103: if administrators have not configured a local configuration file, the label configuration module automatically obtains the service security attribute information of the computing environment in which it runs and uses it to configure the service security label M(o) of the Web service middleware.
Step 2: identify service security labels. Label identification is performed by the accessing-user label identification module and the network resource label identification module, which identify the accessing user's service security label M(u) and the network resource's service security label M(r) respectively. The method is shown in Fig. 2; the specific steps are:
S201: the Web service starts.
S202: after the Web container module receives a Web request, it calls the user label identification module to obtain the accessing user's service security label M(u).
S203: after the Web container receives the Web request, it calls the network resource label identification module to obtain the network resource's service security label M(r).
S204: the labels M(u) and M(r) are sent to the service security label control module.
Step 3: control based on service security labels. The main function of control is to check the accessing user's service security label M(u) in the request against the network resource's service security label M(r). If $M(u) \geq M(r)$, the check passes and the network resource is returned; otherwise, the request is refused. The method is shown in Fig. 3; the specific steps are:
S301: the control module receives the accessing user's service security label M(u) and the network resource's service security label M(r) from the request;
S302: M(u) and M(r) are checked;
S303: if $M(o) \geq M(r)$ and $M(u) \geq M(r)$, the check passes and the user is allowed access; otherwise, the access request is refused;
S304: the control module records a log entry.
Step 4: generate the service security label of the response message. The label generation module converts the requested network resource's service security label M(r) into the service security label of the response message and adds it to the extended field of the corresponding application-layer protocol. The method is shown in Fig. 4; the specific steps are:
S401: the Web container calls the label generation module;
S402: the label generation module obtains the service security label M(r) of the requested network resource;
S403: M(r) is converted into the response message's service security label and added to the extended field of the application-layer protocol;
S404: the Web service middleware returns the response message to the user.
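The label model from the definitions above and the check and response-labelling procedure of steps 3 and 4, as an added Python illustration that is not the patent's own code. It assumes that the attribute half of the dominance relation is $G_r \subseteq G_s$, that $F_r$ lists the operations permitted on the resource, and that the extended field is a header named X-Service-Security-Label; the patent specifies none of these.

```python
"""Service-security label check and response labelling (illustration only).

Constructed from the patent's description; not the patent's own code.
Assumptions the page does not state:
  * the attribute half of "M(s) dominates M(r)" is: G_r is a subset of G_s;
  * F_r names the operations a subject may perform on the resource;
  * the response-message label is carried in a header X-Service-Security-Label.
"""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Tuple


@dataclass(frozen=True)
class Label:
    """M = <C, G, F>: security level, attribute set, operation-control set."""
    level: int                            # C: larger means more sensitive
    attrs: FrozenSet[str]                 # G: service class, working group, role, ...
    ops: FrozenSet[str] = frozenset()     # F: only object labels M(r) carry this


def dominates(subject: Label, obj: Label) -> bool:
    """M(s) >= M(r): C_s >= C_r and (assumed) G_r subset of G_s.
    Otherwise the labels are not comparable and the subject gets no access."""
    return subject.level >= obj.level and obj.attrs <= subject.attrs


def to_extended_field(label: Label) -> str:
    """Encode a label for the application-layer extended field (constructed format)."""
    return "C=%d;G=%s;F=%s" % (
        label.level, ",".join(sorted(label.attrs)), ",".join(sorted(label.ops)))


def from_extended_field(value: str) -> Label:
    """Parse the field back, as a downstream system reading the response would."""
    parts = dict(item.split("=", 1) for item in value.split(";"))

    def as_set(text: str) -> FrozenSet[str]:
        return frozenset(x for x in text.split(",") if x)

    return Label(int(parts["C"]), as_set(parts.get("G", "")), as_set(parts.get("F", "")))


@dataclass
class Middleware:
    own: Label                                    # M(o), set at container start (step 1)
    audit: List[str] = field(default_factory=list)

    def control(self, user: Label, resource: Label, op: str) -> bool:
        """Steps S301-S304: both M(o) >= M(r) and M(u) >= M(r) must hold, and the
        requested operation must stay within F_r when F_r is non-empty.
        Every decision is logged (S304)."""
        allowed = dominates(self.own, resource) and dominates(user, resource)
        if allowed and resource.ops and op not in resource.ops:
            allowed = False
        self.audit.append("%s op=%s user=[%s] resource=[%s]" % (
            "ALLOW" if allowed else "DENY", op,
            to_extended_field(user), to_extended_field(resource)))
        return allowed

    def handle(self, user: Label, resource: Label, op: str,
               body: bytes) -> Tuple[int, Dict[str, str], bytes]:
        """Steps 2-4 for one request: check, then return the resource with its
        label attached so other systems can read M(r) without inspecting the body."""
        if not self.control(user, resource, op):
            return 403, {}, b""
        return 200, {"X-Service-Security-Label": to_extended_field(resource)}, body


# Constructed sample labels (not from the page).
MIDDLEWARE = Middleware(own=Label(3, frozenset({"finance", "hr"})))
FINANCE_REPORT = Label(2, frozenset({"finance"}), frozenset({"read", "print"}))
ANALYST = Label(2, frozenset({"finance", "hr"}))      # dominates FINANCE_REPORT
INTERN = Label(1, frozenset({"finance"}))             # level too low: not comparable

if __name__ == "__main__":
    print(MIDDLEWARE.handle(ANALYST, FINANCE_REPORT, "read", b"q2 figures"))
    print(MIDDLEWARE.handle(ANALYST, FINANCE_REPORT, "copy", b"q2 figures"))
    print(MIDDLEWARE.handle(INTERN, FINANCE_REPORT, "read", b"q2 figures"))
    print(*MIDDLEWARE.audit, sep="\n")
```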
Although specific content, implementing algorithms and drawings of the invention have been disclosed for the purpose of illustration, their object is to help understand and implement the invention. Those skilled in the art will appreciate that various substitutions, changes and modifications are possible without departing from the spirit and scope of the invention and of the appended claims. The invention should not be limited to the preferred embodiments and drawings disclosed in this specification; its scope of protection is defined by the claims.

Claims (8)

1. A Web service middleware extension method that supports service security labels, comprising the steps of:
1) configuring the service security label of the Web service middleware, which marks the middleware's service security attributes; the service security label of the Web service middleware includes a security level and a service class;
2) when the Web service middleware receives a user's network resource request, identifying the service security label of the user and the service security label of the network resource requested by the user; the user's service security label includes the user's security level and service class, and the network resource's service security label includes the resource's security level and service class;
3) checking the user's service security label against the service security label of the requested network resource; if the check passes, executing the network resource request and returning the corresponding network resource; otherwise, refusing to execute the network resource request.
2. The method of claim 1, characterised in that in step 3), when the network resource is returned, the service security label of the returned network resource is converted into the service security label of the response message and added to the extended field of the corresponding application-layer protocol.
3. The method of claim 1 or 2, characterised in that the service security label of the network resource further includes operation control information.
4. The method of claim 1, characterised in that the service security label of the Web service middleware is configured by administrators, or configured automatically after the configuration module obtains the service security attribute information of the computing environment in which the Web service middleware runs.
5. A Web service middleware that supports service security labels, characterised by comprising a Web container module, a label configuration module, a user label identification module, a network resource label identification module, a label generation module and a control module, wherein:
the label configuration module configures the service security label of the Web service middleware; the service security label of the Web service middleware includes a security level and a service class;
the user label identification module identifies the user's service security label; the user's service security label includes the user's security level and service class;
the network resource label identification module identifies the network resource's service security label; the network resource's service security label includes the resource's security level and service class;
the Web container module receives the user's network resource request, parses the request content and responds to the user's network resource request;
the label generation module converts the service security label of the requested network resource into the service security label of the response message and adds it to the extended field of the corresponding application-layer protocol;
the control module checks the user's service security label against the service security label of the requested network resource; if the check passes, the network resource request is executed and the corresponding network resource returned; otherwise, execution of the network resource request is refused.
6. The Web service middleware of claim 5, characterised in that when the network resource is returned, the service security label of the returned network resource is converted into the service security label of the response message and added to the extended field of the corresponding application-layer protocol.
7. The Web service middleware of claim 5, characterised in that the service security label of the network resource further includes operation control information.
8. The Web service middleware of claim 5, characterised in that the configuration module automatically configures the service security label of the Web service middleware after obtaining the service security attribute information of the computing environment in which the Web service middleware runs.

Application and Publication Data

Application Number: CN201910536187.XA
Priority Date: 2019-06-20
Filing Date: 2019-06-20
Publication: CN110413372A (en), 2019-11-05
Legal Status: Pending
Family ID: 68359405
Country: CN

Citations (11)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20050114789A1 (en) * 2003-11-24 2005-05-26 Hung-Yang Chang Method and system for collaborative web browsing
CN102355657A (en) * 2011-06-28 2012-02-15 成都市华为赛门铁克科技有限公司 Service access control method, device and system
CN102413198A (en) * 2011-09-30 2012-04-11 山东中创软件工程股份有限公司 Security-marker-based access control method and related system
CN102495989A (en) * 2011-12-21 2012-06-13 北京诺思恒信科技有限公司 Subject-label-based access control method and system
CN103248485A (en) * 2013-04-24 2013-08-14 中国南方电网有限责任公司 Security label-based power secondary system access control method and system
CN103974248A (en) * 2013-01-24 2014-08-06 ***通信集团公司 Terminal security protection method, device and system in ability open system
US20140281501A1 (en) * 2013-03-13 2014-09-18 Samsung Electronics Co., Ltd. Application access control method and electronic apparatus implementing the same
CN105991626A (en) * 2015-03-06 2016-10-05 小米科技有限责任公司 Network access method and network access device
CN108183915A (en) * 2018-01-15 2018-06-19 中国科学院信息工程研究所 It is a kind of to realize frame towards the safety label of high safety grade business and application demand
CN108520177A (en) * 2018-04-11 2018-09-11 厦门美图移动科技有限公司 Application software management method and device, mobile terminal and readable storage medium
CN109656884A (en) * 2018-12-14 2019-04-19 郑州云海信息技术有限公司 A kind of method and device accessing file

Legal Events

Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20191105