Please wait a minute...
J4  2012, Vol. 46 Issue (11): 2035-2043    DOI: 10.3785/j.issn.1008-973X.2012.11.015
计算机技术     
基于RBAC的跨多企业服务组合访问控制模型
张帅1,孙建伶1,徐斌1,黄超1,2,KAVS  Aleksander J2.
1. 浙江大学 计算机科学与技术学院, 浙江 杭州310027; 2. 道富信息科技(浙江)有限公司, 浙江 杭州 310012
RBAC based access control model for services compositions
cross multiple enterprises
ZHANG Shuai1, SUN Jian-ling1, XU Bin1, HUANG Chao1,2, KAVS  Aleksander J2.
1. College of Computer Science and Technology , Zhejiang University , Hangzhou 310027, China;
2. State Street Technology (ZheJiang) Co. Ltd, Hangzhou 310012, China
 全文: PDF  HTML
摘要:

为了解决单域环境下访问控制模型无法满足跨企业服务组合的访问授权需求的问题,提出一种以基于角色访问控制(RBAC)为基础的多域动态访问授权模型.根据组合服务的流程结构分析服务执行所需的权限,提出一个权限最小化的角色集挖掘算法,从原有的面向单域的角色授权关系中搜索满足服务执行的角色集.针对组合服务中的跨域操作进行端对端的域间自主授权协商,并根据挖据出的角色集建立最小成本的跨域角色映射以满足跨域访问授权需求.在此基础上提出一套与现有的工业标准相结合运行时框架,实现根据组合服务实际运行状态进行授权的动态访问控制机制.模拟实验结果验证模型中的该算法的主要部分在多种不同场景下的有效性.

Abstract:

A dynamic multiple domains access control model base on role based access control (RBAC) was proposed in order to solve the problem that current single domain based access control model cannot fulfill the authorization requirements for service compositions crossing multiple enterprises. The process structures  were analyzed and a role mining algorithm was proposed to find the role set with minimized permissions that meet the access requirements of composite services. Authorization negotiations were set up among relevant domains for each cross domain operation in composite services and cross domain role mappings were built according the mined role sets with minimized cost to fulfill the cross domain operations. Based on this model, a runtime framework aligned with current industry standard was proposed to authorize dynamically based on the current running status of composite services. Simulation experiments showed the effectiveness of key part of the role mining algorithm.

出版日期: 2012-12-11
:  TP 393  
通讯作者: 孙建伶,男,教授,博导.     E-mail: sunjl@zju.edu.cn
作者简介: 张帅(1984- ),男,博士生,从事服务计算研究. E-mail: zhangshuai@zju.edu.cn
服务  
把本文推荐给朋友
加入引用管理器
E-mail Alert
RSS
作者相关文章  

引用本文:

张帅,孙建伶,徐斌,黄超,KAVS Aleksander J.. 基于RBAC的跨多企业服务组合访问控制模型[J]. J4, 2012, 46(11): 2035-2043.

ZHANG Shuai, SUN Jian-ling, XU Bin, HUANG Chao, KAVS Aleksander J.. RBAC based access control model for services compositions
cross multiple enterprises. J4, 2012, 46(11): 2035-2043.

链接本文:

http://www.zjujournals.com/eng/CN/10.3785/j.issn.1008-973X.2012.11.015        http://www.zjujournals.com/eng/CN/Y2012/V46/I11/2035

[1] PAPAZOGLOU M. Serviceoriented computing: concepts, characteristics and directions [C]∥ 4th International Conference on Web Information Systems Engineering. Rome, Italy: IEEE, 2003: 3-12.
[2] MILANOVIC N, MALEK M. Current solutions for Web service composition [J]. IEEE Internet Computing, 2004, 8(6): 51-59.
[3] SRIVATSA M, IYENGAR A, MIKALSEN T, et al, An access controlsystem for Web service compositions [C]∥ IEEE International Conference on Web Services . Salt Lake City, USA: IEEE, 2007: 1-8.
[4] 王雅哲,冯登国.域间授权互操作研究综述 [J]. 计算机研究与发展, 2010, 47(10):1673-1689.
WANG Yazhe, FENG Dengguo. A survey of research on interdomain authorization interoperation [J]. Journal of Computer Research and Development, 2010, 47(10):1673-1689.
[5] ZHANG Y , JOSHI J. A requestdriven secure interoperation framework in looselycoupled multidomain environments employing RBAC policies [C]∥ IEEE International Conference on Collaborative Computing: Networking, Applications and Worksharing. New York, USA: IEEE, 2007: 25-32.
[6] HU Jinwei, Li Ruixuan, LU Zhengding. Establishing RBACbased secure interoperability in decentralized multidomain environments [C]∥ Proceedings of the 10th international conference on Information security and cryptology. Heidelberg, Germany: SpringerVerlag Berlin, 2007 49-63.
[7] ZHANG Shuai, SUN Jianling, SHEN Yuanhong, et al, Optimizing performance of composite services in multiple networks enterprise environment [J]. Information Technology Journal, 2011(10): 807-815.
[8] DUSTDAR S , SCHREINER W, A survey on web services composition [J]. International Journal of Web and Grid Services 2005(1): 1-30.
[9] BEEK M, BUCCHIARONE A, GNESI S: Web service composition approaches: from industrial standards to formal methods [C]∥ Proceedings of the Second International Conference on Internet and Web Applications and Services 2007. Washington DC, USA: IEEE Computer Society, 15-21.
[10] CHAFLE G, CHANDRA S, MANN V, et al, Decentralized orchestration of composite web services [C]∥ Proceedings of the 13th international World Wide Web conference. New York, USA: ACM, 2004: 134-143.
[11] YILDIZ U, GODART C. Towards decentralized service orchestrations [C]∥ Proceedings of the 2007 ACM symposium on Applied computing. New York, USA: ACM, 1662-1666.
[12] SHAFIQ B, JOSHI J, BERTINO E, et al: Secure interoperation in a multi domain environment employing RBAC policies [J]. IEEE Transactions on Knowledge and Data Engineering 2005. 17(11): 1557-1577.
[13] SANDHU R, COYNE E, FEINSTEIN H, et al, Rolebased access control models [J]. IEEE Computer, 1996 29(2): 38-47.
[14] DAMIANI E, VIMERCATI S, PARABOSCHI S. et al. Fine grained access control for SOAP eservices [C]∥ 10th Int. Conference on World Wide Web (WWW). New York, USA: ACM, 2001: 504-513.
[15] WONOHOESODO R ,TARI Z, A role based access control for Web services [C]∥ IEEE International Conference on Services Computing 2004. Shanghai: IEEE, 2004:49-56.
[16] FISCHER J , MAJUMDAR R, A Theory of Role Composition [C]∥ IEEE International Conference on Web Services 2008. Beijing:  IEEE, 320-328.
[17] HUANG Chao, SUN Jianling, WANG Xinyu, et al. Minimal role mining method for Web service composition [J]. Journal of Zhejiang UniversityScience C, 2010(11): 28-339.
[18] DU S , JOSHI J, Supporting authorization query and interdomain role mapping in presence of hybrid role hierarchy [C]∥ Proceedings of the 17th ACM symposium on Access control models and technologies. New York, USA: ACM, 2006: 228-236.
[19] OASIS, Security assertion markup language (SAML) [EB/OL]. [20050325]. http:∥saml.xml.org/aboutsaml.
[20] SALTZER J , SCHROEDER M, The protection of information in computer systems [J]. Proceedings of the IEEE, 1975(63): 1278-1308.
[21] MOSES T. eXtensible access control markup language (XACML) Version 20 [EB/OL]. [2005-02-01].http:∥docs.oasis-open.org/xacml/2.0/access_control-xacml-2.0-core-spec-os.pdf.

[1] 郭童,林峰. 基于混合遗传鱼群算法的贝叶斯网络结构学习[J]. J4, 2014, 48(1): 130-135.
[2] 李德骏,汪港,杨灿军,金波,陈燕虎. 基于NTP和IEEE1588海底观测网时间同步系统[J]. J4, 2014, 48(1): 1-7.
[3] 杜瑞忠, 田俊峰, 张焕国. 基于信任和个性偏好的云服务选择模型[J]. J4, 2013, 47(1): 53-61.
[4] 陈岁生,卢建刚,楼晓春. 基于MDS-MAP和非线性滤波的WSN定位算法[J]. J4, 2012, 46(5): 866-872.
[5] 高庆,李善平,杨朝晖. 基于虚拟场的能量高效传感器网络地理路由[J]. J4, 2012, 46(1): 98-104.
[6] 潘巨龙,李善平,张道远. 无线传感器网络簇内可疑节点的博弈检测方法[J]. J4, 2012, 46(1): 72-78.
[7] 杨朝晖,李善平,林欣. 增量型上下文信息服务的质量优化实时调度[J]. J4, 2012, 46(1): 90-97.
[8] 钱剑锋, 尹建伟, 董金祥. 结构化P2P网络的语义发布/订阅系统
负载均衡算法
[J]. J4, 2011, 45(10): 1710-1719.
[9] 杨朝晖,李善平,林欣. LBS中面向K-匿名服务资源约束的匿名度调节算法[J]. J4, 2011, 45(7): 1154-1160.
[10] 潘纲, 李石坚, 陈云星. ScudContext:信息-物理空间融合的大规模
环境上下文服务
[J]. J4, 2011, 45(6): 991-998.
[11] 车建华, 何钦铭, 陈建海, 王备. 基于软件模拟的虚拟机系统故障插入工具[J]. J4, 2011, 45(4): 614-620.
[12] 李鉴庭,金心宇,唐军,张昱. 基于无线多媒体传感器网络的目标定位方法[J]. J4, 2011, 45(1): 45-49.
[13] 张莉苹,潘纲,郑能干,杨国青,李红,赵民德. SmartC模型与代码一致性双向生成方法及开发平台[J]. J4, 2011, 45(1): 20-29.
[14] 舒挺, 孙守迁,王海宁,徐伟强. ESIS序列自适应生成算法[J]. J4, 2010, 44(11): 2183-2187.
[15] 陈友荣, 俞立, 董齐芬, 洪榛. 基于近邻算法的无线传感器网络功率控制[J]. J4, 2010, 44(7): 1321-1326.