1.
2.
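SOA environments are distributed, heterogeneous, and dynamic, and traditional access control models can no longer meet their needs. To solve the access control problem in SOA environments, an attribute-based access control (ABAC) model is proposed. The model takes entity attributes as the basic unit of evaluation. User access is controlled through dynamic evaluation of subject attributes, resource attributes, and environment attributes, combined with access control policies. The model is implemented using the two specifications XACML and SAML. The query and response methods for attributes and access control policies in the framework, as well as the access authorization flow, are analyzed. The analysis shows that the ABAC model implemented with the XACML and SAML standards offers good security and portability and is suitable for heterogeneous SOA environments.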
3.
Rafael Marín-López, Fernando Pereñíguez, Gabriel López, Alejandro Pérez-Méndez 《Computer Standards & Interfaces》2011,33(5):494-504
Kerberos is a well-known standard protocol which is becoming one of the most widely deployed for authentication and key distribution in application services. However, whereas service providers use the protocol to control their own subscribers, they do not widely deploy Kerberos infrastructures to handle subscribers coming from foreign domains, as happens in network federations. Instead, the deployment of Authentication, Authorization and Accounting (AAA) infrastructures has been preferred for that operation. Thus, the lack of a correct integration between these infrastructures and Kerberos limits the service access only to service provider's subscribers. To avoid this limitation, we design an architecture which integrates a Kerberos pre-authentication mechanism, based on the use of the Extensible Authentication Protocol (EAP), and advanced authorization, based on the standards SAML and XACML, to link the end user authentication and authorization performed through an AAA infrastructure with the delivery of Kerberos tickets in the service provider's domain. We detail the interfaces, protocols, operation and extensions required for our solution. Moreover, we discuss important aspects such as the implications on existing standards.
4.
P. Mazzoleni B. Crispo S. Sivasubramanian E. Bertino 《The Journal of supercomputing》2009,49(1):108-126
In this paper, we present a novel resource brokering service for grid systems which considers authorization policies of the
grid nodes in the process of selecting the resources to be assigned to a request. We argue such an integration is needed to
avoid scheduling requests onto resources the policies of which do not authorize their execution. Our service, implemented
in Globus as a part of Monitoring and Discovery Service (MDS), is based on the concept of fine-grained access control (FGAC) which enables participating grid nodes to specify fine-grained policies concerning the conditions under which grid
clients can access their resources. Since the process of evaluating authorization policies, in addition to checking the resource
requirements, can be a potential bottleneck for a large scale grid, we also analyze the problem of the efficient evaluation
of FGAC policies. In this context, we present GroupByRule, a novel method for policy organization and compare its performance with other strategies.
5.
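EPC IS occupies a central position in the Internet of Things; it is responsible for processing and parsing large volumes of EPC data and PML files. Building on the traditional EPC IS and incorporating the eXtensible Access Control Markup Language (XACML), a design for an EPC IS with permission management is proposed to solve the series of security problems that arise when enterprises access one another's EPC IS. The paper first introduces the architecture and role of the traditional EPC IS and the security risks it brings, then introduces XACML and focuses on how to implement permission management, and finally gives a design for an EPC IS with permission management for a cross-enterprise supply chain management system.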
6.
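A security authorization framework for J2EE application servers based on XACML security policies. Total citations: 1, self-citations: 0, citations by others: 1
Security and authorization are key issues for enterprise applications, yet the security authorization services in the current J2EE specification lack sufficient expressive power for describing security. A security authorization framework supporting XACML security policies is proposed, which describes complex security logic for the components of a J2EE application server and provides flexible security authorization services, reducing the cost of enterprise application development and system maintenance. The framework has been implemented in OnceAS, a J2EE application server independently developed by the Institute of Software, Chinese Academy of Sciences.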
7.
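For the complex multi-domain environment of electric power information systems, an access control model (BP-SABAC) is proposed. The model combines attribute-based access control (ABAC) with Semantic Web technology, introduces boundary policies, and extends the XACML standard framework structure, ensuring the security of cross-domain information sharing and strengthening boundary protection.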
8.
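To address the transmission of authorization requests and responses between entities in the XACML access control model, a flexible and extensible communication model between the policy enforcement point (PEP) and the policy decision point (PDP) is proposed. Following the extensions to the SAML specification made by OASIS, the SAML processing module in the model encapsulates XACML authorization requests and responses as SAML authorization requests and responses; the PEP-WS and PDP-WS modules of the model are implemented with the Spring Web Service architecture to transmit the SAML authorization requests and responses. The model makes the transmission of XACML authorization requests and responses transparent, integrates PEPs and PDPs that are implemented differently, and enhances the flexibility and extensibility of deploying the XACML access control model.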
9.
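To address problems such as semantic representation and conflicts among XACML policies, a formal method based on description logic is proposed. It formalizes the targets, rules, rule-combining algorithms, and policy conflict resolution algorithms of XACML policies, and gives a description-logic-based scheme for detecting conflicts between rules. The analysis shows that the formal method facilitates the extension of XACML policies and enhances XACML's semantic expressiveness and reasoning capability.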
10.