Web服务访问控制策略研究.docVIP

Web服务访问控制策略研究 　　摘要：Web服务环境中，交互实体通常位于不同安全域，具有不可预见性。Web服务应该基于其他与领域无关的信息而非身份来实施访问控制，以实现对跨域未知用户的访问授权。为此，提出了适应于Web服务的基于上下文的访问控制策略模型。模型的核心思想是将各种与访问控制有关的信息统一抽象表示为一个上下文概念，以上下文为中心来制定和执行访问控制策略，上下文担当了类似基于角色的访问控制（RBAC）中角色的概念。基于描述逻辑语言（DL），定义了基于上下文的访问控制策略公理，建立了访问控制策略知识库，提出了访问控制策略的逻辑推理方法。最后基于Racer推理系统，通过实验验证了方法的可行性和有效性。 　　关键词： 　　Web服务；访问控制；上下文；策略；推理规则 　　中图分类号： TP393.08 　　文献标志码：A 　　Research on access control policy for Web service 　　HE Zhengqiu1*， ZHANG Yelin2， XU Junkui1， SUN Danhui1 　　1.Luoyang Electronic Equipment Test Center of China， Luoyang Henan 471003， China 　　； 　　2.Unit 96275 of PLA， Luoyang Henan 471003， China 　　Abstract： In Web service environment， the interacting entities usually cannot be predetermined and may be in different security domains. To address the access authorization for unknown users across domain borders， access control of Web service should be implemented based on domainindependent access control information but not the identities. A contextbased access control policy model which can be appropriate for Web service environment was proposed. The main idea of the model was that， various access control information was abstracted and represented as a concept of context which was adopted as the center to define and perform access control policies. The context concept here acted as an intermediary between requesters and the access permissions， which was similar to the role of RoleBased Access Control （RBAC） in a way. Contextbased access control policy axioms were defined based on Description Logic （DL）， on the basis of these axioms， the access control policy knowledge base with the capacity of reasoning about the access control policies was put forward. Finally， the effect of access control policy enforcement was verified in Racer reasoning system， and the experiment result proved the feasibility and validity of the presented method. 　　Key words： 　　Web service； access control； context； policy； inference rule 　　0引言 　　Web服务作为一种分布式计算模型，为基于Web的数据