Abstract: With the development of the application service provider (ASP) business model in China, and to meet the practical need for an ASP platform to integrate a variety of heterogeneous applications, this paper proposes a lightweight application-integration scheme based on unified security authentication. The scheme stores user identity and permission information in a unified service database, uses a session token to keep the user's authenticated identity valid throughout the session, protects application service resources through policy agents, and authorizes and controls user access in a unified way. To realize single sign-on between the platform and the application systems, the paper describes how identity information is transferred and verified by the token and the agent, with particular attention to the problem of cross-domain single sign-on. The scheme has been applied successfully to the "Shanghai Telecom Ideal Business ASP Platform".
0 Preface
With the strong support of the National 863 Program, enterprise informatization in China is in full swing, but small and medium-sized enterprises (SMEs) face considerable difficulty because they lack funds and technology. The emergence of the ASP (Application Service Provider) is without doubt the best commercial means of carrying out informatization in SMEs: an enterprise obtains the information products it needs, such as ERP, CRM, SCM and PDM, from the ASP provider at low cost, and also enjoys high-quality after-sales service and technical support [1].
The ASP model has brought new opportunities for application system integration. To satisfy enterprise users' needs as fully as possible, ASP providers often integrate many kinds of application systems into the ASP platform, for example OA, ERP, CRM and SCM at the same time. The integrated application software may come from traditional software vendors or from other ASP providers. This layered, nested model is convenient for users but makes it considerably harder for the ASP provider to build the enterprise platform. In addition, the security authentication system of the platform as a whole determines how difficult system integration is: by using unified identity authentication, resource authorization and user management in place of the different authentication and authorization methods of the individual application systems, the design of integration interfaces becomes easier and the development work is greatly simplified.
1 Security authentication problems of the ASP platform
The ASP model has only just begun in China; many key technologies are still at the research and verification stage, and the approaches to integrating application systems with an ASP platform vary widely. Besides lightweight interface integration, there is data integration between different application systems, and integration of business processes across the whole platform. Although data integration and business integration are badly needed in many enterprises, with current technical strength these forms of integration are far from meeting the requirements of business operation. Therefore, at this stage, the method usually adopted by ASP providers is integration at the user interface level only: a relatively mature EP (Enterprise Portal) system is used together with unified identity authentication and authorization technology to integrate the platform and the applications. Although the degree of integration achieved this way is not high, it is lightweight, flexible and easy to implement, and can adapt to the need to integrate many heterogeneous systems [2].
Based on our research on the ASP model and integration technology, we believe that a relatively complete ASP platform should comprise five parts: an enterprise portal, a security authentication subsystem, an operation support subsystem, an enabling subsystem and a business operation subsystem, as shown by the gray part of Figure 1. The security authentication subsystem consists of three main modules: identity management, identity authentication and resource authorization. The design and implementation of this subsystem is currently the most urgent problem the ASP platform needs to solve, and it is also the key module of the ASP platform implemented in this project.
Figure 1 ASP platform infrastructure (gray part)
In the traditional IT application model, each application system provides its own independent user authentication and policy management. Once these systems are integrated into a unified ASP platform, the situation becomes extremely complex. If user identities and permissions are still managed by the individual application systems, the implementation of the authentication system and the protection of important resources cannot be strictly controlled, which brings many serious security hazards, and management becomes very cumbersome. Moreover, if a user who has logged in to the ASP platform must enter identity information again whenever logging in to, or switching between, these different application systems, dissatisfaction with the platform is inevitable. Therefore the ASP platform must provide a mechanism by which every user logs in once at the platform portal and, once the identity has been confirmed, can access the various application systems freely. This free access must still be authorized: before a user accesses a resource, the platform's access control system must check that the user has the right to access it. In this way the risk of multiple system entry points is reduced and the management of the platform is greatly simplified. Based on this idea, a dedicated authentication server can be set up in the ASP platform; the user information of all application systems is stored in that server's database and managed uniformly. Single sign-on (SSO) technology meets the requirement of logging in once and accessing freely, and an LDAP directory server conveniently stores user, role, permission and policy information.
2 Implementation of ASP platform security authentication technology
2.1 Application of single sign-on technology
SSO means accessing many different resources through a single identity authentication [3]. This kind of authentication not only improves the security of the system but also maximizes the working efficiency of enterprise employees. The theoretical basis of SSO is the security technology of J2EE (JAAS). Implementations fall mainly into two categories: the first uses an authentication proxy process between the user and each application system to complete the corresponding login procedure on the user's behalf, as in IBM Tivoli Access Manager; the second establishes an independent authentication platform that implements access policy control and SSO with policy management software, as in Sun ONE Identity Server. The ASP platform integrates many applications from different vendors and may need to span the Internet in its deployment, so in order to secure data transmission and minimize changes to the application systems, the second type of single sign-on is more appropriate. Its principle is as follows.
The user accesses the ASP platform portal; after authentication by the authentication server the user holds a cookie containing a token, and the user's identity information is carried in this token. From then on, whenever the user accesses other resources on the platform, the policy agent deployed in the application confirms the user's identity from the token, sparing the user the trouble of entering authentication information again.
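The following is an added example, not code from the paper or from the Ideal Business platform, that simulates the token-based single sign-on just described and the cross-domain relay through the CDC and CDSSO servlets that section 2.1 goes on to describe (Figure 2). The domain names, the token format (a random session id plus an HMAC computed with a key held only by the authentication server) and the in-process "redirects" are assumptions of this example; a real deployment would carry the same steps over HTTP redirects. The browser's cookie jar is keyed by domain, which is what makes the cross-domain problem visible.

```python
import hashlib
import hmac
import secrets
import time

PLATFORM = "portal.example.test"   # domain 1: authentication server and CDC (constructed name)


class AuthServer:
    """Platform authentication server in domain 1: issues and validates session tokens."""

    def __init__(self, users, ttl=3600):
        self.users = users                      # constructed user store: name -> password
        self.ttl = ttl                          # token lifetime in seconds
        self.secret = secrets.token_bytes(32)   # MAC key; it never leaves the server
        self.sessions = {}                      # token id -> session record

    def _mac(self, tid):
        return hmac.new(self.secret, tid.encode(), hashlib.sha256).hexdigest()

    def login(self, user, password):
        """Return a token 'id.mac' on success, None on failure."""
        if not hmac.compare_digest(self.users.get(user, "").encode(), password.encode()):
            return None
        tid = secrets.token_urlsafe(16)
        self.sessions[tid] = {"user": user, "issued": time.time()}
        return f"{tid}.{self._mac(tid)}"

    def validate(self, token):
        """Identity carried by the token, or None if it is missing, forged, unknown or expired."""
        if not token or "." not in token:
            return None
        tid, mac = token.rsplit(".", 1)
        if not hmac.compare_digest(mac.encode(), self._mac(tid).encode()):
            return None
        sess = self.sessions.get(tid)
        if sess is None or time.time() - sess["issued"] > self.ttl:
            return None
        return sess["user"]


class Browser:
    """Cookie jar keyed by domain: a cookie set for one domain is invisible to another."""

    def __init__(self):
        self.cookies = {}

    def get(self, domain, name):
        return self.cookies.get(domain, {}).get(name)

    def set(self, domain, name, value):
        self.cookies.setdefault(domain, {})[name] = value


def portal_login(browser, auth, user, password):
    """The user logs in at the platform portal; the token is stored in a cookie for domain 1."""
    token = auth.login(user, password)
    if token is None:
        return False
    browser.set(PLATFORM, "token", token)
    return True


class CrossDomainController:
    """CDC on the platform authentication server (steps 3 and 5 of Figure 2)."""

    def __init__(self, auth):
        self.auth = auth

    def handle(self, browser, goto_domain):
        token = browser.get(PLATFORM, "token")
        if self.auth.validate(token) is None:
            return {"action": "login_required"}
        return {"action": "redirect", "domain": goto_domain, "token": token}


class ApplicationDomain:
    """An application domain: policy agent plus CDSSO servlet in front of its resources."""

    def __init__(self, domain, auth, cdc):
        self.domain, self.auth, self.cdc = domain, auth, cdc

    def request(self, browser, path):
        trace = [f"{self.domain}: policy agent intercepts {path}"]
        user = self.auth.validate(browser.get(self.domain, "token"))
        if user is not None:                      # token for this domain already present
            trace.append(f"{self.domain}: token valid, {user} admitted")
            return {"status": 200, "user": user, "trace": trace}
        # No usable token in this domain: the CDSSO servlet sends the browser to the CDC.
        trace.append(f"{self.domain}: no token, CDSSO servlet redirects to CDC at {PLATFORM}")
        answer = self.cdc.handle(browser, self.domain)
        if answer["action"] == "login_required":
            trace.append("CDC: no platform session, user must log in at the portal")
            return {"status": 401, "user": None, "trace": trace}
        # The relayed token is validated with the authentication server before it is trusted,
        # then stored as a cookie for this domain so later requests need no CDC round trip.
        user = self.auth.validate(answer["token"])
        if user is None:
            trace.append(f"{self.domain}: relayed token rejected")
            return {"status": 401, "user": None, "trace": trace}
        browser.set(self.domain, "token", answer["token"])
        trace.append(f"{self.domain}: CDSSO servlet stores relayed token, {user} admitted")
        return {"status": 200, "user": user, "trace": trace}
```

Two points worth noting: every domain validates the token with the authentication server rather than trusting the cookie's contents (the token is an opaque handle to a server-side session), and a token that a client fabricates for an application domain is rejected by the MAC check before any session lookup happens.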
The application software systems of the ASP platform are usually distributed across their respective IDCs, so switching between applications on the ASP platform inevitably involves cross-domain access. Once the domain changes, the token the user holds in the cookie is no longer available and SSO cannot be completed. To solve the cross-domain SSO problem, a CDC (Cross Domain Controller) is created on the ASP platform authentication server, a CDSSO servlet (cross-domain single sign-on servlet) is set up on each application server, and communication between the CDC and the CDSSO servlets guarantees SSO across domains. The specific process is shown in Figure 2:
Figure 2 implementation process of cross-domain single sign-on
(1) When the user accesses domain 2, the request is intercepted by the policy agent.
(2) The cross-domain single sign-on servlet checks whether the request carries a token; if it does, the request is let through, otherwise the user is redirected to domain 1.
(3) The cross-domain controller in domain 1 checks whether a token exists; if not, the user is authenticated first. The token is then sent to domain 2, which finds the token and allows the user to access its resources.
(4) When the user goes on to access domain 3, the information is again passed through the cross-domain single sign-on servlet to the cross-domain controller in domain 1.
(5) Domain 1 sends the token to domain 3, and domain 3 can then allow the user to access its resources.
2.2 Application of access control technology
Access control technology can generally be divided into discretionary access control, mandatory access control and role-based access control (RBAC) [4]. The ASP platform adopts RBAC. Its advantage is that users and permissions are not associated directly but linked through roles: a role is in essence a set of permissions, and access control is achieved by assigning roles to users. The ASP platform uses a unified resource authorization mechanism: before a user accesses an application resource, the platform authentication server must check the user's permission, and only then is access allowed. The specific process is shown below:
Figure 3 Implementation process of access control
(1) The user logs in to the ASP platform and, after authentication, sends a request for an application resource; (2) the request for the resource is intercepted by the policy agent deployed on the application server side, and the policy agent passes the user's identity information to the authentication server to check the user's permissions; (3) the authentication server makes its judgement by comparing the request against the policies defined for the resource in the LDAP database, and either allows or refuses access.
In the above process, application resources take two main forms: one is a URL, which may be a static page, a media file or an application represented by a URL; the other is a J2EE container or an application program. The policy agent is a component of the authentication system deployed in the application server; it intercepts the user's request and forwards the user's authentication information to the authentication server. Policy agents can be installed not only on the company's internal application servers but also on an external ASP provider's application servers and on Web proxy servers, so that every resource in the whole platform is fully protected by security authentication.
For each application resource, access control is achieved by defining a corresponding policy. A policy usually contains three components: rules, subjects and conditions (policy = rules + subjects + conditions):
Rules specify what operation may be performed on the resource, for example allowing users to access a URL resource; subjects specify to whom the rule applies, namely a set of roles or user groups, such as a user group in the LDAP directory server; conditions specify under what circumstances the rule is effective, such as the time and the IP address range from which access is allowed.
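As an added illustration of the rules/subjects/conditions model and of the agent-to-server exchange of Figure 3, the following code is not from the paper or from Sun's product; it is a small policy decision function of the kind the authentication server runs, with the policy agent forwarding the intercepted request's URL, method, client address and time. The resource URLs, role names and the shape of the request dictionary are assumptions of this example. A resource with no matching policy is refused, so unprotected resources are not silently opened.

```python
import ipaddress
from dataclasses import dataclass, field
from datetime import time


@dataclass
class Policy:
    """policy = rules + subjects + conditions, attached to one application resource."""
    resource: str                  # URL prefix the policy protects
    rules: frozenset               # operations allowed on the resource, e.g. {"GET"}
    subjects: frozenset            # roles or LDAP groups the rule applies to
    conditions: dict = field(default_factory=dict)   # "time": (start, end), "ip": [cidr, ...]


def conditions_hold(conditions, ctx):
    """Every condition attached to a rule must hold for the request context."""
    window = conditions.get("time")
    if window and not (window[0] <= ctx["time"] <= window[1]):
        return False
    nets = conditions.get("ip")
    if nets:
        addr = ipaddress.ip_address(ctx["ip"])
        if not any(addr in ipaddress.ip_network(n) for n in nets):
            return False
    return True


def decide(policies, resource, operation, roles, ctx):
    """Authentication-server decision (step 3 of Figure 3): allow when some policy for the
    resource permits the operation for one of the requester's roles and its conditions hold.
    Anything not explicitly allowed is refused (default deny)."""
    for p in policies:
        if not resource.startswith(p.resource):
            continue
        if operation not in p.rules or not (p.subjects & roles):
            continue
        if conditions_hold(p.conditions, ctx):
            return "allow"
    return "deny"


def make_request(url, method, client_ip, hour, minute=0):
    """Constructed stand-in for an intercepted HTTP request."""
    return {"url": url, "method": method, "client_ip": client_ip, "time": time(hour, minute)}


def policy_agent(policies, identity, request):
    """Step 2 of Figure 3: the agent forwards the identity (resolved from the SSO token)
    and the request context to the server, then enforces the answer as an HTTP status."""
    ctx = {"ip": request["client_ip"], "time": request["time"]}
    verdict = decide(policies, request["url"], request["method"], frozenset(identity["roles"]), ctx)
    return 200 if verdict == "allow" else 403


# Constructed policies for two application resources (names are assumptions).
CRM = "http://crm.example.test/"
OA = "http://oa.example.test/"
POLICIES = [
    # CRM users and enterprise administrators may read and post, but only in office hours
    # and only from the enterprise's internal address range.
    Policy(CRM, frozenset({"GET", "POST"}), frozenset({"crm-user", "enterprise-admin"}),
           {"time": (time(8, 0), time(18, 0)), "ip": ["10.0.0.0/8"]}),
    # The platform super administrator may also delete, with no conditions.
    Policy(CRM, frozenset({"GET", "POST", "DELETE"}), frozenset({"super-admin"})),
    # Office automation is open to every role of the role tree.
    Policy(OA, frozenset({"GET", "POST"}),
           frozenset({"employee", "department-admin", "enterprise-admin", "super-admin"})),
]
```

Because the loop only returns on a full match, a policy whose subjects match but whose conditions fail does not block a later, more permissive policy for the same resource; if an explicit deny rule is needed, it must be added as a separate rule type rather than by relying on ordering.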
By defining such policies according to actual needs, the ASP platform achieves unified protection of all application resources.
2.3 Application of the LDAP directory server
The directory server plays a lightweight role in the ASP platform's security authentication system: it stores all user information, role information and policy information of the system. An LDAP (Lightweight Directory Access Protocol) directory differs from a relational database in that its data is not stored simply in tables but in a tree-shaped directory, which can clearly reflect the internal organizational structure of an enterprise and lets the various kinds of data inherit from one another. Moreover, data in an LDAP database is read often and written rarely, and its read speed is at least an order of magnitude faster than that of a relational database; its data model (schema) is also easy to extend. Given these advantages of the LDAP database and the characteristics of user identity, role and permission information in a security authentication system, using an LDAP directory server guarantees efficient operation of the ASP platform and the flexible expansion that integration requires [5].
Figure 4 LDAP directory tree design
The ASP platform's LDAP database consists mainly of three "trees" under the ASP root node: the user information tree, the role tree and the permission tree. In the user information tree, each enterprise registered on the ASP platform is a "branch"; departmental branches can be set up under each enterprise, and finally the enterprise employees correspond to the "leaf" nodes of the tree. The role tree assigns roles according to the ASP platform's super administrator, enterprise administrator, department administrator and employee. The permission tree is organized according to the permission information of resources at each level of access control: each application resource is a branch, and the access policies of that resource are its leaves [6]. With this data structure the ASP platform system can easily read the authentication and permission information of its users; newly registered enterprise users or newly integrated application resources are added by extending the corresponding branches, which makes management and maintenance easy.
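The following added example, which is not the paper's or the platform's code, models the three trees as an in-memory directory keyed by DN so that the branch/leaf organisation and the lookups it enables can be run without an LDAP server. The root `o=idealbiz.com.cn`, the resource node `cn=CRM,ou=Policy,o=idealbiz.com.cn` and the user attributes E-Code, U-Code and passwd are taken from section 3; the `ou=User` and `ou=Role` branch names, the role entries being `groupOfNames`-style member lists, the sample enterprise and the policy attribute names are assumptions. The passwd attribute is stored as a salted PBKDF2 hash here, a choice of this example rather than something the paper specifies.

```python
import hashlib
import hmac
import os

ROOT = "o=idealbiz.com.cn"                  # root DN named in section 3
USERS = f"ou=User,{ROOT}"                   # assumed name of the user information tree
ROLES = f"ou=Role,{ROOT}"                   # assumed name of the role tree
POLICY = f"ou=Policy,{ROOT}"                # permission tree, from section 3


def parent(dn):
    return dn.split(",", 1)[1] if "," in dn else ""


class Directory:
    """Constructed in-memory stand-in for the LDAP directory, keyed by lower-cased DN."""

    def __init__(self):
        self.entries = {}

    def add(self, dn, **attrs):
        """Add an entry; as in LDAP the parent must already exist (only the root has none)."""
        key = dn.lower()
        if "," in dn and parent(key) not in self.entries:
            raise KeyError(f"parent of {dn} does not exist")
        self.entries[key] = {"dn": dn, **attrs}
        return dn

    def subtree(self, base):
        """All entries at or below base: one enterprise branch, the whole role tree, ..."""
        base = base.lower()
        return [e for k, e in self.entries.items() if k == base or k.endswith("," + base)]

    def search(self, base, **match):
        return [e for e in self.subtree(base) if all(e.get(a) == v for a, v in match.items())]


def hash_password(pw, salt=None):
    salt = salt or os.urandom(16)
    return salt + hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 100_000)


def build_platform_tree(d):
    """Root, the three trees, the four platform roles and one resource branch with a policy leaf."""
    d.add(ROOT, objectClass="organization")
    for ou in ("User", "Role", "Policy"):
        d.add(f"ou={ou},{ROOT}", objectClass="organizationalUnit")
    for role in ("super-admin", "enterprise-admin", "department-admin", "employee"):
        d.add(f"cn={role},{ROLES}", objectClass="groupOfNames", member=[])
    d.add(f"cn=CRM,{POLICY}", objectClass="organizationalUnit")          # resource = branch
    d.add(f"cn=crm-users-read,cn=CRM,{POLICY}",                           # policy = leaf
          rule="GET", subject="employee", condition="ip=10.0.0.0/8")


def add_enterprise(d, ecode, departments):
    """A registered enterprise is a branch of the user tree; departments are sub-branches."""
    ent = d.add(f"o={ecode},{USERS}", objectClass="organization", ecode=ecode)
    for dept in departments:
        d.add(f"ou={dept},{ent}", objectClass="organizationalUnit")


def add_employee(d, ecode, dept, ucode, password, role="employee"):
    """An employee is a leaf; E-Code, U-Code and passwd are the three basic attributes."""
    dn = d.add(f"cn={ucode},ou={dept},o={ecode},{USERS}", objectClass="inetOrgPerson",
               ecode=ecode, ucode=ucode, passwd=hash_password(password))
    d.entries[f"cn={role},{ROLES}".lower()]["member"].append(dn)
    return dn


def authenticate(d, ecode, ucode, password):
    """Locate the leaf by enterprise account and user name, then verify the stored hash."""
    hits = d.search(f"o={ecode},{USERS}", ecode=ecode, ucode=ucode)
    if len(hits) != 1:
        return None
    stored = hits[0]["passwd"]
    if not hmac.compare_digest(hash_password(password, stored[:16]), stored):
        return None
    return hits[0]["dn"]


def roles_of(d, user_dn):
    """Roles are read from the role tree, never from the user entry itself."""
    return sorted(e["dn"].split(",")[0][3:] for e in d.subtree(ROLES) if user_dn in e.get("member", []))


def policies_for(d, resource):
    """The leaves under a resource branch of the permission tree."""
    return [e for e in d.subtree(f"cn={resource},{POLICY}") if "rule" in e]
```

Integrating a new application is then a matter of adding one branch under `ou=Policy` with its policy leaves, and onboarding an enterprise adds one branch under `ou=User`; neither touches the other trees. DN values containing commas would need escaping, which this model omits.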
2.4 Adapting existing systems to unified security authentication
To meet SMEs' informatization needs, the application service provider requires the ASP platform to integrate as many application system resources as possible, including general information systems such as office automation (OA) and customer relationship management (CRM) systems, and many professional application service resources, such as computer-aided design and manufacturing (CAD/CAM) systems for the manufacturing industry. Therefore the ASP platform usually integrates relatively mature products, some of which may not be adapted to the ASP business model. With unified security authentication technology this problem can be solved; the transformation of existing systems is very simple and has no impact on their operating performance.
An ASP platform based on unified security authentication makes the following changes to an application during integration. First, since user identity authentication is performed by the platform and the token of the single sign-on mechanism guarantees the legitimacy of platform users, the authentication module of the application system no longer needs to exist; the application accepts by default the user information passed by the platform, which can be delivered in several ways such as HTTP headers or URLs. Second, the user information in the application system must be consistent with the ASP platform's LDAP database, so a table for user information must be opened in the application's database, with the platform database serving as the authoritative data source. Third, the ASP platform stores only the basic information of users and does not hold their permissions within the application, so the application system must set the user's privileges in the application after accepting the user information received from the platform. Through the simple transformation of these three points, the application system achieves lightweight, flexible and easily extended integration with the ASP platform; no content of the application's core business layer is involved, and its operating performance remains entirely determined by the application system itself, unaffected by platform integration.
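The three changes above, written out as an added example that is not the paper's or any integrated product's code: the application drops its login form and accepts identity headers from the policy agent, mirrors the platform user into a local user table, and keeps application-level privileges in that table. Because the headers reach the application over HTTP, this example has the agent sign them with a secret shared only between agent and application and has the application refuse unsigned or altered headers; the shared secret, the header names, the SQLite table and the privilege levels are all assumptions of the example.

```python
import hashlib
import hmac
import sqlite3

# Assumption: the policy agent and the application share this secret so the application can
# tell agent-supplied identity headers from headers a client could have written itself.
AGENT_SECRET = b"constructed-shared-secret"
H_ECODE, H_UCODE, H_SIG = "X-ASP-ECode", "X-ASP-UCode", "X-ASP-Signature"   # assumed names


def sign(ecode, ucode):
    return hmac.new(AGENT_SECRET, f"{ecode}\0{ucode}".encode(), hashlib.sha256).hexdigest()


def agent_headers(ecode, ucode):
    """Headers the policy agent adds when forwarding an authenticated platform user."""
    return {H_ECODE: ecode, H_UCODE: ucode, H_SIG: sign(ecode, ucode)}


class Application:
    """An integrated application after the three changes of section 2.4."""

    # Application-level privilege each action needs: the application's own business.
    REQUIRED = {"view_customer": "viewer", "edit_customer": "manager", "delete_customer": "manager"}
    RANK = {"viewer": 1, "manager": 2}

    def __init__(self):
        self.db = sqlite3.connect(":memory:")
        # Second change: a local user table mirroring the platform's users. The platform is
        # authoritative for identity; this table only holds application-side privileges.
        self.db.execute("CREATE TABLE app_user (ecode TEXT, ucode TEXT, privilege TEXT, "
                        "PRIMARY KEY (ecode, ucode))")

    def accept_identity(self, headers):
        """First change: no login module. The identity passed by the platform is accepted,
        but only when the agent's signature shows the headers were set by the agent."""
        ecode, ucode, sig = headers.get(H_ECODE), headers.get(H_UCODE), headers.get(H_SIG)
        if not (ecode and ucode and sig):
            return None
        if not hmac.compare_digest(sig.encode(), sign(ecode, ucode).encode()):
            return None
        # A user seen for the first time is created with the lowest privilege.
        self.db.execute("INSERT OR IGNORE INTO app_user VALUES (?, ?, 'viewer')", (ecode, ucode))
        row = self.db.execute("SELECT privilege FROM app_user WHERE ecode=? AND ucode=?",
                              (ecode, ucode)).fetchone()
        return {"ecode": ecode, "ucode": ucode, "privilege": row[0]}

    def grant(self, ecode, ucode, privilege):
        """Third change: privileges inside the application are set by the application."""
        cur = self.db.execute("UPDATE app_user SET privilege=? WHERE ecode=? AND ucode=?",
                              (privilege, ecode, ucode))
        return cur.rowcount == 1

    def handle(self, headers, action):
        """Request entry point: 401 without a trusted identity, 403 without the privilege."""
        user = self.accept_identity(headers)
        if user is None:
            return 401
        need = self.REQUIRED.get(action)
        if need is None or self.RANK[user["privilege"]] < self.RANK[need]:
            return 403
        return 200
```

The signature check is what keeps the first change safe: without it, any client that can reach the application directly could supply the identity headers itself and bypass the platform's authentication entirely, so the application must never accept these headers from an unverified source.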
3 Implementation of the Ideal Business ASP platform security authentication system
Based on the basic theory of the ASP platform security authentication system described above, and with the support of the National 863 Fund Project, the Shanghai Telecom "Ideal Business" ASP platform has been officially launched. The platform integrates more than ten applications, such as office automation, customer relationship management, enterprise mailbox and instant messaging, and has developed thousands of enterprise users. The Ideal Business ASP platform security authentication system uses Sun's authentication server and directory server for unified user identity authentication and resource authorization. The Sun authentication server consists of four modules: access management, identity management, service management and delegated administration. The access management module includes single sign-on, policy management, identity authentication and log management; it is the core of the authentication product and the basis for implementing the single sign-on and access control schemes described above [7].
During the development of the Ideal Business ASP platform, the project team defined the basic structure of the LDAP directory tree in the Sun directory server: its root is o=idealbiz.com.cn, and the application resource node of customer relationship management, for example, is cn=CRM,ou=Policy,o=idealbiz.com.cn. The data model (schema) was extended according to the attributes of user information; for example, each enterprise user has three basic attributes: enterprise account (E-Code), user name (U-Code) and password (passwd). Policy agents were deployed in the application resources (such as the customer relationship management system); the policy agent passes platform user information to the application, and the application system's own authentication module was disabled. User roles and application resource access policies were customized, for example a customer relationship management user group role and a protection policy for CRM.IDEALBIZ.COM.CN. To guarantee the security and stable operation of the ASP platform, the project team used a structure of dual authentication servers and dual directory servers, as shown in Figure 5. The two authentication servers form a cluster, so that when one fails the other immediately takes over all user authentication and authorization work; both directory servers are configured as master directory servers and synchronize their data at scheduled times, and where necessary a slave directory server can be deployed in another secure environment to back up the data of the master directory server at scheduled times. In addition, to keep the user information of the application systems (such as the Oracle database of the customer relationship management system) synchronized with the master directory server, a meta directory server (Meta Directory Server) connects the LDAP server and the RDB server and converts between their data formats.
Figure 5 Structure of dual authentication servers and dual directory servers
4 Conclusion
Application system integration and security authentication systems based on the ASP model differ in many ways from traditional EAI and AAA, and bring many difficulties to ASP platform design and application integration. Owing to the uncertainty and diversity of applications, the platform must be flexible and easy to expand, so identity management and authorization management within security authentication must be controlled by a unified subsystem. With Sun's authentication server and LDAP directory server, single sign-on, access control and resource authorization under unified user management can be implemented easily. Of course, these products provide only a design foundation: their APIs must be used to extend the data model, policies and applications, and to meet the needs of a large number of users the tree structure of the directory server must also be designed so that the heaviest traffic is handled smoothly.
With the continued development of the ASP model and improvements in integration methods, authentication technology and authorization technology, the system will be continuously optimized and upgraded; platform integration technology will gradually develop from user interface integration towards business logic and business process integration, and the security authentication system will likewise be continuously optimized and improved.
References
[1] Zhou Nande. Study on ASP-based information technology with multiple tiers [J]. Computer Application Research, 2004, 4: 55-57 (in Chinese).
[2] Xiao Wanxian, Liu Jiangning. Research on model of enterprise data integration [J]. Computer Engineering and Science, 2004, 26(5): 49-51 (in Chinese).
[3] Chen Hongbing, Sun Xia. Study on single sign-on technology [J]. Computer Times, 2004, 5: 3-4 (in Chinese).
[4] Huang Kai, Chen Yun, Yan Ruzhong, et al. Research and application of role-based access control in B/S system [J]. Computer Engineering and Applications, 2003, 20: 227-229 (in Chinese).
[5] Zhang Jing, Tang Yiping. Realization of RBAC model based on LDAP and EJB [J]. Computer Applications, 2003, 23: 131-133 (in Chinese).
[6] Tang Jianping. Construction of fundamental information platform of enterprise based on the technology of LDAP [J]. Computer Applications, 2003, 11: 66-68 (in Chinese).
[7] Sun ONE Identity Server documentation (in English): http://docs.sun.com/app/docs/doc/817-5706