作　　者： (杨永群）; (章翔凌）; (黄勤龙）; (肖志恒）;

机构地区： 北京双洲科技有限公司,北京100101

出　　处： 《网络空间安全》 2017年第8期43-47,共5页

摘　　要： 针对现有Web应用访问控制的不足,在基于角色的访问控制模型基础上提出一种基于代理的Web应用安全管控方法。首先,根据用户访问控制的需求,以页面为单位划分Web应用的业务功能,构建角色-功能的访问控制模型,实现用户对Web应用功能的细粒度访问控制;其次,对Web应用安全管控系统的整体架构及各功能模块进行设计,通过代理的方式在Web应用前端部署管控系统,控制用户对Web应用系统的所有访问行为,阻止未授权用户的Web应用访问,并最大程度减少对现有Web应用系统的改动;最后,对系统进行了实现,结果表明系统能有效地实现电子政务等Web应用的安全管控。 Aiming at the shortcomings of access control models in current web systems, a web application security control framework based on proxy is proposed on the basic of role-based access control. Firstly,according to the requirements of user access control, the business functions of web application are divided by page, and a role-function access control model is built, which achieves fine-grained access control of web application functions. Secondly, we design the architecture of a web application security control system and its functional module, in which the control proxy is deployed in the front-end of web application, and it makes the access behavior of user to the web application functions is under control and the unauthorized access to the web application is blocked. In this way, it can minimize the changes to existing web applications. Finally, we implement the designed system and the result shows that the system can achieve effective security control of electronic government and other web applications.

关 键 词： 应用 应用代理 安全管控 访问控制