
CN1744599B - A Method of Authentication and Authorization of Fleet Management System Based on JAAS and AspectJ - Google Patents


Info

Publication number
CN1744599B
CN1744599B (application CN200510044822A)
Authority
CN
China
Prior art keywords
authorization
authentication
management system
logic
program
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Expired - Fee Related
Application number
CN 200510044822
Other languages
Chinese (zh)
Other versions
CN1744599A (en)
Inventor
李景山
邓必山
王守昊
董小社
伍卫国
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Xian Jiaotong University
IEIT Systems Co Ltd
Original Assignee
Langchao Electronic Information Industry Co Ltd
Xian Jiaotong University
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Langchao Electronic Information Industry Co Ltd and Xian Jiaotong University
Priority to CN 200510044822
Publication of CN1744599A
Application granted
Publication of CN1744599B
Expired - Fee Related
Anticipated expiration

Landscapes

  • Storage Device Security (AREA)

Abstract

The invention provides a method of authentication and authorization for a cluster management system based on JAAS and AspectJ programs. The JAAS program separates the authentication and authorization logic from the system program; the AspectJ compiler weaves the authorization logic into the general logic of the cluster management system; the JAAS configuration file then configures user login so that users are authenticated and authorized. Through the cooperation of JAAS and AspectJ the method realizes method-level and node-level authentication and authorization in the cluster, giving a flexible and convenient mechanism for specifying that different users may perform different operations on different nodes. The method separates the security logic from the management logic of the general cluster management system, allows authentication methods and authorization policies to be configured flexibly, lets the development of general management functions and of the security mechanism proceed independently, and solves the security problems of the management system software itself simply and efficiently.

Description

A method of cluster management system authentication and authorization based on JAAS and AspectJ
1. Technical field
The present invention relates to computer application technology, specifically to security techniques in cluster management, and in particular to a method of authentication and authorization for a cluster management system based on JAAS and AspectJ.
2. Background
A cluster is a set of computer systems (nodes) interconnected by a high-performance network or local area network to form a high-performance computer cluster system with a single system image, high availability, good scalability and a high performance-to-price ratio. Because of its advantages in availability and low price over traditional large computers, building supercomputers or superservers from clusters has become a popular trend. But a cluster system is loosely organized, its nodes are highly independent and its network connections are complex; as the number of nodes grows, administering and maintaining the cluster becomes more and more difficult, increasing the system's total cost of ownership.
To administer and maintain a cluster system, the popular approach at present is to build another layer of system software on top of the operating system of each node to manage the whole cluster; this is called cluster management software or a cluster management system. The cluster management system is part of the cluster system software and sits almost at the top layer of the system software; it manages the software and hardware of the whole cluster and provides services to the cluster's administrators and end users. A basic characteristic of a cluster system is that "the whole system presents to the user the image of a single system"; to realize this goal, cluster management should provide, on a single console, control over the whole process of planning, installation, configuration, monitoring, routine maintenance, startup and shutdown of the cluster. A cluster management system should provide a set of versatile, easy-to-use and extensible practical management tools that help the administrator monitor the operating state of the whole cluster and guarantee the efficient and stable operation of the cluster system.
Because the management system can manage the software and hardware resources of the whole cluster, while it brings convenience it also raises the system's security risk: without an administrative mechanism for user authentication and authorization, a user of the management system can operate on system resources at will, harming the security of the system. The management functions of a cluster are unusually rich, with up to hundreds of administration commands; in addition, according to user requirements, new management functions and new authentication methods may be added at any time, and the permissions of different users on different nodes may change. These flexibility requirements pose a great challenge for authentication and authorization in the management system.
3. Summary of the invention
In present cluster management, the authentication and authorization method is tightly coupled with the management functions: the development of management functions and of authentication and authorization are coupled together, so developers of management functions have to embed authentication and authorization logic in their own code; and because of the particularity of the independent nodes in a cluster, each administration command has different permission issues on different nodes. To address these problems, the present invention proposes a method of authentication and authorization in a cluster management system developed in the Java language, based on JAAS and AspectJ. The method uses the technical characteristics of JAAS and AspectJ so that, without embedding authentication and authorization code in ordinary administration commands, it can implement method-level and node-level authentication and access control, realizing loose coupling between the management system's business logic and its security logic, reducing the complexity of developing the management system and providing more flexible security.
The purpose of the present invention is to propose a method of authentication and authorization in a cluster management system based on JAAS (Java Authentication and Authorization Service) and AspectJ. The method uses the characteristics of JAAS and AspectJ so that, without embedding authentication and authorization code in ordinary administration commands, it can implement method-level and node-level authentication and access control, realizing loose coupling between the management system's business logic and its security logic.
The JAAS program and the AspectJ program cooperate to separate the authentication and authorization logic from the system program: the configuration file of the JAAS program configures the user authentication and authorization information, and the AspectJ compiler weaves the authorization logic into the general logic of the cluster management system so that users are authenticated and authorized. The method comprises the following steps:
A. The JAAS program assigns a different identifier to each node in the cluster system, and then distinguishes the accessed system resources by node as the unit;
B. The JAAS program sets up the user of the cluster management system as the entity distinguished for authentication, uniquely by user name, and authenticates the user through the software that calls the cluster management system;
C. Using the configurability of the JAAS user authentication information and authorization information, the changing user authentication and authorization logic is separated from the logic of the general management system;
D. Using the compilation technique of the AspectJ program, the authorization check is woven into the general business logic, and the node identifier, user name and name of the intercepted method are used to perform the permission check on the intercepted method.
The JAAS program can also use a node group composed of several nodes in the cluster system as the resource unit identifier for distinguishing resources.
The configuration file of the JAAS program is used to configure users for authentication and authorization when executing different management functions on different nodes, for example adding/deleting users, startup/shutdown and network configuration.
The JAAS program uses the user's login context, the node name and the method name to check the permissions of different users to perform different operations on different nodes, thereby authenticating and authorizing the user.
Using the configurability of the JAAS user authentication information and authorization information, the changing user authentication and authorization logic is separated from the logic of the general management system;
The configuration file of the JAAS program realizes the separation of multiple authentication methods and authorization policies from the general system program logic: the authentication and authorization logic is not written in the system program but in the configuration file; the system program reads the configuration file and performs the relevant authentication and authorization according to its requirements, removing the coupling between the system management logic and the various authentication and authorization logics.
The AspectJ program uses aspect-oriented programming technology to separate the concrete general system management logic from the security logic, separating the authentication and authorization logic from the concrete system management functions and removing the coupling between each concrete system management function and authentication/authorization.
Embodiment
In the method of the invention, the configuration file of the JAAS program realizes the separation of multiple authentication methods and authorization policies from the general system program logic: the authentication and authorization logic is not written in the system program but in the configuration file; the system program reads the configuration file and performs the relevant authentication and authorization according to its requirements, removing the coupling between the system management logic and the various authentication and authorization logics.
In the method of the invention, the AspectJ program uses aspect-oriented programming technology to separate the concrete general system management logic from the security logic, separating the authentication and authorization logic from the concrete system management functions and removing the coupling between each concrete system management function and authentication/authorization.
Example embodiment
1) In advance, assign a different identifier to each node in the cluster, which can be a machine name, IP address, etc.; denote it nodeName;
2) The user of the management system is uniquely distinguished in the cluster by user name; denote it userName;
3) Use the configurability of the JAAS user authentication information and authorization information to separate the changing user authentication and authorization logic from the logic of the general management system.
Using JAAS, flexible configuration of authentication and authorization is realized: authentication confirms whether the user is a valid user by checking the user's password; authorization confirms whether the user may perform the associated operation. The concrete configuration is as follows:
a) Configure the user authentication file. This file states the name of the LoginModule class used for login; that class performs the user authentication work. The file follows the JAAS configuration file format, for example:

    MySecurity {
        MyLoginModule required;
    };

This configuration file states that MyLoginModule is responsible for authenticating the user's identity; that class can use any method of authenticating users to check whether the user can be authenticated.
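The patent leaves the body of MyLoginModule open ("any method of authenticating users"). As an added illustration, not code from the patent, the following Java class shows what a LoginModule that fits the configuration above looks like: it collects the user name and password through the JAAS callback mechanism, verifies the password against a stored PBKDF2 hash, and on commit places a MyPrincipal (the principal class named in the patent's policy file) into the Subject so that Principal-based grants apply. The credential store, the salt and the iteration count are constructed for the example; a real module would consult the cluster's user store.

```java
import java.io.IOException;
import java.io.Serializable;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.Principal;
import java.security.spec.InvalidKeySpecException;
import java.util.Arrays;
import java.util.HashMap;
import java.util.Map;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.login.FailedLoginException;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;

/** Example LoginModule for the "MySecurity { MyLoginModule required; };" entry (assumed implementation). */
public class MyLoginModule implements LoginModule {

    /** Principal added to the Subject on success; the policy file grants by this class and getName(). */
    public static final class MyPrincipal implements Principal, Serializable {
        private final String name;
        public MyPrincipal(String name) { this.name = name; }
        @Override public String getName() { return name; }
        @Override public boolean equals(Object o) { return o instanceof MyPrincipal && ((MyPrincipal) o).name.equals(name); }
        @Override public int hashCode() { return name.hashCode(); }
        @Override public String toString() { return "MyPrincipal: " + name; }
    }

    // Constructed parameters for the example; a deployment would store a per-user random salt.
    private static final byte[] SALT = "example-salt-not-for-production".getBytes(StandardCharsets.UTF_8);
    private static final int ITERATIONS = 100_000;
    // Constructed credential store: user name -> PBKDF2-HMAC-SHA256 of the password.
    private static final Map<String, byte[]> USERS = new HashMap<>();
    static { USERS.put("User1", pbkdf2("example-password".toCharArray())); }

    private Subject subject;
    private CallbackHandler handler;
    private String userName;
    private boolean succeeded;
    private MyPrincipal principal;

    @Override
    public void initialize(Subject subject, CallbackHandler handler, Map<String, ?> sharedState, Map<String, ?> options) {
        this.subject = subject;
        this.handler = handler;
    }

    @Override
    public boolean login() throws LoginException {
        if (handler == null) throw new LoginException("no CallbackHandler available");
        NameCallback nc = new NameCallback("user name: ");
        PasswordCallback pc = new PasswordCallback("password: ", false);
        try {
            handler.handle(new Callback[] { nc, pc });
        } catch (IOException | UnsupportedCallbackException e) {
            throw new LoginException("callback failed: " + e);
        }
        char[] pw = pc.getPassword();
        pc.clearPassword();
        if (pw == null || pw.length == 0) throw new FailedLoginException("authentication failed");
        byte[] expected = USERS.get(nc.getName());
        byte[] actual = pbkdf2(pw);          // always computed, so unknown and wrong-password cases cost the same
        Arrays.fill(pw, '\0');                // do not keep the cleartext password around
        // MessageDigest.isEqual is a constant-time comparison; a missing user fails the same way.
        if (expected == null || !MessageDigest.isEqual(expected, actual)) {
            throw new FailedLoginException("authentication failed");
        }
        userName = nc.getName();
        succeeded = true;
        return true;
    }

    @Override
    public boolean commit() {
        if (!succeeded) return false;
        principal = new MyPrincipal(userName);
        subject.getPrincipals().add(principal);   // this is what the policy's "grant Principal MyPrincipal ..." matches
        return true;
    }

    @Override
    public boolean abort() { succeeded = false; userName = null; return true; }

    @Override
    public boolean logout() {
        if (principal != null) subject.getPrincipals().remove(principal);
        principal = null; succeeded = false; userName = null;
        return true;
    }

    private static byte[] pbkdf2(char[] password) {
        PBEKeySpec spec = new PBEKeySpec(password, SALT, ITERATIONS, 256);
        try {
            return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256").generateSecret(spec).getEncoded();
        } catch (NoSuchAlgorithmException | InvalidKeySpecException e) {
            throw new IllegalStateException(e);
        } finally {
            spec.clearPassword();
        }
    }
}
```

The login configuration must name this class by its fully qualified name, and the policy file's `grant Principal ...` clause must name the principal class the same way (here the nested class `MyLoginModule$MyPrincipal`); a mismatch in either place silently produces a Subject with no matching principal, so every later authorization check fails closed.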
b) Configure the user operation permission file, in the following form:

    grant Principal MyPrincipal "User1" {
        permission NodePermission "nodeName1";
        permission NodePermission "nodeName2";
        permission MethodPermission "void shutDown(String,LoginContext)";
        permission MethodPermission "void addUser(String,LoginContext)";
    };

This file uses the policy file provided by JAAS to achieve the goal that a given user (e.g. User1) performs a given operation (e.g. shutDown) on a given node (e.g. nodeName1). The policy file above defines that user User1 can execute shutDown (the shutdown command) on nodeName1 and nodeName2. In shutDown(String, LoginContext), the parameter of type String is the name of the node, e.g. nodeName1, and the parameter of type LoginContext is the login context of the logged-in user, used to hold the user's identity information.
4) Use an AspectJ aspect definition and the AspectJ compiler to separate the authentication and authorization logic from the ordinary management system logic. The concrete steps are as follows:
a) Define the pointcut MyAuthorization; this MyAuthorization is defined as

    import javax.security.auth.Subject;
    import javax.security.auth.login.LoginContext;

    public aspect MyAuthorization {
        // Pointcut definition: node is the name of the node being operated on,
        // lc is the user's login context, used to identify the user
        pointcut Authorization(String node, LoginContext lc):
            args(node, lc) && execution(* *(..));

        // The following program segment runs before the intercepted method executes:
        before(String node, LoginContext lc): Authorization(node, lc) {
            // Obtain the name of the intercepted method
            String methodName = thisJoinPointStaticPart.getSignature().toString();
            // Perform the permission check from the user's login context, node name and method name:
            Subject.doAsPrivileged(lc.getSubject(),
                    new AuthPrivilegedAction(node, methodName), null);
        }
    }

In the code sample above, the code at pointcut Authorization defines the intercepted methods, and before(String node, LoginContext lc) defines that, before an intercepted method executes, the Subject.doAsPrivileged action is performed, which verifies from the user, the node and the method name whether the user may execute this method.
b) Compile this MyAuthorization together with the relevant general business logic classes using the AspectJ compiler, so that the authentication logic is woven into the general business logic.
Using the crosscutting technique of AspectJ, through steps a and b, we do not have to embed authorization code such as Subject.doAsPrivileged(lc.getSubject(), new AuthPrivilegedAction(node, methodName)) in the concrete business logic, for instance in the shutDown method; by defining the aspect MyAuthorization we can indicate the names of the methods to intercept, and use the AspectJ compiler to weave the authorization logic into the methods that must execute it.
The precondition is that the parameters of the woven method must include a node name of type String, used to pass in the node name and check whether there is permission to execute the method on that node, and a parameter of type LoginContext, used to pass the context of the user's login to the authorization check function.
As can be seen from the technical scheme of the invention, the invention uses JAAS and AspectJ technology to realize an authentication and authorization method for a cluster management system. The method uses JAAS to realize flexible configuration of method-level and node-level authentication and authorization security, and AspectJ to realize loose coupling between the general management logic and the security logic, so that authorization checks can be conveniently added to general management methods; it solves the authentication and authorization problem of the cluster management system itself well.
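The aspect above delegates the actual check to AuthPrivilegedAction, and the policy file names two permission classes, NodePermission and MethodPermission, none of which the patent spells out. As an added illustration, not the patent's own code, here is the Java side that completes the scheme under my assumptions: the two permission classes are plain BasicPermission subclasses, AuthPrivilegedAction checks both permissions inside the Subject-bound access-control context that Subject.doAsPrivileged establishes, and ClusterManager (an assumed name) is management logic with no security code at all whose methods satisfy the (String node, LoginContext lc) precondition the pointcut relies on.

```java
import java.security.AccessController;
import java.security.BasicPermission;
import java.security.PrivilegedAction;
import javax.security.auth.login.LoginContext;

/** Assumed supporting classes for the MyAuthorization aspect (example, not from the patent). */
public class ClusterAuthz {

    /** Right to operate on one cluster node; the permission name is the nodeName. */
    public static final class NodePermission extends BasicPermission {
        public NodePermission(String nodeName) { super(nodeName); }
    }

    /** Right to invoke one management method; the name is the method signature string. */
    public static final class MethodPermission extends BasicPermission {
        public MethodPermission(String methodSignature) { super(methodSignature); }
    }

    /**
     * The check the aspect's before-advice runs via Subject.doAsPrivileged(subject, action, null).
     * Inside doAsPrivileged the caller's Subject, and hence its MyPrincipal, is bound to the
     * access-control context, so the "grant Principal MyPrincipal ..." entries in the JAAS
     * policy file decide whether each permission is implied.
     */
    public static final class AuthPrivilegedAction implements PrivilegedAction<Void> {
        private final String node;
        private final String methodName;

        public AuthPrivilegedAction(String node, String methodName) {
            this.node = node;
            this.methodName = methodName;
        }

        @Override
        public Void run() {
            // Both checks must pass: the user may act on this node AND may call this method.
            // A missing grant makes checkPermission throw AccessControlException (a
            // SecurityException), which propagates out of the advice and prevents the
            // advised method body from ever running: the check fails closed.
            AccessController.checkPermission(new NodePermission(node));
            AccessController.checkPermission(new MethodPermission(methodName));
            return null;
        }
    }

    /**
     * Management logic with no authentication or authorization code. The pointcut
     * "args(node, lc) && execution(* *(..))" matches these methods purely because of
     * their (String, LoginContext) parameter list, which is the stated precondition.
     */
    public static final class ClusterManager {
        public void shutDown(String node, LoginContext lc) {
            System.out.println("shutting down node " + node);
        }

        public void addUser(String node, LoginContext lc) {
            System.out.println("adding user on node " + node);
        }
    }
}
```

Two things a practitioner should verify when wiring this up. First, the policy file must reference the permission classes by fully qualified name (for these nested classes, `ClusterAuthz$NodePermission` and `ClusterAuthz$MethodPermission`), and the JVM must be started with `-Djava.security.auth.login.config=` and `-Djava.security.policy=` pointing at the two files. Second, the string the aspect computes with `getSignature().toString()` normally includes the declaring type and AspectJ's own spacing, so it will not literally equal the short form `"void shutDown(String,LoginContext)"` shown in the patent's policy; log the value once and put exactly that string in the `MethodPermission` grant, otherwise every method check is denied. The JAAS/AccessController authorization stack this scheme builds on dates from the JDK of 2005 and is deprecated in current JDKs, so the example targets a pre-17 runtime.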

Claims (5)

1. A method of authentication and authorization for a cluster management system based on JAAS and AspectJ programs, characterized in that the cluster management system separates the authentication and authorization logic from the system program through the cooperation of a JAAS program and an AspectJ program, uses the configuration file of the JAAS program to configure user authentication and authorization information, and uses the AspectJ compiler to weave the authorization logic into the general logic of the cluster management system so that users are authenticated and authorized, the method comprising the following steps:
A. the cluster management system runs the JAAS program to assign a different identifier to each node in the cluster management system, and then distinguishes the accessed system resources by node as the unit;
B. the cluster management system runs the JAAS program to set up the user of the cluster management system as the entity distinguished for authentication, uniquely by user name, and authenticates the user through the software that calls the cluster management system;
C. the cluster management system uses the configuration file of the JAAS program to separate multiple authentication methods and authorization policies from the cluster management system program logic, that is, the authentication and authorization logic is not written in the system program but in the configuration file; the system program reads the configuration file and performs the relevant authentication and authorization according to its requirements, removing the coupling between the system management logic and the various authentication and authorization logics;
D. the cluster management system uses the compilation technique of the AspectJ program to weave the authorization check into the general business logic, and uses the node identifier, user name and name of the intercepted method to perform the permission check on the intercepted method.
2. The authentication and authorization method of claim 1, characterized in that the cluster management system running the JAAS program can also use a node group composed of several nodes in the cluster management system as the resource unit identifier for distinguishing resources.
3. The authentication and authorization method of claim 1, characterized in that the cluster management system uses the configuration file of the JAAS program to configure users to execute different management functions on different nodes, so that users are authenticated and authorized.
4. The authentication and authorization method of claim 1, characterized in that the cluster management system running the JAAS program uses the user's login context, the node name and the method name to check the permissions of different users to perform different operations on different nodes, so that users are authenticated and authorized.
5. The authentication and authorization method of claim 1, characterized in that the cluster management system runs the AspectJ program, which uses aspect-oriented programming technology to separate the concrete cluster management system management logic from the security logic, separating the authentication and authorization logic from the concrete system management functions and removing the coupling between each concrete system management function and authentication/authorization.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN 200510044822 CN1744599B (en) 2005-09-27 2005-09-27 A Method of Authentication and Authorization of Fleet Management System Based on JAAS and AspectJ

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN 200510044822 CN1744599B (en) 2005-09-27 2005-09-27 A Method of Authentication and Authorization of Fleet Management System Based on JAAS and AspectJ

Publications (2)

Publication Number Publication Date
CN1744599A CN1744599A (en) 2006-03-08
CN1744599B true CN1744599B (en) 2010-04-28

Family

ID=36139793

Family Applications (1)

Application Number Title Priority Date Filing Date
CN 200510044822 Expired - Fee Related CN1744599B (en) 2005-09-27 2005-09-27 A Method of Authentication and Authorization of Fleet Management System Based on JAAS and AspectJ

Country Status (1)

Country Link
CN (1) CN1744599B (en)

Families Citing this family (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN100409626C (en) * 2006-10-09 2008-08-06 西安交通大学 Alarm method in large-scale cluster management monitoring system based on AOP technology
CN103841117B (en) * 2014-03-21 2017-06-06 北京京东尚科信息技术有限公司 A kind of JAAS login methods and server based on Cookie mechanism

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2001091033A2 (en) * 2000-05-24 2001-11-29 Sun Microsystems, Inc. Security architecture for integration of enterprise information system with j2ee platform
CN1417683A (en) * 2001-11-07 2003-05-14 华为技术有限公司 Abnormal logic business simulating test device
US20040168060A1 (en) * 2003-02-24 2004-08-26 Paul Patrick System and method for authenticating a subject
US20050149719A1 (en) * 2003-12-29 2005-07-07 Kilroy John F. Method and system for providing an authorization framework for applications

Non-Patent Citations (8)

* Cited by examiner, † Cited by third party
Title
王砚霖, 王世耆. Aspect-oriented programming and AspectJ (1). 电脑编程技巧与维护 (Computer Programming Skills & Maintenance), 2004(11): 54-60. *
王砚霖, 王世耆. Aspect-oriented programming and AspectJ (2). 电脑编程技巧与维护 (Computer Programming Skills & Maintenance), 2004(12): 47-51. *
邓阿群, 厉小军, 俞欢军, 胡上序. Research on AOP, a new software design method. 系统工程与电子技术 (Systems Engineering and Electronics), 2004(7): 970-974. *
高月, 吕国斌, 梁本亮. Research on Java security applications based on JAAS. 计算机系统应用 (Computer Systems & Applications), 2005(1): 68-70. *

Also Published As

Publication number Publication date
CN1744599A (en) 2006-03-08


Legal Events

Code Title
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20100428

Termination date: 20160927