Application of the security system of Java EE


1. Because the office information handled by the electronic platform is sensitive, and because the network is virtual and open, the electronic platform system must provide strong security for user access, the network, the system itself, the application, and the database and transaction manager. The system uses the Java EE framework to meet these needs: part of the security work is handed to the container, and the application programmer can implement the remaining security functions.

2. Overall design of the scheme

1. User access security

User access security covers not only Web access but also other types of access, such as Electronic Data Interchange (EDI); in the electronic platform system the other access type used is mainly Web services. To ensure the security of user access we consider the following aspects:

• Define the authentication method: this includes CA certificate verification and the system's own basic authentication.

• Define security roles: create different roles for different kinds of user so that the permissions of the different roles are not confused.

• Define security role references for individual servlets/JSPs: define a security role reference for those servlets/JSPs that are more specialised or require higher security.

1) Web access

Configure the Web system used by the electronic platform as a secure Web system that uses the HTTPS protocol, so that the confidentiality and integrity of the transmitted information are guaranteed whenever users are required to present a digital certificate. The user information (such as the name) obtained from the digital certificate the user submits serves as the basis for registration and login in the system, which ensures that business transactions are legitimate and non-repudiable. At the same time, the HTTPS protocol isolates the Web application from unauthorized access.

2) Web service

This part of the content is tentative.

2. Network security

Network security mainly means ensuring confidentiality and information integrity. For this we adopted a centralized authentication login mode that separates users who hold a certificate from users who do not, thereby securing the network. The following is a network view of the centralized authentication mode; the CA server in it is the server of a third-party CA certification authority.

Centralized authentication network diagram

3. System security

System security is primarily the authentication of users when they log on to the system.

4. Application Security

Security is provided by the Java EE application. Because the electronic platform system and the centralized authentication system are independent of each other, it is enough to provide Java-related security inside the electronic platform to guarantee the security of the whole system. Java EE application security is role-based: during development we define an application's security policy by assigning protected resources and methods to specific security roles, and during application assembly the security roles are mapped to real users and groups. This two-stage security management gives applications great flexibility and portability, and the Java EE container is responsible for enforcing access control on those resources and methods at runtime. The Java EE container supports two types of security:

• Declarative ("descriptive") security

• Programmatic security

This system uses declarative security, which means that the security policy is defined in the deployment descriptor rather than in application code. There are two reasons for this: first, it reduces the amount of coding; second, roles can be changed according to the customer's requirements without changing the code. Below we discuss the Web module and the EJB module.

1) Declarative security of the Web module

As discussed above under "User access security", to ensure user access security we designed three aspects: defining an authentication method, defining security roles, and defining security role references for individual servlets/JSPs. The Web module's declarative security implements two of these requirements, "define security roles" and "define security role references for individual servlets/JSPs". For ease of discussion we treat the requirements separately.

The roles defined are as follows (display name, then role name):

General public user: Everyone

Enterprise user: Enterprise

QC user: organ

City Supervision Bureau: City_Surveillance

Provincial Supervision Bureau: Province_Surveillance

State Supervision Bureau: Country_Surveillance

Platform administrator: Plat_manager

(A) Define the authentication method:

(B) Define security roles:

(C) Define security constraints:

(D) Define security role references for individual servlets/JSPs (optional):

2) Declarative security of the EJB module

EJBs are the Java components that execute an application's business logic, and they are typically used to access sensitive data, so it is important to assign appropriate security policies to them.

Access control applies to individual session and entity bean methods, so that only callers belonging to a particular security role can invoke them. Session, entity, and message-driven bean methods run either under the caller's identity as seen by the EJB server or under a specific security role; the latter is called a delegation policy, or run-as mode mapping (running as someone else). The following is mainly the procedure for setting security on the EJB module of our electronic platform in WSAD.

(A) Define security roles

(B) Assign method permissions

(C) Manage delegation policies

(D) Bean-level delegation

(E) Method-level delegation

(F) Define security role references (optional)
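In the EJB module the same steps are expressed in ejb-jar.xml. The descriptor below is an added example for this page, not the project's own; the role names are the page's, while the bean names, classes, and method names are assumed. It covers (A), (B), (D) and (F); (C) is the choice between use-caller-identity and run-as shown on each bean. Method-level delegation (E) is not expressible in the standard descriptor, which sets run-as per bean; in WSAD/WebSphere it lives in a separate extension descriptor and is not shown here.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE ejb-jar PUBLIC "-//Sun Microsystems, Inc.//DTD Enterprise JavaBeans 2.0//EN"
  "http://java.sun.com/dtd/ejb-jar_2_0.dtd">
<ejb-jar>
  <enterprise-beans>
    <!-- Hypothetical stateless session bean; class names are assumed. -->
    <session>
      <ejb-name>ApprovalService</ejb-name>
      <home>platform.ejb.ApprovalServiceHome</home>
      <remote>platform.ejb.ApprovalService</remote>
      <ejb-class>platform.ejb.ApprovalServiceBean</ejb-class>
      <session-type>Stateless</session-type>
      <transaction-type>Container</transaction-type>
      <!-- (F) Security role reference: the bean code calls
           ctx.isCallerInRole("approver"); role-link binds that coded
           name to the real role. -->
      <security-role-ref>
        <role-name>approver</role-name>
        <role-link>City_Surveillance</role-link>
      </security-role-ref>
      <!-- (C)/(D) Bean-level delegation: calls this bean makes to other
           beans run as Plat_manager rather than as the caller. This is
           acceptable only because every method of this bean is itself
           restricted below; a run-as role on a bean that any user may
           call would let that user act as the platform administrator. -->
      <security-identity>
        <run-as>
          <role-name>Plat_manager</role-name>
        </run-as>
      </security-identity>
    </session>

    <!-- Hypothetical CMP entity bean holding an enterprise's record. -->
    <entity>
      <ejb-name>EnterpriseRecord</ejb-name>
      <home>platform.ejb.EnterpriseRecordHome</home>
      <remote>platform.ejb.EnterpriseRecord</remote>
      <ejb-class>platform.ejb.EnterpriseRecordBean</ejb-class>
      <persistence-type>Container</persistence-type>
      <prim-key-class>java.lang.String</prim-key-class>
      <reentrant>False</reentrant>
      <cmp-version>2.x</cmp-version>
      <abstract-schema-name>EnterpriseRecord</abstract-schema-name>
      <cmp-field><field-name>enterpriseId</field-name></cmp-field>
      <cmp-field><field-name>status</field-name></cmp-field>
      <primkey-field>enterpriseId</primkey-field>
      <!-- (C) Default policy made explicit: run under the caller's identity. -->
      <security-identity>
        <use-caller-identity/>
      </security-identity>
    </entity>
  </enterprise-beans>

  <assembly-descriptor>
    <!-- (A) Security roles (the page's names) -->
    <security-role><role-name>Enterprise</role-name></security-role>
    <security-role><role-name>City_Surveillance</role-name></security-role>
    <security-role><role-name>Plat_manager</role-name></security-role>

    <!-- (B) Method permissions: only the listed roles may invoke the
         listed methods. A method covered by no method-permission falls
         back to the container's default, so list every exposed method. -->
    <method-permission>
      <role-name>Enterprise</role-name>
      <method>
        <ejb-name>EnterpriseRecord</ejb-name>
        <method-name>getStatus</method-name>
      </method>
    </method-permission>
    <method-permission>
      <role-name>Plat_manager</role-name>
      <method>
        <ejb-name>EnterpriseRecord</ejb-name>
        <method-name>setStatus</method-name>
      </method>
    </method-permission>
    <method-permission>
      <role-name>City_Surveillance</role-name>
      <role-name>Plat_manager</role-name>
      <method>
        <ejb-name>ApprovalService</ejb-name>
        <method-name>*</method-name>
      </method>
    </method-permission>

    <!-- Methods no client may call, whatever the role mapping -->
    <exclude-list>
      <method>
        <ejb-name>EnterpriseRecord</ejb-name>
        <method-name>remove</method-name>
      </method>
    </exclude-list>
  </assembly-descriptor>
</ejb-jar>
```

Read together, the two permissions show why delegation is needed: a City_Surveillance user may call ApprovalService, but only Plat_manager may call EnterpriseRecord.setStatus, so ApprovalService runs as Plat_manager to update the record on the user's behalf. The run-as role is therefore a privilege boundary, and the review question for every bean with a run-as is whether all of its own methods are restricted at least as tightly as the methods it reaches.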

5. Security of the database and transaction manager

Not completed.

3. The system's secure login process

1. The process of centralized authentication and login

2. Advantages of centralized authentication over ordinary authentication

4. Points to note during system development

Front end: separate users into their respective modules, for example Enterprise and organ, defining further modules if necessary; then document them well so that the Web module can be deployed with declarative security. For the specific coding conventions, refer to the relevant documentation.

Back end: put the operations of the different kinds of user into their respective modules, for example Enterprise and organ, each module preferably with its own independent entity beans, defining further modules if necessary; then document them well so that the EJB module can be deployed with declarative security. (For the EJB development conventions and the JNDI naming conventions, refer to the two documents "EJB Development Specification" and "JNDI Naming Convention".)

5. Summary

The content on database and transaction manager security still needs to be supplemented.


