Computer Science ›› 2018, Vol. 45 ›› Issue (9): 224-229. doi: 10.11896/j.issn.1002-137X.2018.09.037
HAN Dao-jun (韩道军)1,2, YUAN Wan-li (原万里)2, DUAN Xiao-yu (段晓宇)2, ZHANG Lei (张磊)2
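Abstract: The description and enforcement of access control policies is an important means of protecting information system resources, and it affects the operational running of the system. To address the currently low evaluation efficiency, researchers have proposed evaluation methods based on strategies such as attribute caching and reordering. These methods improve policy evaluation efficiency, but they have not yet solved the problem that policy evaluation must traverse all relevant rules. To address this problem, building on an analysis of the descriptive characteristics of XACML (eXtensible Access Control Markup Language), this paper uses an attribute AND-OR matrix and type analysis to propose an XACML policy query method that reduces the number of rule matches performed during policy evaluation. The method modifies the processing flow of the existing Context Handler by adding a preprocessing step for access control rule matching. In this step, the discrimination degree of each rule attribute is computed, and the discrimination degree and the attribute AND-OR matrix are used to filter out rules that are irrelevant to the current access control request. The filtered rule set is then matched, which improves policy evaluation efficiency. Finally, experiments verify the effectiveness of the proposed method.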