SDBatis:基于MyBatis和CBAC的数据库应用访问控制  被引量：11

作　　者：叶茂林 余发江[1] YE Maolin;YU Fajiang(Key Laboratory of Aerospace Information Security and Trusted Computing,Ministry of Education,School of Cyber Science and Engineering,Wuhan University,Wuhan 430072,Hubei,China)

机构地区：[1]空天信息安全与可信计算教育部重点实验室武汉大学国家网络安全学院,湖北武汉430072

出　　处：《武汉大学学报（理学版）》2022年第1期57-64,共8页Journal of Wuhan University:Natural Science Edition

基　　金：国家自然科学基金(61772384)。

摘　　要：大部分应用都以数据库作为数据保存的工具,由于应用的日益复杂,现有的访问控制机制存在安全性不高、开发繁琐,难以维护等问题。为此,本文提出一种新访问控制系统SDBatis。SDBatis以CBAC(Context-Based Access Control,基于上下文的访问控制)作为访问控制模型,使用MyBatis插件开发,定义了SDBatis中的访问控制策略。在保证访问控制功能模块独立的前提下,只需在持久层制定访问控制策略、配置获取当前应用用户上下文属性就能够完成访问控制工作;SDBatis支持基于上下文的访问控制和对数据库的行级访问控制。本文实现了SDBatis的一个原型,并对SDBatis进行了测试。测试结果表明,SDBatis降低了访问控制开发的成本,能适应动态变化的访问环境,保证数据库内数据的安全,且增加的访问控制时间在可接受范围内。Most applications used database as a tool for data storage.Due to the increasing complexity of applications,there were some problems in current access control system,such as low security,cumbersome development and difficult maintenance.Therefore,this paper proposed a new access control system:SDBatis.SDBatis took CBAC(context based access control)as the access control model,developed by using MyBatis plug-in,and defined the access control policy.Under the premise of ensuring the independence of the access control function module,the access control work could be completed only by formulating the access control policy in the persistence layer,configuring ways of obtaining the context attributes of the current application user,SDBatis supported context based access control and row level access control to the database.This paper implemented a prototype of SDBatis and made a test.The test results show that SDBatis reduces the cost of access control development,can adapt to the dynamic access environment,ensure the security of data in the database,and increased access control time is in an acceptable range.

关 键 词：访问控制 数据库 MyBatis CBAC(context-based access control) 

分 类 号：TP393.08[自动化与计算机技术—计算机应用技术]