Computer Engineering and Applications ›› 2013, Vol. 49 ›› Issue (16): 107-112.

• Network, Communication and Security •

Design and implementation of a SAML-based communication model between PEP and PDP

LI Yunpeng, LI Jingfeng

  1. PLA Information Engineering University, Zhengzhou 450004
  • Online: 2013-08-15 Published: 2013-08-15

Communication model design and implementation between PEP and PDP based on SAML

LI Yunpeng, LI Jingfeng

  1. PLA Information Engineering University, Zhengzhou 450004, China
  • Online: 2013-08-15 Published: 2013-08-15

Abstract: To address the problem of transmitting authorization requests and responses between the entities of the XACML access control model, this paper proposes a flexible and extensible communication model between the policy enforcement point (PEP) and the policy decision point (PDP). Following the OASIS extension of the SAML specification, the SAML processing module in the model encapsulates XACML authorization requests and responses as SAML authorization requests and responses, and the PEP-WS and PDP-WS modules of the model, implemented on the Spring Web Services framework, transmit those SAML authorization requests and responses. The model makes the transmission of XACML authorization requests and responses transparent, integrates PEPs and PDPs with differing implementations, and improves the flexibility and extensibility of XACML access control model deployment.

Keywords: eXtensible Access Control Markup Language (XACML), policy enforcement point (PEP), policy decision point (PDP)

Abstract: To address the problem of transmitting authorization requests and responses between the entities of the XACML access control model, this paper proposes a flexible, scalable communication model between PEP and PDP. Following the OASIS extension of the SAML specification, XACML authorization requests and responses are packaged as SAML authorization requests and responses. The Spring Web Services framework is used to implement the PEP-WS and PDP-WS modules, which are responsible for transmitting the SAML authorization requests and responses. The model is designed to make the transmission of authorization requests and responses transparent, to integrate PEPs and PDPs with differing implementations, and to enhance the flexibility and scalability of XACML access control model deployment.

Key words: eXtensible Access Control Markup Language (XACML), policy enforcement point, policy decision point
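The abstract describes two steps on the PEP side: a SAML processing module that wraps an XACML request in a SAML authorization query and unwraps the SAML authorization response, and a PEP-WS module that ships the query to the PDP-WS. The following is an added illustration of that exchange written for this page; it is not code from the paper. It uses the message shapes of the OASIS SAML 2.0 profile of XACML (an XACMLAuthzDecisionQuery carrying an xacml-context:Request, answered by a samlp:Response whose Assertion holds an XACMLAuthzDecisionStatement). The two profile namespace URIs are written from memory and should be checked against the profile schema you deploy; the PDP (toy_pdp), its one-line policy, the issuer names and the sample request values are all constructed here, and a direct function call stands in for the Spring WS transport between PEP-WS and PDP-WS.

```python
"""Added example: PEP-side wrapping/unwrapping of XACML decisions in SAML,
with a constructed PDP-WS stand-in so the round trip runs offline."""
import uuid
import xml.etree.ElementTree as ET
from datetime import datetime, timezone
from typing import Callable, Tuple

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
XACML_CTX = "urn:oasis:names:tc:xacml:2.0:context:schema:os"
# Namespaces of the OASIS SAML 2.0 profile of XACML 2.0 as recalled here.
# Assumption: verify them against the profile schema of your XACML version.
XACML_SAMLP = "urn:oasis:xacml:2.0:saml:protocol:schema:os"
XACML_SAML = "urn:oasis:xacml:2.0:saml:assertion:schema:os"
SAML_SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
ACTION_ID = "urn:oasis:names:tc:xacml:1.0:action:action-id"

for _prefix, _uri in [("samlp", SAMLP), ("saml", SAML), ("xacml-context", XACML_CTX),
                      ("xacml-samlp", XACML_SAMLP), ("xacml-saml", XACML_SAML)]:
    ET.register_namespace(_prefix, _uri)


def _now() -> str:
    return datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def make_request(subject: str, resource: str, action: str) -> str:
    """Constructed sample xacml-context:Request, one string attribute per category."""
    parts = []
    for section, value in (("Subject", subject), ("Resource", resource), ("Action", action)):
        cat = section.lower()
        parts.append(
            f'<{section}><Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:{cat}:{cat}-id" '
            f'DataType="http://www.w3.org/2001/XMLSchema#string">'
            f'<AttributeValue>{value}</AttributeValue></Attribute></{section}>')
    return f'<Request xmlns="{XACML_CTX}">{"".join(parts)}<Environment/></Request>'


def wrap_request(xacml_request: str, issuer: str) -> Tuple[str, bytes]:
    """SAML processing step on the PEP side: put the XACML Request inside an
    XACMLAuthzDecisionQuery and return (query ID, serialized query)."""
    req = ET.fromstring(xacml_request)
    if req.tag != f"{{{XACML_CTX}}}Request":
        raise ValueError("expected an xacml-context:Request as the root element")
    qid = "_" + uuid.uuid4().hex
    query = ET.Element(f"{{{XACML_SAMLP}}}XACMLAuthzDecisionQuery", {
        "ID": qid, "Version": "2.0", "IssueInstant": _now(),
        "InputContextOnly": "true",  # PDP may use only the attributes we supplied
        "ReturnContext": "false",    # do not echo the Request back in the reply
    })
    ET.SubElement(query, f"{{{SAML}}}Issuer").text = issuer
    query.append(req)
    return qid, ET.tostring(query, encoding="utf-8")


def toy_pdp(query_xml: bytes) -> bytes:
    """Constructed stand-in for the PDP-WS: unwraps the query, applies a toy
    policy (only the action 'read' is permitted) and wraps the resulting
    xacml-context:Response in a samlp:Response / XACMLAuthzDecisionStatement."""
    query = ET.fromstring(query_xml)
    req = query.find(f"{{{XACML_CTX}}}Request")
    action = None if req is None else req.findtext(
        f"{{{XACML_CTX}}}Action/{{{XACML_CTX}}}Attribute[@AttributeId='{ACTION_ID}']"
        f"/{{{XACML_CTX}}}AttributeValue")
    decision = "Permit" if action == "read" else "Deny"
    resp = ET.Element(f"{{{SAMLP}}}Response", {
        "ID": "_" + uuid.uuid4().hex, "Version": "2.0", "IssueInstant": _now(),
        "InResponseTo": query.get("ID", "")})
    ET.SubElement(ET.SubElement(resp, f"{{{SAMLP}}}Status"),
                  f"{{{SAMLP}}}StatusCode", {"Value": SAML_SUCCESS})
    assertion = ET.SubElement(resp, f"{{{SAML}}}Assertion", {
        "ID": "_" + uuid.uuid4().hex, "Version": "2.0", "IssueInstant": _now()})
    ET.SubElement(assertion, f"{{{SAML}}}Issuer").text = "pdp-ws"
    stmt = ET.SubElement(assertion, f"{{{XACML_SAML}}}XACMLAuthzDecisionStatement")
    result = ET.SubElement(ET.SubElement(stmt, f"{{{XACML_CTX}}}Response"),
                           f"{{{XACML_CTX}}}Result")
    ET.SubElement(result, f"{{{XACML_CTX}}}Decision").text = decision
    ET.SubElement(ET.SubElement(result, f"{{{XACML_CTX}}}Status"),
                  f"{{{XACML_CTX}}}StatusCode",
                  {"Value": "urn:oasis:names:tc:xacml:1.0:status:ok"})
    return ET.tostring(resp, encoding="utf-8")


def unwrap_response(saml_response: bytes, expected_id: str) -> str:
    """SAML processing step on the PEP side: check the envelope and return the
    XACML Decision string. Every check failing raises, so the PEP falls back to deny."""
    resp = ET.fromstring(saml_response)
    if resp.tag != f"{{{SAMLP}}}Response":
        raise ValueError("not a samlp:Response")
    if resp.get("InResponseTo") != expected_id:
        raise ValueError("InResponseTo does not match the query that was sent")
    code = resp.find(f"{{{SAMLP}}}Status/{{{SAMLP}}}StatusCode")
    if code is None or code.get("Value") != SAML_SUCCESS:
        raise ValueError("SAML status is not Success")
    results = resp.findall(
        f"{{{SAML}}}Assertion/{{{XACML_SAML}}}XACMLAuthzDecisionStatement"
        f"/{{{XACML_CTX}}}Response/{{{XACML_CTX}}}Result")
    if len(results) != 1:
        raise ValueError(f"expected exactly one Result, got {len(results)}")
    decision = results[0].findtext(f"{{{XACML_CTX}}}Decision")
    if decision not in ("Permit", "Deny", "Indeterminate", "NotApplicable"):
        raise ValueError(f"unknown decision {decision!r}")
    return decision


def pep_authorize(xacml_request: str,
                  transport: Callable[[bytes], bytes] = toy_pdp) -> bool:
    """PEP-WS round trip. `transport` stands in for the Spring WS call to the
    PDP-WS; anything other than an explicit Permit is enforced as deny."""
    qid, query = wrap_request(xacml_request, issuer="pep-ws")
    reply = transport(query)
    return unwrap_response(reply, expected_id=qid) == "Permit"


if __name__ == "__main__":
    print(pep_authorize(make_request("alice", "/reports/q1.pdf", "read")))   # True
    print(pep_authorize(make_request("alice", "/reports/q1.pdf", "write")))  # False
```

The transparency the abstract claims is visible in pep_authorize: the caller hands over a plain XACML request and gets back a plain decision, and the SAML envelope is confined to wrap_request and unwrap_response. The InResponseTo and single-Result checks in unwrap_response are where a real deployment should also verify the assertion's signature, which the profile allows and which this offline sketch omits.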