Role-Based Security in a Distributed Resource Environment*OverviewGoals of Our Research EffortSun’s JINI TechnologySun’s JINI Technology Key JINI Concepts and TermsSun’s JINI Technology Join, Lookup, and Service InvocationProposed Software Architecture for Role-Based SecuritySlide 8Security Resources and ServicesThe Services of the Role-Based Privilege ResourceThe Services of the Authorization-List ResourceThe Services of the Security Registration ResourceSecurity Client and Resource InteractionsClient Interactions and ProcessingTwo Experimental PrototypesExperimental Prototype One JINI Prototype of Role Based ApproachExperimental Prototype One Execution ProcessExperimental Prototype Two The Security Client PrototypeRecall Security Resources and ServicesExperimental Prototype Two Role-Based Privilege Resource & ServicesExperimental Prototype Two Authorization List Resource & ServicesExperimental Prototype Two Security Registration Resource & ServicesRelated WorkConclusionsFuture WorkSlide 26IFIP 2000-1Profs. Steven A. Demurjian and T.C. TingJ. Balthazar, H. Ren, and C. PhillipsComputer Science & Engineering Department191 Auditorium Road, Box U-155The University of ConnecticutStorrs, Connecticut 06269-3155http://www.engr.uconn.edu/[email protected] Role-Based Security in a Distributed Role-Based Security in a Distributed Resource Environment*Resource Environment*Dr. Paul BarrThe MITRE Corp145 Wyckoff RoadEatontown, New Jersey [email protected]*This work supported in part by a research contract from the Mitre Corporation (Eatontown, NJ) and a research grant from AFOSRIFIP 2000-2OverviewOverviewGoals of Our Research EffortGoals of Our Research EffortSun’s JINI TechnologySun’s JINI TechnologyA Software Architecture for Role-Based SecurityA Software Architecture for Role-Based SecurityProposed Software ArchitectureSecurity Resources and ServicesSecurity Client and Resource InteractionsClient Interactions and ProcessingExperimental Prototypes Experimental Prototypes JINI Prototype of Role Based ApproachSecurity Client PrototypeRelated WorkRelated WorkConclusions and Future WorkConclusions and Future WorkIFIP 2000-3Goals of Our Research EffortGoals of Our Research EffortIncorporation of Role-Based Approach within Incorporation of Role-Based Approach within Distributed Resource EnvironmentDistributed Resource EnvironmentHighly-Available Distributed Applications Constructed Using Middleware ToolsDemonstrate Use of JINI to Provide Selective Access of Clients to Resources Based on RolePropose Software Architecture and Role-Based Propose Software Architecture and Role-Based Security Model forSecurity Model forAuthorization of Clients Based on RoleAuthentication of Clients and ResourcesEnforcement so Clients Only Use Authorized Services (of Resource)Propose Security Solution for Distributed Propose Security Solution for Distributed Applications for Clients and Services (Resources)Applications for Clients and Services (Resources)IFIP 2000-4Sun’s JINI TechnologySun’s JINI TechnologyConstruct Distributed Applications Using JINI by Construct Distributed Applications Using JINI by Federating Groups of UsersResources Provide Services for UsersA A ResourceResource Provides a Set of Services for Use by Provides a Set of Services for Use by Clients (Users) and Other Resources (Services)Clients (Users) and Other Resources (Services)A A ServiceService is Similar to a Public Method is Similar to a Public MethodExportable - Analogous to APIAny Entity Utilized by Person or ProgramSamples Include:Computation, Persistent Store, Printer, SensorSoftware Filter, Real-Time Data SourceServices: Concrete Interfaces of ComponentsServices Register with Services Register with Lookup ServiceLookup ServiceIFIP 2000-5Sun’s JINI TechnologySun’s JINI TechnologyKey JINI Concepts and TermsKey JINI Concepts and TermsRegistrationRegistration of Services via of Services via Leasing MechanismLeasing MechanismResource Leases Services to Lookup ServiceResources Renew Services Prior to ExpirationIf not, Services Become UnavailableLookup Service Maintains RegistryServices as Available “Components”Leasing Supports High-AvailabilityLeasing Supports High-AvailabilityRegistration and Renewal ProcessUpon Failure, Services Removed from RegistryClients, Resources, Lookup Can Occupy Same or Clients, Resources, Lookup Can Occupy Same or Different Computing NodesDifferent Computing NodesIFIP 2000-6Sun’s JINI TechnologySun’s JINI TechnologyJoin, Lookup, and Service InvocationJoin, Lookup, and Service InvocationClientResourceService ObjectService AttributesLookup ServiceRequestServiceAddCourse(CSE900)ReturnServiceProxy toAddCourse( )JoinRegister & Lease Services CourseDB ClassContains Method AddCourse ( )1. Client Invokes AddCourse(CSE900) on Resource2. Resource Returns Status of InvocationService Invocation via Proxy by Transparent RMI CallService ObjectService AttributesRegistry of EntriesIFIP 2000-7Proposed Software ArchitectureProposed Software Architecturefor Role-Based Securityfor Role-Based SecurityMany Current Lookup ServicesMany Current Lookup ServicesSuccessfully Dictates Service UtilizationRequires Programmatic Solution for SecurityDoes Not Selectively and Dynamically Control Access Based on Client RoleSecurity of a Distributed Resource Should Selectively Security of a Distributed Resource Should Selectively and Dynamically Control Client Access to Services and Dynamically Control Client Access to Services Based on the RoleBased on the RoleOur ApproachOur ApproachDefine Dedicated Resources to Authorize, Authenticate, and Enforce Security by Role Proposed ResourcesRole-Based Privileges, Authorization List, Security RegistrationIFIP 2000-8Proposed Software ArchitectureProposed Software Architecturefor Role-Based Securityfor Role-Based SecurityResources Provide ServicesClients Using ServicesFigure 3.1: General Architecture of Clients and Resources.Role-BasedPrivilegesAuthorizationListSecurity RegistrationLegacyCOTSCOTSDatabaseDatabase LookupServiceLookupServiceJavaClientJavaClientLegacyClientDatabaseClientSoftwareAgentCOTSClientIFIP 2000-9Security Resources and ServicesSecurity Resources and ServicesRole-Based Privileges ResourceRole-Based Privileges ResourceDefine User-roleGrant/Revoke Access of Role to
View Full Document