Journal of Frontiers of Computer Science and Technology (计算机科学与探索), 2014, Vol. 8, Issue 5: 572-581. DOI: 10.3778/j.issn.1673-9418.1311022

Section: Systems Software and Software Engineering

Security Evaluation Method for the Architecture of J2EE Applications

DU Changxiao (杜长霄)1, LI Xiaohong (李晓红)1,2+, SHI Hong (石红)1, FENG Zhiyong (冯志勇)1,2

  1. School of Computer Science and Technology, Tianjin University, Tianjin 300072, China
  2. Key Laboratory of Cognitive Computing and Application, Tianjin University, Tianjin 300072, China
  • Online: 2014-05-01  Published: 2014-05-05

Abstract: To identify potential risks in J2EE architectural designs and to assess how thoroughly J2EE security mechanisms are implemented, this paper proposes a J2EE architecture security evaluation method based on the security attributes of components. The method focuses on the strength with which architectural security mechanisms are implemented: it refines the security of the architecture down to the component level and describes each component's security mechanisms with a security attribute tree, which is then used as the basis for evaluation. During evaluation, components are first classified by their J2EE tier and function and their security measures are identified; next, the analytic hierarchy process (AHP) combined with fuzzy evaluation is used to account for both quantitative and qualitative factors when computing the security evaluation elements of each component; finally, the component-level results are aggregated into a security conclusion for the J2EE design as a whole. Experiments show that the method improves evaluation efficiency and makes the J2EE architecture security evaluation process more objective and accurate.

Key words: J2EE, security evaluation, component, security attribute tree model
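The AHP-plus-fuzzy-evaluation step the abstract describes, as an added illustration that is not code from the paper: pairwise judgements on a component's security attributes are turned into AHP priority weights, inconsistent judgements are rejected via Saaty's consistency ratio, a fuzzy synthetic evaluation is defuzzified into a component score, and tier-weighted component scores are combined into an architecture-level score. The attribute names, judgement matrices, membership degrees, grade values and tier weights below are constructed placeholders, not figures from the paper.

```python
# Added example: AHP weighting + fuzzy synthetic evaluation of component security.
# All numeric inputs are constructed placeholders (assumptions), not the paper's data.

RI = {1: 0.0, 2: 0.0, 3: 0.58, 4: 0.90, 5: 1.12}  # Saaty random consistency indices
GRADES = [1.0, 0.6, 0.2]  # constructed numeric values for grades high / medium / low


def ahp_weights(pairwise):
    """Priority weights from a pairwise comparison matrix (column-normalised row
    averages) and Saaty's consistency ratio CR = CI / RI."""
    n = len(pairwise)
    col_sums = [sum(pairwise[i][j] for i in range(n)) for j in range(n)]
    w = [sum(pairwise[i][j] / col_sums[j] for j in range(n)) / n for i in range(n)]
    aw = [sum(pairwise[i][j] * w[j] for j in range(n)) for i in range(n)]
    lam = sum(aw[i] / w[i] for i in range(n)) / n        # estimate of lambda_max
    ci = (lam - n) / (n - 1) if n > 1 else 0.0
    cr = ci / RI[n] if RI[n] else 0.0
    return w, cr


def fuzzy_score(weights, membership):
    """Fuzzy synthetic evaluation B = W . R, then weighted-average defuzzification.
    membership[i] is attribute i's membership vector over GRADES."""
    b = [sum(w * row[g] for w, row in zip(weights, membership)) for g in range(len(GRADES))]
    total = sum(b) or 1.0
    return sum(bg / total * v for bg, v in zip(b, GRADES))


def evaluate_component(pairwise, membership, max_cr=0.1):
    """Score one component; refuse expert judgements whose CR exceeds max_cr."""
    w, cr = ahp_weights(pairwise)
    if cr > max_cr:
        raise ValueError(f"inconsistent pairwise judgements, CR={cr:.3f}")
    return fuzzy_score(w, membership)


def evaluate_architecture(components):
    """components: {name: (tier_weight, pairwise, membership)}; tier weights sum to 1."""
    return sum(tw * evaluate_component(p, m) for tw, p, m in components.values())


# Constructed sample: attributes are authentication, input validation, session management.
WEB_PAIRWISE = [[1, 3, 5], [1 / 3, 1, 3], [1 / 5, 1 / 3, 1]]
WEB_MEMBERSHIP = [[0.7, 0.2, 0.1], [0.4, 0.4, 0.2], [0.2, 0.5, 0.3]]
EJB_MEMBERSHIP = [[0.5, 0.3, 0.2], [0.6, 0.3, 0.1], [0.3, 0.4, 0.3]]


def sample_architecture_score():
    """Web tier weighted 0.6 and EJB tier 0.4 (constructed), sharing one judgement matrix."""
    return evaluate_architecture({"web": (0.6, WEB_PAIRWISE, WEB_MEMBERSHIP),
                                  "ejb": (0.4, WEB_PAIRWISE, EJB_MEMBERSHIP)})
```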