Our enforcement framework for distributed security, supporting selective access of clients to resources, is given in Figure 1. Below the dashed gray line is the distributed application, which consists of clients, resources, and replicated JINI/CORBA Lookup Services, which arbitrate all interactions by resources (e.g., discovering Lookup Services, registering services, renewing leases, etc.) and by clients (e.g., discovering Lookup Services, searching for services, service invocation, etc.). In JINI/CORBA, resources register services, each of which contains a service object for the public methods available to clients. The service object is registered as a proxy, which contains all of the information that is needed to invoke the service. Each service consists of methods (similar to an API) that are provided for use by clients (and other resources). The registration of services occurs via a leasing mechanism, by which a service can be registered for a fixed time period or forever (no expiration). The lease must be renewed by the resource prior to its expiration, or the service will become unavailable. Since JINI makes the services of a resource available to any and all clients without restriction, our enforcement framework provides an infrastructure in support of role-based security in a Distributed Resource Environment (DRE).
In the top half of Figure 1, we represent the security-related clients and resources that comprise our enforcement framework. We have combined the three security resources into a unified security resource (USR). Its services are organized into the following categories:
• Security Policy Services define user roles, allow resources to register their services and methods, and grant access by user role to resources, services, and/or methods.
• Security Authorization Services are utilized to maintain profiles on the clients (e.g., users, tools, software agents, etc.) that are authorized and actively utilizing non-security services. These services allow a security officer to authorize users to roles.
• Security Registration Services are utilized by clients at start-up time for identity registration (client id, IP address, and user role). These services allow a security officer to monitor the activity of active clients.
In addition to the USR, there are the following: a Security Policy Client (SPC) that enables the security officer to manage user roles by granting/revoking privileges (resources, services, and/or methods) to user roles, and to support introspection of defined security privileges; a Security Authorization Client (SAC) that enables the security officer to authorize roles to an end user; and a Global Clock Resource (GCR) that is instrumental in supporting time-constrained access to resources (and their services/methods) by user role.
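The sketch below is an added example, not code from the framework described here: it models how the three USR service categories and the GCR could combine into a single default-deny access decision. All class, method and sample names are assumptions, as is the choice to run the check at the moment a client invokes a method.

```python
from dataclasses import dataclass, field
from datetime import datetime

@dataclass
class UnifiedSecurityResource:
    """Toy model of the USR; every name here is an illustrative assumption."""
    grants: dict = field(default_factory=dict)      # role -> [(resource, service, method, start, end)]
    user_roles: dict = field(default_factory=dict)  # user -> {roles}
    sessions: dict = field(default_factory=dict)    # client_id -> (user, ip, role)

    # Security Policy Services: grant a role access at resource, service or
    # method granularity (None is a wildcard), optionally within a time window.
    def grant(self, role, resource, service=None, method=None, start=None, end=None):
        self.grants.setdefault(role, []).append((resource, service, method, start, end))

    # Security Authorization Services: the security officer authorizes a user to a role.
    def authorize(self, user, role):
        self.user_roles.setdefault(user, set()).add(role)

    # Security Registration Services: identity registration at client start-up.
    def register(self, client_id, user, ip, role):
        if role not in self.user_roles.get(user, set()):
            return False  # user was never authorized to this role
        self.sessions[client_id] = (user, ip, role)
        return True

    # Access decision; `now` stands in for the time a Global Clock Resource supplies.
    def check(self, client_id, ip, resource, service, method, now):
        session = self.sessions.get(client_id)
        if session is None or session[1] != ip:
            return False  # unregistered client or IP mismatch
        user, _, role = session
        if role not in self.user_roles.get(user, set()):
            return False  # authorization revoked after registration
        for res, svc, mth, start, end in self.grants.get(role, []):
            if res != resource or svc not in (None, service) or mth not in (None, method):
                continue
            if (start is None or start <= now) and (end is None or now < end):
                return True
        return False  # default deny

def demo():
    # Constructed sample data: one role, one time-limited method grant, one client.
    usr = UnifiedSecurityResource()
    usr.grant("auditor", "LedgerDB", "Query", "read",
              start=datetime(2024, 1, 1), end=datetime(2024, 2, 1))
    usr.authorize("alice", "auditor")
    usr.register("c1", "alice", "10.0.0.5", "auditor")
    return usr
```

Re-checking the user-to-role authorization on every call, rather than only at registration, means a revocation by the security officer takes effect for clients that are already registered.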