Comprehensive access control management and effective SQL injection prevention are two important aspects of ensuring Web application security. Based on a survey of the current state of research and of novel methods for role-based access control and SQL injection prevention, a fine-grained access control model based on RBAC and a SQL injection prevention method based on parse trees are proposed. The main work is as follows:

In the RBAC model, a user cannot obtain only part of the permissions of a role, and a role cannot inherit only part of the permissions of another role. To address this, a set of excluded permissions (the "set without permissions") and a set of permissions that cannot be inherited are introduced, and a fine-grained access control model based on RBAC is proposed in this paper. Algorithms for computing the set of permissions belonging to a role or to a user are presented. The model is validated by examples, which show that it effectively solves both problems: a user can obtain part of the permissions of a role, and a role can inherit part of the permissions of another role.

Because Web systems are vulnerable to SQL injection attacks, a SQL injection prevention method based on parse trees is proposed. Experimental analysis shows that this method effectively prevents SQL injection attacks and thereby protects the security of the stored data. Meanwhile, the time needed to detect SQL injection with this method is on the order of milliseconds, so its impact on the running time of the system is small.

Fine-grained access control and SQL injection prevention are integrated into the SSH (Spring MVC, Spring and Hibernate) framework, which then provides not only flexible and efficient access control management but also SQL injection prevention for Web application systems.

Finally, based on the SSH framework with integrated fine-grained access control and SQL injection prevention, the University Reform and Development Project Management System of Zhejiang Province is designed and implemented.
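The two sets the abstract introduces can be modelled as exclusion sets attached to each role-to-parent link and to each user-to-role assignment; the following Python is an added illustration written for this page, not the thesis's own algorithm or code, and the role hierarchy, permission names and users are constructed sample data. It computes the effective permission set of a role and of a user as the abstract describes, and refuses cyclic role hierarchies.

```python
"""Fine-grained RBAC with partial inheritance and partial assignment.
Modelling assumption (not from the thesis): each child->parent link carries
the parent's permissions that must NOT be inherited, and each user->role
assignment carries the role's permissions the user must NOT receive."""
from typing import Dict, Set

# Constructed sample data: role -> permissions granted directly to it.
ROLE_PERMS: Dict[str, Set[str]] = {
    "viewer": {"project:read", "report:read"},
    "editor": {"project:write", "report:write"},
    "admin": {"user:manage"},
}
# child role -> {parent role: the parent's non-inheritable permissions}
ROLE_PARENTS: Dict[str, Dict[str, Set[str]]] = {
    "editor": {"viewer": set()},               # inherits everything
    "admin": {"editor": {"report:write"}},     # partial inheritance
}
# user -> {assigned role: permissions of that role withheld from the user}
USER_ROLES: Dict[str, Dict[str, Set[str]]] = {
    "alice": {"admin": set()},
    "bob": {"editor": {"project:write"}},      # partial assignment
}


def role_permissions(role: str, _visiting: frozenset = frozenset()) -> Set[str]:
    """Own permissions plus each parent's effective permissions minus the
    parent's non-inheritable set; exclusion is applied after the parent's
    set is resolved, so inherited-then-blocked permissions are removed too."""
    if role in _visiting:
        raise ValueError(f"cycle in role hierarchy at {role!r}")
    visiting = _visiting | {role}
    perms = set(ROLE_PERMS.get(role, set()))
    for parent, blocked in ROLE_PARENTS.get(role, {}).items():
        perms |= role_permissions(parent, visiting) - blocked
    return perms


def user_permissions(user: str) -> Set[str]:
    """Union over assigned roles of (role's effective set minus withheld set)."""
    perms: Set[str] = set()
    for role, blocked in USER_ROLES.get(user, {}).items():
        perms |= role_permissions(role) - blocked
    return perms


def is_allowed(user: str, permission: str) -> bool:
    """Access decision: deny by default for unknown users or permissions."""
    return permission in user_permissions(user)
```

With this data, "admin" inherits all of "editor" except report:write, and "bob" holds "editor" without project:write, which a plain RBAC hierarchy could not express without defining extra roles.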