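The Internet brings people many conveniences. At the same time, it is full of attacks, and unscrupulous users steal other people's private data. Because leaked private data can cause trouble for those affected, and because improper users may carry out SQL injection attacks, protecting the security of web databases is badly needed, and the methods available for countering these attacks are still insufficient. We provide a method for protecting web databases. The method is based on the concept of role-based access control. For the tables in a database, roles are first used to create different views. When a program developer wants to use a table, the developer can use the role to select the appropriate view, use user-defined functions to obtain the data, or combine views and user-defined functions to obtain the required data. An XML document is used to determine whether a given role has permission to use a given view. In this way, access control that was originally performed in the program is moved to the database.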
SQL injection is a common type of database attack in web-based systems. The parameterized view is an approach to SQL injection defense that transfers a user’s identification to the database to provide access control. In the original form of the parameterized view method, however, a view and an associated key are created for each user. In this thesis, we propose adding a role-based access control mechanism to the parameterized view. A view is created for each role rather than for each user, which reduces the number of views that need to be created. The identity of a user is mapped to a role, which is then used to create a view for that role. This view can thus be accessed by users of that role. An example system is also implemented for illustration.
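
The role-per-view scheme described in the abstract can be illustrated as follows. This is an added example, not code from the thesis: the XML policy schema, the table, view, user and role names are all constructed, and SQLite stands in for the database (it has no GRANT, so the policy check is done in `query_view`; in a server DBMS each role would additionally be granted SELECT only on its own views).

```python
import sqlite3
import xml.etree.ElementTree as ET

# Constructed policy: which role may read which view (schema is an assumption).
POLICY_XML = """
<policy>
  <role name="clerk"><view>orders_clerk</view></role>
  <role name="manager"><view>orders_clerk</view><view>orders_manager</view></role>
</policy>
"""
USER_ROLES = {"alice": "clerk", "bob": "manager"}  # constructed user-to-role map

def load_policy(xml_text):
    """Return {role: set of view names} parsed from the XML policy."""
    root = ET.fromstring(xml_text)
    return {r.get("name"): {v.text.strip() for v in r.findall("view")}
            for r in root.findall("role")}

def build_db():
    """Create a base table and one view per role (not one per user)."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE orders(id INTEGER PRIMARY KEY, customer TEXT,
                            total REAL, card_no TEXT);
        INSERT INTO orders VALUES (1, 'acme', 120.0, '4111-0000'),
                                  (2, 'globex', 75.5, '4222-0000');
        CREATE VIEW orders_clerk   AS SELECT id, customer FROM orders;
        CREATE VIEW orders_manager AS SELECT id, customer, total FROM orders;
    """)
    return db

def query_view(db, policy, user, view, customer):
    """Map user -> role, check the role's permission on the view, then query it."""
    role = USER_ROLES.get(user)
    if role is None or view not in policy.get(role, set()):
        raise PermissionError(f"{user!r} may not read {view!r}")
    # The view name can only be one listed in the policy; the user-supplied
    # value is passed as a bound parameter and never concatenated into SQL.
    cur = db.execute(f'SELECT * FROM "{view}" WHERE customer = ?', (customer,))
    return cur.fetchall()
```

Neither view exposes `card_no`, so even a query that reaches the database through an allowed view cannot return that column.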