中文摘要：

Web服务安全问题集中表现在信任建立、端到端消息安全保障以及资源访问控制等方面.传统的Web安全框架如Atlassian Seraph和Apache Shiro无法同时解决消息安全保护和跨域访问控制的问题.本文提出并实现一种基于Kerberos的Web服务安全框架——KBW2SF,它包括用户认证、消息安全通信、服务访问控制三个核心功能.用户认证使用Kerberos作为底层协议在服务请求发和提供方之间建立信任关系;安全通信使用WSSecurity规范及Kerberos票据中的密钥保证消息端到端的完整性和机密性;服务访问控制基于Kerberos票据中的用户角色信息,由服务提供方对来访用户进行角色映射（跨域访问）和权限鉴定,以此保护服务资源不被非法或者低权限用户访问.同时,KBW2SF引入缓存管理机制提高应用效率,降低安全机制对Web服务应用的影响程度.通过应用场景的实验分析,该框架不但能够有效解决Web服务消息的安全性以及跨域访问控制问题,而且具有较高的效率,具备一定的实际应用价值.

英文摘要：

The security of Web Service has confronted with a series of challenges, such as the establishment of the trust model among the different communicators, the guarantee of the confidential messages from end to end, and the accomplishment of cross-domain access control to various service resources. This paper proposes a new secure framework for web service based on Kerberos which named KBW2SF. It is made up of three core modules： authentication, secure communication and access control. Moreover, aiming to minimize the influence of security features on the performances of Web applications, KBW2SF utilizes caching mechanism to promise the efficiency of application and assesses it through an experiment. The result shows KBW2SF could resolve the security problems in Web applications effectively and efficiently.