Web应用程序安全外文翻译参考文献

互联网Web服务中英文对照外文翻译文献(文档含英文原文和中文翻译)An internet-based logistics management system forenterprise chains.Developing the internet-based application toolWeb services offer new opportunities in business landscape, facilitating a global marketplace where business rapidly create innovative products and serve customers better. Whatever that business needs is, Web services have the flexibility to meet the demand and allow to accelerate outsourcing. In turn, the developer can focus on building core competencies to create customer and shareholder value. Application development is also more efficient because existing Web services, regardless of where they were developed, can easily be reused.Many of the technology requirements for Web services exist today, such as open standards for business to-business applications, mission-critical transaction platforms and secure integration and messaging products. However, to enable robust and dynamic integration of applications, the industry standards and tools that extend the capabilities of to days business-to-business interoperability are required. The key to taking full advantage of Web services is to understand what Web services are and how the market is likely to evolve. One needs to be able to invest inplatforms and applications today that will enable the developer to quickly and effectively realize these benefits as well as to be able to meet the specific needs and increase business productivity.Typically, there are two basic technologies to be implemented when dealing with internet-based applications; namely server-based and client-based. Both technologieshave their strong points regarding development of the code and the facilities they provide. Server-based applications involve the development of dynamically created web pages. These pages are transmitted to the web browser of the client and contain code in the form of HTML and JA V ASCRIPT language. The HTML part is the static part of the page that contains forms and controls for user needs and the JA V ASCRIPT part is the dynamic part of the page. Typically, the structure of the code can be completely changed through the intervention of web server mechanisms added on thetransmission part and implemented by server-based languages such as ASP, JSP, PHP, etc. This comes to the development of an integrated dynamic page application where user desire regarding problem peculiarities (calculating shortest paths, execute routing algorithms, transact with the database, etc.) is implemented by appropriately invoking different parts of the dynamic content of such pages. In server-based applications allcalculations are executed on the server. In client-based applications, JA V A applets prevail. Communication of the user is guaranteed by the well-known JA V A mechanism that acts as the medium between the user and code.Everything is executed on the client side. Data in this case have to be retrieved, once and this might be the time-consuming part of the transaction.In server-based applications, server resources are used for all calculations and this requires powerful server facilities with respect to hardware and software. Client-based applications are burdened with data transmission (chiefly related to road network data). There is a remedy to that; namely caching. Once loaded, they are left in the cache archives of the web browser to be instantly recalled when needed.In our case, a client-based application was developed. The main reason was the demand from the users point of view for personal data discretion regarding their clients. In fact, this information was kept secret in our system even from the server side involved.Data management plays major role in the good function of our system. This role becomes more substantial when the distribution takes place within a large and detailed road network like this of a major complex city. More specifically, in order to produce the proposed the routing plan, the system uses information about:●the locations of the depot and the customers within the road networkof the city (their co-ordinates attached in the map of the city),●the demand of the customers serviced,●the capacity of the vehicles used,●the spatial characteristics of road segments of the net work examined, ●the topography of the road network,●the speed of the vehicle, considering the spatial characteristics of theroad and the area within of which is moved,●the synthesis of the company fleet of vehicles.Consequently, the system combines, in real time, the available spatial characteristics with all other information mentioned above, and tools for modelling, spatial, non-spatial, and statistical analysis, image processing forming a scalable, extensible and interoperable application environment. The validation and verification of addresses of customers ensure the accurate estimation of travel times and distances travelled. In the case of boundary in the total route duration, underestimates of travel time may lead to failure of the programmed routing plan whereas overestimates can lower the utilization of drivers andvehicles, and create unproductive wait times as well (Assad, 1991). The data corresponding to the area of interest involved two different details. A more detailed network, appropriately for geocoding (approximately250,000 links) and a less detailed for routing (about 10,000 links). The two networks overlapped exactly. The tool that provides solutions to problems of effectively determining the shortest path, expressed in terms of travel time or distance travelled, within a specific road network, using the D ijkstra’s algorithm(Winston,1993). In particular, the Dijkstra’s algorithm is used in two cases during the process of developing the routing plan. In the first case, it calculates the travel times between all possible pairs of depot and customers so that the optimizer would generate the vehicle routes connecting them and in the second case it determines the shortest path between two involved nodes (depot or customer) in the routing plan, as this was determined by the algorithm previously. Due to the fact, that U-turn and left-,right-turn restrictions were taken into consideration for network junctions, an arc-based variant of the algorithm was taken into consideration (Jiang, Han, & Chen, 2002).The system uses the optimization algorithms mentioned in the following part in order to automatically generate the set of vehicle routes (which vehicles should deliver to which customers and in which order) minimizing simultaneously the vehicle costs and the total distance travelled by the vehicles This process involves activities that tend to be more strategic and less structured than operational procedures. The system helpsplanners and managers to view information in new way and examine issues such as:●the average cost per vehicle, and route,●the vehicle and capacity utilization,●the service level and cost,●the modification of the existing routing scenario by adding orsubtracting customers.In order to support the above activities, the interface of the proposed system provides a variety of analyzed geographic and tabulated data capabilities. Moreover, the system can graphically represent each vehicle route separately, cutting it o? from the final routing plan and offering the user the capability for perceiving the road network and the locations of depot and customers with all details.物流管理系统发展基于互联网的应用工具Web服务提供的商业景观的新机会，促进全球市场在业务快速推出创新的产品和客户提供更好的服务。

javaweb英文参考文献Below is an example of a reference list for JavaWeb related articles:1. Anderson, J., & Anderson, L. (2018). Building Java Web Services. McGraw-Hill Education.This book provides a comprehensive guide to building Java web services. It covers topics such as creating web services using SOAP and RESTful principles, handling data exchange formats like XML and JSON, and implementing security measures. The book also provides practical examples and code snippets to help readers understand the concepts better.2. Liang, Y. D. (2014). Introduction to Java Programming: Comprehensive Version. Pearson.Although this book is not specifically focused on JavaWeb, it serves as an essential reference for any Java programmer. It covers the basics of Java programming, including object-oriented concepts, control structures, and data types. Understanding these fundamentals is crucial when developing Java web applications.3. Liguori, R., & Liguori, P. (2019). Java Web Development with Servlets, JSP, and EJB. Packt Publishing.This book is a practical guide to Java web development. It introduces the Servlet and JavaServer Pages (JSP) technologies, which are key components in JavaWeb application development. It also covers Enterprise JavaBeans (EJB) and database integration,helping readers build robust and scalable web applications.4. Ambler, S. W. (2015). Agile Modeling: Effective Practices for Extreme Programming and the Unified Process. John Wiley & Sons.Agile modeling is crucial for efficient JavaWeb development. This book introduces various agile practices and principles, such as iterative development, user stories, and test-driven development. It can help developers understand how to adapt their Java web development processes to be more agile and responsive to changing requirements.5. Somekh, A., & Kogan, Y. (2017). Java Web Development: From Beginner to Professional. Apress.This book provides a step-by-step guide to Java web development, starting from the basics and gradually advancing to more complex topics. It covers important concepts such as servlets, JSPs, JavaBeans, and the MVC (Model-View-Controller) architecture, enabling readers to build professional Java web applications.6. Holmes, J., & Brown, J. (2016). Java Web Applications: Servlets, JSP, Frameworks. Prentice Hall.This book offers a comprehensive overview of Java web development, focusing on servlets, JSP, and popular frameworks such as Spring and Struts. It covers topics like session management, authentication and authorization, and integrating databases into Java web applications. The book also provides real-worldexamples and best practices for developing robust and scalable web applications.Remember to check the specific formatting guidelines required by your institution or journal for properly citing the references.。

WEB安全研究金丽君摘要：本文主要针对WEB安全问题越来越引起人们的重视这一现状，初步地介绍了国内外对WEB安全问题的研究现状，全面地介绍和分析了WEB服务和应用中存在的各种威胁，并探讨了WEB安全问题的防护对策，来提高计算机网络的安全性。

关键词：WEB安全、安全威胁、安全防护Abstract：This article will focus WEB security has drawn increasing attention to this situation, the initial introduction to security issues at home and abroad on the WEB Research, a comprehensive description and analysis of the WEB services and applications that exist in a variety of threats, and to explore the WEB security protection measures.一、引言1.1研究背景及目的随着网络时代的来临，人们在享受着网络带来的无尽的快乐的同时，也面临着越来越严重和复杂的网络安全威胁和难以规避的风险，网上信息的安全和保密是一个至关重要的问题。

网络的安全措施应是能全方位地针对各种不同的威胁和脆弱性，这样才能确保网络信息的保密性、完整性和可用性，计算机网络的安全以及防范措施已迫在眉睫。

网络安全评估技术是评价计算机网络安全的重要手段，现今在众多的安全技术中已经占据越来越重要的位置。

通过风险评估，对系统进行细致而系统的分析，在系统分析的基础上对系统进行综合评价，最后通过评价结果来了解系统中潜在的危险和薄弱环节，并最终确定系统的安全状况，为以后的安全管理提供重要依据。

随着Internet的普及，人们对其依赖也越来越强，但是由于Internet的开放性，及在设计时对于信息的保密和系统的安全考虑不完备，造成现在网络的攻击与破坏事件层出不穷，给人们的日常生活和经济活动造成了很大麻烦。

Web信息系统毕业论文中英文资料外文翻译文献中英文资料翻译With the popularity of the Inter NET applications, a variety of Web Information System Has become a pressing issue. Establish the essence of Web information systems Development of a Web repository (database as the core of a variety of Web letter Information storage) as the core Web applications. Currently, the Web repositorydevelopment technologyOperation of a wide range of different characteristics. Various periods at all levels, a variety of purposes Technology co-exist, dizzying mirror chaos, it is difficult to choose. More popular Java of Ser vet Web repository development program a more practical Of choice.Servlet is running the applet on the Web server, can be completed Xu Multi-client Applet can not complete the work, which runs on the server and clients No end, do not download do not by the client security restrictions, the running speed Greatly increasedAnd Applet running in a browser and extend the browser's ability similar Like, Serv the let run in the Web server to enable Java Serv the let engine And expand the capacity of the server. Therefore, we can say Serv the let is run in Applet on a Web server, Serv the let Jav a Ser vlet API And Jav a program of classes and packages.1 Servlet access model2 Serv the let, there are three access models:(1) an access model1 browser to Web server to issue a retrieval request.2 the Web server after receipt of the request, the requestforwarded tothe Servle tengine.3 Serlet engine to perform the requested the Ser vlet and directly throughJDBC4Servlet throughJDBC toretrieve searchresults to generate the html page and Page back to the Web server.5 the Web server the page is sent back to the browser.(2)The second access model1 browser to Web server to issue a retrieval request.2 the Web server receives the request after the request forwardedto the of Ser v the letengine.3 Serv let engine to perform the request the the Ser vlet and retrieve sentJa, vabean access to the data.4data access the Ja vabean searchable database throughJDBC informationAnd from the search results stored in itself.5Servlet remove search results from the data access Javabean generate Html page and Ht ml of page back to the w eb server.6 the Web server the page is sent back to the browser.(3) The third access model1 A browser issue a retrieval request to the Web server.2 Web server receives the request after the request forwarded to the ofSer v the let engine.Of Ser vlet engine to perform the requested Servlet directlythroughJDBC inspection3 The cable database and search results are stored in the result isstored the Jav abean into.Javabean,4. Ser v the let from the results are stored to remove the search results and JSP files to format the output page.2 Servlet functionality and life cycle2.1Servlet functions(1) Create and return dynamic Web pages based on customer requests.(2) create can be embedded into existing HTML pages as part of HTML Page (HT fragment) of the ML.(3) and other server resources (including databases and applications based on the Jav a Program) to communicate.(4) to handle multiple client connections, receiving the input of more than one client, and The results broadcast to multiple clients. For example, Ser vlet is a multi-participant Game server.(5) of MIM E type filter information on the special handling, such as image Conversion and server-side include (SSI).(6) custom processing available to all servers in the standard routine.2.2Servlet lifecycleServlet life cycle begins with it into the Web server's memory And end in the termination or re-loaded Serv the let.(1) load.Load the servlet at the following times:1. If you have configured automatic load option, and then start the Webserver automatically loaded2.After the start of the Web server, the client Serv the let issued for the first time, pleaseDemand.3.Reload Serv the let.Loaded Servlet, Web servers to create a servlet instance, and Servlet's init () method is called. Servlet initialization parameters in the initialization phase, The number is passed to the Servlet configuration object.(2) terminateWhen the Web server no longer needs the servlet, or reload Servlet A new instance of the server calls Serv the let's destroy () method, remove it from the Memory deleted.3 How to call ServletMethod of Ser vlet is called Total five kinds: call in the URL in the formT ag call, call, in HT the ML page in the JSP files Call, call in an ASP file. The following itemized to be introduced.(1) call the servlet in the URL.Simply input format in the browser as http: ∥yo ur webser ver the same the ser vlet name name / servlet path / servlet the URL to The site canbe. Ofwhich:your webser ver name is to refer to the Servlet where theWeb server name, the servlet path is the path refers to the Servlet, the servletThe name refers to the Servlet real name or an alias.(2) call the Servlet tagsCall of Ser the let the the tag allows users to input data on the Web page, andinput data submitted to the vlet of Ser.Serv the let will be submitted to receive data in different ways.For example: {place the text input area tags, buttons and other logos} (3) in the HTML page to call the servlet.Use mark tags, no need to create a complete HTML page.Instead,the servlet output isonly part of the HTMLpage (HTML fragment) and dynamicallyembedded into the static text in the original HTML page.All this happened on the server andsent to the user only the resulting HTML page. tag contained in the original HTML page.Servlet will be invoked in these two markers and the Ser vlet response will cover these two markersbetween all things and mark itself, for example: 〈SERVLET NAME= “my serv let ”CODE= “my serv let .class”CODEBASE= “u r l”initpar am= “v alue”〉〈PARAM NAME= “parm1”VALU E= “v alue1”〉〈PARAM NAME= “parm2”VALU E= “v alue2”〉〈/SERVLET 〉(4) call the servlet in the JSP files.Call in the JSP file format used by the Servlet and HTML page to call exactly the same.Andthe principles are identical. Only reconcile its dynamic JSP file is not a static HTML page.(5) in an ASP file calls the servlet.If you Micr oso ft I nt ernet Informatio n-Ser ver (II S) on the legacy of the ASP file, and can not be ASP files transplanted into a JSP file, you can use the ASP file to of Ser vlet iscalled.But it must be through a special ActiveX control, an ASP file is only through it can callthe servlet.4 Servlet Howto use ConnectionManager toefficiently manage the database connection (1) the functionality of the Connection Manager.For non-Web applications, Web-based application access tothe database will lead tohigher and unpredictable overhead, which is due to more frequent Web users connect anddisconnect.Normally connected to the resourcesused and disconnect from the databasewill farexceed the resources used in the retrieval.Connection Manager function is to minimize the additional occupancy of the users of the database resources to achieve thebest performance of database access.Connection Manager sharing overhead through the establishmentof the connection poolwill connect users Servlet available to multipleusers request.In other words, each userrequest only the connect/ disconnect with a small portion of the overhead costs.Initialresources to establish the connection of the buffer pool, the rest of the connect/ disconnectoverhead is not big, because this isonly reuse the existing connection.Serv the let in the following manner using the connectionpool: When a user throughRequest Web Serv the let the let Serv use an existing connection from the buffer poolNext, this means that the user requests do not cause the connection to the databasesystem overhead. InAfter the termination of serv the let it connect to return to the pool forits Connection ManagerThe Ser vlet. Thus, the user request does not cause the database is disconnectedOf system overhead.Connection Manager also allows users to be able tocontrol the concurrency of thedatabase products evenThen the number. When the database license agreement limit the number ofusers, this feature isVery useful. Create a buffer pool for the database, and connection managementBuffering pool "maximum number of connections" parameter setto the database product license limitGiven maximum number of users. If you use otherprograms without Connection ManagerconnectionsDatabase, you can not guarantee that the method is effective.(2) the structure of the Connection Manager.(3) Connection Manager connection pool to maintain a connection to a specificdatabase is open. Step 1: When the first Serv the let trying to Connection Manager communications is loaded by the Java Application ServerConnection Manager. As long as the Java application server running the Connection Manager has been loaded. Step 2: The Java application server passes the request to a servlet. Step 3: Servlet Connection Managerrequests a connection from the pool. Step four: the buffer pool to Ser vlet allocated a pool of existing idle connection. Step 5: servlet to use toconnect a direct dialogue with the database, this process is the standard API for a particular database. Step 6: the database through Ser vlet the connection returns data. Step 7: When theServlet end to communicate with the database, servlet connections returned to the connection manager pool for other servlet uses. Step 8: Servlet Jav a application server to the user sends back response.Servlet requests a connection, if the buffer pool, there is no idle connection, then the connection manager directlycommunicate with the database. Connection Manager will: Step 9: to the database requests a new connection. Step 10: Add connections to thebuffer pool. If the buffer pool is connected to the prescribed ceiling, connect to the serverWill not be a new connection to join the buffer pool(3) the performance characteristics of the Connection Manager.Buffer pool to create a new connection is a high overhead tasks, newconnections will use the resources on the database. Therefore, theConnection Manager the best use of existing connections of the buffer pool to meet the request of the Servlet. Meanwhile, the connecting tubeThe processor must be as much as possible to minimize the buffer pool idle connections, because this is a great waste of systemresources. Connection Manager Serv the let with the implementation of these minimize and maximize task. Connection Manager to maintain each connection verification time stamp, and recently used tags and use the logo. When the a Ser vlet first the connection, connection verification time stamp, and most recent time stamp is set to the current time, theconnection is being used flag is set to true.Connection Manager can be removed from a Serv the let a long-unused connections, this length of time specified by the Connection Manager, the longest cycleparameters.Connection Manager can view recently used mark is beingused to connect. If the time between the most recently used time and time difference is greater than the longest cycle configuration parameters, the connection will be considered to be a residual connection, which indicates Serv the let take its discontinued or no response. Residual connection will be returned to the pool for other Ser vlet, it is being used flag is set to false, authentication and time stamp is set to the current time.If Ser vlet is ready within a longer period of time to use the connection with the database several timesCommunications, you must code to the Serv the let, so that each time you use to connectConfirm that it still occupies this connection.Connection Manager can be removed from the buffer pool idle connections, because theyWould be a waste of resources. In order to determine which connection is idle, Connection Manager will checkInvestigation connected the sign and time stamp, this operation isconnected by periodic access toBuffer pool information. Connection Manager checks have not been any Ser vlet makeWith the connections (these connections is to use the logo is false). If you have recently usedBetween time and the current time difference exceeds amaximum idle time configuration parameters, theThat the connection is idle. Idle connection will be removed from the buffer pool, down toMinimum number of connections configuration parameter specifies thelower limit value.翻译：随着Inter net 的普及应用, 各种Web 信息系统的建立已成为一个迫在眉睫的问题。

javaweb英文参考文献以下是关于JavaWeb的英文参考文献的相关参考内容：1. Deepak Vohra. Pro XML Development with Java Technology. Apress, 2006.This book provides a comprehensive guide to XML development with Java technology. It covers topics such as XML basics, XML parsing using Java, XML validation, DOM and SAX APIs, XSLT transformation, XML schema, and SOAP-based web services. The book also includes numerous code examples and case studies to illustrate the concepts.2. Robert J. Brunner. JavaServer Faces: Introduction by Example. Prentice Hall, 2004.This book introduces the JavaServer Faces (JSF) framework, which is a part of the Java EE platform for building web applications. It provides a step-by-step guide to building JSF applications using various components and features such as user interface components, data validation, navigation handling, and backing beans. The book also covers advanced topics such as internationalization and security.3. Brett McLaughlin. Head First Servlets and JSP: Passing the Sun Certified Web Component Developer Exam. O'Reilly Media, 2008. This book is a comprehensive guide to the development of Java web applications using Servlets and JavaServer Pages (JSP). It covers topics such as HTTP protocol, Servlet lifecycle, request andresponse handling, session management, JSP syntax and directives, JSTL and EL expressions, deployment descriptors, and web application security. The book also includes mock exam questions to help readers prepare for the Sun Certified Web Component Developer exam.4. Hans Bergsten. JavaServer Pages, 3rd Edition. O'Reilly Media, 2011.This book provides an in-depth guide to JavaServer Pages (JSP) technology, which is used for creating dynamic web content. It covers topics such as JSP syntax, scriptlets and expressions, JSP standard actions, JSP custom tag libraries, error handling, JSP with databases, JSP and XML, and internationalization. The book also includes examples and best practices for using JSP effectively.5. Marty Hall, Larry Brown. Core Servlets and JavaServer Pages, 2nd Edition. Prentice Hall, 2003.This book is a comprehensive guide to building Java web applications using Servlets and JavaServer Pages (JSP). It covers topics such as Servlet API, HTTP protocol, session management, request and response handling, JSP syntax and directives, JSP custom tag libraries, database connectivity, and security. The book also includes numerous code examples and case studies to demonstrate the concepts.6. Michael Ernest. Java Web Services in a Nutshell. O'Reilly Media, 2003.This book provides a comprehensive reference to Java-based web services technology. It covers topics such as SOAP, WSDL, UDDI, and XML-RPC protocols, as well as Java API for XML-based web services (JAX-WS) and Java API for RESTful web services (JAX-RS). The book also includes examples and best practices for developing and deploying web services using Java technology. Please note that the above references are just a selection of some of the available books on the topic of JavaWeb. There are numerous other resources available that can provide more detailed information on specific aspects of JavaWeb development.。

互联网金融安全中英文对照外文翻译文献中英文对照外文翻译文献(文档含英文原文和中文翻译)Database Security in a Web Environment IntroductionDatabases have been common in government departments and commercial enterprises for many years. Today, databases in any organization are increasingly opened up to a multiplicity of suppliers, customers, partners and employees - an idea that would have been unheard of a few years ago. Numerous applications and their associated data are now accessed by a variety of users requiring different levels of access via manifold devices and channels – often simultaneously. For example:• Online banks allow customers to perform a variety of banking operations - via the Internet and over the telephone – whilst maintaining the privacy of account data.• E-Commerce merchants and their Service Providers must store customer, order and payment data on their merchant server - and keep it secure.• HR departments allow employees to update their personal information –whilst protecting certain management information from unauthorized access.• The medical profession must protect the confidentiality of patient data –whilst allowing essential access for treatment.• Online brokerages need to be able to provide large numbers of simultaneous users with up-to-date and accurate financial information.This complex landscape leads to many new demands upon system security. The global growth of complex web-based infrastructures is driving a need for security solutions that provide mechanisms to segregate environments; perform integrity checking and maintenance; enable strong authentication andnon-repudiation; and provide for confidentiality. In turn, this necessitates comprehensive business and technical risk assessment to identify the threats,vulnerabilities and impacts, and from this define a security policy. This leads to security definitions throughout the infrastructure - operating system, database management system, middleware and network.Financial, personal and medical information systems and some areas of government have strict requirements for security and privacy. Inappropriate disclosure of sensitive information to the wrong parties can have severe social, legal and regulatory consequences. Failure to address the basics can result in substantial direct and consequential financial losses - witness the fraud losses through the compromise of several million credit card numbers in merchants’ databases [Occf], plus associated damage to brand-image and loss of consumer confidence.This article discusses some of the main issues in database and web server security, and also considers important architecture and design issues.A Simple ModelAt the simplest level, a web server system consists of front-end software and back-end databases with interface software linking the two. Normally, the front-end software will consist of server software and the network server operating system, and the back-end database will be a relational orobject-oriented database fulfilling a variety of functions, including recording transactions, maintaining accounts and inventory. The interface software typically consists of Common Gateway Interface (CGI) scripts used to receive information from forms on web sites to perform online searches and to update the database.Depending on the infrastructure, middleware may be present; in addition, security management subsystems (with session and user databases) that address the web server’s and related applications’ requirements for authentication, accesscontrol and authorization may be present. Communications between this subsystem and either the web server, middleware or database are via application program interfaces (APIs)..This simple model is depicted in Figure 1.Security can be provided by the following components:• Web server.• Middleware.• Operating system.. Figure 1: A Simple Model.• Database and Database Management System.• Security management subsystem.The security of such a system addressesAspects of authenticity, integrity and confidentiality and is dependent on the security of the individual components and their interactions. Some of the most common vulnerabilities arise from poor configuration, inadequate change control procedures and poor administration. However, even if these areas are properlyaddressed, vulnerabilities still arise. The appropriate combination of people, technology and processes holds the key to providing the required physical and logical security. Attention should additionally be paid to the security aspects of planning, architecture, design and implementation.In the following sections, we consider some of the main security issues associated with databases, database management systems, operating systems and web servers, as well as important architecture and design issues. Our treatment seeks only to outline the main issues and the interested reader should refer to the references for a more detailed description.Database SecurityDatabase management systems normally run on top of an operating system and provide the security associated with a database. Typical operating system security features include memory and file protection, resource access control and user authentication. Memory protection prevents the memory of one program interfering with that of another and limits access and use of the objects employing techniques such as memory segmentation. The operating system also protects access to other objects (such as instructions, input and output devices, files and passwords) by checking access with reference to access control lists. Security mechanisms in common operating systems vary tremendously and, for those that are lacking, there exists special-purpose security software that can be integrated with the existing environment. However, this can be an expensive, time-consuming task and integration difficulties may also adversely impact application behaviors.Most database management systems consist of a number of modules - including database querying and database and file management - along with authorization, concurrent access and database description tables. Thesemanagement systems also use a variety of languages: a data definition language supports the logical definition of the database; developers use a data manipulation language; and a query language is used by non-specialist end-users.Database management systems have many of the same security requirements as operating systems, but there are significant differences since the former are particularly susceptible to the threat of improper disclosure, modification of information and also denial of service. Some of the most important security requirements for database management systems are: • Multi-Level Access Control.• Confidentiality.• Reliability.• Integrity.• Recovery.These requirements, along with security models, are considered in the following sections.Multi-Level Access ControlIn a multi-application and multi-user environment, administrators, auditors, developers, managers and users – collectively called subjects - need access to database objects, such as tables, fields or records. Access control restricts the operations available to a subject with respect to particular objects and is enforced by the database management system. Mandatory access controls require that each controlled object in the database must be labeled with a security level, whereas discretionary access controls may be applied at the choice of a subject.Access control in database management systems is more complicated than in operating systems since, in the latter, all objects are unrelated whereas in a database the converse is true. Databases are also required to make accessdecisions based on a finer degree of subject and object granularity. In multi-level systems, access control can be enforced by the use of views - filtered subsets of the database - containing the precise information that a subject is authorized to see.A general principle of access control is that a subject with high level security should not be able to write to a lower level object, and this poses a problem for database management systems that must read all database objects and write new objects. One solution to this problem is to use a trusted database management system.ConfidentialitySome databases will inevitably contain what is considered confidential data. For example, it could be inherently sensitive or its source may be sensitive, or it may belong to a sensitive table, thus making it difficult to determine what is actually confidential. Disclosure is also difficult to define, as it can be direct, indirect, involve the disclosure of bounds or even mere existence.An inference problem exists in database management systems whereby users can infer sensitive information from relatively insensitive queries. A trivial example is a request for information about the average salary of an employee and the number of employees turns out to be just one, thus revealing the employee’s salary. However, much more sophisticated statistical inference attacks can also be mounted. This highlights the fact that, although the data itself may be properly controlled, confidential information may still leak out.Controls can take several forms: not divulging sensitive information to unauthorized parties (which depends on the respective subject and object security levels), logging what each user knows or masking response data. The first control can be implemented fairly easily, the second quickly becomesunmanageable for a large number of users and the third leads to imprecise responses, and also exemplifies the trade-off between precision and security. Polyinstantiation refers to multiple instances of a data object existing in the database and it can provide a partial solution to the inference problem whereby different data values are supplied, depending on the security level, in response to the same query. However, this makes consistency management more difficult.Another issue that arises is when the security level of an aggregate amount is different to that of its elements (a problem commonly referred to as aggregation). This can be addressed by defining appropriate access control using views.Reliability, Integrity and RecoveryArguably, the most important requirements for databases are to ensure that the database presents consistent information to queries and can recover from any failures. An important aspect of consistency is that transactions execute atomically; that is, they either execute completely or not at all.Concurrency control addresses the problem of allowing simultaneous programs access to a shared database, while avoiding incorrect behavior or interference. It is normally addressed by a scheduler that uses locking techniques to ensure that the transactions are serial sable and independent. A common technique used in commercial products is two-phase locking (or variations thereof) in which the database management system controls when transactions obtain and release their locks according to whether or not transaction processing has been completed. In a first phase, the database management system collects the necessary data for the update: in a second phase, it updates the database. This means that the database can recover from incomplete transactions by repeatingeither of the appropriate phases. This technique can also be used in a distributed database system using a distributed scheduler arrangement.System failures can arise from the operating system and may result in corrupted storage. The main copy of the database is used for recovery from failures and communicates with a cached version that is used as the working version. In association with the logs, this allows the database to recover to a very specific point in the event of a system failure, either by removing the effects of incomplete transactions or applying the effects of completed transactions. Instead of having to recover the entire database after a failure, recovery can be made more efficient by the use of check pointing. It is used during normal operations to write additional updated information - such as logs, before-images of incomplete transactions, after-images of completed transactions - to the main database which reduces the amount of work needed for recovery. Recovery from failures in distributed systems is more complicated, since a single logical action is executed at different physical sites and the prospect of partial failure arises.Logical integrity, at field level and for the entire database, is addressed by the use of monitors to check important items such as input ranges, states and transitions. Error-correcting and error-detecting codes are also used.Security ModelsVarious security models exist that address different aspects of security in operating systems and database management systems. For example, theBell-LaPadula model defines security in terms of mandatory access control and addresses confidentiality only. The Bell LaPadula models, and other models including the Biba model for integrity, are described more fully in [Cast95] and [Pfle89]. These models are implementation-independent and provide a powerfulinsight into the properties of secure systems, lead to design policies and principles, and some form the basis for security evaluation criteria.Web Server SecurityWeb servers are now one of the most common interfaces between users and back-end databases, and as such, their security becomes increasingly important. Exploitation of vulnerabilities in the web server can lead to unforeseen attacks on middleware and backend databases, bypassing any controls that may be in place. In this section, we focus on common web server vulnerabilities and how the authentication requirements of web servers and databases are met.In general, a web server platform should not be shared with other applications and should be the only machine allowed to access the database. Using a firewall can provide additional security - either between the web server and users or between the web server and back-end database - and often the web server is placed on a de-militarized zone (DMZ) of a firewall. While firewalls can be used to block certain incoming connections, they must allow HTTP (and HTTPS) connections through to the web server, and so attacks can still be launched via the ports associated with these connections.VulnerabilitiesVulnerabilities appear on a weekly basis and, here, we prefer to focus on some general issues rather than specific attacks. Common web server vulnerabilities include:• No policy exists.• The default configuration is on.• Reusable passwords appear in clear.• Unnecessary ports available for network services are not disabled.• New security holes are not tracked. Even if they are, well-known vulnerabilities are not always fixed as the source code patches are not applied by system administrator and old programs are not re-compiled or removed.• Security tools are not used to scan the network for weaknesses and changes or to detect intrusions.• Faulty and buggy software - for example, buffer overflow and stack smashingAttacks• Automatic directory listings - this is of particular concern for the interface software directories.• Server root files are generally visible or accessible.• Lack of logs and bac kups.• File access is often not explicitly configured by the system administrator according to the security policy. This applies to configuration, client, administration and log files, administration programs, and CGI program sources and executables. CGI scripts allow dynamic web pages and make program development (in, for example, Perl) easy and rapid. However, their successful exploitation may allow execution of malicious programs, launching ofdenial-of-service attacks and, ultimately, privilege escalation on a server.Web Server and Database AuthenticationWhile user, browser and web server authentication are relatively well understood [Garf97], [Ghos98] and [Tree98], the introduction of additional components, such as databases and middleware, raise a number of authentication issues. There are a variety of options for authentication in a simple model (Figure 1). Firstly, both the web server and database management system can individually authenticate a user. This option requires the user to authenticatetwice which may be unacceptable in certain applications, although a singlesign-on device (which aims to manage authentication in a user-transparent way) may help. Secondly, a common approach is for the database to automatically grant user access based on web server authentication. However, this option should only be used for accessing publicly available information. Finally, the database may grant user access employing the web server authentication credentials as a basis for its own user authentication, using security management subsystems (Figure 1). We consider this last option in more detail.Web-based communications use the stateless HTTP protocol with the implication that state, and hence authentication, is not preserved when browsing successive web pages. Cookies, or files placed on user’s machine by a web server, were developed as a means of addressing this issue and are often used to provide authentication. However, after initial authentication, there is typically no re authentication per page in the same realm, only the use of unencrypted cookies (sometimes in association with IP addresses). This approach provides limited security as both cookies and IP addresses can be tampered with or spoofed.A stronger authentication method, commonly used by commercial implementations, uses digitally signed cookies. This allows additional systems, such as databases, to use digitally signed cookie data, including a session ID, as a basis for authentication. When a user has been authenticated by a web server (using a password, for example), a session ID is assigned and is stored in a security management subsystem database. When a user subsequently requests information from a database, the database receives a copy of the session ID, the security management subsystem checks this session ID against its local copy and, if authentication is successful, user access is granted to the database.The session ID is typically transmitted in the clear between the web server and database, but may be protected by SSL or even by physical security measures. The communications between the browser and web servers, and the web servers and security management subsystem (and its databases), are normally protected by SSL and use a web server security API that is used to digitally sign and verify browser cookies. The communications between the back-end databases and security management subsystem (and its databases) are also normally protected by SSL and use a database security API that verifies session Ids originating from the database and provides additional user authorization credentials. The web server security API is generally proprietary while, for the database security API, many vendors have adopted standards such as the Generic Security Services API (GSS-API) or CORBA [RFC2078] and [Corba].Architecture and DesignSecurity requirements for designing, building and implementing databases are important so that the systems, as part of the overall infrastructure, meet their requirements in actual operation. The various security models provide an important insight into the design requirements for databases and their management systems.Secure Database Management System ArchitecturesIn multi-level database management systems, a variety of architectures are possible: trusted subject, integrity locked, kernels and replicated. Trusted subject is used by most of the leading database management system vendors and can be integrated in existing products. Basically, the trusted subject architecture allows users to access a database via an un trusted front-end, a trusted database management system and trusted operating system. The operating systemprovides physical access to the database and the database management system provides multilevel object protection.The other architectures - integrity locked, kernels and replicated - all vary in detail, but they use a trusted front-end and an un trusted database management system. For details of these architectures and research prototypes, the reader is referred to [Cast95]. Different architectures are suited to different environments: for example, the trusted subject architecture is less integrated with the underlying operating system and is best suited when a trusted path can be assured between applications and the database management system.Secure Database Management System DesignAs discussed above, there are several fundamental differences between operating system and database management system design, including object granularity, multiple data types, data correlations and multi-level transactions. Other differences include the fact that database management systems include both physical and logical objects and that the database lifecycle is normally longer.These differences must be reflected in the design requirements which include:• Access, flow and infer ence controls.• Access granularity and modes.• Dynamic authorization.• Multi-level protection.• Polyinstantiation.• Auditing.• Performance.These requirements should be considered alongside basic information integrity principles, such as:• Well-formed transactions - to ensure that transactions are correct and consistent.• Continuity of operation - to ensure that data can be properly recovered, depending on the extent of a disaster.• Authorization and role management – to ensure that distinct roles are defined and users are authorized.• Authenticated users - to ensure that users are authenticated.• Least privilege - to ensure that users have the minimal privilege necessary to perform their tasks.• Separation of duties - to ensure that no single individual has access to critical data.• Delegation of authority - to ensure that the database management system policies are flexible enough to meet the organization’s requirements.Of course, some of these requirements and principles are not met by the database management system, but by the operating system and also by organizational and procedural measures.Database Design MethodologyVarious approaches to design exist, but most contain the same main stages. The principle aim of a design methodology is to provide a robust, verifiable design process and also to separate policies from how policies are actually implemented. An important requirement during any design process is that different design aspects can be merged and this equally applies to security.A preliminary analysis should be conducted that addresses the system risks, environment, existing products and performance. Requirements should then beanalyzed with respect to the results of a risk assessment. Security policies should be developed that include specification of granularity, privileges and authority.These policies and requirements form the input to the conceptual design that concentrates on subjects, objects and access modes without considering implementation details. Its purpose is to express information and process flows in a complete and consistent way.The logical design takes into account the operating system and database management system that will be used and which of the security requirements can be provided by which mechanisms. The physical design considers the actual physical realization of the logical design and, indeed, may result in a revision of the conceptual and logical phases due to physical constraints.Security AssuranceOnce a product has been developed, its security assurance can be assessed by a number of methods including formal verification, validation, penetration testing and certification. For example, if a database is to be certified as TCSEC Class B1, then it must implement the Bell-LaPadula mandatory access control model in which each controlled object in the database must be labeled with a security level.Most of these methods can be costly and lengthy to perform and are typically specific to particular hardware and software configurations. However, the international Common Criteria certification scheme provides the added benefit of a mutual recognition arrangement, thus avoiding the prospect of multiple certifications in different countries.ConclusionThis article has considered some of the security principles that are associated with databases and how these apply in a web based environment. Ithas also focused on important architecture and design principles. These principles have focused mainly on the prevention, assurance and recovery aspects, but other aspects, such as detection, are equally important in formulating a total information protection strategy. For example, host-based intrusion detection systems as well as a robust and tested set of business recovery procedures should be considered.Any fit-for-purpose, secure e-business infrastructure should address all the above aspects: prevention, assurance, detection and recovery. Certain industries are now starting to specify their own set of global, secure e-business requirements. International card payment associations have recently started to require minimum information security standards from electronic commerce merchants handling credit card data, to help manage fraud losses and associated impacts such as brand-image damage and loss of consumer confidence.网络环境下的数据库安全简介数据库在政府部门和商业机构得到普遍应用已经很多年了。

计算机 JSP web 外文翻译外文文献12.1 nEffective web n design involves separating business objects。

n。

and object XXX。

Although one individual may handle both roles on a small-scale project。

it is XXX.12.2 JSP ArchitectureIn this chapter。

XXX using JavaServer Pages。

servlets。

XXX of different architectures。

each building upon the us one。

The diagram below outlines this process。

and we will explain each component in detail later in this article.Note: XXX.)When Java Server Pages were introduced by Sun。

some people XXX。

While JSP is a key component of the J2EE n and serves as the preferred request handler and response mechanism。

it is XXX.XXX JSP。

the XXX that JSP is built on top of the servlet API and uses servlet XXX interesting ns。

such as whether we should XXX in our Web-enabled systems。

and if there is a way to combine servlets and JSPs。

网络安全论文参考文献1. Kim, H., Park, S., Han, K., Park, K., & Kim, J. (2016). A survey of Internet of Things security technologies. Future Generation Computer Systems, 56, 684-700.2. Wang, Q., Zhang, M., Zhu, H., & Wan, W. (2017). A survey on security and privacy issues in big data. IEEE Access, 4, 2751-2765.3. Zhang, Y., Yu, C., & Zheng, F. (2017). A comprehensive survey on secure outsourcing of computation in cloud computing. Tsinghua Science and Technology, 22(5), 479-492.4. Li, Y., Yu, S., Zhang, H., & Li, H. (2020). Towards secure on-demand data retrieval in fog computing. Future Generation Computer Systems, 103, 492-501.5. Zhou, F., & Fang, X. (2017). Survey on security and privacy in online social networks. ACM Computing Surveys (CSUR), 49(3), 1-37.6. Yuan, X., & Yu, S. (2017). Enabling secure and efficient cloud data deduplication with dynamic ownership management. IEEE Transactions on Cloud Computing, 5(2), 229-241.7. Zhu, Y., & Guo, F. (2017). Security and privacy in cyber-physical systems: a survey. IEEE Internet of Things Journal, 4(5), 1250-1268.8. Chen, R., Liu, X., & Zhang, H. (2018). Privacy-preserving and secure IoT data outsourcing: A survey. IEEE Internet of Things Journal, 5(1), 101-115.9. Zhan, J., Song, D., Song, H., Yan, Z., & Yang, Y. (2018). A survey on security and trust of blockchain technology. Future Generation Computer Systems, 82, 134-149.10. Díaz-Verdejo, J., Ortega-Mier, M., López-Guil, J., & Blasco, J. (2019). A systematic review of machine learning techniques for malware detection. Computers & Security, 80, 597-611.。