软件应用中英文对照外文翻译文献

软件应用中英文对照外文翻译文献PAGEPAGEI软件应用中英文对照外文翻译文献(文档含英文原文和中文翻译)原文：TheDesignandImplementationofSingleSign-onBasedonHybridArchitectureAbstract—ForthepurposeofsolvingtheproblemsofuserrepeatedlogonfromvariouskindsofApplicationwhichbasedonhybridarchitectureandindifferentdomains,singlesign-onarchitectureisproposed.Onthebasisofanalyzingtheadvantagesanddisadvantagesofexistingsinglesign-onmodels,combinedwiththekeytechnologylikeWebService,Appletandreverseproxy,twocoreproblemssuchassinglesign-onarchitecturemixB/SandC/Sstructureapplicationsandcross-domainsinglesign-onareresolved.Meanwhile,thesecurityandperformanceofthisarchitecturearewellprotectedsincethereverseproxyandrelatedencryptiontechnologyareadopted.Theresultsshowthatthisarchitectureishighperformanceanditiswidelyapplicable,anditwillbeappliedtopracticalapplicationsoon.IndexTerms—singlesign-on,webservice,crossdomain,reverseproxy,B/S,C/SINTRODUCTIONWiththeinformationsociety,peopleenjoytheprogressinthehugeinterests,butatthesametimealsofacedthetestofinformationsecurity.Withallsystemusersneedtologinthesystemincreased,usersneedtosetalotofusernamesandpasswords,whichareconfusedeasily,soitwillincreasethepossibilityoferror.Butmostusersusethesameusernameandpassword,thismakestheauthenticationinformationisillegallyinterceptedanddestroyedthepossibilityofincreased,andsecuritywillbereducedaccordingly.Formanagers,themoresystemsneedmorecorrespondinguserdatabasesanddatabaseprivileges,thesewillincreasemanagementcomplexity.Singlesign-onsystemisproposedasolutiontosolvetheproblem.Usingsinglesign-on,wecanestablishaunifiedidentityauthenticationsystemandaunifiedrightsmanagementsystem.Itnotonlyimprovesystemefficiencyandsafety,butalsocanuseuser-friendlyandtoreducetheburdenonadministrators.TABLE1Thecomparisonofavarietyofsinglesign-ontoachievemodelsSSOAchieve-ActionabilityManageabilityModelBrokerModelThelargeEnablecentralizedtransformationofthemanagementoldsystemAgentModelNeedtoaddanewManagementmoreagentforeachofthedifficulttocontrololdsystem,transplantationisAgentandrelativelysimpleTransplantationEnablecentralizedBrokerModelsimple,managementtransformationoftheoldsystemwithlimitedcapacityGatewayModelNeedtouseaEasytomanage,butdedicatedgatewaytodatabasesbetweentheaccessvariousdifferentgatewaysneedapplicationstobesynchronizedTokenModelImplementationofNeedtoaddnewrelativelysimplecomponentsandincreasethemanagementburdenSinglesign-onreferstowhentheuserneedstoaccessadistributedenvironmentwhichhasdifferentapplicationstoprovidetheservice,onlysignononceintheenvironment,noneedfortheusertore-signonthevariousapplicationsystems[1].NowtherearemanyproductsandsolutionstoimplementSSO,suchasPassportofMicrosoft,IBMWebSpherePortalServeralthoughtheseSSOproductscoulddowellinthefunctionofsinglesign-on,butmostofthemarecomplexandinflexible.Currently,thetypicalmodelstoachieveSSOincludebrokermodel,agentmodel,agentandbrokermodel,gatewaymodelandtokenmodel[2].Intable1,itanalysesthesemodelscanbeimplementedandmanageability.Basedontheabovecomparison,agentandbrokermodelhastheadvantagesbothcentralizedmanagementandrevisedlessoriginalapplicationserviceprocedure.SoIdecidetoadoptagentandbrokermodelasthebasisforthismodel.InordertointegrateinformationandapplicationswellandwiththeB/Smodein-depthapplicationsoftware,therehasbeentheconceptofenterpriseportal,offerabestwaytosolvethisproblem.Enterpriseportalprovidesbusinessusersaccessinformationandapplications,andcompleteorassistinavarietyofinteractivebehaviorofasingleintegratedaccesspoint.Theappropriatesystemsoftwareportalprovidesadevelopment,deploymentandmanagementofportalapplicationsservices.Enterpriseinformationportalconcernsportal,contentmanagement,dataintegration,singlesign-on,andmuchothercontent.SYSTEMCONSTRUCTIONWHICHREGISTERSBASEDONTHEWEBSERVICEMIXCONSTRUCTIONSINGLESIGN-ONThesystemconsistsofmultipletrustdomains.EachtrustdomainhasmuchB/Sarchitectureoftheapplicationservers;inadditiontoB/SarchitectureoftheapplicationserversalsoincludedC/Sarchitectureapplicationservers.Alltheapplicationsareboundtogetherthroughaunifiedportaltoachievefunctionalityofsinglesign-on.Youcanseethatthisarchitectureisbasedontheagentandthebrokermodel.Aunifiedagentportalisplayingabrokerrole,andvariousapplicationsareplayinganagentrole.TheB/SarchitectureapplicationsareinstalledontheClientsideofSSOAgent,andtheunifiedportalisinstalledontheServersideofSSOAgent.BetweenthemisthroughthesetwoAgentstointeract.Inaddition,inFig1,theexternalprovisionofauthenticationserverisLDAPauthenticationinterface.TokenauthenticationWebServiceserverprovidestheinterfacesofsinglesign-ontokenoftheadditions,deletions,editionsandqueries.ButthepermissionWebServiceserverprovidestheappropriateauthorityinformationsystem,toachieveunifiedmanagementauthorityforaccessingunifiedportalapplicationsystem.Thesystemsupportscross-domainaccess,thatis,thedomainD1userscanaccesstheapplicationdomainD2,andthedomainD2userscanaccesstheapplicationdomainD1.Atthesametime,thesystemalsosupportstheapplicationofdifferentstructuresbetweenthesinglesign-on,thatis,userafteraccessingtheapplicationAoftheB/SstructureaccesstheapplicationEofC/Sstructurewithouthavingtorepeatedlyenterusernameandpassword,oruseraccesstheapplicationAaftertheapplicationEwithoutre-enterlogininformation.ThewholestructureofSingleSign-onisasFig1shown.Figure1:TheStructureofSingleSign-onA. TheloginprocessThewholesinglesign-onprocessisasFig2shown:Belowistheprocessspecificstepsdescription:1）UserloginintheclientbrowsertoaccessAapplication,SSOClientofAsysteminterceptandredirecttheURLtothelandingpageofUnifiedPortalSystem2）Entertheusernameandpassword,UnifiedPortalSystemsubmitstotheauthenticationserverforauthentication.Iftheinformationiscorrect,UnifiedPortalSystemautomaticallygenerates,savesnotesandtheroleoftheuserIDtoalocal,andcallstheincreate-noteinterfaceofWebServicetoinserttheinformation.3）UnifiedPortalSystemreturnsalistofapplicationresourcespagestotheuser.Theuserclicksanyoneapplicationsystem(e.g.Asystem).TheSSOClient-sideofAapplicationsystemreadthenotesinformationandcallthequery-notesinterfaceofWebService.Ifitisconsistentandwithinthetimelimit,itwillgettheroleinformationoftheuserinAapplicationsystemandloginAapplicationsystem.Atthesametime,itwillcalltheupdate-noteinterfaceofNoteCertificationWebServicetoupdatethelog-intimeofthiscurrentnote.ThencalltheinterfaceofuserrightsWebServicetogetthisuser’spermissioninformationwithcorrespondingapplicationsystem.4）IfuserendtoaccessAapplicationsystem,exitandclickonthelinkofBapplicationsystem,systemimplementationswillbeareasthesameassteps(3).5）Ifusercompletealltherequiredaccess-applicationsandneedtodothelog-offoperation,itwillmainlycallthedeletion-noteinterfacetodestroythecorrespondingnoteinformation.Figure2:ThewholeprocessofSingleSign-on B. ThesolutionofCross-domainproblemsInthetraditionalimplementationofsinglesign-onsystemwillbegenerallyusedcookieasstorageofclient-sidenotes,butbecauseofrestrictionsoncookieitselfpropertiesmakeitonlyonthehostunderthesamedomaineffective,anddistributedapplicationsystemalwayscannotguaranteethatallhostsunderthesamedomain.Thecurrentsystemdoesnotstorethenoteinformationintheclient-sidebutplacedvariousapplicationparametersofthelinkdirectly.Thenote-verificationisthroughtheapplicationoftheSSOClient-sidecalltothecorrespondinginterfaceofWebServicetocomplete.ThroughtheSimpleObjectAccessProtocol(SOAP)toprovidesoftwareserviceintheWeb,useWSDLfiletoilluminateandregisterbyUDDI[3].ShowninFig3,aftertheuserthroughtheapplicationofUDDItofindaWSDLdescriptionofthedocument,hecancalltheapplicationwhichthroughSOAPtoprovidebyoneormoreoperationsofWebservices.ThebiggestcharacteristicofWebServiceisitscross-platform,whetheritistheapplicationofB/SstructureorC/Sstructure,whetheritistheapplicationusingJ2EEor.NETtoimplement,itcanaccessWebServiceaslongastogiveWebServiceserver'sI:Pandinterfacename.Thefollowingisthissystemprocessofachievingcross-domainaccess:1）UserloginUnifiedPortalsystemsuccessfully.2）UseraccessesAapplicationsystemwithinthetrusteddomainD1,completetheaccessandthenexitthisapplication.3）UserclickstheURLofBapplicationsystemwithintrusteddomainD2oftheresourceslistofUnifiedPortal.4）SSOClientofBapplicationinterceptstherequest,getsthenotebehindURL,andcallsthequery-noteinterfaceofWebService.5）QueryinterfaceofWebServicegetsbackthelegalinformationofthisnotetotheSSOClient.6）SSOClientredirecttoBapplicationsystem,theuseraccessBapplication.Figure3:WebServiceStructureC.TheSolutionofSingleSign-onbetweenB/SandC/SStructuresAsweknow,theimplementationprinciplesofapplicationsarequitedifferentbetweenB/SandC/Sstructures.Inthissystem,theapplicationsofB/SstructurecanbeaccessedthroughbyclickingURLoftheapplication-resources-listpageofUnifiedPortal.Sincethebrowsersecurityrestrictions,thepagedoesnotallowuserstodirectlycallthelocalexefiles,soneedtoadoptanindirectwaytocallC/Sarchitectureapplications.ThisarticleusesthewayofApplettocalllocalexefiles,theimplementationsasbelow:ForallC/Sstructures,createacommonAgent.ThisAgent'sroleisaninterceptor,whichmeansitneedbrowserstoaccessaftertheC/SstructurejoinedupUnifiedPortalsystem.(Pleasenotethat:SincetheoriginalB/SarchitectureandC/Sstructureisnotusingthesameauthenticationmethod.FortheC/Sapplicationaccesstotheunifiedportalframeworktoachievesinglesign-onsystem,theneedforaunifiedauthenticationmanagement,andinordertochangetheamountofcompressiontoaminimum.Implementationofthissystemistocreateaneedlessusernameandpasswordauthenticationcodeforallapplicationswhichareaccessedaunifiedportal,andlandontheunifiedportalsystemcertifiedlandingpage.Whenauserusesbrowsertologintotheunifiedportalsystemsuccessfullyandthencanaccessanyapplication,includingtheB/SarchitectureandC/Sstructureoftheapplication.TobeensurethesecurityofC/Sapplicationframework,whentheuserclicksdirectlytothedesktopshortcuttoopenapplicationsstillusingtheoriginalauthentication.)ApplicationsofC/SarchitectureareallusingthesameAppletofURL.ThereceivedparametersofthiscommonAppletincludebills,applicationname,unifiedlogin-nameandpassword.Whenauserdoesnotdotheloginoperationbefore,thefirstvisitaC/SapplicationwillbeinterceptedtotheloginofUnifiedPortalsystemforsign-on.Ifauserloggedinbefore,whenvisitingaC/Sapplication,thisAgentwillcalltheinterfaceofWebServicenote-validationtovalidatethenotewhichwastransferred.Ifthevalidationissuccessful,Appletobjectwillbedownloadedtotheuser'slocaltoimplement.Inordertotransformtheoriginalapplicationsaslittleaspossible,themethodofthisarticleistoopentheloginwindowofthecorrespondingapplicationthroughbyApplet.Belowarethecodes:publicvoidOpenExe(StringappName){Runtimern=Runtime.getRuntime();Processp=null;p=rn.exec(“c:\.”+appName+“.exe”);}Afteropeningthelog-inwindowoftheapplication,theoperationstepsofthisAppletasfollows:1）AppletneedstocallthebottomAPIofwindowstogettheuser-nameofloginwindow,password-inputboxandthehandleofloginbuttonthroughbyJNI.2）Locatetheuser-name-inputboxtosendunifiedloginname.Locatepassword-inputboxtosendthepassword.(Passwordinformationisarbitraryandinordertodistinguishitfromtheuserclicksonashortcutdirectlylandingsystem,alsoneedtosendacodethatusesaunifiedportalaccesswithoutapasswordauthenticationsystem.)Locatetheloginbuttontosendtheclickevent.3）Atlast,AppletwillminimizetheIEwindow,therelatedwindowsofapplicationswillbeplacedtotheforefront.ThesearetheimplementationprocessofC/Sarchitectureapplicationsinglesign-on.TheapplicationcodeswhichhavenotbeenchangedatallbeforewilljoinuptheUnifiedPortalsystemusingalooselycoupledway.Needtoexplainthat,duetotheAppletJVMsecurityrestrictions,causeAppletcannotdirectlycalltheuser'sSystem32directoryoflocalnativewindowsdll.NowthemethodisfirsttostarttouseCorC++towritetheclasswhichgotthecorrespondinginputboxandbuttonoftheloginwindow,andgenerateaJNIWindowUtil.dllfile(JNIWindowUtilisauser-defineddll'sname).AnditistoplacethedllinthesamedirectorywiththeApplet.WhentheAppletisdownloadedtotheclientside,dllisalsodownloadedtotheuser'sSystem32directoryoflocalatthesametime.Appletprocessalsoneedstoexecutestatement:System.loadLibrary("JNIWindowUtil").Aftercompletingtheseabovesteps,itcanreallyuseJNIinAppletinternaltoachievethecorrespondingfunctions.D. AuthenticationserverTheoldsystemuserauthenticationinformationisusuallystoredinadatabase,butthisarchitectureusedLDAPtostoreuserinformation.LDAP,shortforLightweightDirectoryAccessProtocol,isthestandarddirectoryaccessprotocolbasedonasimplifiedform.Italsodefinesthewaydataorganization;itisbasedonTCP/IPprotocolofthedefactostandarddirectoryservice,andhasdistributedinformationaccessanddatamanipulationfunctions.LDAPusesdistributeddirectoryinformationtreestructure.Itcanorganizeandmanagevarioususers’informationeffectivelyandprovidesafeandefficientdirectoryaccess.Comparedwiththedatabase,LDAPistheapplicationforreadingoperationmorethanwritingoperation,anddatabaseisknowntosupportalargenumberofwritingoperations.LDAPsupportsarelativelysimpletransaction,butthedatabaseisdesignedtohandlealargenumberofvarioustransactions.WhenthequeryinCross-domaindataismainlyreaddata,modifythefrequencyisverylow.WhenCross-domainaccesstothetransaction,itdoesnotrequirealargeload,soincomparisonwiththedatabase,LDAPistheidealchoice.Itismoreeffectiveandsimple.Thisframeworkisappliedtoalargebank,thebank'ssystemscanbelongtodifferentregions,anduseofpersonnelmaycomefromdifferentgeographies.Inordertoachievedistributedmanagement,theuseofthree-levelmanagement,respectivelynamedtheBankheadquarter,ProvincialandCitybranchesofthethreelevelsofbranches,asshowninFig4:Figure4:LDAPAuthenticationStructureDirectoryreplicationanddirectoryreferenceisthemostimportanttechnologyinLDAPprotocol.Itcanbeseenfromthefigure,ProvincialandCitybranchesoftheLDAPserverbranchdataarecopiedfromthefloor,butnotasimplecopyofallinformation,justcopytherelevantdatawiththeirowninformation.Becauseforaparticularapplicationsystem,itsusersaremostlybelongtothesameregion,sothatimplementationcangreatlysimplifythemanagementofdirectoryservicesandtoimprovetheefficiencyofinformationretrievalWhenauseroutsidetheregiontousethissystem,becauseofitsuserinformationintheregioncannotretrieveLDAPserver,youneedtootherregionsoftheLDAPservertoquery,andthereforerequiresawaytouseupthereferencequeries,firstProvincialbranchesoftheserversearch,withoutfurtherreferencetoBankheadquarteroftheserverupuntilthesearchtotheappropriateuserinformation.ThemanagementoftheregionalCitybranch,usingtheLDAPdirectoryreplicationmodelofSingleMaster/MultiSlave.Whenadirectoryuserqueriesthedirectoryinformation,MasterLDAPServerandSlaveLDAPServer(Slaveservercanhavemorethanone)canprovideservicestothedirectory,dependingonthedirectoryusermakesarequesttowhichthedirectoryserver.Whentheuserrequeststhedirectoryupdatedirectoryinformation,inordertoensuretheMasterLDAPServerandSlaveLDAPServerinthesamedirectoryinformationcontent,theneedforreplicationofdirectoryinformation,thisisachievedthroughtheLDAPReplicaserverdatasynchronization.Usingdirectoryreplication,whenthedirectorynumberofusersincreasesortheneedtoimprovesystemperformance,onlysimplyaddSlaveLDAPservertothesystemandthencanimmediatelyeffectiveinimprovingsystemperformance,andthewholedirectoryservicesystemcanhaveagoodloadbalancing.E.PermissionsWebServerAccessControltechnologybeganinthecomputerageofprovidingshareddata.Previously,thewaypeopleusecomputersismainlytosubmittherun-codewrittenbyuserorruntheuserprofiledata.Usersdonothavemuchdatasharing,anddonotexisttocontrolaccesstodata.Whencomputercomesintouser'sshareddata,thesubjectofaccesscontrolisnaturetoputonthedesktop.Currently,thewidelyusedaccesscontrolmodelsisusingorreferencetotheearlyninetiesoflastcenturytheriseofrole-basedaccesscontrolmodel(Role-BasedAccessControl-RBAC).RBACmodel'ssuccessisthatitisinsertedthe"role"conceptbetweenthesubjectandobject,decoupleseffectivelybetweensubjectandthecorrespondingobject(permission),andwelladaptstothesubjectandobjectassociatedwiththeinstability.RBACmodelincludesfourbasicelements,namelytheuser(User-U),roles(Roles-R),session(Session-S)andpermission(Permission-P),alsointhederivedmodelalsoincludesconstraints(Constrains-C).Thebasicideaistoassignaccessrightstoroles,andthentherolesareassignedtousers.Inonesession,userscangaintheaccessrightsthroughroles.Therelationshipbetweentheelements:ausercanhavemultipleroles,arolecanbegrantedtomultipleusers;arolecanhavemultiplepermissions,apermissioncanbegrantedmultipleroles;usercanhavemultipleconversations,butaconversationisonlytobindauser;aconversationcanhavemultipleroles,arolecansharetomultipleconversationsatthesametime;Constraintsarethatactonspecificconstraintsontheserelationships.AsshowninFig5:Thissystemistousethisverysophisticatedpermissionaccesscontrolmodel.Rightsmanagement,notonlyprotectsthesafetyofsystem,butalsofacilitatesmanagement.Currentlymostusingthemannerofcodereuseanddatabasestructurereuse,rightsmanagementmoduleisintegratedintobusinesssystems.Suchaframeworkhasthefollowingshortcomings.1)Oncethepermissionssystemhasbeenmodified,themaintenancecostswillbeveryhigh.Thisisthegeneralshortcomingofusingcodereuseanddatabasestructurereuse.Oncerevised,wewillhavetoupdatethecodeinallbusinesssystemanddatabasestructure,andalsotoensurethatexistingdatacansmooththetransition.Someprocessesmayrequiremanualintervention,whichisa"painful"thingforthedevelopersandmaintenancepersonnel.2)DidnotfacilitatemanagementofPermissiondata.Needtoenterpermissionmanagementmoduleofvariousbusinesssystemstomanagethecorrespondingrights.Itiscomplexoperation,andnotintuitive.3)Fordifferentarchitectures,differentsoftwareoperatingenvironment,wemustdevelopandmaintaindifferentpermissionssystem.Forexample,B/SandC/Sarchitecturesystemmusteachdeveloptheirownrightsmanagementsystem.Thispaperarguesthatmostcommonfunctionofthepermissionsystemcanabstractedfrombusinesssystemstoformanindependentsystem-"unifiedrightssystem".Businesssystemonlyretainstherightsinquiries,readcommondatasystemandthecontrolrightsfunctionofthissystemspecificfinedegree(suchasmenus,buttons,linksandsoon).AsshownFig1.Howtoachieveaunifiedrightsmanagement?Thispaperarguesthattherearetwoimplementations,onewayistouseWebservicestoproviderightsdata;theotherisusingMobileAgenttoprovidedpermissionsdata.However,thesecondonerun,maintenancecostsarehigher,andimplementismoredifficultythanWebservices.SothisarchitectureusingWebservicestoprovideauthoritydataofthevarioussystemsinaunifiedway.BusinesssystemusingWebservicesclientinterfacetoquerydataandobtainsystemprivilegestosharedata.Theclientisjustaport,andspecificimplementationcodeisplacedin"unifiedrightssystem".Theseclientinterfacesintroducedtothebusinesssystembypackage.Ifwekeeptheclientinterfacesunchanged,modifyandupgradeoftheunifiedauthoritysystemwillnotaffectthebusinesssystem.UsersandpermissionsthroughWebpagesof"unifiedrightssystem"tounifymanagementandtoachievetheuser'ssinglesign-on.ThebiggestadvantageofWebservicesistheintegrationofdatabetweenheterogeneoussystems.ThisbreakstherestrictionsofB/S,C/Sstructure;thereisnodifferencebetweenWindowsandLinuxplatform.SYSTEMSECURITYANALYSIS1)Theinterceptionofusernameandpassword.ThesystemforauthenticationoftheuserloginandsendtheusernameandpasswordtoAppletobjectsareusedSSLprotocol.Andmakesurethatinformationduringtransmissionconfidentialityandintegrity.Meanwhile,duetothekeywhichishardtogetandtimelimited,soitcaneffectivelypreventthatintermediaryattacktothetransmissionofinformation.2)Replayattack.Manysystemswillusethewaysoftimestamptoavoidduplicationattacks.However,thisapproachrequiresthecomputerclocksofcommunicationpartiestobesynchronization.Butitisdifficulttoachieve,whilealsoappearsthefollowingsituation:thetwosides’clockswhichareconnectingwitheachother,iftheyareoutofsynchronizationoccasionally,thecorrectinformationmaybemistakentodiscardforreplayinformation,buttheincorrectreplayinformationmaybeasthelatestonetoreceive.Baseontheabove,thissystemneedsasimplemethodFofanappointmentbetweenqueryinterfacesofWebServiceprovidedandSSOClientofeachapplicationsystemorAgent.Thissystem’sparametervalueisarandomstringX.ThewholeprocessofbillvalidationasshowninFig6:a)WhentheuseraccessestoapplicationsystemA,theSSOClientofsystemAinterceptandcallthequeryinterfaceofWebServiceprovided,andtheinputparametersarearandomstringXandthecorrespondingnote.b)WebServiceserverreceivessystemA’scall,interceptsnotetocomparewiththenote’sinformationofSessionqueue.Ifthequeuecontainsthenote,itwillreturnthevalueofF(X)forshowingvalidationissuccessful.Ifnot,itwillreturn‘failed’forshowingvalidationisfailed.c)SSOClientoftheapplicationAreceivesthereturninformationofWebServiceserver,andthencomparesthereturnvaluewithF(X)ofthissystem.Ifthetwoarethesame,itwillredirecttosystemA,otherwiseitwillnotbeallowedtovisit.Therandomstringisdifferent,whicheachinteractwithWebServiceserver.Soyoucanlimitreplayattacksverywell.Usereverseproxytechnology.Reverseproxytechnologyisasubstitute,whichisareverseproxyserverastoNidenticalapplicationservers.Whenexternalaccesstothisapplication,itjustknowsthereverseproxyserverandcannotseethebackmultipleapplicationservers.Thisimprovesthesecurityofthisapplicationsystem.Throughtheaboveanalysis,thissystemcanprovideuserswithagoodsafetyWebenvironment.SYSTEMPERFORMANCEANALYZESFirst,thissysteminadditiontouseSSLencryptioninthetransmissionofusernameandpassword,theinteractionsofbetweenotherserversandbetweenuserandserversarebasedonHTTPprotocoltotransmit.SSLencryptionanddecryptionprocessrequiresalotofsystemcost,severelyreducestheperformanceofthemachine,soweshouldnotbeusethisprotocoltotransmitdatatoomuch.Sincethedatawhichneedtoencryptissmall,onlyauserIDvalue(note),sotheperformanceofusingMD5toencryptisquitesatisfactory.Second,whenuseraccessesanyapplicationsystemofeachdomain,theywillberedirectedtoUnifiedPortalsystemforidentityauthentication,ordirectedtoWebServiceserverfornotevalidation.Userneedtosignonthesystemonlywhenheiscertificationfirsttime.Whenthevisitorvolumeislarger,theuserswitchtothenewapplicationsystemwilleasilyhandleaninterruption,whichissinglesign-failurephenomenon.Thisphenomenonhastworeasons,oneistheserverloadistoolarge,theotheroneisnetworkbandwidthisnotenough.Amongthem,themethodwhichisresolvedtheserverloadistoolargeistouseservercluster.Clusterismadeupofmultipleservers.Asaunifiedresource,itprovidesasinglesystemservicetoexternal.Inthissystem,exceptforusingreverseproxytechnologytoimprovethesecurityofaccessingtheapplications,themoreimportantiscapabilitywhichcanhelptoimplementclustertechnologyofloadbalancing.ThewholestructureofreverseproxyisshowninFig7:Fig7,reverseproxyserverRprovidesthecorrespondinginterfacetoimplementthealgorithmofloadbalancingexceptforprovidingcacheforthebehindA1,A2andA3application.Thatis,itcanconsiderthearrivalrequesttodistributetotheserverwhichhasthebestperformancethroughbyscanningtheconditionsofCPU,memoryandI/OofA1,A2,A3server.ByLoadRunner8.1,theuseofreverseproxysystembeforeandafterwasrelatedtostresstesting.ThetestresultsareshowninFig8:ItcanbeseenfromFigure8,atthebeginning,whenthenumberofconcurrentusersisnotlarge,usethereverseproxyandoutofuseproxyissimilar.Butwiththegradualincreaseofconcurrentusers,theperformancedifferencebetwee