Securing XML Documents
Web-based applications greatly increase the availability of information and the ease of accessing it, which is ideal for public information. Distributing and sharing on the Web information that must be accessed selectively, however, requires the definition and enforcement of security controls that ensure the information is available only to authorized entities. The approaches proposed so far operate independently of the semantics of the data being protected and are therefore limited. The eXtensible Markup Language (XML), a markup language promoted by the World Wide Web Consortium (W3C), offers an important opportunity to address this problem. We present an access control model for information distributed on the Web that exploits XML's own capabilities to define and enforce access restrictions directly on the structure and content of XML documents. We also present a language for specifying such access restrictions that uses standard notations and concepts, and briefly describe a system architecture, based on existing technology, for enforcing access control.
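As an added illustration of the kind of enforcement the abstract describes (example code written for this page, not the paper's system or the authors' specification language), the following Python script applies XPath-addressed positive and negative authorizations to a constructed XML document and materializes the view a given subject is allowed to see. The rule tuple format, the propagation of recursive rules to descendants, the "denial wins" conflict resolution, the closed default and the retention of denied ancestors as empty structural placeholders are this example's own assumptions, not necessarily the paper's semantics; XPath evaluation uses the subset supported by Python's `xml.etree.ElementTree`, with paths written relative to the document element.

```python
"""Added example (not code from the paper): enforcing XPath-addressed access
restrictions on an XML document and materialising the authorised view.

Assumed semantics (this example's own, not the paper's exact model):
  * a rule is (subject, xpath, sign, recursive); xpath is evaluated with the
    ElementTree XPath subset, relative to the document element;
  * a recursive rule's sign propagates to descendants until a node that has
    a rule of its own overrides it; a local rule covers only the selected nodes;
  * when several rules hit one node, a negative rule wins;
  * nodes no rule reaches are denied (closed policy);
  * a denied element is dropped unless a descendant is permitted, in which
    case it survives as an empty placeholder (no attributes, no text) so the
    permitted descendant keeps its position in the document structure.
"""
import xml.etree.ElementTree as ET

# Constructed sample document (not taken from the paper).
SAMPLE_XML = (
    '<medical_record patient_id="P001">'
    "<demographics><name>Alice</name><dob>1980-01-01</dob></demographics>"
    "<diagnosis><code>J45</code><note>Asthma</note></diagnosis>"
    "<billing><amount>120</amount><card>****1234</card></billing>"
    "</medical_record>"
)

# Constructed policy: (subject, xpath, sign, recursive).
RULES = [
    ("physician", ".", "+", True),                   # whole record ...
    ("physician", "./billing", "-", True),           # ... except billing and below
    ("clerk", "./billing", "+", True),               # billing subtree
    ("clerk", "./demographics/name", "+", False),    # plus the name element only
    ("researcher", "./diagnosis", "+", True),        # diagnosis subtree ...
    ("researcher", "./diagnosis/note", "-", False),  # ... minus the free-text note
]


def combine(current, new):
    """Resolve two signs assigned to the same node: a denial always wins."""
    if current is None:
        return new
    return "-" if "-" in (current, new) else "+"


def compute_labels(root, rules, subject):
    """Map every element of the tree to '+' or '-' for the given subject."""
    explicit, propagating = {}, {}
    for subj, path, sign, recursive in rules:
        if subj != subject:
            continue
        for node in root.findall(path):   # findall('.') yields the root itself
            explicit[node] = combine(explicit.get(node), sign)
            if recursive:
                propagating[node] = combine(propagating.get(node), sign)

    labels = {}

    def walk(node, inherited):
        own = explicit.get(node, inherited)
        labels[node] = own if own is not None else "-"   # closed policy
        for child in node:
            # only recursive rules (or an already inherited sign) flow downwards
            walk(child, propagating.get(node, inherited))

    walk(root, None)
    return labels


def build_view(node, labels):
    """Return the authorised copy of `node`, or None if nothing below is visible."""
    kept = [v for v in (build_view(c, labels) for c in node) if v is not None]
    permitted = labels[node] == "+"
    if not permitted and not kept:
        return None
    if permitted:
        out = ET.Element(node.tag, dict(node.attrib))
        out.text = node.text
    else:
        out = ET.Element(node.tag)        # placeholder: structure only
    out.extend(kept)
    return out


def authorized_view(subject, xml_text=SAMPLE_XML, rules=RULES):
    """Parse the document and return the subject's view (an Element or None)."""
    root = ET.fromstring(xml_text)
    return build_view(root, compute_labels(root, rules, subject))


def describe(view):
    """Flatten a view into (path, attributes, text) triples for inspection."""
    out = []

    def walk(node, prefix):
        path = prefix + "/" + node.tag
        out.append((path, dict(node.attrib), node.text))
        for child in node:
            walk(child, path)

    if view is not None:
        walk(view, "")
    return out


if __name__ == "__main__":
    for who in ("physician", "clerk", "researcher", "visitor"):
        view = authorized_view(who)
        shown = ET.tostring(view, encoding="unicode") if view is not None else "(nothing)"
        print(who, "->", shown)
```

Running the script shows the effect of each policy feature: the physician sees the whole record minus the billing subtree; the clerk sees billing plus the patient's name, with the record and demographics elements reduced to attribute-less placeholders because no rule grants them; the researcher sees the diagnosis code but not the note, since the local negative rule overrides the positive sign inherited from the recursive rule on `diagnosis`; a subject with no rules gets nothing at all.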