Securing XML Documents

  • Ernesto Damiani
  • Sabrina De Capitani di Vimercati
  • Stefano Paraboschi
  • Pierangela Samarati
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 1777)


Web-based applications greatly increase information availability and ease of access, which is optimal for public information. The distribution and sharing by the Web of information that must be accessed in a selective way requires the definition and enforcement of security controls, ensuring that information will be accessible only to authorized entities. Approaches proposed to this end level, independently from the semantics of the data to be protected and for this reason result limited. The eXtensible Markup Language (XML), a markup language promoted by the World Wide Web Consortium (W3C), represents an important opportunity to solve this problem. We present an access control model to protect information distributed on the Web that, by exploiting XML’s own capabilities, allows the definition and enforcement of access restrictions directly on the structure and content of XML documents. We also present a language for the specification of access restrictions that uses standard notations and concepts and briefly describe a system architecture for access control enforcement based on existing technology.


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    AlphaWorks. XML Security Suite, April 1999.
  2. 2.
    T. Berners-Lee, R. Fielding, and L. Masinter. Uniform Resource Identifiers (URI): Generic Syntax, 1998.
  3. 3.
    T. Bray (ed.). Extensible Markup Language (XML) 1.0. World Wide Web Consortium (W3C), February 1998.
  4. 4.
    S. Ceri, S. Comai, E. Damiani, P. Fraternali, S. Paraboschi, and L. Tanca. XML-GL: A Graphical Language for Querying and Restructuring XML Documents. In Proc. of the Eighth Int. Conference on the World Wide Web, Toronto, May 1999.Google Scholar
  5. 5.
    S. Ceri, P. Fraternali, and S. Paraboschi. Data-Driven, One-To-One Web Site Generation for Data-Intensive Applications. In Proc. of the 25th Int. Conference on VLDB, Edinburgh, September 1999.Google Scholar
  6. 6.
    CheckFree Corp. Open Financial Exchange Specification 1.0.2, 1998.
  7. 7.
    S. DeRose, D. Orchard, and B. Trafford. XML Linking Language (XLINK), July 1999.
  8. 8.
    C. Ellerman. Channel Definition Format (CDF), March 1997.
  9. 9.
    E.B. Fernandez, E. Gudes, and H. Song. AModel of Evaluation and Administration of Security in Object-Oriented Databases. IEEE TKDE, 6(2):275–292, April 1994.Google Scholar
  10. 10.
    S. Jajodia, P. Samarati, and V.S. Subrahmanian. A Logical Language for Expressing Authorizations. In Proc. of the IEEE Symposium on Security and Privacy, pages 31–42, Oakland, CA, May 1997.Google Scholar
  11. 11.
    S. Jajodia, P. Samarati, V.S. Subramanian, and E. Bertino. A Unified Framework for Enforcing Multiple Access Control Policies. In Proc. of the 1997 ACM International SIGMOD Conference on Management of Data, Tucson, AZ, May 1997.Google Scholar
  12. 12.
    T.F. Lunt. Access Control Policies for Database Systems. In C.E. Landwehr, editor, Database Security, II: Status and Prospects, pages 41–52. North-Holland, Amsterdam, 1989.Google Scholar
  13. 13.
    F. Rabitti, E. Bertino, W. Kim, and D. Woelk. A Model of Authorization for Next-Generation Database Systems. ACM TODS, 16(1):89–131, March 1991.CrossRefGoogle Scholar
  14. 14.
    J. Reagle and L.F. Cranor. The Platform for Privacy Preferences. Communications of the ACM, 42(2):48–55, February 1999.CrossRefGoogle Scholar
  15. 15.
    Rutgers Security Team. WWW Security. A Survey, 1999.
  16. 16.
    P. Samarati, E. Bertino, and S. Jajodia. An Authorization Model for a Distributed Hypertext System. IEEE TKDE, 8(4):555–562, August 1996.Google Scholar
  17. 17.
    A. van Hoff, H. Partovi, and T. Thai. The Open Software Description Format (OSD), August 1997.
  18. 18.
    L. Wood. Document Object Model Level 1 Specification, October 1998.
  19. 19.
    World Wide Web Consortium (W3C). Extensible Stylesheet Language (XSL) Specification, April 1999.
  20. 20.
    World Wide Web Consortium (W3C). XML Path Language (XPath) Version 1.0, October 1999.

Copyright information

© Springer-Verlag Berlin Heidelberg 2000

Authors and Affiliations

  • Ernesto Damiani
    • 1
  • Sabrina De Capitani di Vimercati
    • 1
  • Stefano Paraboschi
    • 2
  • Pierangela Samarati
    • 1
  1. 1.Dip. Scienze InformazioneUniversità di MilanoMilanoItaly
  2. 2.Dip. Elettronica e InformazionePolitecnico di MilanoMilanoItaly

Personalised recommendations