Supporting XML Security Models Using Relational Databases: A Vision

  • Dongwon Lee
  • Wang-Chien Lee
  • Peng Liu
Part of the Lecture Notes in Computer Science book series (LNCS, volume 2824)


As the secure distribution and sharing of information over the World Wide Web becomes increasingly important, the need for flexible and efficient support of access control systems naturally arises. Since the eXtensible Markup Language (XML) is emerging as the format of the Internet era for storing and exchanging information, there have recently been many proposals to extend the XML model to incorporate security aspects. To a lesser or greater extent, however, such proposals neglect the fact that the data for XML documents will most likely reside in relational databases, and consequently do not utilize the various security models proposed for and implemented in relational databases.

In this paper, we take a rather different approach. We explore how to support security models for XML documents by leveraging techniques developed for relational databases. More specifically, in our approach, (1) users make XML queries against the given XML view/schema, (2) access controls for XML data are also specified in the XML model, but (3) data are stored in relational databases, and (4) security checks and query evaluation are also done in relational databases. Instead of reinventing the wheel, we take two representative methods from the XML security model and XML-to-relational conversion problems, and show how to glue them together in a seamless manner to efficiently support access controls for the XML model using relational databases.
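The four steps above can be sketched end to end as follows. This is an added illustration, not code from the paper: the path-per-row storage table, the signed rule table, the default-deny and deny-overrides conflict policy, and the sample document and rules are all assumptions chosen for brevity, and the "XML query" is limited to a simple absolute path.

```python
import sqlite3
import xml.etree.ElementTree as ET

# Constructed sample document (not from the paper).
DOC = """<hospital>
  <patient><name>Ann</name><diagnosis>flu</diagnosis></patient>
  <patient><name>Bob</name><diagnosis>asthma</diagnosis></patient>
</hospital>"""

# Constructed rules written against XML paths: (subject, path, sign).
# '+' grants, '-' denies. Assumed policy: default deny, denials override.
RULES = [
    ("nurse", "/hospital/patient/name", "+"),
    ("doctor", "/hospital/patient/name", "+"),
    ("doctor", "/hospital/patient/diagnosis", "+"),
    ("auditor", "/hospital/patient/diagnosis", "+"),
    ("auditor", "/hospital/patient/diagnosis", "-"),
]

def build_db():
    """Step 3: shred the XML into a relation, one row per element."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE node(id INTEGER PRIMARY KEY, path TEXT, value TEXT)")
    db.execute("CREATE TABLE acl(subject TEXT, path TEXT, sign TEXT)")

    def shred(elem, prefix):
        path = prefix + "/" + elem.tag
        db.execute("INSERT INTO node(path, value) VALUES (?, ?)",
                   (path, (elem.text or "").strip()))
        for child in elem:
            shred(child, path)

    shred(ET.fromstring(DOC), "")
    # Step 2: rules stay expressed in XML terms (paths), stored alongside the data.
    db.executemany("INSERT INTO acl VALUES (?, ?, ?)", RULES)
    return db

def query(db, subject, path):
    """Steps 1 and 4: a path query answered by one SQL statement that
    performs the security check and the evaluation together."""
    sql = """
        SELECT n.value FROM node n
        WHERE n.path = ?
          AND EXISTS (SELECT 1 FROM acl a WHERE a.subject = ?
                      AND a.path = n.path AND a.sign = '+')
          AND NOT EXISTS (SELECT 1 FROM acl a WHERE a.subject = ?
                          AND a.path = n.path AND a.sign = '-')
        ORDER BY n.id"""
    return [row[0] for row in db.execute(sql, (path, subject, subject))]
```

Because the filter is part of the SQL statement, a subject with no matching grant receives an empty result rather than an error, and no unauthorized row leaves the database engine.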





Copyright information

© Springer-Verlag Berlin Heidelberg 2003

Authors and Affiliations

  • Dongwon Lee (1)
  • Wang-Chien Lee (1)
  • Peng Liu (1)

  1. Penn State University
