Abstract
XML access control models proposed in the literature enforce access restrictions directly on the structure and content of an XML document. Therefore access authorization rules (authorizations, for short), which specify access rights of users on information within an XML document, must be revised if they do not match with changed structure of the XML document. In this paper, we present two authorization translation problems. The first is a problem of translating instance-level authorizations for an XML document. The second is a problem of translating schema-level authorizations for a collection of XML documents conforming to a DTD. For the first problem, we propose an algorithm that translates instance-level authorizations of a source XML document into those for a transformed XML document by using instance-tree mapping from the transformed document instance to the source document instance. For the second problem, we propose an algorithm that translates value-independent schema-level authorizations of non-recursive source DTD into those for a non-recursive target DTD by using schema-tree mapping from the target DTD to the source DTD. The goal of authorization translation is to preserve authorization equivalence at instance node level of the source document. The XML access control models use path expressions of XPath to locate data in XML documents. We define property of the path expressions (called node-reducible path expressions) that we can transform schema-level authorizations of value-independent type by schema-tree mapping. To compute authorizations on instances of schema elements of the target DTD, we need to identify the schema elements whose instances are located by a node-reducible path expression of a value-independent schema-level authorization. We give an algorithm that carries out path fragment containment test to identify the schema elements whose instances are located by a node-reducible path expression.
This is a preview of subscription content, log in via an institution to check access.
Similar content being viewed by others
References
E. Bertino, S. Castano, S. Ferrari, and M. Mesiti, “Specifying and enforcing access control policies for XML document sources,” World Wide Web 3(3), 2000.
S. Chatvichienchai, M. Iwaihara, and Y. Kambayashi, “Translating access authorizations for transformed XML documents,” in Proc. of the 13th Int. Conf. on Database and Expert Systems Applications—DEXA 2002, Aix en Provence, France, September 2002, pp. 290–299.
E. Damiani, S. Vimercati, S. Paraboschi, and P. Samarati, “Securing XML documents,” in Proc. of the 2000 Int. Conf. on Extending Database Technology (EDBT'2000), Konstanz, Germany, March 2000, pp. 121–135.
A. Gabillon and E. Bruno, “Regulating access to XML documents,” in Proc. of 15th Annual IFIP WG11.3 Conference on Database and Applications Security, July 2001, pp. 299–314.
M. Greunz, B. Schopp, and J. Haes, “Integrating e-government infrastructures through secure XML document containers,” in Proc. of the 34th Hawaii Int. Conf. on System Sciences (HICSS-34), Vol. 5, Maui, Hawaii, 3–6 January 2001, p. 5004.
S. Jajodia, P. Samarati, V. S. Subrahmanian, and E. Bertino, “A unified framework for enforcing multiple acces control policies,” in Proc. of the 1997 ACM SIGMOD Int. Conf. on Management of Data, Arizona, 1997, pp. 474–485.
M. Kudo and S. Hada, “XML document security based on provisional authorization,” in Proc. of the 7th ACM Conf. on Computer and Communications Security, Athens Greece, November 2000, pp. 87–96.
J. Madhavan, P. A. Bernstein, and E. Rahm, “Generic schema matching with cupid,” in Proc. of the 27th VLDB Conference, Roma, Italy, 2001, pp. 49–58.
G. Miklau and D. Suciu, “Containment and equivalence for an XPath fragment,” in Proc. of the ACM SIGMOD-SIGACT-SIGART Symp. on Principles of Database Systems, 2002, pp. 65–76.
T. Milo and S. Zohar, “Using schema matching to simplify heterogeneous data translation,” in Proc. of VLDB, 1998, pp. 122–133.
OASIS eXtensible Access Control Markup Language Technical Committee, XACML 1.0 Committee Specification Set, http://www.oasis-open.org/committees/xacml/,November 2002.
H. Su, H. Kuno, and E. A. Rundensteiner, “Automating the transformation of XML documents,” in Advances in Web-Age Information Management, Second Int. Conf. WIDM 2001, July 2001, pp. 68–75.
J. D. Ullman, Principles of Database and Knowledge-Base Systems, Vol. I, Computer Science Press, 1989.
W3C, “Extensible Markup Language (XML),” http://www.w3c.org/XML, 1998.
W3C, “Document Object Method (DOM) level 1 specification 1.0,” http://www.w3.org/TR/RECDOM-Level-1, 1998.
W3C XSL Working Group, “XSL transformations (XSLT) version 1.0,”http://www.w3c.org/TR/xslt, 1999.
W3C, “XML path language (XPath) version 2.0,” http://www.w3.org/TR/xpath20, 2001.
W3C, “XML schema,” http://www.w3c.org/XML/Schema, 2001.
W3C, “XML signature syntax and processing,” http://www.w3.org/TR/2002/REC-xmldsigcore-20020212/, 2002.
W3C, “XML encryption syntax and processing,” http://www.w3.org/TR/2002/REC-xmlenccore-20021210/, 2002.
Author information
Authors and Affiliations
Rights and permissions
About this article
Cite this article
Chatvichienchai, S., Iwaihara, M. & Kambayashi, Y. Authorization Translation for XML Document Transformation. World Wide Web 7, 111–138 (2004). https://doi.org/10.1023/B:WWWJ.0000015867.80713.fc
Issue Date:
DOI: https://doi.org/10.1023/B:WWWJ.0000015867.80713.fc