[XML Security Suite]

Sample Application - Online Catalog


Please try out the simple examples (e.g. simple example 1) before working through this one.

Application Description

This is a typical online shopping application for cyber marketplaces. XML is used to store online catalog data that contains items for sale. There are two classes of buyers: normal members and premium members. The catalog includes all available items, including some that are available only to premium members. Selling information is labeled "normal", "premium", or "all". The access control policy says that normal members cannot read any information for premium members, and premium members cannot read any information for normal members. This example shows how XML access control can be applied to a practical application.

The catalog XML document in this example contains two available items: "Digital Video Camera" and "Luxury Sofa". The "Digital Video Camera" is sold to both normal and premium members. The selling period is from 1st Oct. 2000 to 31st Dec. 2005 and the price is US$489.99. Normal members have to pay US$39.99 as a shipping fee. Normal members get 1,000 bonus points, while premium members get 3,000 points. The "Luxury Sofa" is sold only to premium members. It is sold from 2000 through 2005 at the price of US$3,499.99.

Target XML Document (catalog_target.xml)
<catalog>
  <item member="all">
    <name>Digital Video Camera</name>
    <period>
      <start_time>10/1/00 0:0 AM</start_time>
      <end_time>12/31/05 11:59 PM</end_time>
    </period>
    <price currency="USD">489.99</price>
    <ship_fee currency="USD" member="normal">39.99</ship_fee>
    <advantage>
      <point member="normal">1000</point>
      <point member="premium">3000</point>
    </advantage>
  </item>
  <item member="premium">
    <name>Luxury Sofa</name>
    <period>
      <start_time>1/1/00 0:0 AM</start_time>
      <end_time>12/31/05 11:59 PM</end_time>
    </period>
    <price currency="USD">3499.99</price>
  </item>
</catalog>

Policy Description

A set of access control policies is described as follows:

  1. Normal members and premium members can read each item in the online catalog if the selling period condition is satisfied.
  2. Normal members cannot read any information for premium members.
  3. Premium members cannot read any information for normal members.

The above policies can be expressed in the XACL language as follows:

Access Control Rules (catalog_policy.xml)
<policy xmlns="http://www.trl.ibm.com/projects/xml/xacl">
<!-- ==================================================
  1. Normal members and premium members can read any
     items in the online catalog, if the selling period 
     condition is satisfied.
 =================================================== -->
  <xacl>
    <object href="/catalog/item"/>
    <rule>
      <acl>
        <subject>
          <group>normal_member</group>
        </subject>
        <subject>
          <group>premium_member</group>
        </subject>
        <action name="read" permission="grant"/>
        <condition operation="and">
          <predicate name="compareDate">
            <parameter value="after"/>
            <parameter><function name="getDate"/></parameter>
            <parameter><function name="getValue">
              <parameter value="./period/start_time"/></function></parameter>
          </predicate>
          <predicate name="compareDate">
            <parameter value="before"/>
            <parameter><function name="getDate"/></parameter>
            <parameter><function name="getValue">
              <parameter value="./period/end_time"/></function></parameter>
          </predicate>
        </condition>
      </acl>
    </rule>
  </xacl>
<!-- ==================================================
  2. Normal member cannot read any information for 
     premium members.
 =================================================== -->
  <xacl>
    <object href="//*[@member='premium']"/>
    <rule>
      <acl>
        <subject>
          <group>normal_member</group>
        </subject>
        <action name="read" permission="deny"/>
      </acl>
    </rule>
  </xacl>
<!-- ==================================================
  3. Premium member cannot read any information for 
     normal members.
 =================================================== -->
  <xacl>
    <object href="//*[@member='normal']"/>
    <rule>
      <acl>
        <subject>
          <group>premium_member</group>
        </subject>
        <action name="read" permission="deny"/>
      </acl>
    </rule>
  </xacl>
</policy>

Access Requests

Try the following access requests. The resulting access decisions in the XACL Visual Tool are described in the right-most column of the following table.

| Access request file | Object | Subject (group) | Action | Brief description of access decisions |
| --- | --- | --- | --- | --- |
| catalog_request1.xml | /catalog | Peter (premium_member) | read | The premium member Peter is allowed to read the sales information for the "Digital Video Camera" and the "Luxury Sofa" except for the information for the normal members. |
| catalog_request2.xml | /catalog | Nora (normal_member) | read | The normal member Nora is allowed to read the information for the "Digital Video Camera" but not the information for the "Luxury Sofa". She is not allowed to read the point information for premium members. |
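
The two decisions above can be reproduced with a small Python model of the three rules; this is an added example, not part of the XML Security Suite or its XACL processor. It assumes that a deny overrides the grant of rule 1, that an item outside its selling period is not shown, that two-digit years mean 20YY, and that the current time is passed in as `now` in place of `getDate`; `readable_view`, `prune` and the other names are hypothetical.

```python
import re
import xml.etree.ElementTree as ET
from datetime import datetime

# catalog_target.xml from this page, compacted onto fewer lines.
CATALOG = """<catalog>
 <item member="all"><name>Digital Video Camera</name>
  <period><start_time>10/1/00 0:0 AM</start_time>
   <end_time>12/31/05 11:59 PM</end_time></period>
  <price currency="USD">489.99</price>
  <ship_fee currency="USD" member="normal">39.99</ship_fee>
  <advantage><point member="normal">1000</point>
   <point member="premium">3000</point></advantage></item>
 <item member="premium"><name>Luxury Sofa</name>
  <period><start_time>1/1/00 0:0 AM</start_time>
   <end_time>12/31/05 11:59 PM</end_time></period>
  <price currency="USD">3499.99</price></item>
</catalog>"""

# Rules 2 and 3: the member label each group is denied read access to.
DENIED_LABEL = {"normal_member": "premium", "premium_member": "normal"}
STAMP = re.compile(r"(\d+)/(\d+)/(\d+) (\d+):(\d+) (AM|PM)")

def parse_time(text):
    """Parse 'M/D/YY H:M AM|PM'; strptime's %I rejects the catalog's hour 0."""
    mo, d, y, h, mi, ap = STAMP.fullmatch(text.strip()).groups()
    hour = int(h) % 12 + (12 if ap == "PM" else 0)
    return datetime(2000 + int(y), int(mo), int(d), hour, int(mi))  # assumes 20YY

def in_period(item, now):
    """Rule 1 condition: now is after start_time and before end_time."""
    start = parse_time(item.findtext("period/start_time"))
    end = parse_time(item.findtext("period/end_time"))
    return start < now < end

def prune(elem, group):
    """Remove every descendant labelled for the other member class."""
    for child in list(elem):
        if child.get("member") == DENIED_LABEL[group]:
            elem.remove(child)        # assumed: deny overrides rule 1's grant
        else:
            prune(child, group)

def readable_view(group, now):
    """Return the part of the catalog that `group` may read at time `now`."""
    root = ET.fromstring(CATALOG)
    for item in list(root):
        if not in_period(item, now):  # assumed: no grant means not shown
            root.remove(item)
    prune(root, group)
    return root
```

Under this model, any `now` later than 12/31/05 fails rule 1's condition for both items, so the view is empty for either group.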

Other Information

Group Membership

Group membership is defined in group.xml as follows.

| Group | Member |
| --- | --- |
| premium_member | Peter |
| normal_member | Nora |

Binding Target XML and Policy

The binding table is defined as follows:

Binding Definition
<bind_table>
  <bind>
    <target href="catalog_target.dtd"/>
    <policy href="catalog_policy.xml"/>
    <status href="catalog_status.xml"/>
  </bind>
</bind_table>


Last modified: April 18, 2002