These days, business transactions that require digital signatures are increasing. This example uses a digitally signed XML document as the target document. The original XML document is <bookOrder>, shown inside the Object element below. Because this is an enveloping signature, the signature is over content found within an Object element of the signature itself. Note that the target XML document is defined by an XML Schema.
<?xml version="1.0" encoding="UTF-8"?>
<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
<SignedInfo>
<CanonicalizationMethod Algorithm="http://www.w3.org/TR/2000/CR-xml-c14n-20001026"/>
<SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
<Reference URI="#Res0">
<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<DigestValue>+DS8235nx6t9WLwqUWZSBGGMhxI=</DigestValue>
</Reference>
</SignedInfo>
<SignatureValue>
M/VgGBeFkCYBNvfr1s8/Jjoyu0wbtUBuDyb0M7h9BMS9DTvNNNoujJibE4sRphbQV9LvqXW1
5xGX7Q9MsGvurglJfmtkV6B5Pcp3R+E69kLnnssOUFlDyXo9MjWxtGJUcZg6NDVEB3VakNtr
RPUdvCq5/TSKATIERqaGSb2qdgw=
</SignatureValue>
<KeyInfo>
<KeyValue>
<RSAKeyValue>
<Modulus>
thftcO8Eu1BOf0/TdYIEM2JefGguC1sARXiFx6hPjKH2RYTGrkSQfaMovN00z02aPo
FYC+z9Y1QIpusJjRN0rIcBuQ0DM896tbwfzenj9Lrw/sgM2MNAIUNnTL9Qv8Qa8IOK
7W6FRhPXpAl9dQ1qO8fzqZN23PsPNsE0KgW5iEM=
</Modulus>
<Exponent>AQAB</Exponent>
</RSAKeyValue>
</KeyValue>
<X509Data>
<X509SubjectName>CN=TAMURA Kent, OU=TRL, O=IBM, C=JP</X509SubjectName>
<X509Certificate>[base64 certificate value omitted]</X509Certificate>
</X509Data>
</KeyInfo>
<dsig:Object Id="Res0" xmlns="" xmlns:dsig="http://www.w3.org/2000/09/xmldsig#">
<bookOrder>
<item>
<title>XML and Java: Developing Web Applications</title>
<isbn>0-201-48543-5</isbn>
<quantity>1</quantity>
<price unit="USD">39.95</price>
</item>
<payment>
<billedTo>John Smith</billedTo>
<amount unit="USD">39.95</amount>
<dueDate>3 June 2000</dueDate>
<cardInfo>
<cardNumber>XXXX XXXX XXXX XXXX</cardNumber>
<cardExpiration>08/2000</cardExpiration>
</cardInfo>
</payment>
</bookOrder>
</dsig:Object>
</Signature>
A set of access control policies is described as follows:
1. The "admin" group can read every element.
2. The "committee" group can read only the X509Data element.
3. The "reviewer" group can read the bookOrder element except for the cardNumber element.
The above policies can be described in XACL language as follows:
<?xml version="1.0"?>
<policy
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.trl.ibm.com/projects/xml/xacl xacl.xsd"
xmlns="http://www.trl.ibm.com/projects/xml/xacl">
<!-- ===================================================
1. The "admin" group can read every element.
=================================================== -->
<xacl>
<object href="/*"/>
<rule>
<acl>
<subject>
<group>admin</group>
</subject>
<action name="read" permission="grant"/>
</acl>
</rule>
</xacl>
<!-- ===================================================
2. The "committee" group can read only X509Data
=================================================== -->
<xacl>
<object href='
/*[local-name()="Signature"][namespace-uri()="http://www.w3.org/2000/09/xmldsig#"]
/*[local-name()="KeyInfo"][namespace-uri()="http://www.w3.org/2000/09/xmldsig#"]
/*[local-name()="X509Data"][namespace-uri()="http://www.w3.org/2000/09/xmldsig#"]'/>
<rule>
<acl>
<subject>
<group>committee</group>
</subject>
<action name="read" permission="grant"/>
</acl>
</rule>
</xacl>
<!-- ===================================================
3. The "reviewer" group can read the bookOrder element
except for the cardNumber element
=================================================== -->
<xacl>
<object href='
/*[local-name()="Signature"][namespace-uri()="http://www.w3.org/2000/09/xmldsig#"]
/*[local-name()="Object"][namespace-uri()="http://www.w3.org/2000/09/xmldsig#"]
/bookOrder'/>
<rule>
<acl>
<subject>
<group>reviewer</group>
</subject>
<action name="read" permission="grant"/>
</acl>
</rule>
</xacl>
<xacl>
<object href='
/*[local-name()="Signature"][namespace-uri()="http://www.w3.org/2000/09/xmldsig#"]
/*[local-name()="Object"][namespace-uri()="http://www.w3.org/2000/09/xmldsig#"]
/bookOrder/payment/cardInfo'/>
<rule>
<acl>
<subject>
<group>reviewer</group>
</subject>
<action name="read" permission="deny"/>
</acl>
</rule>
</xacl>
</policy>
Try the following access requests. The resulting access decisions in the XACL Visual Tool are described in the right-most column of the following table.
| Access request file | Object | Subject (group) | Action | Access decisions |
|---|---|---|---|---|
| dsig_request1.xml | /* | Andrew (admin) | read | Andrew, a member of the admin group, is allowed to read the whole digital signature document. |
| dsig_request2.xml | /* | Carol (committee) | read | Carol, a member of the committee group, is allowed to read the X509Data element. |
| dsig_request3.xml | /* | Robert (reviewer) | read | Robert, a member of the reviewer group, is allowed to read the bookOrder element except for the cardNumber element. |
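To show how the policy above yields the three decisions in the table, here is an added Python example (not part of the original tutorial or the XACL toolkit) that evaluates the page's four xacl rules against a constructed, shortened copy of the signed document. The policy XPaths are rewritten in ElementTree notation, and the rule propagation to descendants and deny-overrides-grant behaviour are assumptions chosen to reproduce the decisions above.

```python
import xml.etree.ElementTree as ET
DSIG = "http://www.w3.org/2000/09/xmldsig#"
# Constructed, shortened copy of the page's signed document: same element
# structure, signature and key values omitted (not the page's own text).
DOC = f"""<Signature xmlns="{DSIG}">
  <SignedInfo><Reference URI="#Res0"/></SignedInfo>
  <KeyInfo><X509Data><X509SubjectName>CN=TAMURA Kent</X509SubjectName></X509Data></KeyInfo>
  <dsig:Object Id="Res0" xmlns="" xmlns:dsig="{DSIG}">
    <bookOrder>
      <item><title>XML and Java</title><price unit="USD">39.95</price></item>
      <payment><billedTo>John Smith</billedTo><cardInfo><cardNumber>XXXX XXXX XXXX XXXX</cardNumber>
        <cardExpiration>08/2000</cardExpiration></cardInfo></payment>
    </bookOrder>
  </dsig:Object>
</Signature>"""

# The page's four xacl rules, with their local-name()/namespace-uri() XPaths
# rewritten in ElementTree's {namespace}name notation, relative to the root.
POLICY = [
    ("admin",     ".",                                            "grant"),
    ("committee", f"{{{DSIG}}}KeyInfo/{{{DSIG}}}X509Data",        "grant"),
    ("reviewer",  f"{{{DSIG}}}Object/bookOrder",                  "grant"),
    ("reviewer",  f"{{{DSIG}}}Object/bookOrder/payment/cardInfo", "deny"),
]

def decide(root, group, elem):
    # Assumed semantics: a rule on an element also covers its descendants,
    # deny overrides grant, and an element no rule covers is not readable.
    verdict = "deny"
    for _, path, perm in [r for r in POLICY if r[0] == group]:
        for target in root.findall(path):
            if elem in target.iter():  # target itself or one of its descendants
                if perm == "deny":
                    return "deny"
                verdict = "grant"
    return verdict

def readable_view(group, xml_text=DOC):
    # Local-name paths of every element the group may read, in document order.
    root = ET.fromstring(xml_text)
    paths = []
    def walk(elem, prefix):
        path = prefix + "/" + elem.tag.rsplit("}", 1)[-1]
        if decide(root, group, elem) == "grant":
            paths.append(path)
        for child in elem:
            walk(child, path)
    walk(root, "")
    return paths
```

A filtered view handed to the reviewer (bookOrder without cardInfo) will not verify against the signature, because the Reference digest covers the complete Object content; verify the signature on the full document before applying the policy.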
Group membership is defined in group.xml as follows.
| Group | Member |
|---|---|
| admin | Andrew |
| committee | Carol |
| reviewer | Robert |
The binding table is defined as follows:
<bind_table>
<bind>
<target href="dsig_target.xml"/>
<policy href="dsig_policy.xml"/>
<status href="dsig_status.xml"/>
</bind>
</bind_table>