[XML Security Suite]

Tips

This page offers some tips for using our XACL implementation more effectively.

DocumentType

When your target XML document has a DocumentType node that specifies a default attribute value, the following problem may occur. Consider the following target document with the DTD specified.

<!DOCTYPE doc SYSTEM "doc.dtd">
<doc>
  <entry name1="aaa" name2="bbb"/>
  <entry name1="aaa" name2="bbb"/>
  <entry name1="aaa" name2="bbb"/>
</doc>

Assume that the DTD specifies a default value for the "name1" attribute (e.g. "ccc"). Also, assume that a policy says that you cannot read the "name1" attributes. What happens when this policy is enforced? The XACL processor tries to remove all the "name1" attributes using the DOM API (e.g. the removeAttributeNode method). Unfortunately, the attributes do not disappear: the DOM API replaces each removed attribute with an attribute carrying the default value (e.g. "ccc"). As a result, the created view still contains the "name1" attributes, in violation of the policy.

Since the XACL processor does not refer to the DocumentType node at all, the simplest way to avoid this problem is to remove the DocumentType node from the target document before enforcing the policy. For example, you can write code like this:

// Prepare a target document.
Document target = ....;
// Remove the DTD, if any (the DOM accessor is Document.getDoctype()).
DocumentType dtd = target.getDoctype();
if (dtd != null)
  target.removeChild(dtd);
// Enforce a policy.
Processor xp = new Processor();
......
// After the enforcement, you may append the DocumentType node again.
if (dtd != null)
  target.appendChild(dtd);
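
The behavior described above can be reproduced with the JDK's built-in DOM parser. The following is an added example, not code from the XML Security Suite; the class name DefaultAttrDemo, the helper stripName1 and the inlined DTD (standing in for doc.dtd) are assumptions made for illustration. It counts how many "entry" elements still carry "name1" after removal, first with the DocumentType node attached and then with it removed beforehand.

```java
import java.io.StringReader;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.DocumentType;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;
import org.xml.sax.InputSource;

public class DefaultAttrDemo {
    // Constructed sample: the page's target document, with the DTD inlined as
    // an internal subset (an assumption) so the demo needs no external doc.dtd.
    static final String XML =
        "<!DOCTYPE doc [\n"
      + "  <!ELEMENT doc (entry*)>\n"
      + "  <!ELEMENT entry EMPTY>\n"
      + "  <!ATTLIST entry name1 CDATA \"ccc\" name2 CDATA #IMPLIED>\n"
      + "]>\n"
      + "<doc><entry name1=\"aaa\" name2=\"bbb\"/>"
      + "<entry name1=\"aaa\" name2=\"bbb\"/></doc>";

    static Document parse() throws Exception {
        DocumentBuilder b = DocumentBuilderFactory.newInstance().newDocumentBuilder();
        return b.parse(new InputSource(new StringReader(XML)));
    }

    // Removes "name1" from every <entry>, as a policy enforcer would, and
    // returns the number of entries on which the attribute is still present.
    static int stripName1(Document doc) {
        NodeList entries = doc.getElementsByTagName("entry");
        int remaining = 0;
        for (int i = 0; i < entries.getLength(); i++) {
            Element e = (Element) entries.item(i);
            e.removeAttributeNode(e.getAttributeNode("name1"));
            if (e.hasAttribute("name1")) remaining++; // default value re-created
        }
        return remaining;
    }

    public static void main(String[] args) throws Exception {
        // Case 1: DocumentType still attached while attributes are removed.
        System.out.println("with DTD, name1 left on: " + stripName1(parse()));

        // Case 2: the workaround, detaching the DocumentType node first.
        Document noDtd = parse();
        DocumentType dtd = noDtd.getDoctype();
        if (dtd != null) noDtd.removeChild(dtd);
        System.out.println("DTD removed, name1 left on: " + stripName1(noDtd));
    }
}
```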

The current version of the XACL processor removes the DocumentType node before enforcing a policy and appends it again after the enforcement, as described above. This is the default behavior. If you do not want it, you can turn it off by setting the property com.ibm.xml.policy.removeDocType to "false"; the default value of this property is "true". With it turned off, the default-attribute problem described above can occur again. For example, you can set it as follows:

java -Dcom.ibm.xml.policy.removeDocType=false com.ibm.xml.policy.xacl.Processor ex2_request1.xml ex2_target.xml ex2_policy.xml ex2_status.xml



If you have any comments or suggestions, please send them to us by email.
Michiharu Kudo and Satoshi Hada

Last modified: October 15, 2001