|
Subject: Re: [xsl] Xslt protect with password From: David <dlee@xxxxxxxxxxx> Date: Mon, 27 Sep 2010 11:08:10 -0400 |
David A. Lee dlee@xxxxxxxxxxx http://www.xmlsh.org
At 2010-08-30 15:04 +0530, Praveen Chauhan wrote:It should be Protect from viewing the source code, and avoid unauthorized
modification.
But it should be work(run)
Nothing is foolproof.
But I've employed three different approaches:
(1) - Use an XSLT processor that "compiles" the XSLT into machine code, and then distribute only the machine code. The Gregor XSLT processor is the best example I've seen of this. Reverse engineering the XSLT is very difficult, but some modifications can happen. Using various techniques for self-detection might prevent the modifications.
(2) - Obfuscate the XSLT code. I've used this in the distribution of my
Open Office XML filter that is obliged to be in clear text. Because
XSLT is, itself, XML, I run my XSLT through obfuscation stylesheets
that rewrite the entire logic with obscure and confusing variable
names. Reverse engineering is somewhat difficult ... certainly it
would be painful. I'm not too worried about someone figuring out
some of my techniques. Are you worried someone will steal your
approaches to solving problems?
(3) - Employ digital signatures in the actual transformation scenario.
This doesn't prevent the XSLT from being used on *other* XSLT
processors, but it doesn't prevent the XSLT from being modified
and running on the processor checking the digital signature. In my
case I worked with the Ibex XSL-FO processor from Visual Programming
Ltd. to digitally sign my UBL stylesheets for the United Nations
Layout Key:
http://www.CraneSoftwrights.com/resources/ublss#ubl2-ss
The stylesheets are shipped with a digital signature manifest. The
commercial-grade XSL-FO engine's "signature edition" can be downloaded
at no charge because it will *only* execute digitally signed
stylesheets. I can make any of my stylesheets publicly downloadable
and useable with a commercial-grade XSL-FO engine without users having
to buy a copy of the engine. Yes, they can use the stylesheets with
other engines, but they may not be able to afford to buy a commercial-
grade quality one. Free engines may not work as well. If they change
even a single byte of the stylesheets the commercial engine will not
work. Thus, the vendor is protected from someone taking the freely-
downloadable "signature edition" and using it for their own purposes.
I've also digitally signed the OASIS technical specification stylesheets
I wrote for OASIS committees to use with DocBook, so that project
editors can freely use the commercial-grade engine with them:
http://docs.oasis-open.org/templates/DocBook/spec-0.5/oasis-specification-0.5-wd03.html#d0e1049
I haven't yet combined (2) and (3) because the stylesheets I've wanted to sign are for the protection of the XSL-FO vendor not for the protection of my algorithms, but if I wanted to do both, then I simply run my obfuscation stylesheet on my original code and digitally sign and distribute the obfuscated version.
Nothing is perfect. All you can hope for is to make it difficult to break ... you can't make it impossible.
I hope this helps.
. . . . . . . . . . . . Ken
-- XSLT/XQuery training: after http://XMLPrague.cz 2011-03-28/04-01 Vote for your XML training: http://www.CraneSoftwrights.com/s/i/ Crane Softwrights Ltd. http://www.CraneSoftwrights.com/s/ G. Ken Holman mailto:gkholman@xxxxxxxxxxxxxxxxxxxx Male Cancer Awareness Nov'07 http://www.CraneSoftwrights.com/s/bc Legal business disclaimers: http://www.CraneSoftwrights.com/legal
| Current Thread |
|---|
|
| <- Previous | Index | Next -> |
|---|---|---|
| Re: [xsl] Xslt Doubt, Martin Honnen | Thread | [xsl] default template ?, Fabien Tillier |
| Re: [xsl] Xslt Doubt, Martin Honnen | Date | [xsl] default template ?, Fabien Tillier |
| Month |