RE: [xsl] Xslt protect with password

Subject: RE: [xsl] Xslt protect with password
From: "G. Ken Holman" <gkholman@xxxxxxxxxxxxxxxxxxxx>
Date: Mon, 30 Aug 2010 08:51:50 -0400
At 2010-08-30 15:04 +0530, Praveen Chauhan wrote:
It should be Protect from viewing the source code, and avoid unauthorized
But it should be work(run)

Nothing is foolproof.

But I've employed three different approaches:

(1) - Use an XSLT processor that "compiles" the XSLT into machine code,
      and then distribute only the machine code.  The Gregor XSLT
      processor is the best example I've seen of this.  Reverse
      engineering the XSLT is very difficult, but some modifications
      can happen.  Using various techniques for self-detection might
      prevent the modifications.

(2) - Obfuscate the XSLT code.  I've used this in the distribution of my
      Open Office XML filter that is obliged to be in clear text.  Because
      XSLT is, itself, XML, I run my XSLT through obfuscation stylesheets
      that rewrite the entire logic with obscure and confusing variable
      names.  Reverse engineering is somewhat difficult ... certainly it
      would be painful.  I'm not too worried about someone figuring out
      some of my techniques.  Are you worried someone will steal your
      approaches to solving problems?

(3) - Employ digital signatures in the actual transformation scenario.
      This doesn't prevent the XSLT from being used on *other* XSLT
      processors, but it doesn't prevent the XSLT from being modified
      and running on the processor checking the digital signature.  In my
      case I worked with the Ibex XSL-FO processor from Visual Programming
      Ltd. to digitally sign my UBL stylesheets for the United Nations
      Layout Key:

      The stylesheets are shipped with a digital signature manifest.  The
      commercial-grade XSL-FO engine's "signature edition" can be downloaded
      at no charge because it will *only* execute digitally signed
      stylesheets.  I can make any of my stylesheets publicly downloadable
      and useable with a commercial-grade XSL-FO engine without users having
      to buy a copy of the engine.  Yes, they can use the stylesheets with
      other engines, but they may not be able to afford to buy a commercial-
      grade quality one.  Free engines may not work as well.  If they change
      even a single byte of the stylesheets the commercial engine will not
      work.  Thus, the vendor is protected from someone taking the freely-
      downloadable "signature edition" and using it for their own purposes.

      I've also digitally signed the OASIS technical specification stylesheets
      I wrote for OASIS committees to use with DocBook, so that project
      editors can freely use the commercial-grade engine with them:

I haven't yet combined (2) and (3) because the stylesheets I've wanted to sign are for the protection of the XSL-FO vendor not for the protection of my algorithms, but if I wanted to do both, then I simply run my obfuscation stylesheet on my original code and digitally sign and distribute the obfuscated version.

Nothing is perfect. All you can hope for is to make it difficult to break ... you can't make it impossible.

I hope this helps.

. . . . . . . . . . . . Ken

-- XSLT/XQuery training: after 2011-03-28/04-01 Vote for your XML training: Crane Softwrights Ltd. G. Ken Holman mailto:gkholman@xxxxxxxxxxxxxxxxxxxx Male Cancer Awareness Nov'07 Legal business disclaimers:

Current Thread