Subject: RE: [xsl] Xslt protect with password|
From: "G. Ken Holman" <gkholman@xxxxxxxxxxxxxxxxxxxx>
Date: Mon, 30 Aug 2010 08:51:50 -0400
It should be Protect from viewing the source code, and avoid unauthorized modification. But it should be work(run)
(1) - Use an XSLT processor that "compiles" the XSLT into machine code, and then distribute only the machine code. The Gregor XSLT processor is the best example I've seen of this. Reverse engineering the XSLT is very difficult, but some modifications can happen. Using various techniques for self-detection might prevent the modifications.
(2) - Obfuscate the XSLT code. I've used this in the distribution of my Open Office XML filter that is obliged to be in clear text. Because XSLT is, itself, XML, I run my XSLT through obfuscation stylesheets that rewrite the entire logic with obscure and confusing variable names. Reverse engineering is somewhat difficult ... certainly it would be painful. I'm not too worried about someone figuring out some of my techniques. Are you worried someone will steal your approaches to solving problems?
(3) - Employ digital signatures in the actual transformation scenario. This doesn't prevent the XSLT from being used on *other* XSLT processors, but it doesn't prevent the XSLT from being modified and running on the processor checking the digital signature. In my case I worked with the Ibex XSL-FO processor from Visual Programming Ltd. to digitally sign my UBL stylesheets for the United Nations Layout Key:
The stylesheets are shipped with a digital signature manifest. The commercial-grade XSL-FO engine's "signature edition" can be downloaded at no charge because it will *only* execute digitally signed stylesheets. I can make any of my stylesheets publicly downloadable and useable with a commercial-grade XSL-FO engine without users having to buy a copy of the engine. Yes, they can use the stylesheets with other engines, but they may not be able to afford to buy a commercial- grade quality one. Free engines may not work as well. If they change even a single byte of the stylesheets the commercial engine will not work. Thus, the vendor is protected from someone taking the freely- downloadable "signature edition" and using it for their own purposes.
I've also digitally signed the OASIS technical specification stylesheets I wrote for OASIS committees to use with DocBook, so that project editors can freely use the commercial-grade engine with them:
-- XSLT/XQuery training: after http://XMLPrague.cz 2011-03-28/04-01 Vote for your XML training: http://www.CraneSoftwrights.com/s/i/ Crane Softwrights Ltd. http://www.CraneSoftwrights.com/s/ G. Ken Holman mailto:gkholman@xxxxxxxxxxxxxxxxxxxx Male Cancer Awareness Nov'07 http://www.CraneSoftwrights.com/s/bc Legal business disclaimers: http://www.CraneSoftwrights.com/legal