[XSL-LIST Mailing List Archive Home] [By Thread] [By Date] [Recent Entries] [Reply To This Message] RE: Xslt protect with password
At 2010-08-30 15:04 +0530, Praveen Chauhan wrote:
It should be Protect from viewing the source code, and avoid unauthorized modification. But it should be work(run) Nothing is foolproof. But I've employed three different approaches: (1) - Use an XSLT processor that "compiles" the XSLT into machine code, and then distribute only the machine code. The Gregor XSLT processor is the best example I've seen of this. Reverse engineering the XSLT is very difficult, but some modifications can happen. Using various techniques for self-detection might prevent the modifications. (2) - Obfuscate the XSLT code. I've used this in the distribution of my Open Office XML filter that is obliged to be in clear text. Because XSLT is, itself, XML, I run my XSLT through obfuscation stylesheets that rewrite the entire logic with obscure and confusing variable names. Reverse engineering is somewhat difficult ... certainly it would be painful. I'm not too worried about someone figuring out some of my techniques. Are you worried someone will steal your approaches to solving problems? (3) - Employ digital signatures in the actual transformation scenario. This doesn't prevent the XSLT from being used on *other* XSLT processors, but it doesn't prevent the XSLT from being modified and running on the processor checking the digital signature. In my case I worked with the Ibex XSL-FO processor from Visual Programming Ltd. to digitally sign my UBL stylesheets for the United Nations Layout Key: http://www.CraneSoftwrights.com/resources/ublss#ubl2-ss The stylesheets are shipped with a digital signature manifest. The commercial-grade XSL-FO engine's "signature edition" can be downloaded at no charge because it will *only* execute digitally signed stylesheets. I can make any of my stylesheets publicly downloadable and useable with a commercial-grade XSL-FO engine without users having to buy a copy of the engine. Yes, they can use the stylesheets with other engines, but they may not be able to afford to buy a commercial- grade quality one. Free engines may not work as well. If they change even a single byte of the stylesheets the commercial engine will not work. Thus, the vendor is protected from someone taking the freely- downloadable "signature edition" and using it for their own purposes. I've also digitally signed the OASIS technical specification stylesheets I wrote for OASIS committees to use with DocBook, so that project editors can freely use the commercial-grade engine with them: http://docs.oasis-open.org/templates/DocBook/spec-0.5/oasis-specification-0.5-wd03.html#d0e1049 I haven't yet combined (2) and (3) because the stylesheets I've wanted to sign are for the protection of the XSL-FO vendor not for the protection of my algorithms, but if I wanted to do both, then I simply run my obfuscation stylesheet on my original code and digitally sign and distribute the obfuscated version. Nothing is perfect. All you can hope for is to make it difficult to break ... you can't make it impossible. I hope this helps. . . . . . . . . . . . . Ken
|
PURCHASE STYLUS STUDIO ONLINE TODAY!Purchasing Stylus Studio from our online shop is Easy, Secure and Value Priced! Download The World's Best XML IDE!Accelerate XML development with our award-winning XML IDE - Download a free trial today! Subscribe in XML format
|