Valid RDF and security
Robb Shecter
shecter at darmstadt.gmd.de
Mon Feb 15 18:13:56 GMT 1999
Hi,
A week or so ago, someone asked how a piece of RDF can be validated,
analogous to the way that a piece of XML can be validated with a DTD. I
don't think anybody answered this, or I missed the answer. (?) I'm new
to RDF, and don't know the answer, because as I understand it,
validating RDF would mean making sure that the document properly follows
(say) Dublin Core, and DC is defined as a schema, not as a DTD. (?)
I have a concrete application, and so this isn't just an esoteric question
to me:
I'm working on an OO framework for gathering metadata from various
websites, and presenting it in a nice way for browsing. Most sites have
their own home-made metadata format (see
http://slashdot.org/ultramode.txt ). OO design makes my task easy: I
use the Adapter pattern. I write an adapter for each site that converts
its file format into an object model that then gets digested by the rest
of my framework.
Now, what if I want to make this scalable by shifting the burden of
writing these adapters to the site administrators themselves?
Idea 1: Have webadmins write Java adapter classes that my framework
would dynamically load via http. This sounds cool, is possible
(servlets do this), but has a security risk: These webadmins at
external sites are untrusted. If I load and link their code on the fly,
it could be programmed to do any number of destructive things on my
server.
Idea 2: Specify that webadmins must make an XML document available via
http. The format would be simple like:

    <NewsItemCollection>
      <NewsItem title="Java's not dead" url="http://...." />
    </NewsItemCollection>

...I also write a DTD for this, and make it publicly available. Then, I
write one adapter for my framework that parses this XML, and throws an
exception if it doesn't match the DTD. And here, I see an advantage to
the fact that XML is like objects without behavior. Because, that makes
it secure. An XML document can't damage my server, and with a DTD I can
guarantee that the 3rd party has conformed to my interface. The DTD in
fact has taken the place of the Java "interface" that the 3rd party web
admins would have had to implement.
Idea 3: Well, after reading about RDF, it seems like I'm reinventing the
wheel a bit. RDF is designed to do just what I was thinking about in
2. But, how do I validate it? And in my application, I really need the
validation, because the validation enforces program functioning and
security.
Thanks for any comments,
- Robb
xml-dev: A list for W3C XML Developers. To post, mailto:xml-dev at ic.ac.uk
Archived as: http://www.lists.ic.ac.uk/hypermail/xml-dev/ and on CD-ROM/ISBN 981-02-3594-1
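
Added example, not part of the original post: a Python sketch (the post's framework is Java) of the single adapter from Idea 2, which accepts a remote feed only when it matches the receiver's own content model and raises otherwise. The content model (attribute-only NewsItem children with required title and url), the http(s) check, the size limits and all names are assumptions, since the post does not show its DTD.

```python
import re
import xml.parsers.expat

class InvalidFeed(ValueError):
    """The document does not match the receiver's feed structure."""

def parse_news_feed(data, max_items=500):
    """Return [(title, url), ...] from untrusted bytes, or raise InvalidFeed."""
    items, stack = [], []

    def on_doctype(name, system_id, public_id, has_internal_subset):
        # Validity is defined by the receiver, not by declarations the sender ships.
        raise InvalidFeed("DOCTYPE declarations are not accepted")

    def on_start(name, attrs):
        depth = len(stack)
        stack.append(name)
        if depth == 0 and name == "NewsItemCollection" and not attrs:
            return
        if depth != 1 or name != "NewsItem" or set(attrs) != {"title", "url"}:
            raise InvalidFeed("unexpected element or attributes: <%s>" % name)
        if len(items) >= max_items:
            raise InvalidFeed("too many items")
        title, url = attrs["title"].strip(), attrs["url"].strip()
        if not title or len(title) > 200:
            raise InvalidFeed("title missing or too long")
        if not re.fullmatch(r"https?://[^\s/]+(/\S*)?", url):
            raise InvalidFeed("url must be absolute http(s): %r" % url)
        items.append((title, url))

    def on_text(text):
        if text.strip():
            raise InvalidFeed("character data is not part of the format")

    parser = xml.parsers.expat.ParserCreate()
    parser.StartDoctypeDeclHandler = on_doctype
    parser.StartElementHandler = on_start
    parser.EndElementHandler = lambda name: stack.pop()
    parser.CharacterDataHandler = on_text
    try:
        parser.Parse(data, True)
    except xml.parsers.expat.ExpatError as exc:
        raise InvalidFeed("not well-formed: %s" % exc) from exc
    return items

# Constructed sample in the format shown in the post.
SAMPLE = b"""<NewsItemCollection>
  <NewsItem title="Java's not dead" url="http://news.example.org/1" />
</NewsItemCollection>"""
```
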