QFilter: Fine-grained Run-time XML Access Control Via NFA-based Query Rewriting
Abstract
At present, most of the state-of-the-art solutions for XML access controls are either (1) document-level access control techniques that are too limited to support fine-grained security enforcement; (2) view-based approaches that are often expensive to create and maintain; or (3) impractical proposals that require substantial security-related support from underlying XML databases. In this paper, we take a different approach that assumes no security support from underlying XML databases and examine three alternative fine-grained XML access control solutions, namely <i>primitive, pre-processing</i> and <i>post-processing</i> approaches. In particular, we advocate a pre-processing method called <i>QFilter</i> that uses Non-deterministic Finite Automata (NFA) to rewrite user's query such that any parts violating access control rules are pruned. We show the construction and execution of a QFilter and demonstrate its superiority to other competing methods.