xalan-commits mailing list archives

From shatha...@apache.org
Subject svn commit: r1350856 [7/11] - in /xalan/site: ./ docs/ docs/xalan/ docs/xalan/resources/ docs/xalan/xalan-c/ docs/xalan/xalan-c/resources/ docs/xalan/xalan-j/ stylebook/ stylebook/Xalan-Logos/ stylebook/css/ stylebook/style/ stylebook/style/dtd/ xdocs/...
Date Sat, 16 Jun 2012 03:57:39 GMT
Added: xalan/site/docs/xalan/xalan-c/samples.html
URL: http://svn.apache.org/viewvc/xalan/site/docs/xalan/xalan-c/samples.html?rev=1350856&view=auto
==============================================================================
--- xalan/site/docs/xalan/xalan-c/samples.html (added)
+++ xalan/site/docs/xalan/xalan-c/samples.html Sat Jun 16 03:57:36 2012
@@ -0,0 +1,885 @@
+<?xml version="1.0" encoding="ISO-8859-1" standalone="no"?>
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
+<html>
+<head>
+<title>ASF: Xalan-C++ Samples</title>
+<meta http-equiv="content-type" content="text/html; charset=ISO-8859-1" />
+<meta http-equiv="Content-Style-Type" content="text/css" />
+<link rel="stylesheet" type="text/css" href="resources/apache-xalan.css" />
+</head>
+<!--
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the  "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ -->
+<body>
+<div id="title">
+<table class="HdrTitle">
+<tbody>
+<tr>
+<th rowspan="2">
+<a href="../index.html">
+<img alt="Trademark Logo" src="resources/XalanC-Logo-tm.png" width="190" height="90" />
+</a>
+</th>
+<th text-align="center" width="75%">
+<a href="index.html">Xalan-C/C++ Version 1.11</a>
+</th>
+</tr>
+<tr>
+<td valign="middle">Xalan-C++ Samples</td>
+</tr>
+</tbody>
+</table>
+<table class="HdrButtons" align="center" border="1">
+<tbody>
+<tr>
+<td>
+<a href="http://www.apache.org">Apache Foundation</a>
+</td>
+<td>
+<a href="http://xalan.apache.org">Xalan Project</a>
+</td>
+<td>
+<a href="http://xerces.apache.org">Xerces Project</a>
+</td>
+<td>
+<a href="http://www.w3.org/TR">Web Consortium</a>
+</td>
+<td>
+<a href="http://www.oasis-open.org/standards">Oasis Open</a>
+</td>
+</tr>
+</tbody>
+</table>
+</div>
+<div id="navLeft">
+<ul>
+<li>
+<a href="resources.html">Resources</a>
+<br />
+</li>
+<li>
+<a href="../index.html">Home</a>
+</li></ul><hr /><ul>
+<li>
+<a href="index.html">Xalan-C++ 1.11</a>
+</li>
+<li>
+<a href="whatsnew.html">What's New</a>
+</li>
+<li>
+<a href="license.html">Licenses</a>
+</li></ul><hr /><ul>
+<li>
+<a href="overview.html">Overview</a>
+</li>
+<li>
+<a href="charter.html">Charter</a>
+</li></ul><hr /><ul>
+<li>
+<a href="download.html">Download</a>
+</li>
+<li>
+<a href="buildlibs.html">Build Libraries</a>
+</li>
+<li>
+<a href="install.html">Installation</a>
+</li>
+<li>
+<a href="builddocs.html">Build Documents</a>
+</li></ul><hr /><ul>
+<li>Sample Apps<br />
+</li>
+<li>
+<a href="commandline.html">Command Line</a>
+</li>
+<li>
+<a href="usagepatterns.html">Usage Patterns</a>
+</li></ul><hr /><ul>
+<li>
+<a href="programming.html">Programming</a>
+</li>
+<li>
+<a href="extensions.html">Extensions</a>
+</li>
+<li>
+<a href="extensionslib.html">Extensions Library</a>
+</li>
+<li>
+<a href="apiDocs/index.html">API Reference</a>
+</li></ul><hr /><ul>
+<li>
+<a href="faq.html">Xalan-C FAQs</a>
+</li></ul><hr /><ul>
+<li>
+<a href="whatsnew.html#bugs">Bugs</a>
+</li>
+<li>
+<a href="http://xml.apache.org/xalan-j/test/run.html#how-to-run-c">Testing</a>
+</li>
+<li>
+<a href="secureweb.html">Web Security</a>
+</li>
+</ul>
+</div>
+<div id="content">
+<h2>Xalan-C++ Samples</h2>
+<ul>
+  <li>
+<a href="#getstarted">Samples to help you get started</a>
+</li>
+  <li>
+<a href="#rebuilding">Rebuilding a Sample application</a>
+</li>
+  <li>
+<a href="#apachemodulexslt">ApacheModuleXSLT</a>
+</li>
+  <li>
+<a href="#compilestylesheet">CompileStylesheet</a>
+</li>
+  <li>
+<a href="#documentbuilder">DocumentBuilder</a>
+</li>
+  <li>
+<a href="#externalfunctions">ExternalFunctions</a>
+</li>
+  <li>
+<a href="#parsedsourcewrappers">ParsedSourceWrappers</a>
+</li>
+  <li>
+<a href="#serializenodeset">SerializeNodeSet</a>
+</li>    
+  <li>
+<a href="#simpletransform">SimpleTransform</a>
+</li>
+  <li>
+<a href="#simplexpathapi">SimpleXPathAPI</a>
+</li>
+  <li>
+<a href="#simplexpathcapi">SimpleXPathCAPI</a>
+</li>
+  <li>
+<a href="#streamtransform">StreamTransform</a>
+</li>    
+  <li>
+<a href="#threadsafe">ThreadSafe</a>
+</li>  
+  <li>
+<a href="#tracelisten">TraceListen</a>
+</li>        
+  <li>
+<a href="#transformtoxercesdom">TransformToXercesDOM</a>
+</li>
+  <li>
+<a href="#usememorymanager">UseMemoryManager</a>
+</li>
+  <li>
+<a href="#usestylesheetparam">UseStylesheetParam</a>
+</li>
+  <li>
+<a href="#xalantransform">XalanTransform</a>
+</li>
+  <li>
+<a href="#xalantransformercallback">XalanTransformerCallback</a>
+</li>
+</ul>
+
+<a name="getstarted">&#8204;</a>
+<p align="right" size="2">
+<a href="#content">(top)</a>
+</p>
+<h3>Samples to help you get started</h3>
+<p>Each of the subdirectories in the Xalan-C++ samples directory contains the source files for a
+   sample application. The executables for the samples are in the build subdirectory, which should be on the system
+   path.</p>
+<p>With most of the samples, you can use the following procedure:</p>
+<ol>
+  <li>Go to the samples subdirectory containing the sample (use the DOS shell if you are running Windows)<br />
+<br />
+</li>
+  <li>Run the sample from the command line (as indicated below)<br />
+<br />
+</li>
+  <li>Examine the application source files. You may also want to modify the source files. Remember that if you
+      modify a .cpp file, you must rebuild the executable and place it on the path before you can run the
+      modified application.</li>
+</ol>
+<table class="note">
+<tr>
+<td class="noteImg">
+<img src="resources/note.gif" alt="note" />
+</td>
+<td class="noteTxt">Each sample application looks for input files in the current directory, the directory from
+      which you run the application. The input files are in the samples subdirectory along with the sample source
+      files. For the UNIX builds, application executables are in the bin subdirectory. For the Windows32 build, the
+      application executable is in the bin subdirectory (Xalan-C_1_11_0-&lt;my_Windows_distribution&gt;\bin). To run a 
+      sample, be sure the executable is on the path, and run it from the samples subdirectory that contains the input 
+      files.</td>
+</tr>
+</table>
+<table class="note">
+<tr>
+<td class="noteImg">
+<img src="resources/note.gif" alt="note" />
+</td>
+<td class="noteTxt">The most of the samples are implemented without providing a pluggable memory manager. The <a href="#simpletransform">SimpleTransform</a> sample illustrates, 
+      in addition to a simple transformation, the usage of the processor with memory manager</td>
+</tr>
+</table>
+
+
+
+<a name="rebuilding">&#8204;</a>
+<p align="right" size="2">
+<a href="#content">(top)</a>
+</p>
+<h3>Rebuilding a Sample application</h3>
+<p>Instructions for rebuilding the samples differ depending on whether you are using the binary package or the source 
+package. </p>
+<p>For Windows users, the Xalan Visual C++ workspace contains project configurations for building 
+   each of the samples.  Users who have downloaded the source package, can find the XalanICU.dsw workspace
+   file under:<br />
+<br />     <code>Xalan-C_1_11_0-src\src\xalanc\Projects\Win32\VC6</code>
+   <br />
+<br />  and XalanICU.sln solution file under:<br />
+<br />
+        <code>Xalan-C_1_11_0-src\src\xalanc\Projects\Win32\VC7.1</code>
+
+   <br />
+<br />  Users who have downloaded the binary package, should use the Samples.dsw workspace file 
+   located under: <br />
+<br />     
+   <code>Xalan-C_1_11_0-&lt;my_Win32_distribution&gt;\Samples\Projects\Win32\VC6</code>
+<br />
+<br />
+   or the Samples.sln solution file for .NET V7.1 users, located under: <br />
+<br />     
+   <code>Xalan-C_1_11_0-&lt;my_Win32_distribution&gt;\Samples\Projects\Win32\VC7.1</code>
+<br />
+<br />
+</p>
+<p>The Makefile that comes with the UNIX distributions include targets for rebuilding one or all of 
+   the sample applications.  To rebuild one or more sample applications from the UNIX source package, 
+   go to the Xalan-C_1_11_0-src directory and run<br />
+<br />
+        <code>gmake <b>
+<i>Target</i>
+</b>
+</code>
+<br />
+<br />
+   where <b>
+<i>Target</i>
+</b> is <code>Samples</code> (all the samples), <code>ApacheModuleXSLT</code>, 
+   <code>CompileStylesheet</code>, <code>DocumentBuilder</code>, <code>ExternalFunctions</code>, 
+   <code>ParsedSourceWrappers</code>, <code>SerializedNodeSet</code>, <code>SimpleTransform</code>,  
+   <code>SimpleXPathAPI</code>, <code>SimpleXPathCAPI</code>, <code>StreamTransform</code>, 
+   <code>ThreadSafe</code>, <code>TraceListen</code>, <code>TransformToXercesDOM</code>, 
+   <code>UseStylesheetParam</code>, <code>XalanTransform</code>, or 
+   <code>XalanTransformerCallback</code>.</p>
+<p>To rebuild the samples from the UNIX binary package, go to the ../samples directory of your installation,
+   run the runConfigure utility for your target platform, and then run gmake.  For example, AIX users would 
+   issue the following command:<br />
+<br />
+        <code>./runConfigure -p aix -c xlc_r -x xlC_r</code>
+<br />
+        <code>cd samples</code>
+<br />
+<br />
+        <code>gmake <b>
+<i>Target</i>
+</b>
+</code>
+<br />
+<br />
+   where <b>
+<i>Target</i>
+</b> can be Samples (for building all samples), or the individual sample name as 
+   listed above.</p>
+<table class="note">
+<tr>
+<td class="noteImg">
+<img src="resources/note.gif" alt="note" />
+</td>
+<td class="noteTxt">For information on building Apache Module, see <a href="samples.html#apachemodulexslt">ApacheModuleXSLT</a>
+</td>
+</tr>
+</table>
+
+
+<a name="apachemodulexslt">&#8204;</a>
+<p align="right" size="2">
+<a href="#content">(top)</a>
+</p>
+<h3>ApacheModuleXSLT</h3>
+<table class="note">
+<tr>
+<td class="noteImg">
+<img src="resources/note.gif" alt="note" />
+</td>
+<td class="noteTxt">This sample must be built with the Apache Web server, and the Xalan-C++ distribution files do not include a binary
+      for ApacheModuleXSLT. Assuming you have installed the Apache server on your platform, you can use Visual C++ on Windows to
+      build ApacheModuleXSLT.dll, or the Makefile on UNIX to build xslt_module (with the appropriate library suffix).</td>
+</tr>
+</table>
+    
+<p>What it does: runs as an Apache module on an Apache Web server; performs transformations and returns the output to a Web
+   browser. You configure Apache to respond to a given URL request for an output file (html or txt file in the configuration below)
+   by applying an xsl stylesheet file to an xml document file (both with the specified name in a given location) and returning
+   the transformation output to the client.</p> 
+<p>This sample also illustrates use of the XalanTransformer class and the C API defined in src/XalanTransformer/XalanCAPI.h. It returns 
+   transformation output in blocks to a callback function, which enables the browser to start displaying the result before the transformation
+   has been completed.</p>
+<table class="note">
+<tr>
+<td class="noteImg">
+<img src="resources/note.gif" alt="note" />
+</td>
+<td class="noteTxt">You may need to adjust the Visual C++ or Makefile settings to locate the required Apache header files. As shipped, the Visual C++ 
+      project file looks in \Apache Group\Apache\src\include, and the UNIX Makefile looks in usr/lib.</td>
+</tr>
+</table>
+<p>To build the Apache module, follow the instructions in <a href="buildlibs.html#winbldenv">Steps for doing a Windows 
+   build</a> or <a href="buildlibs.html#unixbldenv">Steps for doing a UNIX build</a>. For UNIX platforms, you do the build with<br /> 
+   <code>gmake ApacheModuleXSLT</code>.</p>
+  
+<p align="right" size="2">
+<a href="#content">(top)</a>
+</p>
+<h4>Setting up and using ApacheModuleXSLT</h4>
+<p>To use ApacheModuleXSLT, do the following:</p>
+<ol>
+  <li>(UNIX only) Be sure the Xalan and Xerces libraries are on your library path (you can accomplish this by copying them to
+      /usr/lib; see <a href="getstarted.html#path">Setting up the path/library path</a>), and copy the Apache module to 
+      /usr/lib/apache.<br />
+<br />
+</li>
+  <li>Add LoadModule and (UNIX only) AddModule entries to the Apache configuration file: httpd.conf.<br />
+<br />
+      Windows: <code>LoadModule xslt_module Xalan-C_1_11_0-&lt;my_Windows_distribution&gt;\bin\ApacheModuleXSLT.dll</code>
+<br />
+<br />
+      UNIX: <code>AddModule mod_xslt.c</code>
+<br />
+              and<br />
+              <code>LoadModule xslt_module /usr/lib/apache/mod_xslt.<b>
+<i>xx</i>
+</b>
+</code>
+<br />
+<br />
+      where <b>
+<i>xx</i>
+</b> is the appropriate library suffix for the UNIX platform ("so" or "a").<br />
+<br />
+</li>
+  <li>Add a &lt;Location&gt; entry to httpd.conf that indicates where xml/xsl file pairs are to be found, and what target file extensions
+      to recognize. We suggest the following:<br />
+<br />
+      <code>&lt;Location /xslt&gt;</code>
+<br />
+        <code>AddHandler mod_xslt .html</code>
+<br />
+        <code>AddHandler mod_xslt .txt</code>
+<br />
+      <code>&lt;/Location&gt;</code>
+<br />
+<br />
+      This &lt;Location&gt; element instructs the module to respond to requests for <b>
+<i>xxx</i>
+</b>.html and <b>
+<i>xxx</i>
+</b>.txt files in the 
+      in the xslt subdirectory (under the document root; see next item) by applying the <b>
+<i>xxx</i>
+</b>.xsl stylesheet to <b>
+<i>xxx</i>
+</b>.xml 
+      (both in that directory) and returning the transformation result to the browser.<br />
+<br />
+      For example, a request for foo.html instructs the module to apply foo.xsl to foo.xml and return the result.<br />
+<br />
+      Note: It is up to the stylesheet to apply the appropriate xsl:output method to the output. Whether the user specifies html or txt is, of
+      itself, immaterial.<br />
+<br />
+</li>
+  <li>Put xml/xsl file pairs in the &lt;Location&gt; subdirectory (xslt in the example)) under the document root directory specified in 
+      httpd.conf by the DocumentRoot and &lt;Directory&gt; settings. Alternatively, you can modify these settings to point to 
+      Xalan-C_1_11_0-&lt;my_UNIX_distribution&gt;/samples/ApacheModuleXSLT, which includes an xslt subdirectory with xml/xsl file pairs 
+      (foo.xml/xsl, apachemod.xml/xsl).<br />
+<br />
+</li>
+  <li>Start the Apache server.<br />
+<br />
+</li>
+  <li>From a Web browser, call the module with a URL as follows:<br />
+      <code>http://<b>
+<i>serverName</i>
+</b>/xslt/<b>
+<i>xxx</i>
+</b>.html</code>
+<br />
+      where <b>
+<i>serverName</i>
+</b> is the Apache server (such as www.myServer.com) and <b>
+<i>xxx</i>
+</b> is the name of an xml/xsl pair of files 
+      (such as foo.xml and foo.xsl) in the xslt subdirectory under the DocumentRoot directory.<br />
+<br />
+      For example,<br />
+      <code>http://www.myServer.com/xslt/apachemod.html</code>
+<br />
+      instructs ApacheModuleXSLT to apply the apachemod.xsl stylesheet to the apachemod.xml XML document (both files in the xslt directory 
+      under the Apache DocumentRoot directory) and return the transformation result to the browser.</li>
+</ol>
+
+
+  
+<a name="compilestylesheet">&#8204;</a>    
+<p align="right" size="2">
+<a href="#content">(top)</a>
+</p>
+<h3>CompileStylesheet</h3>
+<p>What it does: Use a compiled stylesheet to perform a series of transformations.</p>
+<p>You can run it from the CompileStylesheet subdirectory with</p>
+<p>
+<code>CompileStylesheet</code>
+</p>
+<p>See also: <a href="usagepatterns.html#compiled">Compiling stylesheets</a>.</p>
+
+
+<a name="documentbuilder">&#8204;</a>
+<p align="right" size="2">
+<a href="#content">(top)</a>
+</p>
+<h3>DocumentBuilder</h3>
+<p>What it does: Use a DocumentBuilder to programmatically construct an XML document, apply the foo.xsl stylesheet to
+   this document, and write the ouput to foo.out.</p>
+<p>You can run it from the DocumentBuilder subdirectory with</p>
+<p>
+<code>DocumentBuilder</code>
+</p>
+
+
+<a name="externalfunctions">&#8204;</a>
+<p align="right" size="2">
+<a href="#content">(top)</a>
+</p>
+<h3>ExternalFunctions</h3>
+<p>What it does: implement, install, and illustrate the usage of three extension functions. The functions return a
+   square root, a cube, and a string with the current date and time. The sample stylesheet (foo.xsl) gets the area
+   of a cube and units of measurement from an XML document (foo.xml), computes the length of each side
+   of a cube and the volume of the cube, and enters the date and time of the transformation. The output appears in
+   foo.out.</p>
+<p>Run this sample from the ExternalFunctions subdirectory with</p> 
+<p>
+<code>ExternalFunctions</code>
+</p>
+<p>See also: <a href="extensions.html">Extension Functions</a>.</p>
+  
+  
+<a name="parsedsourcewrappers">&#8204;</a>
+<p align="right" size="2">
+<a href="#content">(top)</a>
+</p>
+<h3>ParsedSourceWrappers</h3>
+<p>What it does: performs a transformation with input in the form of a pre-built XercesDOM or XalanSourceTree.</p>
+<p>Run this sample from the ParsedSourceWrappers subdirectory with</p>
+<p>
+<code>ParsedSourceWrappers</code>
+</p>
+<p>See transformXercesDOM() and transformXalanSourceTree() as called by transform() in ParsedSourceWrappers.cpp.</p>
+
+
+<a name="serializenodeset">&#8204;</a>
+<p align="right" size="2">
+<a href="#content">(top)</a>
+</p>
+<h3>SerializeNodeSet</h3>
+<p>What it does: Serialize the node set returned by the application of an XPath expression to an XML document.</p>
+<p>Run this sample from the SerializeNodeSet subdirectory with</p>
+<p>
+<code>SerializeNodeSet <b>
+<i>XMLFile</i>
+</b> <b>
+<i>ContextNode</i>
+</b> <b>
+<i>XPathExpression</i>
+</b>
+</code>
+</p>
+<p>where <b>
+<i>XMLFile</i>
+</b> is an XML source file, <b>
+<i>ContextNode</i>
+</b> is the location path to the context
+   node, and <b>
+<i>XPathExpression</i>
+</b> is an XPath expression to apply to that context node. The SerializeNodeSet 
+   directory contains the same foo.xml sample source file as the preceding examples.</p>
+    
+
+<a name="simpletransform">&#8204;</a>
+<p align="right" size="2">
+<a href="#content">(top)</a>
+</p>
+<h3>SimpleTransform</h3>
+<p>What it does: The SimpleTransform class uses the foo.xsl stylesheet to transform foo.xml, and writes the
+   output to foo.out.  The source for this sample has been modified to demonstrate the usage of the new pluggable
+   memory management feature.</p>
+<p>You can run it from the SimpleTransform subdirectory with</p>
+<p>
+<code>SimpleTransform</code>
+</p>
+<p>See also: <a href="usagepatterns.html#xalantransformer">Basic procedures for performing XSL
+   transformations</a>.</p>
+
+  
+<a name="simplexpathapi">&#8204;</a>
+<p align="right" size="2">
+<a href="#content">(top)</a>
+</p>
+<h3>SimpleXPathAPI</h3>
+<p>What it does: Use the XPathEvaluator interface to evaluate an XPath expression from the specified context node of 
+   an XML file and display the nodeset returned by the expression.</p>
+<table class="note">
+<tr>
+<td class="noteImg">
+<img src="resources/note.gif" alt="note" />
+</td>
+<td class="noteTxt">You can use this sample as an aid when you want to find out what a given XPath expression returns from a
+      given context node in an XML file.</td>
+</tr>
+</table>
+<p>Run this sample from the SimpleXPathAPI subdirectory with</p>
+<p>
+<code>SimpleXPathAPI <b>
+<i>XMLFile</i>
+</b> <b>
+<i>ContextNode</i>
+</b> <b>
+<i>XPathExpression</i>
+</b>
+</code>
+</p>
+<p>where <b>
+<i>XMLFile</i>
+</b> is an XML source file, <b>
+<i>ContextNode</i>
+</b> is the location path to the context
+   node, and <b>
+<i>XPathExpression</i>
+</b> is an XPath expression to apply to that context node.</p> 
+<table class="note">
+<tr>
+<td class="noteImg">
+<img src="resources/note.gif" alt="note" />
+</td>
+<td class="noteTxt">Keep in mind that the string value returned by an XPath expression is the string value of the first node in the 
+      nodeset returned by the expresssion.</td>
+</tr>
+</table>
+<p>The XPathWrapper subdirectory contains an XML file named xml.foo (part of it appears below).</p>
+<blockquote class="source">
+<pre>
+&lt;?xml version="1.0"?&gt;
+&lt;doc&gt;
+  &lt;name first="David" last="Marston"&gt;Mr. Marson&lt;/name&gt;
+  &lt;name first="David" last="Bertoni"&gt;Mr. Bertoni&lt;/name&gt;
+  ...
+  &lt;name first="Paul" last="Dick"&gt;Mr. Dick&lt;/name&gt;
+&lt;/doc&gt;
+</pre>
+</blockquote>
+<p>You can try command lines like</p>
+<p>
+<code>SimpleXPathAPI foo.xml /doc name/@last</code>
+</p>
+<p>and</p>
+<p>
+<code>SimpleXPathAPI foo.xml / '//name[position()="4"]/@first'</code>
+</p>
+<table class="note">
+<tr>
+<td class="noteImg">
+<img src="resources/note.gif" alt="note" />
+</td>
+<td class="noteTxt">If a SimpleXPathAPI argument includes characters (such as *) that the shell interprets incorrectly, enclose the argument 
+      in double quotes.</td>
+</tr>
+</table>
+<p>See also: <a href="usagepatterns.html#xpath">Working with XPath expressions</a>.</p>
+
+
+<a name="simplexpathcapi">&#8204;</a>
+<p align="right" size="2">
+<a href="#content">(top)</a>
+</p>
+<h3>SimpleXPathCAPI</h3>
+<p>What it does: Use the XPathEvaluator C interface to evaluate an XPath epxeression and display the string value returned 
+   by the epxression.</p>
+<table class="note">
+<tr>
+<td class="noteImg">
+<img src="resources/note.gif" alt="note" />
+</td>
+<td class="noteTxt">Keep in mind that the string value returned by an XPath expression is the string value of the first node in the nodeset 
+      returned by the epxresssion.</td>
+</tr>
+</table>
+<p>Run this sample from the SimpleXPathCAPI subdirectory with</p>
+<p>
+<code>SimpleXPathCAPI <b>
+<i>XMLFile</i>
+</b> <b>
+<i>XPathExpression</i>
+</b>
+</code>
+</p>
+<p>where <b>
+<i>XMLFile</i>
+</b> is an XML source file, and <b>
+<i>XPathExpression</i>
+</b> is an XPath expression to apply to the XML 
+   source file. The SimpleXPathCAPI subdirectory contains an XML file named xml.foo identical to foo.xml in the preceding 
+   example.</p>
+<p>You can try command lines like</p>
+<p>
+<code>SimpleXPathCAPI foo.xml /doc/name[3]</code>
+</p>
+
+  
+<a name="streamtransform">&#8204;</a>
+<p align="right" size="2">
+<a href="#content">(top)</a>
+</p>
+<h3>StreamTransform</h3>
+<p>What it does: The StreamTransform class processes character input streams containing a stylesheet and an XML document, and
+   writes the transformation output to a character output stream. This sample illustrates the process for working with stylesheets 
+   and documents that you assemble in memory.</p>
+<p>You can run it from the SimpleTransform subdirectory with</p>
+<p>
+<code>StreamTransform</code>
+</p>
+
+  
+<a name="threadsafe">&#8204;</a>
+<p align="right" size="2">
+<a href="#content">(top)</a>
+</p>
+<h3>ThreadSafe</h3>
+<p>What it does: Multiple threads use a single compiled stylesheet (StylesheetRoot) and DOM source tree (XalanNode) to perform
+   transformations concurrently. The application tracks the progress of the threads in messages to the console, and each thread
+   writes its own output file. Imagine a server application responding to multiple clients who happen to request the same
+   transformation.</p>
+<p>You can run it from the ThreadSafe subdirectory with</p>
+<p>
+<code>ThreadSafe</code>
+</p>
+<p>See also: <a href="usagepatterns.html#compiled">Compiling stylesheets</a>.</p>  
+
+
+<a name="tracelisten">&#8204;</a>
+<p align="right" size="2">
+<a href="#content">(top)</a>
+</p>
+<h3>TraceListen</h3>
+<p>What it does: Trace events during a transformation; the transformation uses birds.xsl to transform birds.xml and writes the
+   output to birds.out.</p>
+<p>You can run it from the TraceListen subdirectory with</p>
+<p>
+<code>TraceListen <b>
+<i>traceFlags</i>
+</b>
+</code>
+</p>
+<p>where <b>
+<i>traceFlags</i>
+</b> is one or more of the following:</p>
+<p>  <code>-tt</code> (Trace the templates as they are being called)</p>
+<p>  <code>-tg</code> (Trace each result tree generation event)</p>
+<p>  <code>-ts</code> (Trace each selection event)</p>
+<p>  <code>-ttc</code> (Trace the template children as they are being processed)</p>
+<p>These flags are also available in the <a href="commandline.html">command-line utility (TestXSLT)</a>.</p>
+<p>The core of this example is the following fragment:</p>
+<blockquote class="source">
+<pre>
+// Set up a diagnostic writer to be used by the TraceListener...
+XalanStdOutputStream  theStdErr(cerr);
+XalanOutputStreamPrintWriter  diagnosticsWriter(theStdErr);
+// Make sure that error reporting, which includes any TraceListener 
+// output does not throw exceptions when transcoding, since that could 
+// result in an exception being thrown while another exception is active.
+// In particular, characters that the TraceListener writes might not be 
+// representable in the local code page.
+theStdErr.setThrowTranscodeException(false);
+
+// Set up the TraceListener...
+// traceTemplates, traceTemplateChildren, traceGenerationEvent,
+// and TraceSelectionEvent are booleans set by the command line.
+TraceListenerDefault theTraceListener(
+        diagnosticsWriter,
+        traceTemplates,
+        traceTemplateChildren,
+        traceGenerationEvent,
+        traceSelectionEvent);
+
+// Add the TraceListener to the XSLT processor...
+theProcessor.setTraceSelects(traceSelectionEvent);
+theProcessor.addTraceListener(&amp;theTraceListener);
+
+// Perform the transformation
+....
+</pre>
+</blockquote>
+  
+    
+<a name="transformtoxercesdom">&#8204;</a>
+<p align="right" size="2">
+<a href="#content">(top)</a>
+</p>
+<h3>TransformToXercesDOM</h3>
+<p>What it does: Performs a simple transformation but puts the result in a Xerces DOMDocument</p>
+<p>Run this sample from the TransformToXercesDOM subdirectory with</p>
+<p>
+<code>TransformToXercesDOM <b>
+<i>XMLFile</i>
+</b> <b>
+<i>XSLFile</i>
+</b>
+</code>
+</p>
+<p>where <b>
+<i>XMLFile</i>
+</b> is a source XML file, and <b>
+<i>XSLFile</i>
+</b> is the XLST input file.  The program will use 
+   <b>
+<i>XSLFile</i>
+</b> to transform the input file <b>
+<i>XMLFile</i>
+</b> using Xerces DOM as the output destination.</p>	  
+<p>See the FormatterToXercesDOM usage in the sample code.</p>
+
+
+<a name="usestylesheetparam">&#8204;</a>    
+<p align="right" size="2">
+<a href="#content">(top)</a>
+</p>
+<h3>UseStylesheetParam</h3>
+
+<p>What it does: Performs a transformation using top-level stylesheet parameters.  There are three supported types of parameters.  One is a text string.  A second is a number of type double.  A nodeset or parsed document can also be used.</p>
+
+<p>You can run it from the UseStylesheetParam subdirectory with</p>
+
+<p>
+<code>UseStylesheetParam <b>
+<i>xmlfile</i>
+</b> <b>
+<i>stylesheet</i>
+</b> <b>
+<i>outfile</i>
+</b> [options]</code>
+</p>
+
+<p>where the options are:</p>
+
+<p>
+<code>    -s key "'String-Value'"</code>
+<br />
+<code>    -n key Number</code>
+<br />
+<code>    -d key "Document-URL"</code>
+</p>
+
+<p>The files used by the sample program and the top-level parameter nodesets for this illustration are to be in working directory in which the sample program runs.</p>
+
+<p>Using the sample program:</p>
+
+<p>
+<code>UseStylesheetParam foo.xml foo.xslt foo.out \<br />
+    -s stringA "'This is a test string value'" \<br />
+    -n numberA  123.012345 \<br />
+    -d parmA "parmA.xml" \<br />
+    -d parmB "parmB.xml"</code>
+</p>
+
+<p>The <b>
+<i>parmA.xml</i>
+</b> and <b>
+<i>parmB.xml</i>
+</b> are parsed and converted to nodesets.  The stylesheet <b>
+<i>foo.xslt</i>
+</b> merges the contents of <b>
+<i>foo.xml</i>
+</b> and the parameters into the <b>
+<i>foo.out</i>
+</b> file.</p>
+
+<p>The source sample is implemented in C++.  Another example is implemented in 'C' using the XalanCAPI library <b>
+<i>TestCAPIparm.c</i>
+</b>.  The usage interface for both is the same.</p>
+
+<p>See also: <a href="usagepatterns.html#params">Setting stylesheet parameters</a>.</p>
+
+
+<a name="xalantransform">&#8204;</a>
+<p align="right" size="2">
+<a href="#content">(top)</a>
+</p>
+<h3>XalanTransform</h3>
+<p>What it does: XalanTransform uses the XalanTransformer class and the associated C++ API to apply an XSL stylesheet 
+   file to an XML document file and write the transformation output to either an output file or to a stream. XalanTransform 
+   takes command-line arguments for the XML document to be transformed, the XSL stylesheet to apply, and an optional output 
+   file argument. If you omit the third argument, XalanTransform writes the transformation output to a stream that is sent to 
+   standard out (the console).</p>
+<p>You can run XalanTransform from the XalanTransform subdirectory with</p>
+<p>
+<code>XalanTransform foo.xml foo.xsl foo.out</code>
+</p>
+<p>Omit the third argument to write the transformation result to the console. See also: <a href="usagepatterns.html#xalantransformer">Using the XalanTransformer class.</a>.</p>
+
+  
+<a name="xalantransformercallback">&#8204;</a>
+<p align="right" size="2">
+<a href="#content">(top)</a>
+</p>
+<h3>XalanTransformerCallback</h3>
+<p>What it does: Return transformation output in blocks to a callback function, which writes the output to a file.
+   This sample illustrates the use of a callback function to incrementally process a transformation result, that is to begin
+   working with the transformation result before the transformation has been completed. See <a href="usagepatterns.html#incremental">Processing output incrementally</a>.</p>
+<p>You can run it from the XalanTransformerCallback subdirectory with</p>
+<p>
+<code>XalanTransformerCallback foo.xml foo.xsl [foo.out]</code>
+</p>
+<table class="note">
+<tr>
+<td class="noteImg">
+<img src="resources/note.gif" alt="note" />
+</td>
+<td class="noteTxt">If you omit the third argument, the transformation result is written to the console.</td>
+</tr>
+</table>
+
+  
+<p align="right" size="2">
+<a href="#content">(top)</a>
+</p>
+</div>
+<div id="footer">Copyright © 1999-2012 The Apache Software Foundation<br />Apache, Xalan, and the Feather logo are trademarks of The Apache Software Foundation<div class="small">Web Page created on - Fri 06/15/2012</div>
+</div>
+</body>
+</html>
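
Review bot: Several run instructions in samples.html name the wrong directory or file. The StreamTransform section says "You can run it from the SimpleTransform subdirectory". The SimpleXPathAPI section says "The XPathWrapper subdirectory contains an XML file named xml.foo" while its own command lines use foo.xml, and the SimpleXPathCAPI section repeats "xml.foo". The gmake target list has SerializedNodeSet where the sample is called SerializeNodeSet everywhere else. Please align these with the actual sample directories and file names. The table of contents also links to #usememorymanager, but the file defines no anchor or section with that name, so either add the UseMemoryManager section or drop the entry. In the ApacheModuleXSLT notes the Makefile include path is written "usr/lib" without a leading slash. Since that section describes returning transformation output for any browser request under /xslt, a pointer to secureweb.html (already linked in the left nav as "Web Security") would be worth adding there. Smaller items: the sample XML has last="Marston" but the text "Mr. Marson"; "expression" is misspelled several different ways in the SimpleXPathAPI and SimpleXPathCAPI text; "XLST" should be "XSLT" in TransformToXercesDOM; "in the in the" is doubled in the <Location> step; the "See also" line in XalanTransform ends with a doubled period; and the shell-quoting note recommends double quotes while the example just above it wraps an expression containing double quotes in single quotes.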

Added: xalan/site/docs/xalan/xalan-c/secureweb.html
URL: http://svn.apache.org/viewvc/xalan/site/docs/xalan/xalan-c/secureweb.html?rev=1350856&view=auto
==============================================================================
--- xalan/site/docs/xalan/xalan-c/secureweb.html (added)
+++ xalan/site/docs/xalan/xalan-c/secureweb.html Sat Jun 16 03:57:36 2012
@@ -0,0 +1,586 @@
+<?xml version="1.0" encoding="ISO-8859-1" standalone="no"?>
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
+<html>
+<head>
+<title>ASF: XML Security Overview</title>
+<meta http-equiv="content-type" content="text/html; charset=ISO-8859-1" />
+<meta http-equiv="Content-Style-Type" content="text/css" />
+<link rel="stylesheet" type="text/css" href="resources/apache-xalan.css" />
+</head>
+<!--
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the  "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ -->
+<body>
+<div id="title">
+<table class="HdrTitle">
+<tbody>
+<tr>
+<th rowspan="2">
+<a href="../index.html">
+<img alt="Trademark Logo" src="resources/XalanC-Logo-tm.png" width="190" height="90" />
+</a>
+</th>
+<th text-align="center" width="75%">
+<a href="index.html">Xalan-C/C++ Version 1.11</a>
+</th>
+</tr>
+<tr>
+<td valign="middle">XML Security Overview</td>
+</tr>
+</tbody>
+</table>
+<table class="HdrButtons" align="center" border="1">
+<tbody>
+<tr>
+<td>
+<a href="http://www.apache.org">Apache Foundation</a>
+</td>
+<td>
+<a href="http://xalan.apache.org">Xalan Project</a>
+</td>
+<td>
+<a href="http://xerces.apache.org">Xerces Project</a>
+</td>
+<td>
+<a href="http://www.w3.org/TR">Web Consortium</a>
+</td>
+<td>
+<a href="http://www.oasis-open.org/standards">Oasis Open</a>
+</td>
+</tr>
+</tbody>
+</table>
+</div>
+<div id="navLeft">
+<ul>
+<li>
+<a href="resources.html">Resources</a>
+<br />
+</li>
+<li>
+<a href="../index.html">Home</a>
+</li></ul><hr /><ul>
+<li>
+<a href="index.html">Xalan-C++ 1.11</a>
+</li>
+<li>
+<a href="whatsnew.html">What's New</a>
+</li>
+<li>
+<a href="license.html">Licenses</a>
+</li></ul><hr /><ul>
+<li>
+<a href="overview.html">Overview</a>
+</li>
+<li>
+<a href="charter.html">Charter</a>
+</li></ul><hr /><ul>
+<li>
+<a href="download.html">Download</a>
+</li>
+<li>
+<a href="buildlibs.html">Build Libraries</a>
+</li>
+<li>
+<a href="install.html">Installation</a>
+</li>
+<li>
+<a href="builddocs.html">Build Documents</a>
+</li></ul><hr /><ul>
+<li>
+<a href="samples.html">Sample Apps</a>
+</li>
+<li>
+<a href="commandline.html">Command Line</a>
+</li>
+<li>
+<a href="usagepatterns.html">Usage Patterns</a>
+</li></ul><hr /><ul>
+<li>
+<a href="programming.html">Programming</a>
+</li>
+<li>
+<a href="extensions.html">Extensions</a>
+</li>
+<li>
+<a href="extensionslib.html">Extensions Library</a>
+</li>
+<li>
+<a href="apiDocs/index.html">API Reference</a>
+</li></ul><hr /><ul>
+<li>
+<a href="faq.html">Xalan-C FAQs</a>
+</li></ul><hr /><ul>
+<li>
+<a href="whatsnew.html#bugs">Bugs</a>
+</li>
+<li>
+<a href="http://xml.apache.org/xalan-j/test/run.html#how-to-run-c">Testing</a>
+</li>
+<li>Web Security<br />
+</li>
+</ul>
+</div>
+<div id="content">
+<h2>XML Security Overview</h2>
+<ul>
+<li>
+<a href="#xsov_xmlParser">XML Parser Threats</a>
+</li>
+<li>
+<a href="#xsov_resolvEntity">Resolving External Entities</a>
+</li>
+<li>
+<a href="#xsov_trustEntity">Trusted External Entities</a>
+</li>
+<li>
+<a href="#xsov_piThreat">Processing Instruction (PI) Threats</a>
+</li>
+<li>
+<a href="#xsov_soapThreat">SOAP Simple Object Access Protocol</a>
+</li>
+<li>
+<a href="#xsov_wsdlThreat">WSDL Web Service Description Language</a>
+</li>
+<li>
+<a href="#xsov_uriThreat">URI Uniform Resource Identifiers</a>
+</li>
+<li>
+<a href="#xsov_urlThreat">URL Uniform Resource Locators</a>
+</li>
+<li>
+<a href="#xsov_malUtfStrings">Malformed UTF-8 and UTF-16 Strings</a>
+</li>
+<li>
+<a href="#xsov_canonicalXML">Canonical XML Issues</a>
+</li>
+<li>
+<a href="#xsov_xhtmlWorkaround">XHTML Output Mode - Workaround</a>
+</li>
+</ul>
+
+<br />
+<p>
+<b>This document goes well beyond XSLT. Use it as a general reference.</b>
+</p>
+<p>There are numerous security issues and problems that are 
+endemic to the XML architecture. 
+I will try to identify some of the most common issues and threats 
+and describe some mitigation strategies.
+</p>
+<p>The biggest threat issue is a matter of trust. 
+How well do you trust your sources of XML data? 
+What are the tools that can help increase the trust?
+</p>
+<p>Most Web Service communications uses HTTP over standard TCP ports. 
+The HTTP protocol on standard TCP ports has free access through business firewalls. 
+How well do your proxy servers handle the Web Service security issues 
+required for your applications?
+</p>
+<p>How well are your resource identifiers protected? 
+How well do your applications cope with resource identifier spoofing? 
+Can your resource identifiers be trusted by outside clients? 
+Can you trust the credentials of your clients?
+</p>
+<p>Will the SOAP interface for your Web Service send error messages 
+to an untrusted Web Service address?
+</p>
+<p>Is your WSDL interface description file readily available for download, 
+thus enabling persons with malicious intent to create targeted attacks on your Web Services?
+</p>
+<p>Can you trust the client credentials that use your Web Service application?
+</p>
+<p>There are numerous security issues that are not directly involved in 
+the markup of XML or its processing. 
+These issues relate to infrastructure.
+</p>
+<p>Can you trust your DNS (Domain Name Service) and reduce its vulnerability to hijacking?
+</p>
+<p>Are your web servers hardened against known application vulnerabilities?
+</p>
+<p>Are your applications hardened against 
+cross site scripting and SQL injection?
+</p>
+<p>Can your client applications trust the scripts 
+that are transmitted as web pages?
+</p>
+<p>Can your web server trust the scripts that are submitted?
+</p>
+<p>Is application data sanitized before being consumed by your applications?
+</p>
+
+<a name="xsov_xmlParser">&#8204;</a>
+<p align="right" size="2">
+<a href="#content">(top)</a>
+</p>
+<h3>XML Parser Threats</h3>
+
+<p>This list will help you find the XML threat vectors that need to be addressed.  
+Some vectors cannot be easily resolved.
+</p>
+<ul>
+<li>Resolving External Entities</li>
+<li>Implicit Trust of Internal DTD</li>
+<li>Resource Identifier Spoofing</li>
+<li>Malformed UTF-8 and UTF-16</li>
+<li>Secure the trust of external DTD descriptions</li>
+<li>Secure the trust of external Schema definitions</li>
+<li>Secure the trust of entity import and include constructs</li>
+<li>Configuration of Entity Resolver Catalogs</li>
+</ul>
+
+
+<a name="xsov_resolvEntity">&#8204;</a>
+<p align="right" size="2">
+<a href="#content">(top)</a>
+</p>
+<h3>Resolving External Entities</h3>
+
+<p>The XML1.0 and XML1.1 standards specify a <code>DOCTYPE</code> format. 
+The processing may uncover significant entity resolver deficiencies.
+</p>
+
+<p>
+<code>&lt;!DOCTYPE name PUBLIC "public-id" "system-id" [internal-DTD]&gt;</code>
+<br />
+<code>&lt;!DOCTYPE name SYSTEM "system-id" [internal-DTD]&gt;</code>
+</p>
+<p>XML Parsers MUST process the <code>[internal-DTD]</code> if it exists.
+</p>
+<p>XML Parsers MAY process the external <code>"system-id"</code> if it can be found.
+</p>
+<p>XML Parsers MAY process the external <code>"public-id"</code> if it can be found.
+</p>
+<p>XML Parsers MAY prefer either the <code>"public-id"</code> or <code>"system-id"</code> 
+if both are specified.
+</p>
+<p>XML Parsers MAY ignore both the <code>"public-id"</code> and <code>"system-id"</code> 
+if present.
+</p>
+<p>Declaring a parameter entity notation <code>"%entity;"</code> 
+in the <code>[internal-DTD]</code> and expanding the content within the 
+<code>[internal-DTD]</code> will force the XML parser to import the content 
+referenced by the <code>"%entity;"</code> notation.
+</p>
+<p>Declaring a general entity notation <code>"&amp;entity;"</code> in the 
+<code>[internal-DTD]</code> and expanding the content within the body of 
+the XML document will force the XML parser to import the content referenced 
+by the <code>"&amp;entity"</code> notation.
+</p>
+<p>The default method of resolving external entities is by resolving entity 
+name strings relative to DNS named hosts and/or path names relative to the 
+local computer system.  When receiving XML documents from an outside source, 
+these entity reference locations may be unreachable, unreliable, or untrusted.
+</p>
+<p>Web Service SOAP XML documents MUST NOT have <code>DOCTYPE</code> definitions. 
+SOAP processors should not process DOCTYPE definitions. 
+The conformance is implementation dependent.
+</p>
+<p>
+<a href="http://www.w3.org/TR/soap">http://www.w3.org/TR/soap</a>
+</p>
+
+
+<a name="xsov_trustEntity">&#8204;</a>
+<p align="right" size="2">
+<a href="#content">(top)</a>
+</p>
+<h3>Trusted External Entities</h3>
+
+<p>The <b>
+<i>OASIS XML Catalogs</i>
+</b> specification, if implemented by an application, 
+can specify a set of external entities that can be trusted by mapping known 
+identifiers to local or trusted resources.  A secure application should 
+not trust entity identifiers whose resources cannot be localized and secured.
+</p>
+<p>
+<a href="http://www.oasis-open.org/committees/entity">http://www.oasis-open.org/committees/entity</a>
+</p>
+<p>A similar method can be designed specifically for each application.
+</p>
+<p>A trusted application may need to pre-screen any entity definitions in XML 
+before passing the information into the core of the application.
+</p>
+<p>A trusted application should install some type of entity resolving catalog 
+or database that can be trusted.
+</p>
+
+
+<a name="xsov_piThreat">&#8204;</a>
+<p align="right" size="2">
+<a href="#content">(top)</a>
+</p>
+<h3>Processing Instruction (PI) Threats</h3>
+
+<p>Processing instructions are a mechanism to send specific information 
+into an application.  A common processing instruction is a 
+stylesheet declaration.  
+This information is part of an XML document and comes usually 
+after the XML header and before the root element.
+</p>
+<p>A stylesheet declaration may cause an application to look for an 
+untrusted XSLT stylesheet to use for transformation of the 
+following root element.  A standard exists for associating style sheets with XML documents.
+</p>
+<p>
+<a href="http://www.w3.org/TR/xml-stylesheet">http://www.w3.org/TR/xml-stylesheet</a>
+</p>
+<p>Examples in the xml-stylesheet recommendation describes how to use the 
+processing instruction to associate CSS stylesheets for XHTML.  
+Applications that use XSLT transformations will interpret the 
+xml-stylesheet processing instruction as the location of a 
+XSLT transformation stylesheet.
+</p>
+<p>As more processing instructions become standardized and in common use, 
+their threat of misuse increases.
+</p>
+
+
+<a name="xsov_soapThreat">&#8204;</a>
+<p align="right" size="2">
+<a href="#content">(top)</a>
+</p>
+<h3>SOAP Simple Object Access Protocol</h3>
+
+<p>The SOAP specification explicitly forbids the transport of 
+DOCTYPE definitions and PI processing instructions.
+</p>
+<p>The SOAP specifies a transport envelope that encapsulates 
+an XML message for transport. SOAP can also handle various 
+transmission status indicators implying confirmation of delivery, 
+error messages, and queue status messages. 
+SOAP transports can be loosely coupled and intermittent. 
+SOAP is used extensively in the design and deployment of Web Service architectures. 
+A companion Web Service specification is WSDL, the Web Service Definition Language.
+</p>
+<p>The SOAP protocol as widely deployed by Microsoft and other vendors 
+is based on specifications that predate the adoption 
+by the <a href="http://www.w3.org">World Wide Web Consortium (W3C)</a>. 
+SOAP is not based on Microsoft technology. 
+It is an open standard drafted by UserLand, Ariba, Commerce One, Compaq, 
+Developmentor, HP, IBM, IONA, Lotus, Microsoft, and SAP. 
+<a href="http://www.w3.org/TR/2000/NOTE-SOAP-20000508">SOAP 1.1</a> 
+was presented to the W3C in May 2000 as an official Internet standard. 
+</p>
+<p>The original <a href="http://www.w3.org/TR/soap11">SOAP 1.1</a> standard 
+is associated with this URI namespace prefix.
+</p>
+<p>
+<code>http://schemas.xmlsoap.org/soap/</code>
+</p>
+<p>There are significant changes in naming conventions since SOAP 1.1 
+was adopted by W3C as a recommended standard. 
+The current iteration is <a href="http://www.w3.org/TR/soap12">SOAP 1.2</a> 
+and is associated with this URI namespace prefix.
+</p>
+<p>
+<code>http://www.w3.org/2003/05</code>
+</p>
+<p>The basic security threat to the SOAP architecture is 
+the ability to spoof Web Service addresses and telling a 
+SOAP server to respond to a rogue Web Service address 
+when a <code>mustUnderstand</code> attribute is processed 
+and an error indication is raised.
+</p>
+<p>Other intelligence that can be obtained might be the 
+location of a public accessible WSDL definition 
+of the messages being transported by SOAP, 
+thus allowing additional malware attacks to be automatically generated.
+</p>
+
+
+<a name="xsov_wsdlThreat">&#8204;</a>
+<p align="right" size="2">
+<a href="#content">(top)</a>
+</p>
+<h3>WSDL Web Service Description Language</h3>
+
+<p>WSDL is known as the Web Service Description Language. 
+The WSDL XML document is a an interface description that can be transformed 
+into various programming languages. 
+Such transformed interface descriptions are recognized as 
+Java Interfaces and C++ Virtual Classes.
+</p>
+<p>The original <a href="http://www.w3.org/TR/wsdl">WSDL 1.1</a> standard 
+is associated with this URI namespace prefix.
+</p>
+<p>
+<code>http://schemas.xmlsoap.org/wsdl/</code>
+</p>
+<p>The current <a href="http://www.w3.org/TR/wsdl20">WSDL 2.0</a> standard 
+is maintained by W3C in their namespace with prefix.
+</p>
+<p>
+<code>http://www.w3.org/</code>
+</p>
+<p>The WSDL can provide a template for generating a compliant Web Service systems 
+for multiple and hetrogeneous platforms.
+</p>
+<p>A WSDL document that can benefit developers can also be used by malware 
+and hackers to taylor specific threats against targeted Web Services.
+</p>
+<p>The SOA (Service Oriented Architecure), 
+SAAS (Software As A Service), 
+PAAS (Platform As A Service) are families of 
+Web Services used as interfaces into what is 
+generally known as Cloud Computing.
+</p>
+
+
+<a name="xsov_uriThreat">&#8204;</a>
+<p align="right" size="2">
+<a href="#content">(top)</a>
+</p>
+<h3>URI Uniform Resource Identifiers</h3>
+
+<p>The URI does not need to specify the location of a resource. 
+It merely provides a resource name. A catalog, database, 
+or other mechanism is used to map URIs to resource locations.
+</p>
+<p>The security issue here is that most URIs are used with a 
+DNS (Domain Name Service) to find a host and path to a resource. 
+The URI is then treated as a URL (Uniform Resource Locator).
+</p>
+<p>The mitigation of these threats requires diligence of the 
+application architects to ensure an appropriate level of trust 
+for the URIs and URLs used in their applications.
+</p>
+<p>The transmission media is inherently untrusted. 
+Often SOAP bindings and HTTP transports are used. 
+Web Service addressing is readily spoofed.
+</p>
+
+
+<a name="xsov_urlThreat">&#8204;</a>
+<p align="right" size="2">
+<a href="#content">(top)</a>
+</p>
+<h3>URL Uniform Resource Locators</h3>
+
+<p>See: <a href="#xsov_uriThreat">URI Uniform Resource Identifiers</a>
+</p>
+
+
+<a name="xsov_malUtfStrings">&#8204;</a>
+<p align="right" size="2">
+<a href="#content">(top)</a>
+</p>
+<h3>Malformed UTF-8 and UTF-16 Strings</h3>
+
+<p>Public Key Infrastructure (X.509) certificates are leased from a 
+certificate authority or are self-signed. 
+The distinguished names and parts thereof are usually rendered in unicode.
+</p>
+<p>The value of zero is not a valid Unicode character. 
+It is possible to create non-zero UTF-8 and UTF-16 sequences that equate to zero, 
+which is not allowed. 
+Some rogue hackers have successfully obtained wild-card PKI (X.509) certificates 
+by prepending a UTF-8(zero) in a distinguished name when applying for a certificate. 
+Such a certificate could be used to successfully sign anything.
+</p>
+<p>Applications should not blindly accept UTF-8 and UTF-16 strings 
+without verifying the proper encoding for those strings. 
+Contents that equate to bad Unicode character values should be denied.
+</p>
+
+
+<a name="xsov_canonicalXML">&#8204;</a>
+<p align="right" size="2">
+<a href="#content">(top)</a>
+</p>
+<h3>Canonical XML Issues</h3>
+
+<p>Canonical XML is a tranformation of an XML document into a 
+canonical form useful for signing. 
+This is used in some Web Service security implementations.
+</p>
+<p>There are several areas where Canonical XML will create XML documents 
+that have severe application problems.
+</p>
+<p>The number values are rendered in Base-10 as decimal fractions. 
+The computations performed by computers are usually in Base-2 floating point arithmetic. 
+You therefore have truncation or roundoff issues when converting between 
+decimal fractions and Base-2 fractions.
+</p>
+<p>The canonical process may collapse whitespace and transform 
+multi-character line endings to single-character line endings. 
+When whitespace is significant, the canonical issues for signing can cause problems.
+</p>
+<p>It is possible to create XHTML documents that will not work with some browsers. 
+The empty &lt;a/&gt; anchor element is not allowed by many browsers, 
+therefore &lt;a&gt;&lt;/a&gt; is required. 
+A standard XML canonical process may collapse elements with no content into empty elements. 
+The empty paragraph&lt;p/&gt; is disallowed.  The &lt;p&gt;&lt;/p&gt; is supported.
+</p>
+<p>The World Wide Web Consortium (W3C) has additional detailed discussion of 
+<a href="http://www.w3.org/TR/C14N-issues/">canonicalization issues</a>.
+</p>
+
+
+<a name="xsov_xhtmlWorkaround">&#8204;</a>
+<p align="right" size="2">
+<a href="#content">(top)</a>
+</p>
+<h3>XHTML Output Mode - Workaround</h3>
+
+<p>The Xalan-C/C++ library currently has no XHTML output mode.
+Since XHTML is to be well-formed XML, the desire is to use the XML output method.
+</p>
+<p>XHTML is based on HTML version 4.
+</p>
+<p>Empty elements declared by HTML-4 should have a space before the 
+trailing '/&gt;' markup (i.e. &lt;br /&gt; and &lt;hr /&gt;). 
+XML output mode does not normally have this space when using 
+the &lt;xsl:element name="br" /&gt; in your stylesheet. 
+Most modern browsers are ok with no space, but viewing the 
+browser source shows a warning condition.
+</p>
+<p>Non-empty elements declared by HTML-4 should not be rendered as empty XML elements. 
+If there is no content, the elements should be rendered with both a start-tag and end-tag 
+(i.e. &lt;a name="xxx"&gt;&lt;/a&gt;) instead of an XML empty-element. 
+XSLT processors usually create an empty-element 
+(i.e. &lt;a name="xxx"/&gt;) when the element being defined has no content 
+other than attributes.
+</p>
+<p>For XSLT processors creating XML documents for XHTML, 
+you can create what looks like an element with no content by including 
+the &amp;#8204; character 
+(a zero-width non-joining character often known as &amp;zwnj;) 
+as the element text content. 
+This also allows transitional browsers the ability to find the end tag.
+</p>
+<p>
+<blockquote class="source">
+<pre>  DTD    &lt;!ENTITY zwnj    "&amp;#8204;"&gt;
+
+  &lt;a name="marker"&gt;&amp;zwnj;&lt;/a&gt;</pre>
+</blockquote>
+</p>
+<p>Transitional XHTML is not usually well-formed XML. 
+It becomes a mix of HTML version 4 and XML markup. 
+Strict XHTML is required to be well-formed XML.
+</p>
+
+<p align="right" size="2">
+<a href="#content">(top)</a>
+</p>
+</div>
+<div id="footer">Copyright © 1999-2012 The Apache Software Foundation<br />Apache, Xalan, and the Feather logo are trademarks of The Apache Software Foundation<div class="small">Web Page created on - Fri 06/15/2012</div>
+</div>
+</body>
+</html>
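Review bot: In "Malformed UTF-8 and UTF-16 Strings", the sentence "The value of zero is not a valid Unicode character" is inaccurate, and the paragraph never names the defect it is warning about. U+0000 is an assigned code point (NUL); it is the XML Char production that excludes it. The UTF-8 sequences "that equate to zero" are overlong forms such as 0xC0 0x80, which a conforming decoder must reject, and UTF-16 has no alternative encoding of zero at all. Suggest rewording along those lines and stating the check concretely: reject overlong forms, unpaired surrogates and code points outside the XML Char range before the string is compared or stored. The certificate sentence ("could be used to successfully sign anything") needs a reference or softer wording. "Resolving External Entities" and "Trusted External Entities" list what parsers MAY do and recommend a trusted resolver, but do not say how a Xalan-C application restricts entity loading or installs that resolver; a link to the relevant usage page would make the advice actionable. Spelling to fix before this is published: "a an interface", "hetrogeneous", "taylor", "Architecure", "tranformation". Finally, `<blockquote class="source">` sits inside `<p>` in the XHTML workaround section, which is not valid Strict markup.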


