XML Generation

 

Extensible Markup Language (XML) is the next generation of Java object storage.  It has replaced the deprecated Serialization and Deserialization APIs and is currently the supported method of storing instances of objects.  XML is a markup language, so tags of the form <…>, </…> are used to open and close information fields within an XML document.  The Java Architecture for XML Binding (JAXB) [21] presents the standard method for storing instances of objects ("marshalling") in XML and creating instances of objects ("demarshalling") from an XML document.  Marshalling and demarshalling can be done with a set of classes that can be automatically generated from an XML schema document.  An XML schema document dictates the form of the tags and how the information in a given object is to be stored in XML.  With the classes generated from this document, one can archive an instance of a class into an XML document.  The reverse of this process is also possible: given an XML document in the proper form, an instance of a class can be created as dictated by the values of the XML fields.

This system generates the same security problems as serialization.  However, the simplicity of the XML language and the range of its use lead to even easier abuse.  In serialization the information was stored in a binary array; it was very accessible, but it still had to be translated from binary into usable form.  In XML, information about an object is stored in a very easy-to-read markup language.  The nature of the language dictates the presence of tags that define what the enclosed data refers to.  There is no longer the extra step of decoding the byte array generated by serialization; the information is stored in plain English.

The parallel problem to deserialization also exists.  By the nature of XML, generating documents in XML form is very simple: it is only a matter of generating the proper tags in the right order.  Once this format has been discovered (or simply obtained from an XML schema document), it is very easy to generate an "archived" version of an object with stored variable values of your choosing.  This XML document can then be used to introduce an object in an insecure state back into an application through the demarshalling process.  It would also be possible to introduce multiple instances of an object whose uniqueness is essential to the integrity or security of the application.  Examples would be a duplicate security manager or multiple username/password databases. [6]

The solution to this problem is not a trivial one if you want to use XML as a way to archive your files.  If this is to be done, the output stream of the XML generation must be stored in an encrypted format.  This is done by creating another XML document that specifies the encryption type and then stores the encrypted data, without reference to what type of information is stored within the document.  Encrypting and decrypting the data slows down both the archiving of objects and their subsequent retrieval, making it a costly option. [21]
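
The encrypted-archive approach described above, as an added example in plain Java (not code from the original text or from JAXB).  Assumptions: AES-GCM is chosen here so that a modified or forged archive fails authentication before it reaches demarshalling; the class name, the sample XML and the IV-plus-ciphertext byte layout are constructed for illustration and stand in for the XML wrapper document the text describes; key storage is out of scope.

```java
import javax.crypto.AEADBadTagException;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;

public class SealedXmlArchive {   // hypothetical class name
    private static final int IV_LEN = 12, TAG_BITS = 128;

    // Encrypt marshalled XML with a fresh random IV; output is IV || ciphertext+tag.
    static byte[] seal(SecretKey key, String xml) throws Exception {
        byte[] iv = new byte[IV_LEN];
        new SecureRandom().nextBytes(iv);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(TAG_BITS, iv));
        byte[] ct = c.doFinal(xml.getBytes(StandardCharsets.UTF_8));
        return ByteBuffer.allocate(IV_LEN + ct.length).put(iv).put(ct).array();
    }

    // Decrypt and authenticate; throws AEADBadTagException if the archive was altered or forged.
    static String open(SecretKey key, byte[] archive) throws Exception {
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, key, new GCMParameterSpec(TAG_BITS, archive, 0, IV_LEN));
        byte[] pt = c.doFinal(archive, IV_LEN, archive.length - IV_LEN);
        return new String(pt, StandardCharsets.UTF_8);
    }

    public static void main(String[] args) throws Exception {
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(256);
        SecretKey key = kg.generateKey();
        // Constructed sample standing in for marshalled output.
        String xml = "<account><user>alice</user><admin>false</admin></account>";
        byte[] archive = seal(key, xml);
        System.out.println("round trip ok: " + open(key, archive).equals(xml));
        // Simulate modification of the stored archive: flip one ciphertext bit.
        byte[] tampered = archive.clone();
        tampered[IV_LEN + 5] ^= 0x01;
        try {
            open(key, tampered);
            System.out.println("tampered archive accepted");
        } catch (AEADBadTagException e) {
            System.out.println("tampered archive rejected before demarshalling");
        }
    }
}
```

Only the string returned by open() should be handed to the demarshalling code; an archive that fails authentication never produces an object.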