Chapter 4 XML Processing
When relying on the schemas to which documents internally declare they are
conforming (through a DTD declaration or an XSD hint), for security and to avoid
external malicious modification, you should keep your own copy of the schemas
and validate against these copies. This can be done using an entity resolver, which
is an interface from the SAX API (
), that forcefully
maps references to well known external schemas to secured copies.
To summarize these recommendations:
Validate incoming documents at the system boundary, especially when docu
ments come from untrusted sources.
When possible, enforce validation up front against the supported schemas.
When relying on internal schema declarations (DTD declaration, XSD hint,
and so forth):
Reroute external schema references to secured copies.
Check that the validating schemas are supported schemas.
4.3.4 Mapping Schemas to the Application Data Model
After defining the application interface and the schemas of the documents to be con
sumed and produced, the developer has to define how the document schemas relate
or map to the data model on which the application applies its business logic. We
refer to these document schemas as external schemas. These schemas may be spe
cifically designed to meet the application's requirements, such as when no preexist
ing schemas are available, or they may be imposed on the developer. The latter
situation, for example, may occur when the application intends to be part of an inter
acting group within an industry promoting standard vertical schemas. (For example,
UBL or ebXML schemas.)
Mapping Design Strategies
Depending on an application's requirements, there are three main design strategies
or approaches for mapping schemas to the application data model. (See Figure 4.4.)
1. An out to in approach The developer designs the internal data model
based on the external schemas.
2. A meet in the middle approach The developer designs the data model
along with an internal generic matching schema. Afterwards, the developer de