The Security Manager object:
Security Manager is a non-visual object and should be instantiated in the <HEAD> or <BODY> section of a document as early as possible. Here is an example of a Security Manager object which validates ScriptX's advanced printing:
<!-- MeadCo Security Manager -->
<OBJECT ID="secmgr"
CLASSID="CLSID:5445be81-b796-11d2-b931-002018654e2e"
codebase="smsx.cab#Version=6,4,438,19">
<param name="GUID" value="{unique value assigned by MeadCo}">
<param name="Path" value="sxlic.mlf">
<param name="Revision" value="0">
</OBJECT>
Note that the only parameters taken by the Security Manager object are the Globally Unique ID of the publishing license (which is issued by Mead & Company), the relative or absolute path to the .MLF license file itself, and a Revision value.
About the .MLF license file:
The unique attributes of each publishing license are written out as XML and 'wrapped' in a container which is then signed by Mead & Company's own Verisign keys. Security Manager checks the validity of that signing, and if it is found to be corrupt (i.e. if the contents of the license file have been changed or tampered with) then Security Manager will warn the user and not allow the protected content to be run.
Here is an example of an MLF file with all tags and attributes shown:
<LICENSE GUID="{66dad620-f085-11d2-b933-002018654e2e}"
PUBLISHER="Mead & Company"
URL="http://www.meadroid.com/"
FROM="1/1/1999" TO="1/2/2007"
REVISION="0"
AUTO="false">
<TITLE INFO="info.htm"
URL="http://www.meadroid.com/superapp/intro.htm"><b>Super</b> App</TITLE>
<DOMAINS ZONES="7" SUBDIRS="true">
<DOMAIN ZONES="1" NAME="file://{mapping}"/>
<DOMAIN NAME="http://local-server/"/>
<DOMAIN SUBDIRS="false" NAME="http://www.public-server.com/superapp/"/>
</DOMAINS>
<PERMISSION XACCESS="true" BROWSER="true" SHELLEXEC="false" PRINTING="true">
<!-- DHTML Edit -->
<OBJECT CLASSID="{2d360200-fff5-11d1-8d03-00a0c959bc0a}"/>
</PERMISSION>
</LICENSE>
Key to MLF tags and attributes:
<LICENSE> General license information. Contains <TITLE>, <DOMAINS> and <PERMISSION>. Attributes are:
- GUID: The globally unique id of the license, assigned by Mead & Company.
- PUBLISHER: The name of the license holder that will appear in the 'Publisher' field of the SM dialog.
- URL: The location -- on the Publisher's web site -- of further information about the Publisher.
- FROM/TO: The period of validity of the license.
- REVISION: The revision number of the license with the given GUID. A revision (for example, in the case of the later addition of new licensed domains) will lead SM to prompt a user to accept the license again.
- AUTO: When enabled will allow silent acceptance of the license if all other conditions are met. Available for Intranet licensing only.
<TITLE> Information on the web application (if appropriate) licensed by SM. The inner text of the <TITLE> container is the name of the product title. Attributes are:
- INFO: A descriptive inline HTML file, compiled into the MLF.
- URL: The url of the product's web site.
<DOMAINS> The requested domain(s) to which the content will be bound. Contains zero or any number of <DOMAIN> tags. Attributes (which define the default values for the inner <DOMAIN> tags) are:
- ZONES: The bitfield of allowed IE Security zones, used by Mead & Company to control intranet, internet or local licensing. All but "Restricted Sites" are allowed by default. See below.
- SUBDIRS: Determines whether or not subfolders may reference this MLF. True by default.
<DOMAIN> A single domain. Attributes are:
- ZONES: A bitfield. Each domain may have a discrete zone set (the default is provided by the parent <DOMAINS> tag). When the url of a given domain is considered, its zone number provided by IE is matched to this bitfield. By default the url may be in any zone except local, to disallow a prompt for local content from the internet. Bits are:
1: "My Computer"
2: "Local Intranet" (dotless domain name)
4: "Trusted Sites"
8: "Internet"
16: "Restricted Sites"
- NAME: A specific domain url used for local (file:) content which enables SM to validate local licensing. When a web application's Setup program installs files to a directory it will write the path to a given SM License registry key. At first launch SM will read the key and map it to the url {..} specified by <NAME>. In this way, if files are moved or if some page not in the path tries to use the MLF, SM will generate an alert.
- SUBDIRS: Whether subfolders of the url are considered to be part of the domain. True by default.
<PERMISSION> The objects and system access that this license is asking a user to accept. Contains zero or any number of <OBJECT> tags. Attributes are:
- XACCESS: Cross-domain scripting.
- BROWSER: Access to underlying IWebBrowser2 host and "InternetExplorer.Application" automation objects and all of their events and properties.
- SHELLEXEC: The ability to launch a local program or document. A powerful option with broad application scope when used in combination with Zeepe but requiring a high degree of trust. Hence available for Intranet licensing only.
- PRINTING: Enables ScriptX extended printing. ScriptX 'talks' to SM to check for this value.
- PRINTTEMPLATE: Provides access to IE 5.5 custom print templates from script.
- ZPM: Enables the delivery of 'basic' Zeepe-hosted content from the 'bound' addresses.
- ZPA: A Zeepe-specific flag which allows fully-trusted Zeepe-enabled content to intercommunicate between the 'bound' domains (i.e. cross-domain working).
- ZPX: Enables and provides access to the properties, methods and events of a Zeepe-specific frame-like object which behaves like a top-level WebBrowser control.
- ZPS: A Zeepe-specific flag which enables the application of shaping (vector or masking) to the Zeepe custom host.
- FRAMEBROWSER: A Zeepe-specific flag which provides access to the automation object of Microsoft Office® documents hosted in inline frames.
<OBJECT> A single, potentially 'unsafe' ActiveX object to bind to the requested domain(s). Attributes are:
- CLASSID: The clsid of the requested object.
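When reviewing a license, the ZONES bitfield and the way <DOMAIN> entries inherit ZONES and SUBDIRS from <DOMAINS> can be resolved mechanically. The following Python is an added example, not MeadCo code: it reads only the unsigned XML shape shown on this page, and the function names and the prefix-matching rule in `is_bound` are assumptions rather than Security Manager's documented algorithm.

```python
import xml.etree.ElementTree as ET

# Bit values copied from the page's ZONES key.
ZONE_BITS = {1: "My Computer", 2: "Local Intranet", 4: "Trusted Sites",
             8: "Internet", 16: "Restricted Sites"}

# Constructed sample: the <DOMAINS> block of the page's example license.
SAMPLE = """<LICENSE REVISION="0" AUTO="false">
  <DOMAINS ZONES="7" SUBDIRS="true">
    <DOMAIN ZONES="1" NAME="file://{mapping}"/>
    <DOMAIN NAME="http://local-server/"/>
    <DOMAIN SUBDIRS="false" NAME="http://www.public-server.com/superapp/"/>
  </DOMAINS>
</LICENSE>"""

def zone_names(mask):
    """Decode a ZONES bitfield into the zone names it allows."""
    return [name for bit, name in ZONE_BITS.items() if mask & bit]

def effective_domains(xml_text):
    """Return (name, zones, subdirs) per <DOMAIN>, applying <DOMAINS> defaults."""
    domains = ET.fromstring(xml_text).find("DOMAINS")
    # Page defaults: every zone except "Restricted Sites" (15); SUBDIRS true.
    def_zones = int(domains.get("ZONES", "15"))
    def_sub = domains.get("SUBDIRS", "true")
    out = []
    for d in domains.findall("DOMAIN"):
        zones = int(d.get("ZONES", def_zones))
        subdirs = d.get("SUBDIRS", def_sub).lower() == "true"
        out.append((d.get("NAME"), zones, subdirs))
    return out

def is_bound(xml_text, url, zone_bit):
    """Assumed rule: url lies under a NAME prefix and its zone bit is allowed."""
    for name, zones, subdirs in effective_domains(xml_text):
        # Force a trailing slash so "http://host" cannot match "http://host.other".
        prefix = name if name.endswith("/") else name + "/"
        if not url.lower().startswith(prefix.lower()):
            continue
        rest = url[len(prefix):].split("?", 1)[0]
        if not subdirs and "/" in rest:
            continue  # document sits in a subfolder that this entry excludes
        if zones & zone_bit:
            return True
    return False

if __name__ == "__main__":
    for name, zones, sub in effective_domains(SAMPLE):
        print(name, zone_names(zones), "subdirs" if sub else "no subdirs")
```

ZONES="7" in the sample resolves to "My Computer", "Local Intranet" and "Trusted Sites", so a page served from http://local-server/ in the Internet zone (bit 8) is not covered by this license.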
Important Note:
Above we list details of all current MLF tags and attributes to indicate the power and potential of Security Manager's publishing license schema. Please note, though, that none of these tags or attributes can be directly modified by a licensee. Each SM-based publishing license is generated individually to meet the specific requirements of a named customer, and is signed before issue with Mead & Company's own Verisign keys. As such, each license is unique, and any change to its contents after issue is detected by Security Manager's signature check.
SM technical data ~ January 2007
Copyright 1998 - 2008 Mead & Co Limited