remote xsl security problem

Posted on 2004-09-14
Last Modified: 2011-10-03
Using MSIE 6.0; WinXP SP1; MSXML3 (3/19/04)

I am trying to display an XML page with an embedded style sheet.  Meaning with the statements:

<?xml version="1.0" encoding="UTF-8" ?>
<?xml-stylesheet type="text/xsl" href="http://thor8.blue.astrology.com/g3/xsl/gal_ydf_1.xsl"?>

A) From my local machine (at philh.staff.astrology.com), I get a security warning dialog box that says:

Internet Explorer
This page is accessing information that is not under its
control. This poses a security risk. Do you want to continue?
Yes / No

If I click Yes, the XML page renders properly.  I get no further warnings (for other XML pages) during the same session.

B) From a remote machine (at saturn.staff.astrology.com), I get the following error message and cannot continue.

The XML page cannot be displayed
Cannot view XML input using XSL style sheet.
Please correct the error and then click the Refresh button, or try again later.
--------------------------------------------------------------------------------
Access is denied. Error processing resource 'http://thor8.blue.astrology.com/g3/xsl/gal_ydf_1.xsl'.


I can live with the warning dialog (but would prefer not to) but I need to overcome the error message.

Thank you,
Phil Henningsen

Question by:PHenningsen
13 Comments
 
LVL 6

Expert Comment

by:zulu_11
ID: 12063470
The problem is one of security. When you access the file from your remote location *saturn.staff.astrology.com*, the XML has the instruction to use the XSL from *http://thor8.blue.astrology.com/g3/xsl/gal_ydf_1.xsl*. Now I'm very sure that this is not accessible to the PUBLIC as such, so when the system does a request to this file, it gets a security access failure and hence the error.

One workaround could be that you place the XSL file locally on the remote machine, in a place where the PUBLIC can access the XSL file, or you can give the permission to the file from your system. The choice is yours.

Zulu
 
LVL 6

Expert Comment

by:zulu_11
ID: 12063672
I was going through another question and came across this question:

http://www.experts-exchange.com/Web/Web_Languages/XML/Q_21107281.html

I think this may be another workaround for your problem.

Zulu
 

Author Comment

by:PHenningsen
ID: 12068057
A) I do NOT want to distribute the XSL to each local machine.  I want ONE shared XSL.  You said "you can give the permission to the file from your system".  OK.  HOW???  Please be specific.  I have tried....

B) Re your 2nd comment:  Mike Sharp ends with "I would suggest server-side transformation."  OK  HOW???  Please be specific.

Phil
 
LVL 26

Expert Comment

by:rdcpro
ID: 12069191
Server-side transformation means the XML/XSLT transformation is done on the server, and HTML is sent to the client.  This allows all browsers to be supported.  Also, it allows you to cache pre-compiled XSLT, set parameters on the server prior to transformation, and other nice things.  Exactly how would depend on your server platform.  

The cross-domain data access issue you're having can be resolved one of several ways.

1.  place the XSLT in a central location on your server, and use redirection or server-side aggregation to make it appear to be served from whatever domain the request is executing in.  So, if you're looking at an XML document served over HTTP from philh.staff.astrology.com, there is some server-side code that retrieves the XSLT from wherever it's stored and serves it to the client.  The exact method depends on platform, but this is how RSS news aggregation works.  Your server uses HTTP to get a copy of the resource, caches it locally, and uses the copy whenever necessary.  Or maybe you don't cache it, but live with the latency of client requests from Server A, who requests from Server B, who responds to Server A who responds to Client.

2. place your XSLT on a site in the intranet that is "trusted".  You can instruct IE to add the trusted site manually (Tools > Internet Options > Security > Trusted Sites > Sites...add to trusted sites) or if you're in a windows domain, you can set a domain security policy that does this.

3.  Use server-side transformation.  Exactly how depends on the platform, but let's say for example it's ASP.  This example shows how to cache the pre-compiled XSLT for optimum performance:

http://rdcpro.com/Members/rdcpro/snippets/cachingtemplates/

The transformation sends the HTML result directly to the client.  

4. Embed the XSLT in the XML, according to my suggestions in

http://www.experts-exchange.com/Web/Web_Languages/XML/Q_21107281.html

Personally, I think server-side transformation is the simplest...especially when the application must be cross-browser.

Regards,
Mike Sharp
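As an added example (Node.js, not code from this thread or from rdcpro), here is the check IE applies before it shows the "not under its control" prompt, together with the rewrite that option 1 above depends on: parse the `<?xml-stylesheet?>` processing instruction, resolve its href against the URL the XML document was served from, and compare scheme and host; a second helper rewrites the PI to a same-origin path that the document's own web server can answer by fetching the real file from the central store. The document URL, the `/xsl/...` path and the XML body are assumptions; the sample is constructed, not the real gal_ydf_1 document.

```javascript
// Added example, not from the thread: same-origin test for an <?xml-stylesheet?> reference
// and the PI rewrite that serving the XSL from the document's own host (option 1) needs.
// Runs under Node.js; URL is the WHATWG URL class built into Node.

// Constructed sample document (assumed shape; the real gal_ydf_1 XML is not on the page).
const SAMPLE_XML =
  '<?xml version="1.0" encoding="UTF-8" ?>\n' +
  '<?xml-stylesheet type="text/xsl" href="http://thor8.blue.astrology.com/g3/xsl/gal_ydf_1.xsl"?>\n' +
  '<gallery><item id="1">constructed</item></gallery>\n';

// Assumed URL the XML document is served from (the thread only names the client machine).
const DOCUMENT_URL = "http://philh.staff.astrology.com/g3/gallery.xml";

// Return the href of the first xml-stylesheet processing instruction, or null if there is none.
function stylesheetHref(xmlText) {
  const pi = xmlText.match(/<\?xml-stylesheet\s+([^?]*)\?>/);
  if (!pi) return null;
  const href = pi[1].match(/href\s*=\s*(["'])(.*?)\1/);
  return href ? href[2] : null;
}

// IE treats the stylesheet as "information not under the page's control" when the
// resolved stylesheet URL has a different scheme, host or port than the document.
function isCrossDomain(documentUrl, href) {
  const doc = new URL(documentUrl);
  const res = new URL(href, documentUrl); // relative hrefs resolve against the document
  return doc.protocol !== res.protocol || doc.host !== res.host; // host includes the port
}

// Option 1 from the comment above: point the PI at a same-origin path. The server behind
// that path fetches the real stylesheet from the central store and serves it as its own.
function rewriteStylesheetHref(xmlText, sameOriginPath) {
  return xmlText.replace(
    /(<\?xml-stylesheet\s+[^?]*?href\s*=\s*)(["'])(.*?)\2/,
    (m, prefix, quote) => prefix + quote + sameOriginPath + quote
  );
}

// For a document and its PI, decide whether the client will be prompted (or blocked).
function checkDocument(xmlText, documentUrl) {
  const href = stylesheetHref(xmlText);
  return { href: href, crossDomain: href !== null && isCrossDomain(documentUrl, href) };
}

console.log(checkDocument(SAMPLE_XML, DOCUMENT_URL));
console.log(checkDocument(rewriteStylesheetHref(SAMPLE_XML, "/xsl/gal_ydf_1.xsl"), DOCUMENT_URL));
```

The comparison deliberately includes scheme and port: a stylesheet on the same host but over a different scheme or port is still a different origin, and the rewrite only removes the prompt because the proxying server, not the browser, now does the cross-host fetch.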
 
LVL 26

Expert Comment

by:rdcpro
ID: 12069221
By the way, the issue isn't because the location at http://thor8.blue.astrology.com/g3/xsl/gal_ydf_1.xsl isn't accessible to the public, but that a resource loaded from Domain A cannot access resources in Domain B.  This is called Cross-domain Data Access; it's a security risk and you can set your IE security settings to various values that either disable it, prompt before allowing, or basically allow it.  You should only allow cross domain data access to sites you trust, so don't ever set the Internet zone to "allow".  

Regards,
Mike Sharp
 

Author Comment

by:PHenningsen
ID: 12069647
1. I would prefer to do server-side transformation....  However, I am working with totally Windows-centric, non-Java servers.  Is there a way in that environment?

2. Re cross-domain data access.  The XSL *is* in a central & trusted (by my definition) location.  I just can't get IE to trust it.  From my machine (philh.staff.astrology.com), under Internet Options > Security > Trusted Sites, I have added both "thor8.blue.astrology.com" and "http:thor8.blue.astrology.com".  My "reward" is the ERROR message
  The XML page cannot be displayed
  Cannot view XML input using XSL style sheet.
  Please correct the error and then click the Refresh button, or try again later.
  --------------------------------------------------------------------------------
  Access is denied. Error processing resource 'http://thor8.blue.astrology.com/g3/xsl/gal_ydf_1.xsl'.

If I Remove *everyone* from Trusted sites, I get the WARNING message
  Internet Explorer
  This page is accessing information that is not under its
  control. This poses a security risk. Do you want to continue?
  Yes / No

If I click Yes, the XML page renders properly.  I get no further warnings (for other XML pages) during the same session.

Under Internet Options > Security "Custom Level..." most options are Enabled, a couple are Prompt and nothing is Disabled.  This goes for the first three zones.  And there are no Restricted sites.

[ Again: Using MSIE 6.0; WinXP SP1; MSXML3 (3/19/04) ]

Thanks for your help,
Phil Henningsen
 
LVL 26

Expert Comment

by:rdcpro
ID: 12069991
Oh, well if it's Windows-centric, server side transformation is no problem, and is by far the preferable approach IMHO.

Is the server ASP.NET or ASP?  Windows 2000 or Windows 2003?  

Regards,
Mike Sharp
 

Author Comment

by:PHenningsen
ID: 12070189
Server OSs are Win2K, although I run WinXP on "my" machine.
IIS is 5.?  (5.0 on Win2K, 5.5 on WinXP... is that about right?)
We have steered away from ASP (I don't know the diff between ASP and ASP.NET)
Most local programming is done in Delphi.
 
LVL 26

Expert Comment

by:rdcpro
ID: 12071078
Oh, I thought you were running this as a "web site".  You are doing this as a windows application?  Your Delphi application is acting as a web server?

I'm not really conversant in Delphi, but you can use (as far as I know) the same COM objects.  The simplest transform would be (using Javascript on the server, meaning in an application and not in the browser):

var xmlDoc = new ActiveXObject("Msxml2.DOMDocument");
xmlDoc.async = false;   // load() returns before parsing finishes unless async is off
xmlDoc.load("file system path to XML document");
var xslDoc = new ActiveXObject("Msxml2.DOMDocument");
xslDoc.async = false;
xslDoc.load("file system path to XSL stylesheet");   // the stylesheet, not a second copy of the XML
if (xmlDoc.parseError.errorCode != 0 || xslDoc.parseError.errorCode != 0) throw new Error("XML or XSL failed to load");

var OutputString = xmlDoc.transformNode(xslDoc);   // returns the transformed text

then you write the string where ever you want.  Using the XSLTemplate processor is better, though, and allows you to set parameters and transform to streams.  But you can transform to a stream with:

xmlDoc.transformNodeToObject(xslDoc, outputStream)   // writes the result into the second argument (an IStream such as ASP's Response, or another DOMDocument); nothing is returned

Now, there might be another possibility, given your unusual situation.  I wouldn't ordinarily recommend this, because it's not practical for delivery over the internet, but you can use HTML Applications.  These run with elevated security permissions, and they're basically an HTML page with an *.hta extension.  You ordinarily load them from your filesystem or a network share, but they can be delivered from a web server, except there is a security warning.  For an example of how to do client-side transformations across domains like this, visit my web site at:

http://rdcpro.com/Members/rdcpro/tools

and download the HTA version of my transformation tool, called transformToolSave.zip.  

This runs in client side javascript, and you can do some pretty fancy stuff this way on the client.

Regards,
Mike Sharp
 

Author Comment

by:PHenningsen
ID: 12071286
Yes, my final target is a Delphi application, part of which acts as a web server.  (Delphi has a TWebBrowser component that wraps the IWebBrowser2 interface from Microsoft’s SHDOCVW.DLL)

However, the same problem exists using MSIE directly to display the XML file.

It's going to take me a bit to digest your last posting.

Meanwhile, back to cross-domain data access, how do I set the Security properties to eliminate the Error message?

TIA,
Phil
 
LVL 26

Accepted Solution

by: rdcpro (earned 2000 total points)
ID: 12071380
That error message sounds like an authentication or authorization issue, from the server side.  If you download that tool I mentioned, you should be able to see the response code...I'm betting you get a 401.1, 401.2 or 401.3 or something.  If the tool doesn't show you the code, you can use the xmlHttp.getAllResponseHeaders method and pop an alert to display them in the browser.  You can also pop up the xmlHttp.responseText, or look directly at the status code.  For example, add an alert:

alert(xmlHttp.status + "\r\n" + xmlHttp.statusText)


When a site is trusted, I believe IE will present a hash of your credentials, but other than that it shouldn't be any different than if the site was not trusted.  It sounds like something at the server is refusing to honor the request in this instance.  Are you authenticated in an Active Directory domain?

Regards,
Mike Sharp
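An added example (Node.js, not rdcpro's tool or code from the thread) of reading what that probe returns: getAllResponseHeaders() hands back one "Name: value" header per CRLF-terminated line, and the status code together with any WWW-Authenticate challenges says whether the server refused the .xsl (a 401 carrying Negotiate/NTLM points at integrated Windows authentication on IIS) or whether the request never reached it. IE reports a zone-policy refusal of a cross-domain XMLHttpRequest as a script exception rather than an HTTP status, so the classifier treats a missing status as a client-side block. The sample response is constructed, not captured from thor8, and the IIS version and header values in it are assumptions.

```javascript
// Added example, not from the thread: classify the result of probing the .xsl URL with
// XMLHttpRequest as the accepted answer suggests. Runs under Node.js with no network I/O;
// the object below is a constructed stand-in for xmlHttp.status / statusText /
// getAllResponseHeaders() and is not a real response from thor8.
const SAMPLE_PROBE = {
  status: 401,
  statusText: "Unauthorized",
  rawHeaders:
    "Server: Microsoft-IIS/5.0\r\n" +
    "WWW-Authenticate: Negotiate\r\n" +
    "WWW-Authenticate: NTLM\r\n" +
    "Content-Type: text/html\r\n" +
    "Content-Length: 4431\r\n",
};

// getAllResponseHeaders() returns CRLF-separated "Name: value" lines. Names are
// case-insensitive and may repeat (WWW-Authenticate often does), so keep a list per name.
function parseResponseHeaders(raw) {
  const headers = {};
  for (const line of raw.split(/\r?\n/)) {
    const colon = line.indexOf(":");
    if (colon < 1) continue; // skip blank and malformed lines
    const name = line.slice(0, colon).trim().toLowerCase();
    const value = line.slice(colon + 1).trim();
    (headers[name] = headers[name] || []).push(value);
  }
  return headers;
}

// The first token of each challenge is its scheme: "Negotiate", "NTLM", 'Basic realm="x"' -> "Basic".
function challengeSchemes(headers) {
  return (headers["www-authenticate"] || []).map((v) => v.split(/[\s,]+/)[0]);
}

// Where did the refusal come from? No status means no HTTP exchange completed: IE raises
// "Access is denied" from the script call itself when zone policy forbids the cross-domain
// request, so there is nothing to read. A real status was sent by the server.
function diagnoseProbe(probe) {
  if (!probe || !probe.status) {
    return { blockedBy: "client", detail: "no HTTP status: request refused by IE zone policy before it was sent" };
  }
  const headers = parseResponseHeaders(probe.rawHeaders || "");
  if (probe.status === 401) {
    return { blockedBy: "server", detail: "authentication required", schemes: challengeSchemes(headers) };
  }
  if (probe.status === 403) {
    return { blockedBy: "server", detail: "forbidden: the server knows who you are and still refuses" };
  }
  if (probe.status >= 200 && probe.status < 300) {
    return { blockedBy: "none", detail: "stylesheet served; a remaining failure is the client's cross-domain check" };
  }
  return { blockedBy: "server", detail: "HTTP " + probe.status + " " + (probe.statusText || "") };
}

console.log(diagnoseProbe(SAMPLE_PROBE));
```

Run against a real probe by filling the object from xmlHttp.status, xmlHttp.statusText and xmlHttp.getAllResponseHeaders() inside a try/catch, and leave status unset when the call throws; that catch branch is the one that separates "IE refused" from "IIS refused".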
 

Author Comment

by:PHenningsen
ID: 12079815
It's a nifty tool.  I'll have to play with it more in the future.

Meanwhile, I have apparently Enabled the applicable Security Setting (what a "zoo" that is) so I no longer get an Error.

Thanks very much for your help!
 

Expert Comment

by:cyric_74
ID: 12831130

PHenningsen,

You say you enabled the security setting you needed to get this working..  What was it!?!
I'm going through that same grief right now.

