Subject: Linking with security

Charles Reitzel creitzel at mediaone.net
Fri Aug 20 09:18:12 BST 1999


Presuming that XML is *not* the native storage format for the data, simply
filter it out server side when generating the XML in the first place.  If
you must use an external entity, couldn't it be empty or contain an
innocuous element (e.g. <DoNotDisplay/>) that is thrown away during HTML
rendering?

Also, top level attributes of the EmployeeDatabase element like
hasHistory="1" hasLeave="1" hasDiscipline="0" may simplify stylesheet and/or
javascript logic used to generate (or not) the appropriate headers, borders,
etc. for each section of the HTML "report".

For this truly sensitive data, I presume also that you are not using basic
authentication?  As you probably know, both Netscape and IIS web servers
have pretty decent support for client certificate based authentication based
on SSL.

Hope this helps,
Charles Reitzel

On Tue, 10 Aug 1999, Wendy Cameron wrote:
>Subject: Linking with security
>
>Essentially what I have is as follows
><EmployeeDatabase>
>	<Employee ServiceID="1">
>		<History>
>			various history stuff
>		</History>
>		<Leave>
>			various leave stuff
>		</Leave>
>		<Discipline>
>			various discipline stuff
>		</Discipline>
>	</Employee>
></EmployeeDatabase>
>
>I have group of users that have access to all the
>information about employees.  Within this group of
>employees I have a sub set that have permission to
>see discipline details.
>
>when the user hits the web site the user is Authenticated
>and it is known what type of user it is.
>Based on this knowledge I want to
>If user has access to discipline
>	Show Discipline
>else
>	Don't show discipline
>End
>
>We've thought of using Entity References to date. If the
>discipline file to which the entity refers does not exist
>then we get no XML whatsoever when we actually want
>everything else but the discipline or except the entity
>that is referenced. (Ohh I'm using IE5)  This is not suitable
>
>I'm thinking maybe I could write an IE5 behaviour that retrieves
>the discipline xml, parses it and adds it to the employee xml if
>it is available to this user and then retransforms.
>
>Problem with this is I don't know how to achieve it quite.  I'm aware
>I can assign behaviors to xml but are they activated (or how can
>they be activated) when parsed into an ActiveX xml dom?
>
>Does anyone have any suggestions?
>
>


xml-dev: A list for W3C XML Developers. To post, mailto:xml-dev at ic.ac.uk
Archived as: http://www.lists.ic.ac.uk/hypermail/xml-dev/ and on CD-ROM/ISBN 981-02-3594-1
To (un)subscribe, mailto:majordomo at ic.ac.uk the following message;
(un)subscribe xml-dev
To subscribe to the digests, mailto:majordomo at ic.ac.uk the following message;
subscribe xml-dev-digest
List coordinator, Henry Rzepa (mailto:rzepa at ic.ac.uk)
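
Added example, not part of the original thread: a sketch of the server-side filtering suggested in the reply, which removes sections the user's role may not see before the XML leaves the server and sets the hasHistory/hasLeave/hasDiscipline flags on the root element. The role names, the policy table and the sample document are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample document, modelled on the structure quoted in the thread.
SAMPLE = """<EmployeeDatabase>
  <Employee ServiceID="1">
    <History>various history stuff</History>
    <Leave>various leave stuff</Leave>
    <Discipline>various discipline stuff</Discipline>
  </Employee>
</EmployeeDatabase>"""

# Hypothetical role-to-section policy (an assumption, not from the thread).
ROLE_SECTIONS = {
    "hr_general": {"History", "Leave"},
    "hr_discipline": {"History", "Leave", "Discipline"},
}
ALL_SECTIONS = ("History", "Leave", "Discipline")


def render_for_role(xml_text, role):
    """Return the XML the server should send to an authenticated user with `role`."""
    if role not in ROLE_SECTIONS:
        # Fail closed: an unknown role gets no document at all.
        raise PermissionError("unknown role: %r" % role)
    allowed = ROLE_SECTIONS[role]
    root = ET.fromstring(xml_text)
    present = set()
    for employee in root.iter("Employee"):
        # Iterate over a copy, because children are removed while looping.
        for child in list(employee):
            if child.tag in allowed:
                present.add(child.tag)
            else:
                # Allow-list: any section not explicitly permitted is dropped,
                # so it never reaches the browser or the stylesheet.
                employee.remove(child)
    # Top-level flags let the stylesheet decide which headers to draw.
    for section in ALL_SECTIONS:
        root.set("has" + section, "1" if section in present else "0")
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    print(render_for_role(SAMPLE, "hr_general"))
```

Because the filtering happens before serialization, a client that bypasses the stylesheet or views the raw XML still receives no discipline data.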




