Today is NOT my day for things just working. Besides the demo gods eating every demo I did today and presenting me with excrement to work with, I found out that the super cool WSS audience targeting is broken on every browser except IE :( There is no use in complaining so silver lining is that I do get a chance to solve the problem and learn something new about browsers.
First off is that XmlHttpRequest is supported by all browsers, the XML DOM implementation is not compatible so even though you can get the data you can’t work with it easy. The cause is that Firefox or Chrome do not support selectNodes or selectSingleNodes methods or IE has unique methods which no other browser supports (depending which camp you are in). selectSingleNode is what I use to parse my results! To solve this I found some code at http://km0.la/js/mozXPath/ which adds the methods to the JavaScript classes! This is great in theory but it didn’t work because I have a default namespace being returned by my XML! The code I found didn’t work as selectSingleNode always returned null because it needed the namespace prefix on the XPath (i.e. /default:user) which IE can’t work with. So that meant not only implementing a new resolver which I found out about on developer.mozilla.org, it also meant doing a check and doing two XPath queries.
Something I didn’t mention in the first post is security and how secure or insecure this method is. Your biggest attack vector on this is that it runs client side and that the LoadXmlDoc method or even just the length check on the username can be changed easily so that it shows the content for logged in users to users who are not logged in! Basically it is not secure, but it doesn’t mean it opened a security hole because so you need to think about what is shown.In my case I made sure what is show is the bare minimum, just links to other pages. If an attacker gets the link they shouldn’t it does not worry me because the change password page, which signed in people can click to, is protected by WSS’s security. So even if someone were to try and access it they would get denied! The page itself also has security on it to help prevent security issues. The point I want to emphases is that this is NOT a security model, but a model for a better user interface.
<script type="text/javascript">
// Created by RMacLean - for comments email [email protected]
// Partially from http://www.w3schools.com/XML/xml_http.asp
// Partially from http://en.wikipedia.org/wiki/Xmlhttprequest
// Partially from http://km0.la/js/mozXPath/
// Partially from http://developer.mozilla.org/en/Introduction_to_using_XPath_in_JavaScript#Implementing_a_User_Defined_Namespace_Resolver
// check for XPath implementation
if (document.implementation.hasFeature("XPath", "3.0")) {
// prototying the XMLDocument.selectNodes
XMLDocument.prototype.selectNodes = function(cXPathString, xNode) {
if (!xNode) { xNode = this; }
var oNSResolver = document.createNSResolver(this.ownerDocument == null ? this.documentElement : this.ownerDocument.documentElement);
function resolver() {
return 'http://schemas.saarchitect.net/ajax/2008/09/user';
}
var aItems = this.evaluate(cXPathString, xNode, resolver, XPathResult.ORDERED_NODE_SNAPSHOT_TYPE, null);
var aResult = [];
for (var i = 0; i < aItems.snapshotLength; i++) {
aResult[i] = aItems.snapshotItem(i);
}
return aResult;
}
18.
// prototying the Element
Element.prototype.selectNodes = function(cXPathString) {
if (this.ownerDocument.selectNodes) {
return this.ownerDocument.selectNodes(cXPathString, this);
}
else { throw "For XML Elements Only"; }
}
// prototying the XMLDocument.selectSingleNode
XMLDocument.prototype.selectSingleNode = function(cXPathString, xNode) {
if (!xNode) { xNode = this; }
var xItems = this.selectNodes(cXPathString, xNode);
if (xItems.length > 0) {
return xItems[0];
}
else {
return null;
}
}
// prototying the Element
Element.prototype.selectSingleNode = function(cXPathString) {
if (this.ownerDocument.selectSingleNode) {
return this.ownerDocument.selectSingleNode(cXPathString, this);
}
else { throw "For XML Elements Only"; }
}
};
// Provide the XMLHttpRequest class for IE 5.x-6.x:
if (typeof XMLHttpRequest == "undefined") XMLHttpRequest = function() {
try { return new ActiveXObject("Msxml2.XMLHTTP.6.0") } catch (e) { }
try { return new ActiveXObject("Msxml2.XMLHTTP.3.0") } catch (e) { }
try { return new ActiveXObject("Msxml2.XMLHTTP") } catch (e) { }
try { return new ActiveXObject("Microsoft.XMLHTTP") } catch (e) { }
throw new Error("This browser does not support XMLHttpRequest.")
};
var xmlhttp;
function loadXMLDoc(url) {
xmlhttp = new XMLHttpRequest();
if (xmlhttp != null) {
xmlhttp.onreadystatechange = state_Change;
xmlhttp.open("GET", url, true);
xmlhttp.send(null);
}
else {
alert("Your browser does not support XMLHTTP.");
}
}
function state_Change() {
if (xmlhttp.readyState == 4) {// 4 = "loaded"
if (xmlhttp.status == 200) {// 200 = OK
var username = "";
if (xmlhttp.responseXML.selectSingleNode('//user') == null) {
username = xmlhttp.responseXML.selectSingleNode('//myns:user').getAttribute('username');
}
else {
username = xmlhttp.responseXML.selectSingleNode('//user').getAttribute('username');
}
if (username.length > 0) {
// user logged in
document.getElementById('resultText').innerHTML = '<P><A href="/memberPages/changepassword.aspx">Change Password</A></P>';
}
else {
// anonymous
document.getElementById('resultText').innerHTML = '<P><A href="/Pages/signup.aspx">Signup</A><BR><A href="/Pages/forgotpassword.aspx">Lost Password</A></P>';
}
}
else {
alert("Problem retrieving XML data");
}
}
}
loadXMLDoc("/Pages/loggedinuser.aspx");
</script>
<span id="resultText">Loading...</span>