Hello Lars,
You can disable the REST interface if you do not intend to use it (and you solely use RESTXQ). This can be done using your web server. In our default Jetty-based HTTP server you can find the servlet mapping in WEB-INF/web.xml, where you can simply disable the servlet mapping for REST.
Of course you could also secure this path using your web service (e.g. requesting HTTP authentication when accessing REST).
Cheers,
Dirk
On 01/14/2015 03:49 PM, Lars Johnsen wrote:
> Hi all
>
> I was wondering how to block general access to BaseX when using RESTXQ. Our
> javascript/jquery web-application communicates with BaseX using commands
> like:
>
> $('#myobject').load('objects')
>
> where the term 'objects' is defined as a path in a .xqm-file.
>
> declare %rest:path("/objects")
>
> However, databases are exposed using the URL "/rest" which seems built into
> the rest-module. For example, in the javascript/jquery console (f.ex. in
> Chrome ), a div could be filled up with content outside of the application
> by typing things like:
>
> $('div').load('rest/my_database')
>
> and general queries could be made using the rest-interface
> http://docs.basex.org/wiki/REST.
>
> Is there a way to prevent this, while at the same time using BaseX as
> web-server (one way is to use BaseX only as a backend database)? Or how to
> limit the URLs permitted?
>
>
> Best
> Lars
>
Dirk Kirsten, BaseX GmbH, http://basexgmbh.de
|-- Registered office: Blarerstrasse 56, 78462 Konstanz
|-- Register court Freiburg, HRB: 708285, Managing directors:
| Dr. Christian Grün, Dr. Alexander Holupirek, Michael Seiferle
`-- Phone: 0049 7531 28 28 676, Fax: 0049 7531 20 05 22
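
The servlet-mapping change described in the reply, as an added example that is not part of the original thread or BaseX's own code: a check that reads a web.xml and reports whether a mapping under /rest is still active. The two web.xml fragments are constructed, and the servlet names and URL patterns in them are assumptions to be compared with your own WEB-INF/web.xml.

```python
import xml.etree.ElementTree as ET

# Constructed web.xml fragments; servlet names and URL patterns are assumptions,
# so compare them with the WEB-INF/web.xml of your own installation.
BEFORE = """<web-app xmlns="http://java.sun.com/xml/ns/javaee">
  <servlet-mapping>
    <servlet-name>RESTXQ</servlet-name><url-pattern>/*</url-pattern>
  </servlet-mapping>
  <servlet-mapping>
    <servlet-name>REST</servlet-name><url-pattern>/rest/*</url-pattern>
  </servlet-mapping>
</web-app>"""

# The same file with the REST mapping commented out, as the reply suggests.
AFTER = """<web-app xmlns="http://java.sun.com/xml/ns/javaee">
  <servlet-mapping>
    <servlet-name>RESTXQ</servlet-name><url-pattern>/*</url-pattern>
  </servlet-mapping>
  <!-- REST disabled, only RESTXQ paths are served
  <servlet-mapping>
    <servlet-name>REST</servlet-name><url-pattern>/rest/*</url-pattern>
  </servlet-mapping>
  -->
</web-app>"""

def local(tag):
    """Drop the XML namespace so any web-app schema version is handled."""
    return tag.rsplit("}", 1)[-1]

def active_mappings(web_xml):
    """Return {servlet-name: [url-pattern, ...]}; commented-out mappings are ignored."""
    mappings = {}
    for elem in ET.fromstring(web_xml).iter():
        if local(elem.tag) != "servlet-mapping":
            continue
        name, patterns = None, []
        for child in elem:
            text = (child.text or "").strip()
            if local(child.tag) == "servlet-name":
                name = text
            elif local(child.tag) == "url-pattern":
                patterns.append(text)
        mappings.setdefault(name, []).extend(patterns)
    return mappings

def rest_exposed(web_xml, prefix="/rest"):
    """True if an active url-pattern starts with the REST prefix."""
    return any(p.startswith(prefix) for pats in active_mappings(web_xml).values() for p in pats)
```

Run `rest_exposed()` on the deployed file after each upgrade, since a replaced web.xml would bring the default mapping back.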