Hi Christian,
I've tested this and the multiple %perm:allow annotations again with the latest snapshot. Both are working as expected now.
Thank you for taking care of this.
Best regards Johannes
On 04.02.2019 at 14:57, Christian Grün wrote:
Hi Johannes,
If the error code 401 is returned, the BaseX standard authentication values had been assigned to the response header.
I have revised this a little: With the latest snapshot, the BaseX authentication header will only be assigned if the user does not provide a custom header in the RESTXQ response. The latest snapshot is online [1].
Best, Christian
[1] http://files.basex.org/releases/latest/
On Wed, Jan 30, 2019 at 9:16 AM Johannes Bauer johannes.bauer@tanner.de wrote:
Hello BaseX Team,
I'm trying to implement a RESTXQ service that uses JWT tokens for authorization and authentication. For this purpose I use a permission check annotated function that validates the token and returns a 401 response if the token is invalid or missing.
    declare
      %perm:check('/admin', '{$perm}')
    function security:check-admin($perm) {
      (: $perm?authorization holds the value of the Authorization request header :)
      let $token := $perm?authorization
      where empty($token)
      return
        <rest:response>
          <http:response status='401'>
            <http:header name='WWW-Authenticate' value='Bearer realm="c42"'/>
          </http:response>
        </rest:response>
    };
When I call the endpoint without token I get the expected response but the WWW-Authenticate header is different to the one that I have defined:
WWW-Authenticate Basic realm="BaseX"
Is there a way to override the BaseX provided header?
Thanks for your input.
Best regards Johannes
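
The check discussed in this thread, extended so that it also verifies the token instead of only testing for its presence. This is an added example, not code from the thread or from the BaseX project. It assumes HS256-signed tokens, a BaseX version whose Cryptographic Module provides crypto:hmac with the arguments shown, and a snapshot in which a custom WWW-Authenticate header is kept; the module namespace, the secret variable and the helpers security:challenge and security:valid are hypothetical, and the error="invalid_token" attribute follows RFC 6750.

```xquery
(: Added example. The rest, http, perm and crypto prefixes are used undeclared, as in the post above. :)
module namespace security = 'security';  (: hypothetical module namespace :)

(: Assumption: HS256 shared secret. Constructed placeholder; load the real one from protected config. :)
declare variable $security:secret := 'CONSTRUCTED-PLACEHOLDER-SECRET';

(: Builds a 401 with a Bearer challenge. $error is '' when no bearer token was sent. :)
declare function security:challenge($error as xs:string) as element(rest:response) {
  let $value := 'Bearer realm="c42"' ||
    (if ($error) then ', error="' || $error || '"' else '')
  return
    <rest:response>
      <http:response status='401'>
        <http:header name='WWW-Authenticate' value='{ $value }'/>
      </http:response>
    </rest:response>
};

(: Signature check only: recomputes HMAC-SHA256 over "header.payload" and compares it
   with the third segment. The token's own "alg" field is never consulted, so an
   unsigned or differently signed token cannot pass. Claims such as exp, nbf and aud
   are not checked here and still have to be validated before the token is trusted. :)
declare function security:valid($token as xs:string) as xs:boolean {
  let $parts := tokenize($token, '\.')
  return count($parts) = 3 and (
    let $mac := crypto:hmac($parts[1] || '.' || $parts[2], $security:secret, 'sha256', 'base64')
    (: base64 to unpadded base64url: '+' becomes '-', '/' becomes '_', '=' is dropped :)
    return translate($mac, '+/=', '-_') = $parts[3]
  )
};

(: Returning the empty sequence lets the request continue to the /admin function. :)
declare
  %perm:check('/admin', '{$perm}')
function security:check-admin($perm as map(*)) {
  let $auth := $perm?authorization
  let $token :=
    if (matches($auth, '^Bearer +\S+$', 'i')) then replace($auth, '^\S+ +', '') else ()
  return
    if (empty($token)) then security:challenge('')
    else if (not(security:valid($token))) then security:challenge('invalid_token')
    else ()
};
```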