Thanks Andreas to forwarding my mail to mail list.<div><br><div>Thinking a bit longer about my earlier proposal I realized, it is probably not very much in REST style as important attribute of the request - username - is left out from request representation.</div>
<div>Googling this topic I found <a href="http://broadcast.oreilly.com/2009/12/principles-for-standardized-rest-authentication.html">http://broadcast.oreilly.com/2009/12/principles-for-standardized-rest-authentication.html</a> where is the topic described, and which seems far more mature, then my original thoughts. Being familiar with AWS solution for S3, it fits quite well (I noticed author&#39;s comments to AWS not being perfect, but taking purely the approach of AWS S3 seems to be in line with the concept he describes).</div>
<div><br></div><div>Jan Vlčinský</div><div><br><div class="gmail_quote">2011/3/25 Andreas Weiler <span dir="ltr">&lt;<a href="mailto:andreas.weiler@uni-konstanz.de">andreas.weiler@uni-konstanz.de</a>&gt;</span><br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;">
<div style="word-wrap:break-word">Forwarding to mailing-list.<br><div><br><div>Anfang der weitergeleiteten E-Mail:</div><br><blockquote type="cite"><div style="margin-top:0px;margin-right:0px;margin-bottom:0px;margin-left:0px">
<span style="font-family:&#39;Helvetica&#39;;font-size:medium"><b>Von: </b></span><span style="font-family:&#39;Helvetica&#39;;font-size:medium">Jan Vlčinský (CAD) &lt;<a href="mailto:jan.vlcinsky@cad-programs.com" target="_blank">jan.vlcinsky@cad-programs.com</a>&gt;<br>
</span></div><div style="margin-top:0px;margin-right:0px;margin-bottom:0px;margin-left:0px"><span style="font-family:&#39;Helvetica&#39;;font-size:medium"><b>Datum: </b></span><span style="font-family:&#39;Helvetica&#39;;font-size:medium">25. März 2011 14:46:47 MEZ<br>
</span></div><div style="margin-top:0px;margin-right:0px;margin-bottom:0px;margin-left:0px"><span style="font-family:&#39;Helvetica&#39;;font-size:medium"><b>An: </b></span><span style="font-family:&#39;Helvetica&#39;;font-size:medium">Andreas Weiler &lt;<a href="mailto:andreas.weiler@uni-konstanz.de" target="_blank">andreas.weiler@uni-konstanz.de</a>&gt;<br>
</span></div><div style="margin-top:0px;margin-right:0px;margin-bottom:0px;margin-left:0px"><span style="font-family:&#39;Helvetica&#39;;font-size:medium"><b>Betreff: </b></span><span style="font-family:&#39;Helvetica&#39;;font-size:medium"><b>Re: [basex-talk] BaseX REST Security</b><br>
</span></div><div><div></div><div class="h5"><br>Hi<div>Let me describe my vision of possible implementation.</div><div>Current REST communication would not declare anything about user and password in the xml documents being sent to server as request.</div>
<div>Web server (servlet container) would implement standard security protection to given url - either by means of basic or by means of digest authentication and possibly using https.</div>
<div>BaseX server would have to provide some method, how to let servlet check, that given credentials (username and password) are valid and servlet would use it to authenticate requests (thinking of using JAAS).</div><div>

Servlet would also use username and password of the REST request to log into BaseX.</div><div><br></div><div>Implementation for basic authentication would be relatively simple, as user provides full password and servlet can reuse it in logging into BaseX.</div>

<div>Using e.g. JAAS, BaseX would implement interface for authentication.</div><div><br></div><div>With digest the situation is a bit more difficult as password from http request is probably unusable for logging into BaseX as it is already arriving somehow scrambled to the web server and reconstrucion is not possible (if I am correct).</div>

<div>Solutions could be</div><div><ul><li>BaseX would have an option to reuse authenticated user and somehow reuse the available password data or simply trusting user, who logged into web server already.</li><li>At servlet there would be mapping from (authenticated) username to credentials of BaseX account (username and password). This would be used to log into BaseX.</li>

</ul><div>Both options have some drawbacks and security risks, but we all know, security risk is general feature of almost any method.</div><div>The simplest solution could use basic authentication and rely on https encrypting open password over network.</div>

<div><br></div><div>Just some ideas which came to my mind.</div><div><br></div><div>With best regards</div><div><br></div><div>Jan Vlčinský</div><div><br></div><div><br></div><div class="gmail_quote">2011/3/25 Andreas Weiler <span dir="ltr">&lt;<a href="mailto:andreas.weiler@uni-konstanz.de" target="_blank">andreas.weiler@uni-konstanz.de</a>&gt;</span><br>

<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Hi,<br>
<br>
in the BXJaxRX class, you can set String USER and String PASSWORD to use another user than the standard admin user. So each request will be executed/declined regarding these user permissions.<br>
Currently it is not possible to send username/password with single requests to the server in the JAXRX mode.<br>
<br>
-- Andreas<br>
<br>
Am 25.03.2011 um 13:46 schrieb Евгений Хабаров:<br>
<div><div></div><div><br>
&gt; When connection is made using Language Bindings, client need valid<br>
&gt; login/password to access database.<br>
&gt; When JAXRX is used - user authentication is NOT requested.<br>
&gt; Is it possible to protect JAXRX interface operations?<br>
&gt; _______________________________________________<br>
&gt; BaseX-Talk mailing list<br>
&gt; <a href="mailto:BaseX-Talk@mailman.uni-konstanz.de" target="_blank">BaseX-Talk@mailman.uni-konstanz.de</a><br>
&gt; <a href="https://mailman.uni-konstanz.de/mailman/listinfo/basex-talk" target="_blank">https://mailman.uni-konstanz.de/mailman/listinfo/basex-talk</a><br>
<br>
_______________________________________________<br>
BaseX-Talk mailing list<br>
<a href="mailto:BaseX-Talk@mailman.uni-konstanz.de" target="_blank">BaseX-Talk@mailman.uni-konstanz.de</a><br>
<a href="https://mailman.uni-konstanz.de/mailman/listinfo/basex-talk" target="_blank">https://mailman.uni-konstanz.de/mailman/listinfo/basex-talk</a><br>
</div></div></blockquote></div><br><br clear="all"><br>-- <br><div name="sig_b0a60a250d" style="margin-top:2em;margin-right:0pt;margin-bottom:2em;margin-left:0pt"><b>Ing. Jan Vlčinský</b><br><small>
CAD programy<br>
Slunečnicová 338/3,  734 01 Karviná Ráj, Czech Republic<br>
tel: +420-597 602 024;
mob: +420-608 979 040<br>
skype: janvlcinsky;
GoogleTalk: <a href="mailto:jan.vlcinsky@gmail.com" target="_blank">jan.vlcinsky@gmail.com</a><br>
<a href="http://cz.linkedin.com/in/vlcinsky" target="_blank">http://cz.linkedin.com/in/vlcinsky</a>
</small></div><br>
</div>
</div></div></blockquote></div><br></div><br>_______________________________________________<br>
BaseX-Talk mailing list<br>
<a href="mailto:BaseX-Talk@mailman.uni-konstanz.de">BaseX-Talk@mailman.uni-konstanz.de</a><br>
<a href="https://mailman.uni-konstanz.de/mailman/listinfo/basex-talk" target="_blank">https://mailman.uni-konstanz.de/mailman/listinfo/basex-talk</a><br>
<br></blockquote></div><br><br clear="all"><br>-- <br><div name="sig_b0a60a250d" style="margin-top:2em;margin-right:0pt;margin-bottom:2em;margin-left:0pt"><b>Ing. Jan Vlčinský</b><br><small>
CAD programy<br>
Slunečnicová 338/3,  734 01 Karviná Ráj, Czech Republic<br>
tel: +420-597 602 024;
mob: +420-608 979 040<br>
skype: janvlcinsky;
GoogleTalk: <a href="mailto:jan.vlcinsky@gmail.com" target="_blank">jan.vlcinsky@gmail.com</a><br>
<a href="http://cz.linkedin.com/in/vlcinsky" target="_blank">http://cz.linkedin.com/in/vlcinsky</a>
</small></div><br>
</div></div>