Hi Günter,

As supplied, the OpenShift BaseX quick start has REST and WebDAV disabled [1], which avoids any potential security issues via these routes.
I would expect your config to require [2]:
 curl -i -X DELETE "http://admin:xxx@xxx-xxx.rhcloud.com/rest/factbook"

Can you get the same behaviour with a local BaseX installation?

/Andy

[1] https://github.com/Quodatum/openshift-basex-quick-start/blob/master/basex/webapp/WEB-INF/web.xml#L80
[2] http://docs.basex.org/wiki/Web_Application#User_Management




On 28 March 2016 at 16:14, Günter Dunz-Wolff <kleist@mail.dunzwolff.de> wrote:
Hi all,

I'm at the beginning of a BaseX basexhttp installation on OpenShift. I'm using the OpenShift quick start for BaseX from Andy Bunce. For my tests, I'm working with a simple factbook database. Everything is working, but I can't figure out how to protect the database from being deleted via the REST interface:

With a simple curl -i -X DELETE "http://xxx-xxx.rhcloud.com/rest/factbook" the database is dropped.

In the database, there is only the user admin. In web.xml the REST servlet is configured with

<servlet>
    <servlet-name>REST</servlet-name>
    <servlet-class>org.basex.http.rest.RESTServlet</servlet-class>
    <!-- stored credentials: every request to this servlet runs as this user,
         so the client itself is never asked to authenticate -->
    <init-param>
      <param-name>org.basex.user</param-name>
      <param-value>admin</param-value>
    </init-param>
    <init-param>
      <param-name>org.basex.password</param-name>
      <param-value>xxx</param-value>
    </init-param>
</servlet>

<!-- exposes the servlet above under /rest/* -->
<servlet-mapping>
    <servlet-name>REST</servlet-name>
    <url-pattern>/rest/*</url-pattern>
</servlet-mapping>

What part of the security management am I missing? Thanks a lot for any help.

Best regards,
Günter Dunz-Wolff
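As an added example, not code from this thread or from BaseX itself, the following Python script audits a web.xml for the configuration Günter posted: a mapped servlet carrying stored org.basex.user / org.basex.password init-params, or a context-param that does the same for every servlet in the application. It relies on the behaviour described on the user-management page Andy links as [2]: when credentials are stored in web.xml, requests run as that user and the client is never asked to authenticate; when they are omitted, the servlet requires HTTP Basic credentials from the client. The two web.xml strings are constructed for the example; the hardened variant simply drops the two init-params.

```python
"""Audit a BaseX web.xml for servlets that run every request as a stored user.

Added example (not BaseX project code, not from the thread). A mapped servlet
with org.basex.user / org.basex.password init-params (or a context-param pair
applying to all servlets) authenticates every client request with the stored
credentials and never challenges the client, so an anonymous
DELETE /rest/<db> runs as that user. Fixes: omit the credentials so clients
must send HTTP Basic auth, or leave out the servlet-mapping so the route is
not exposed at all (what the quick start does for REST and WebDAV).
"""
import xml.etree.ElementTree as ET

# Constructed sample: the weak config from the thread, with the usual web-app
# namespace added so the namespace handling below is exercised.
WEAK_WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee">
  <servlet>
    <servlet-name>REST</servlet-name>
    <servlet-class>org.basex.http.rest.RESTServlet</servlet-class>
    <init-param>
      <param-name>org.basex.user</param-name>
      <param-value>admin</param-value>
    </init-param>
    <init-param>
      <param-name>org.basex.password</param-name>
      <param-value>xxx</param-value>
    </init-param>
  </servlet>
  <servlet-mapping>
    <servlet-name>REST</servlet-name>
    <url-pattern>/rest/*</url-pattern>
  </servlet-mapping>
</web-app>
"""

# Constructed sample: same servlet, stored credentials removed. Clients now
# have to authenticate themselves; anonymous requests are challenged.
HARDENED_WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee">
  <servlet>
    <servlet-name>REST</servlet-name>
    <servlet-class>org.basex.http.rest.RESTServlet</servlet-class>
  </servlet>
  <servlet-mapping>
    <servlet-name>REST</servlet-name>
    <url-pattern>/rest/*</url-pattern>
  </servlet-mapping>
</web-app>
"""


def _local(tag):
    """Strip the {namespace} prefix ElementTree puts on qualified tags."""
    return tag.rsplit("}", 1)[-1]


def _child_text(el, name):
    """Text of the first direct child called `name`, or '' if absent."""
    for child in el:
        if _local(child.tag) == name:
            return (child.text or "").strip()
    return ""


def _params(el):
    """init-param / context-param children of `el` as a name -> value dict."""
    return {
        _child_text(p, "param-name"): _child_text(p, "param-value")
        for p in el
        if _local(p.tag) in ("init-param", "context-param")
    }


def audit_web_xml(xml_text):
    """Return one finding per mapped servlet that would run as a stored user."""
    root = ET.fromstring(xml_text)
    # URL patterns per servlet name; a servlet with no mapping is unreachable.
    mappings = {}
    for m in root:
        if _local(m.tag) == "servlet-mapping":
            mappings.setdefault(_child_text(m, "servlet-name"), []).append(
                _child_text(m, "url-pattern"))
    # A context-param org.basex.user applies to every servlet in the app.
    global_user = _params(root).get("org.basex.user")
    findings = []
    for s in root:
        if _local(s.tag) != "servlet":
            continue
        name = _child_text(s, "servlet-name")
        patterns = mappings.get(name)
        if not patterns:
            continue  # defined but not exposed under any URL
        user = _params(s).get("org.basex.user") or global_user
        if user:
            findings.append({
                "servlet": name,
                "class": _child_text(s, "servlet-class"),
                "patterns": patterns,
                "user": user,
            })
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_WEB_XML), ("hardened", HARDENED_WEB_XML)):
        print(label, audit_web_xml(cfg))
```

With the hardened web.xml deployed, the check from the thread is the two curl calls: the anonymous curl -i -X DELETE "http://xxx-xxx.rhcloud.com/rest/factbook" should be refused with a 401 challenge, and only the form with admin:xxx@ in the URL (or -u admin:xxx) drops the database. The script treats a servlet without a servlet-mapping as safe, which matches the quick start's approach of not exposing REST and WebDAV at all.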