You can also set the username and password in the starting class of the JaxRX server org.basex.api.jaxrx.JaxRxServer lines 51-60.

On 25.03.2011 at 15:16, Andreas Weiler wrote:

Sorry for pointing to the wrong code location:
you have to set the username and password in class org.basex.api.jaxrx.BXCode line 31,32.

In the scenario I described you can create a user with just read permissions,
so he does not have the ability to execute commands like:
http://localhost:8984/basex/jax-rx?wrap=no&command=show+users

-- Andreas

On 25.03.2011 at 14:49, Andreas Weiler wrote:

Forwarding to mailing-list.

Begin forwarded message:

From: Jan Vlčinský (CAD) <jan.vlcinsky@cad-programs.com>
Date: 25 March 2011 14:46:47 CET
To: Andreas Weiler <andreas.weiler@uni-konstanz.de>
Subject: Re: [basex-talk] BaseX REST Security

Hi
Let me describe my vision of possible implementation.
Current REST communication would not declare anything about user and password in the XML documents sent to the server as a request.
The web server (servlet container) would implement standard security protection for the given URL, either by means of basic or by means of digest authentication, and possibly using HTTPS.
The BaseX server would have to provide some method that lets the servlet check that the given credentials (username and password) are valid, and the servlet would use it to authenticate requests (I am thinking of using JAAS).
The servlet would also use the username and password of the REST request to log into BaseX.

The implementation for basic authentication would be relatively simple, as the user provides the full password and the servlet can reuse it when logging into BaseX.
Using e.g. JAAS, BaseX would implement an interface for authentication.

With digest the situation is a bit more difficult, as the password from the HTTP request is probably unusable for logging into BaseX: it already arrives somehow scrambled at the web server and reconstruction is not possible (if I am correct).
Solutions could be:
  • BaseX would have an option to reuse the authenticated user and somehow reuse the available password data, or simply trust the user who has already logged into the web server.
  • At the servlet there would be a mapping from the (authenticated) username to the credentials of a BaseX account (username and password). This would be used to log into BaseX.
Both options have some drawbacks and security risks, but we all know that security risk is a general feature of almost any method.
The simplest solution could use basic authentication and rely on HTTPS to encrypt the open password over the network.

Just some ideas which came to my mind.

With best regards

Jan Vlčinský


2011/3/25 Andreas Weiler <andreas.weiler@uni-konstanz.de>
Hi,

in the BXJaxRX class, you can set String USER and String PASSWORD to use another user than the standard admin user. Each request will then be executed/declined according to this user's permissions.
Currently it is not possible to send a username/password with single requests to the server in the JAXRX mode.

-- Andreas

On 25.03.2011 at 13:46, Евгений Хабаров wrote:

> When a connection is made using the Language Bindings, the client needs a valid
> login/password to access the database.
> When JAXRX is used, user authentication is NOT requested.
> Is it possible to protect JAXRX interface operations?
> _______________________________________________
> BaseX-Talk mailing list
> BaseX-Talk@mailman.uni-konstanz.de
> https://mailman.uni-konstanz.de/mailman/listinfo/basex-talk

--
Ing. Jan Vlčinský
CAD programy
Slunečnicová 338/3, 734 01 Karviná Ráj, Czech Republic
tel: +420-597 602 024; mob: +420-608 979 040
skype: janvlcinsky; GoogleTalk: jan.vlcinsky@gmail.com
http://cz.linkedin.com/in/vlcinsky
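As an added illustration of the two options Jan sketches above (this is example code, not code from the thread or from BaseX), a servlet filter that derives the BaseX login from what the container has already authenticated: with Basic it reuses the decoded username and password, with Digest or any other scheme only the authenticated username is available, so it falls back to a username-to-BaseX-account mapping. The filter class, the `basex.user`/`basex.password` request attributes and the mapping are assumptions.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import java.util.Map;
import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/** Hypothetical filter: resolves the BaseX credentials for a container-authenticated request. */
public class BaseXCredentialFilter implements Filter {
  /** Assumed mapping: container username -> {BaseX user, BaseX password}. */
  private final Map<String, String[]> mapping;

  public BaseXCredentialFilter(Map<String, String[]> mapping) { this.mapping = mapping; }

  /** Returns {user, password} to log into BaseX with, or null if nothing usable is available. */
  static String[] resolve(String authHeader, String remoteUser, Map<String, String[]> mapping) {
    if (authHeader != null && authHeader.regionMatches(true, 0, "Basic ", 0, 6)) {
      // Basic: the header carries the cleartext password (protected only by HTTPS), so it can be reused.
      byte[] raw = Base64.getDecoder().decode(authHeader.substring(6).trim());
      String decoded = new String(raw, StandardCharsets.UTF_8);
      int colon = decoded.indexOf(':');
      if (colon < 0) return null;
      return new String[] { decoded.substring(0, colon), decoded.substring(colon + 1) };
    }
    // Digest (or any other scheme): the password is not recoverable; only the name the
    // container authenticated is known, so look up the BaseX account mapped to it.
    return remoteUser == null ? null : mapping.get(remoteUser);
  }

  @Override
  public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
      throws IOException, ServletException {
    HttpServletRequest http = (HttpServletRequest) req;
    String[] creds = resolve(http.getHeader("Authorization"), http.getRemoteUser(), mapping);
    if (creds == null) {
      // No usable BaseX login: refuse rather than silently falling back to a shared admin account.
      ((HttpServletResponse) res).sendError(HttpServletResponse.SC_UNAUTHORIZED);
      return;
    }
    req.setAttribute("basex.user", creds[0]);      // assumed attribute names read by the REST servlet
    req.setAttribute("basex.password", creds[1]);
    chain.doFilter(req, res);
  }

  @Override public void init(FilterConfig config) {}
  @Override public void destroy() {}
}
```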
