A little addition: you may as well specify user and password information on the command line; see
http://docs.basex.org/wiki/Startup_Options#BaseX_JAX-RX_Server
Regarding your actual question (how interface operations can be protected): we're planning to extend the current JAX-RX API with an authentication facility next month (April)!
Best,
Christian
On Fri, Mar 25, 2011 at 2:49 PM, Andreas Weiler andreas.weiler@uni-konstanz.de wrote:
Forwarding to mailing-list.
Begin forwarded message:
From: Jan Vlčinský (CAD) jan.vlcinsky@cad-programs.com
Date: March 25, 2011 14:46:47 CET
To: Andreas Weiler andreas.weiler@uni-konstanz.de
Subject: Re: [basex-talk] BaseX REST Security
Hi,

Let me describe my vision of a possible implementation.

Current REST communication would not declare anything about user and password in the XML documents being sent to the server as requests. The web server (servlet container) would implement standard security protection for the given URL, either by means of basic or by means of digest authentication, and possibly using HTTPS.

The BaseX server would have to provide some method to let the servlet check that the given credentials (username and password) are valid, and the servlet would use it to authenticate requests (thinking of using JAAS). The servlet would also use the username and password of the REST request to log into BaseX.

Implementation for basic authentication would be relatively simple, as the user provides the full password and the servlet can reuse it for logging into BaseX. Using e.g. JAAS, BaseX would implement an interface for authentication.

With digest the situation is a bit more difficult, as the password from the HTTP request is probably unusable for logging into BaseX: it already arrives at the web server somehow scrambled, and reconstruction is not possible (if I am correct). Solutions could be:

- BaseX would have an option to reuse the authenticated user and somehow reuse the available password data, or simply trust a user who has already logged into the web server.
- At the servlet there would be a mapping from the (authenticated) username to the credentials of a BaseX account (username and password). This would be used to log into BaseX.

Both options have some drawbacks and security risks, but we all know that security risk is a general feature of almost any method. The simplest solution could use basic authentication and rely on HTTPS encrypting the open password over the network.

Just some ideas which came to my mind.

With best regards,
Jan Vlčinský
2011/3/25 Andreas Weiler andreas.weiler@uni-konstanz.de
Hi,
in the BXJaxRX class, you can set String USER and String PASSWORD to use another user than the standard admin user. So each request will be executed/declined regarding these user permissions. Currently it is not possible to send username/password with single requests to the server in the JAXRX mode.
-- Andreas
On 25.03.2011 at 13:46, Евгений Хабаров wrote:
When a connection is made using Language Bindings, the client needs a valid login/password to access the database. When JAXRX is used, user authentication is NOT requested. Is it possible to protect JAXRX interface operations?
_______________________________________________
BaseX-Talk mailing list
BaseX-Talk@mailman.uni-konstanz.de
https://mailman.uni-konstanz.de/mailman/listinfo/basex-talk
--
Ing. Jan Vlčinský
CAD programy
Slunečnicová 338/3, 734 01 Karviná Ráj, Czech Republic
tel: +420-597 602 024; mob: +420-608 979 040
skype: janvlcinsky; GoogleTalk: jan.vlcinsky@gmail.com
http://cz.linkedin.com/in/vlcinsky
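The basic and digest cases from Jan's message, as an added example that is not part of the thread and not BaseX code: with Basic the front end recovers the plaintext password and can reuse it for the backend login, while with Digest (RFC 2617, MD5, qop=auth) it can only verify a hash and needs the username-to-account mapping. The function names, `ACCOUNT_MAP` and the backend account are hypothetical; the sample user, nonce and response are the example values from RFC 2617, and Python stands in for the servlet.

```python
import base64, hashlib, hmac, re

def md5_hex(text):
    return hashlib.md5(text.encode("utf-8")).hexdigest()

def parse_digest(params):
    """Split 'k="v", k=v' Digest parameters into a dict."""
    pairs = re.findall(r'(\w+)=(?:"([^"]*)"|([^,\s]+))', params)
    return {key: quoted or bare for key, quoted, bare in pairs}

def expected_response(ha1, method, f):
    """RFC 2617 qop=auth response: MD5(HA1:nonce:nc:cnonce:qop:HA2)."""
    ha2 = md5_hex(f"{method}:{f['uri']}")
    return md5_hex(":".join([ha1, f["nonce"], f["nc"], f["cnonce"], f["qop"], ha2]))

def backend_credentials(header, method, ha1_store, account_map):
    """Return the (user, password) to log into the backend with, or None."""
    scheme, _, rest = header.partition(" ")
    if scheme.lower() == "basic":
        try:
            raw = base64.b64decode(rest, validate=True).decode("utf-8")
        except ValueError:
            return None
        user, sep, password = raw.partition(":")
        # Plaintext is on the wire (hence HTTPS); the backend login itself
        # decides whether these credentials are valid.
        return (user, password) if sep else None
    if scheme.lower() == "digest":
        f = parse_digest(rest)
        needed = {"username", "uri", "nonce", "nc", "cnonce", "qop", "response"}
        if not needed <= f.keys() or f["qop"] != "auth":
            return None
        ha1 = ha1_store.get(f["username"])
        if ha1 is None:
            return None
        # Only a hash arrives; nonce freshness and replay checks are omitted here.
        if not hmac.compare_digest(expected_response(ha1, method, f), f["response"]):
            return None
        return account_map.get(f["username"])  # password is not recoverable
    return None

# Sample data: user, realm, nonce and response are the RFC 2617 example values.
HA1_STORE = {"Mufasa": md5_hex("Mufasa:testrealm@host.com:Circle Of Life")}
ACCOUNT_MAP = {"Mufasa": ("basex_reader", "placeholder-password")}  # hypothetical
BASIC = "Basic " + base64.b64encode(b"Mufasa:Circle Of Life").decode()
DIGEST = ('Digest username="Mufasa", realm="testrealm@host.com", '
          'nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093", uri="/dir/index.html", '
          'qop=auth, nc=00000001, cnonce="0a4f113b", '
          'response="6629fae49393a05397450978507c4ef1"')
```

The mapping table holds backend passwords in recoverable form on the front end, which is the drawback of the second option that the message alludes to.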