Hi folks,
I'd like to write an app using RESTXQ and I'd like to auth users using a regular form-based authentication and then on some XQuery functions check for an existing user session (and possibly user roles). I'd also like to add some social media login using OAuth (later). My question is - is it somehow possible to do this in a declarative way? For example custom annotations on XQuery handlers? Something like %auth:roles-allowed("admin"). I definitely don't want to "if" at the beginning of every function that should be protected. No problem with implementing this in Java or XQuery. Just tell me how to approach this orthogonal concern in a reasonable way... Or should I equate app users with BaseX users and leverage BaseX auth?
Any tips appreciated (yes, you can even tell me BaseX RESTXQ is not a good tool for that).
Daniel
-- danielkvasnicka.net
Hi Daniel,
you may be interested to hear that we already have some first thoughts on extending the RESTXQ API with an authentication module. As you indicated, those "if" constructs are the current way to go. While it works fine in practice, I agree it’s not the way it should be. The reasons why we didn’t choose a solution yet are that:
-- we didn’t have enough time to put more focus on that issue
-- we didn’t want to restrict ourselves to the use cases we’re currently aware of
Maybe we should start off with a little spec describing what the %auth annotations should look like, where the authentication functionality will be located, and how we can ensure that protocols like OAuth can also be supported. As soon as we have specified the basics, the implementation shouldn’t cause too much headache. If you have some concrete ideas, your input is more than welcome!
In the end, I’d like to get the enhancement into the work-in-progress RESTXQ draft (the exquery GitHub issue tracker is probably the best platform to discuss and propose such extensions [1]). This is why I cc'ed this mail to Adam Retter.
Christian
[1] https://github.com/exquery/exquery/issues
On Wed, Nov 14, 2012 at 3:58 PM, Daniel Kvasnička daniel.kvasnicka@me.com wrote:
BaseX-Talk mailing list BaseX-Talk@mailman.uni-konstanz.de https://mailman.uni-konstanz.de/mailman/listinfo/basex-talk
You can use the magic of XQuery closures to only write that if once as here in the role-check function:
(: module declaration added so that the web: prefix resolves; the namespace URI is assumed :)
module namespace web = "http://example.org/web";

(:~ : return all users as json if this session is for admin :)
declare
  %rest:GET
  %rest:path("cellar/api/users")
  %output:method("json")
function web:users() {
  web:role-check("admin", function() {
    <json arrays="json" objects="user">
      { for $u in db:open('cellar', "users.xml")/users/user
        return <user>
          <id>{ $u/@id/fn:string() }</id>
          <name>{ $u/@name/fn:string() }</name>
        </user> }
    </json>
  })
};

(:~ : execute function fn if session has logged in user with matching role, else 401 :)
declare function web:role-check($role as xs:string, $fn as function() as item()*) {
  let $uid := session:get("uid")
  (: the role comparison was left as a placeholder in the original post;
     it is assumed here that the login handler stored the role under the session key "role" :)
  return if ($uid and session:get("role") = $role)
    then $fn()
    else web:http-auth("Whizz apb auth", ())
};

(:~ : REST created http://restpatterns.org/HTTP_Status_Codes/401_-_Unauthorized :)
declare function web:http-auth($auth-scheme, $response) {
  (
    <rest:response>
      <http:response status="401">
        <http:header name="WWW-Authenticate" value="{ $auth-scheme }"/>
      </http:response>
    </rest:response>,
    $response
  )
};
Looks a lot like node.js ;-) /Andy
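As an added example (not code from Andy's post or from BaseX itself), the same closure pattern extended to accept a list of allowed roles and to separate the two failure cases: no session user gives 401, a session user without a matching role gives 403. It assumes the login handler stores the user id under the session key "uid" and the user's roles as a space-separated string under "roles"; the module namespace URI is also made up.

```xquery
(: Added example, not from the original thread. Assumptions: the login handler
   has stored the user id under session key "uid" and the user's roles as a
   space-separated string under session key "roles"; the namespace URI is made up. :)
module namespace auth = "http://example.org/auth";

(:~ Run $fn only if the session user holds at least one of $roles.
    No session user -> 401; session user without a matching role -> 403. :)
declare function auth:require-roles(
  $roles as xs:string+,
  $fn    as function() as item()*
) as item()* {
  let $uid  := session:get("uid")
  (: tokenize of an absent value yields the empty sequence, so a missing
     "roles" key simply matches nothing :)
  let $held := tokenize(string(session:get("roles")), " ")
  return
    if (empty($uid)) then
      auth:deny(401, "Authentication required")
    else if (empty($held[. = $roles])) then
      auth:deny(403, "Forbidden")
    else
      $fn()
};

(:~ RESTXQ error response; the body is generic so it leaks no role names. :)
declare function auth:deny(
  $status as xs:integer,
  $reason as xs:string
) as element(rest:response) {
  <rest:response>
    <http:response status="{ $status }" message="{ $reason }"/>
  </rest:response>
};

(:~ Handler that admins or auditors may call; the closure body only runs
    after the role check has passed. :)
declare
  %rest:GET
  %rest:path("cellar/api/user-count")
  %output:method("json")
function auth:user-count() as item()* {
  auth:require-roles(("admin", "auditor"), function() {
    <json objects="json">
      <count>{ count(db:open("cellar", "users.xml")/users/user) }</count>
    </json>
  })
};
```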
On Thu, Nov 15, 2012 at 1:37 PM, Christian Grün christian.gruen@gmail.com wrote:
Andy, this functional solution is exactly what came up in my mind today as I was thinking about it... shame on me for thinking about "ifing" in REST handlers :)
Christian, thanks for your encouragement. I don't think that auth / security features necessarily need to be explicitly hardwired in the RESTXQ core (RestXqFunction etc.). I envision something more like an AOP / interceptor framework for rxq functions: the ability to use a generic annotation to declare an interceptor on a function that would run before / after / around the function. Think Spring AOP / Java EE 6 interceptor framework for XQuery. %aop:before("ns:xq-function-name") %aop:around("com.package.JavaInterceptor") Security features could then be written on top of these and also a whole lot of new modules could spring up... Or - you could let people use whatever annotations they come up with and let them register annotation handlers. Easier said than done, I know, I know :)
Daniel
-- danielkvasnicka.net
On 15. 11. 2012, at 15:09, Andy Bunce bunce.andy@gmail.com wrote:
Hi all,
thanks for your input and suggestions! Yes, it sounds reasonable to treat RESTXQ and security features separately. Let’s see if we can further develop and nail down those ideas. As soon as we agree on the basic points, it should be easy to implement it properly. I've included a simple page in our Wiki; it’s still empty, but you are invited to add your ideas and examples:
http://docs.basex.org/wiki/Security:_Use_Cases
Best, Christian
On Thu, Nov 15, 2012 at 7:08 PM, Daniel Kvasnička daniel.kvasnicka@me.com wrote:
Hi chaps,
I actually had on my list to produce a security set of XQuery Annotations. Keeping in mind my current work load, it is unlikely that I will get around this until Feb/Mar at the earliest.
I use the term 'security' rather than 'authentication', as I think that security encompasses authentication and more. In addition I think this should be standalone to RESTXQ, let's call it SecurityXQ, but you should certainly be able to use the annotations together in the same context.
In my mind, the first priority would be to establish a simple user model which would work for varied authentication providers, this should also include defining the meaning of roles and/or groups. The main reason why this should be separate to RESTXQ, is that I think security also applies to any XQuery, not just an XQuery run in a web context. There may be web-specific security extensions, e.g. basic/digest/challenge method annotations and SSL/TLS stuff etc.
e.g. something like -
%security:require-user("bob", "fred", "frank")
%security:require-group("my-users")
The above would be an OR of the two credential sets.