Hi all
I was wondering how to block general access to BaseX when using RESTXQ. Our JavaScript/jQuery web application communicates with BaseX using commands like:
$('#myobject').load('objects')
where the term 'objects' is defined as a path in a .xqm-file.
declare %rest:path("/objects")
However, databases are exposed using the URL "/rest", which seems built into the REST module. For example, in the JavaScript/jQuery console (e.g. in Chrome), a div could be filled up with content outside of the application by typing things like:
$('div').load('rest/my_database')
and general queries could be made using the REST interface (http://docs.basex.org/wiki/REST).
Is there a way to prevent this, while at the same time using BaseX as web-server (one way is to use BaseX only as a backend database)? Or how to limit the URLs permitted?
Best Lars
Hello Lars,
You can disable the REST interface if you do not intend to use it (and you solely use RESTXQ). This can be done using your web server. In our default Jetty-based HTTP server you can find the servlet mapping in WEB-INF/web.xml, where you can simply disable the servlet mapping for REST.
Of course you could also secure this path using your web service (e.g. requesting HTTP authentication when accessing REST).
Cheers, Dirk
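As an added example (not from the thread and not BaseX's own code): a small Python check that parses a web.xml the way the servlet container does and reports whether a /rest mapping is still active. The web.xml fragments are constructed to resemble the file shipped with BaseX; the servlet names, classes and URL patterns are assumptions, so compare them with your own copy. One caveat the answer above leaves implicit: disable the <servlet-mapping> together with the <servlet>, because a mapping that names an undeclared servlet leaves a broken deployment descriptor, and the check below reports exactly that case.

```python
"""Check a BaseX WEB-INF/web.xml for an active REST servlet mapping.

Added example, not BaseX code. The web.xml fragments are constructed to
resemble the file shipped with BaseX (servlet names, classes and URL patterns
are assumptions; compare with your own copy). ElementTree drops XML comments
while parsing, so a commented-out <servlet-mapping> is correctly reported as
inactive, which is the question a deployer wants answered.
"""
import xml.etree.ElementTree as ET

REST_SERVLET = """\
  <servlet>
    <servlet-name>REST</servlet-name>
    <servlet-class>org.basex.http.rest.RESTServlet</servlet-class>
  </servlet>
"""
REST_MAPPING = """\
  <servlet-mapping>
    <servlet-name>REST</servlet-name>
    <url-pattern>/rest/*</url-pattern>
  </servlet-mapping>
"""
RESTXQ = """\
  <servlet>
    <servlet-name>RESTXQ</servlet-name>
    <servlet-class>org.basex.http.restxq.RestXqServlet</servlet-class>
  </servlet>
  <servlet-mapping>
    <servlet-name>RESTXQ</servlet-name>
    <url-pattern>/*</url-pattern>
  </servlet-mapping>
"""


def web_app(*sections):
    """Wrap constructed sections in a minimal <web-app> root."""
    return ('<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="3.0">\n'
            + "".join(sections) + "</web-app>\n")


def commented(section):
    """Disable a section the way one does by hand: wrap it in an XML comment."""
    return "  <!--\n" + section + "  -->\n"


WEB_XML_DEFAULT = web_app(REST_SERVLET, REST_MAPPING, RESTXQ)                    # as shipped
WEB_XML_REST_DISABLED = web_app(commented(REST_SERVLET + REST_MAPPING), RESTXQ)  # both removed
WEB_XML_HALF_DISABLED = web_app(commented(REST_SERVLET), REST_MAPPING, RESTXQ)   # mapping left behind


def _local(tag):
    """'{http://java.sun.com/xml/ns/javaee}servlet' -> 'servlet'."""
    return tag.rsplit("}", 1)[-1]


def _child_texts(el, name):
    return [c.text.strip() for c in el if _local(c.tag) == name and c.text]


def declared_servlets(web_xml):
    """Names of every uncommented <servlet>."""
    root = ET.fromstring(web_xml)
    return {n for el in root.iter() if _local(el.tag) == "servlet"
            for n in _child_texts(el, "servlet-name")}


def active_mappings(web_xml):
    """{servlet-name: [url-pattern, ...]} for every uncommented <servlet-mapping>."""
    root = ET.fromstring(web_xml)
    mappings = {}
    for el in root.iter():
        if _local(el.tag) == "servlet-mapping":
            for name in _child_texts(el, "servlet-name"):
                mappings.setdefault(name, []).extend(_child_texts(el, "url-pattern"))
    return mappings


def rest_exposed(web_xml):
    """True if some active mapping still routes /rest/... to a servlet."""
    return any(p.rstrip("*").rstrip("/") == "/rest"
               for patterns in active_mappings(web_xml).values() for p in patterns)


def dangling_mappings(web_xml):
    """Mappings that name a servlet no longer declared: what is left when only the
    <servlet> element is commented out. Remove <servlet> and <servlet-mapping> together."""
    declared = declared_servlets(web_xml)
    return sorted(n for n in active_mappings(web_xml) if n not in declared)


if __name__ == "__main__":
    for label, xml in [("default", WEB_XML_DEFAULT), ("rest disabled", WEB_XML_REST_DISABLED),
                       ("servlet only", WEB_XML_HALF_DISABLED)]:
        print(f"{label:14} REST exposed: {rest_exposed(xml)!s:5} dangling: {dangling_mappings(xml)}")
```

After editing the real file and restarting the server, confirm the change from outside as well: a request to /rest on the HTTP port (8984 in a default BaseX setup) should no longer return the database listing.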
Thanks - it worked out nicely! Just commented out the <servlet> section on REST.
Cheers, Lars
2015-01-14 15:57 GMT+01:00 Dirk Kirsten dk@basex.org:
--
Dirk Kirsten, BaseX GmbH, http://basexgmbh.de
|-- Registered office: Blarerstrasse 56, 78462 Konstanz
|-- Registry court Freiburg, HRB: 708285, Managing directors:
|   Dr. Christian Grün, Dr. Alexander Holupirek, Michael Seiferle
`-- Phone: 0049 7531 28 28 676, Fax: 0049 7531 20 05 22
I'm reading this thread and I foresee a problem with our system. Would it be possible to enable/disable REST access on specific databases? For example, block access to our translation database (content being translated), but allow access to approved content (original content and approved translations).
Hello France,
I guess the easiest solution would be to run REST with a user who only has access to the allowed databases. Another way could be blocking the appropriate REST calls for some specific databases (e.g. block http://my.url/rest/not-allowed-database). However, as an arbitrary XQuery could be executed by, for example, using the query= parameter, this has to be blocked as well. So writing a correct filter for each and every corner case is non-trivial, I would guess.
Cheers, Dirk
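The point in the reply above, that a per-database filter has to cover more than the URL path, shown as an added example in Python (not BaseX code): the two filters model rules one might put in a reverse proxy in front of the REST servlet, and the database names and requests are constructed. The REST behaviour they rely on is documented (GET /rest lists databases, /rest/<db>/... reads resources, and the query, command and run parameters or an XML POST body execute XQuery or commands); the filter logic itself is an illustration. The deny rule is checked against requests that reach the hidden database by other routes, then replaced with an allow-list rule, which is still only a backstop for the permission-based fix named first in the reply.

```python
"""Why a per-database deny rule in front of BaseX REST is hard to get right.

Added example, not BaseX code: the two filters model rules one might put in a
reverse proxy, written in Python for illustration. Database names and requests
are constructed. The REST features they rely on are documented: GET /rest lists
databases, /rest/<db>/... reads resources, and the query, command and run
parameters (or an XML POST body) execute XQuery or commands.
"""
from urllib.parse import parse_qs, unquote, urlsplit

BLOCKED_DBS = {"translation"}              # constructed: work in progress, must stay hidden
ALLOWED_DBS = {"originals", "approved"}    # constructed: content that may be served
EXEC_PARAMS = {"query", "command", "run"}  # REST parameters that run code rather than fetch a resource


def _split(request_line):
    """'GET /rest/x?q=1' -> ('GET', ['rest', 'x'], {'q': ['1']})."""
    method, target = request_line.split(" ", 1)
    parts = urlsplit(target)
    segs = [unquote(s) for s in parts.path.split("/") if s]
    return method, segs, parse_qs(parts.query)


def denylist_by_path(request_line, body=None):
    """Naive rule: reject only URLs whose path names a hidden database. True = allowed."""
    _, segs, _ = _split(request_line)
    return not (len(segs) >= 2 and segs[0] == "rest" and segs[1] in BLOCKED_DBS)


def allowlist_rest(request_line, body=None):
    """Hardened rule: GET only, no body, no executing parameters, and the path must be
    /rest/<allowed-db>[/resource]. The bare /rest listing is refused as well."""
    method, segs, params = _split(request_line)
    if method != "GET" or body is not None:
        return False
    if EXEC_PARAMS & set(params):
        return False
    return len(segs) >= 2 and segs[0] == "rest" and segs[1] in ALLOWED_DBS


# Constructed requests: (request line, POST body or None, reaches the hidden database?)
REQUESTS = [
    ("GET /rest/translation", None, True),
    ("GET /rest/approved/doc.xml", None, False),
    ("GET /rest", None, True),                                          # lists every database name
    ("GET /rest/approved?query=db:open('translation')", None, True),    # path is fine, query is not
    ("GET /rest?query=db:open(%27translation%27)", None, True),
    ("GET /rest?command=LIST%20translation", None, True),
    ("POST /rest/approved",
     "<query xmlns='http://basex.org/rest'><text>db:open('translation')</text></query>", True),
]


def bypasses(filter_fn):
    """Request lines the filter admits although they reach the hidden database."""
    return [line for line, body, hidden in REQUESTS if hidden and filter_fn(line, body)]


def still_served(filter_fn):
    """Legitimate request lines the filter keeps working."""
    return [line for line, body, hidden in REQUESTS if not hidden and filter_fn(line, body)]


if __name__ == "__main__":
    for fn in (denylist_by_path, allowlist_rest):
        print(fn.__name__, "leaks:", bypasses(fn), "serves:", still_served(fn))
    # Even the allow-list only limits what reaches the servlet. The durable control is
    # the one named first above: run REST as a user with no permission on 'translation',
    # so anything a filter misses is still refused inside BaseX.
```

The deny rule stops the obvious URL and nothing else: the database listing, the query and command parameters on an allowed path, and the POST body all go through. The allow-list closes those routes, at the price of reducing REST to plain GETs of whitelisted databases; the permission of the REST user remains the control that does not depend on enumerating corner cases.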
basex-talk@mailman.uni-konstanz.de