Can any readers of this list recommend some reasonably prudent technique for handling passwords that an XQuery module will need to retrieve things via http?
I suppose there are two questions: (1) where do people store such userid/password pairs? and (2) what's the best way to use them?
For storing, it has occurred to me that I can:
- hard-code them in the XQuery source
- store them in an admin-info document in the XQuery database and look them up when needed
- don't store them at all but require the request to pass them in as parameters (which offloads the burden of storing these things onto the client)
The simplest way to use them is of course to inject them into the URL, but I recall being warned that this means they can show up in logs, so it's not a recommended practice.
Probably it is better to use http:send-request() with username and password specified as attributes on the http:request method; anyone who can confirm or deny this, please do.
I will be grateful for any and all guidance.
I would be interested in hearing what techniques people use for this too.
On a recent project, I stored passwords and other configuration in a json file and used json-doc with map functions to access configuration from the file or a set of pre-set values.
---- config.json
{ "username": "name", "password": "pass" }
---
then in XQuery:
(: Namespace binding for the _ prefix; not shown in the original message. :)
declare namespace _ = 'config';

declare variable $configFile external := file:base-dir() || 'config.json';
(: The original read df:config-load here; the function is declared below as _:config-load. :)
declare variable $config := _:config-load($configFile);

declare %private variable $_:config-defaults := map {
  'username': 'test',
  'password': 'test'
};

(: Look a key up in the loaded config, falling back to the built-in defaults. :)
declare function _:config($key as xs:string, $cfg as map(*)) {
  if (map:contains($cfg, $key)) then map:get($cfg, $key)
  else map:get($_:config-defaults, $key)
};

(: Load the JSON file as a map; an empty URI yields an empty map. :)
declare function _:config-load($uri) as map(*) {
  if ($uri) then json-doc($uri) else map {}
};

let $user := _:config('username', $config)
return $user
I hope this helps.
Vincent
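As an added example (not code from either post, nor from BaseX itself), here is how the two ideas fit together: the credentials are read from a JSON config file as in Vincent's approach, and handed to http:send-request() as attributes of the http:request element, as the original question proposes, so they never become part of the URL and therefore never land in the request line of an access log. The endpoint https://api.example.org/items, the file name config.json and the local:authenticated-request function are assumptions made for the example.

```xquery
(: Added example, not code from the original posts. Reads credentials from a
   config file and passes them to http:send-request() as attributes of
   http:request instead of embedding them in the URL.
   Assumed: BaseX with the HTTP and File modules, a file config.json next to
   the query of the form {"username": "...", "password": "..."}, and a
   hypothetical endpoint https://api.example.org/items that accepts HTTP
   Basic authentication. :)
declare namespace http = 'http://expath.org/ns/http-client';

(: Path to the credentials file. Keep it outside the web application
   directory, readable only by the account that runs BaseX, and out of
   version control. :)
declare variable $configFile external := file:base-dir() || 'config.json';
declare variable $config as map(*) := json-doc($configFile);

(: Build the request element. username, password, auth-method and
   send-authorization are the EXPath http-client attributes; with
   send-authorization="true" the Authorization header goes out with the
   first request instead of after a 401 challenge. :)
declare function local:authenticated-request(
  $method as xs:string, $href as xs:string, $cfg as map(*)
) as element(http:request) {
  <http:request method="{ $method }" href="{ $href }"
    username="{ $cfg?username }" password="{ $cfg?password }"
    auth-method="Basic" send-authorization="true"/>
};

let $request := local:authenticated-request('GET', 'https://api.example.org/items', $config)
let $response := http:send-request($request)
(: The first item is the http:response element; the following items are the bodies. :)
return (
  $response[1]/@status/string(),
  $response[2]
)
```

The credentials still travel in the Authorization header (Basic is only base64-encoded), so this only protects them from logging, not from the network; use an https href as above. A config file is also only as safe as its file permissions, and a query that has read it can print it, so restrict who can run queries on that server.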
________________________________
From: basex-talk-bounces@mailman.uni-konstanz.de on behalf of C. M. Sperberg-McQueen <cmsmcq@blackmesatech.com>
Sent: Saturday, June 25, 2016 7:02:52 PM
To: BaseX
Cc: C. M. Sperberg-McQueen
Subject: [basex-talk] storing passwords ...
--
****************************************************************
* C. M. Sperberg-McQueen, Black Mesa Technologies LLC
* http://www.blackmesatech.com
* http://cmsmcq.com/mib
* http://balisage.net
****************************************************************
> Can any readers of this list recommend some reasonably prudent technique for handling passwords that an XQuery module will need to retrieve things via http?
> I suppose there are two questions: (1) where do people store such userid/password pairs?
If you use RESTXQ, you can build your user management on top of the existing User Module [1]. This module is also utilized by the DBA.
By default, these users have been introduced to control access to BaseX and its databases. If RESTXQ is used, all executed code will be in the realm of the default 'admin' user anyway, so we also use the BaseX user management to organize users of applications.
The passwords will never be stored as plain text, but with a salted hash. Please check out [2] to see how a user password can be compared with the registered password. When I see this, I believe it could help to have a convenience function added that does all the magic – something like user:verify($name, $password). Suggestions are welcome.
> and (2) what's the best way to use them?
Talking about the client, I think you have already mentioned the most obvious choices. You could also pass them on in the HTTP header and access the value via RESTXQ or the Request Module [3]. If security is important, you could use digest authentication [4] or use an https connection.
Hope this helps,
Christian
[1] http://docs.basex.org/wiki/User_Module
[2] https://github.com/BaseXdb/basex/blob/master/basex-api/src/main/webapp/dba/l...
[3] http://docs.basex.org/wiki/Request_Module#request:header
[4] http://docs.basex.org/wiki/Options#AUTHMETHOD
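An added example, not code from Christian's message or from BaseX itself, of the inbound side he describes: a RESTXQ function that takes credentials from the Authorization header via request:header and checks them against the salted hash the User Module keeps, instead of storing a plaintext password anywhere. The module namespace, the path /secure, and the exact hash layout (salt and hash children of a password element with algorithm "salted-sha256", the hash being the hex SHA-256 of salt concatenated with password) are assumptions and should be verified against the DBA login code at [2].

```xquery
(: Added example, not code from the original posts or from BaseX.
   Assumed: a hypothetical app namespace and path, and the User Module
   detail layout <password algorithm="salted-sha256"><salt/><hash/></password>
   with hash = hex(sha256(salt || password)); check this against [2]. :)
module namespace app = 'http://example.org/app';

declare namespace rest = 'http://exquery.org/ns/restxq';
declare namespace http = 'http://expath.org/ns/http-client';

(: Decode "Basic base64(user:pass)" from the Authorization header into
   (user, pass); the empty sequence if the header is missing or not Basic. :)
declare %private function app:basic-credentials() as xs:string* {
  let $header := request:header('Authorization')
  where starts-with($header, 'Basic ')
  let $decoded := convert:binary-to-string(
    xs:base64Binary(substring-after($header, 'Basic '))
  )
  return (
    substring-before($decoded, ':'),
    substring-after($decoded, ':')
  )
};

(: Compare the supplied password with the stored salted SHA-256 hash.
   An unknown user yields no $stored element and therefore false, the same
   outcome as a wrong password, so the response does not reveal which. :)
declare %private function app:verify($name as xs:string, $password as xs:string) as xs:boolean {
  let $stored := user:list-details()[@name = $name]/password[@algorithm = 'salted-sha256']
  let $salt := string($stored/salt)
  let $computed := lower-case(string(xs:hexBinary(hash:sha256($salt || $password))))
  return exists($stored) and $computed = lower-case(string($stored/hash))
};

declare
  %rest:path('/secure')
  %rest:GET
function app:secure() {
  let $creds := app:basic-credentials()
  return if (count($creds) = 2 and app:verify($creds[1], $creds[2])) then
    <ok user="{ $creds[1] }"/>
  else
    <rest:response>
      <http:response status="401">
        <http:header name="WWW-Authenticate" value="Basic realm=&quot;BaseX&quot;"/>
      </http:response>
    </rest:response>
};
```

Two caveats a practitioner would add: the string equality above is not a constant-time comparison, and Basic credentials are only base64-encoded, so this belongs behind https, or behind the server's own digest authentication (AUTHMETHOD, [4]), in which case BaseX performs the challenge and the function only needs to read the already-authenticated user.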