Hello BaseX Team,
I'm trying to implement a RESTXQ service that uses JWT tokens for authorization and authentication. For this purpose I use a permission check annotated function that validates the token and returns a 401 response if the token is invalid or missing.
declare
  %perm:check('/admin', '{$perm}')
function security:check-admin($perm) {
  (: $perm?authorization holds the value of the Authorization request header :)
  let $token := $perm?authorization
  where empty($token)
  return
    <rest:response>
      <http:response status='401'>
        <http:header name='WWW-Authenticate' value='Bearer realm="c42"'/>
      </http:response>
    </rest:response>
};
When I call the endpoint without token I get the expected response but the WWW-Authenticate header is different to the one that I have defined:
WWW-Authenticate Basic realm="BaseX"
Is there a way to override the BaseX provided header?
Thanks for your input.
Best regards Johannes
Hi Johannes,
If the error code 401 is returned, the BaseX standard authentication values had been assigned to the response header.
I have revised this a little: With the latest snapshot, the BaseX authentication header will only be assigned if the user does not provide a custom header in the RESTXQ response. A latest snapshot is online [1].
Best, Christian
[1] http://files.basex.org/releases/latest/
On Wed, Jan 30, 2019 at 9:16 AM Johannes Bauer johannes.bauer@tanner.de wrote:
> Hello BaseX Team,
> I'm trying to implement a RESTXQ service that uses JWT tokens for authorization and authentication. For this purpose I use a permission check annotated function that validates the token and returns a 401 response if the token is invalid or missing.
> declare
>   %perm:check('/admin', '{$perm}')
> function security:check-admin($perm) {
>   let $token := $perm?authorization
>   where empty($token)
>   return
>     <rest:response>
>       <http:response status='401'>
>         <http:header name='WWW-Authenticate' value='Bearer realm="c42"'/>
>       </http:response>
>     </rest:response>
> };
> When I call the endpoint without token I get the expected response but the WWW-Authenticate header is different to the one that I have defined:
> WWW-Authenticate Basic realm="BaseX"
> Is there a way to override the BaseX provided header?
> Thanks for your input.
> Best regards Johannes
Hi Christian,
I've tested this and the multiple %perm:allow annotations again with the latest snapshot. Both are working as expected now.
Thank you for taking care of this.
Best regards Johannes
On 04.02.2019 at 14:57, Christian Grün wrote:
> Hi Johannes,
> If the error code 401 is returned, the BaseX standard authentication values had been assigned to the response header.
> I have revised this a little: With the latest snapshot, the BaseX authentication header will only be assigned if the user does not provide a custom header in the RESTXQ response. A latest snapshot is online [1].
> Best, Christian
> [1] http://files.basex.org/releases/latest/
basex-talk@mailman.uni-konstanz.de
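The permission check from this thread, extended as an added example (not code from the posters or from BaseX itself) so that it verifies the token and answers bad tokens with the RFC 6750 `invalid_token` challenge. It goes beyond the posted check and assumes HS256-signed JWTs with a shared secret; the module URI, the `$security:secret` placeholder and the helpers `security:b64url`, `security:json`, `security:valid` and `security:challenge` are hypothetical names.

```xquery
module namespace security = 'security';  (: module URI is an assumption :)

(: Assumption: HS256 tokens signed with a shared secret; placeholder value. :)
declare variable $security:secret := 'REPLACE-WITH-SHARED-SECRET';

(: base64url segment -> xs:base64Binary: restore alphabet and padding :)
declare function security:b64url($s as xs:string) as xs:base64Binary {
  let $t := translate($s, '-_', '+/')
  return xs:base64Binary($t || substring('===', 1, (4 - string-length($t) mod 4) mod 4))
};

(: base64url-encoded JSON segment -> map :)
declare function security:json($s as xs:string) as map(*) {
  parse-json(convert:binary-to-string(security:b64url($s)))
};

(: true only for a well-formed, correctly signed, unexpired HS256 token :)
declare function security:valid($token as xs:string) as xs:boolean {
  try {
    let $p := tokenize($token, '\.')
    let $mac := crypto:hmac($p[1] || '.' || $p[2], $security:secret, 'sha256', 'base64')
    let $now := (current-dateTime() - xs:dateTime('1970-01-01T00:00:00Z'))
                div xs:dayTimeDuration('PT1S')
    return count($p) = 3
      and security:json($p[1])?alg = 'HS256'  (: pin the algorithm, rejects "none" :)
      and xs:base64Binary($mac) = security:b64url($p[3])
      and security:json($p[2])?exp > $now     (: a missing exp claim fails the check :)
  } catch * { false() }  (: malformed base64 or JSON means invalid token, not a 500 :)
};

(: 401 response with a Bearer challenge; $params carries optional RFC 6750 attributes :)
declare function security:challenge($params as xs:string) as element(rest:response) {
  <rest:response>
    <http:response status='401'>
      <http:header name='WWW-Authenticate' value='Bearer realm="c42"{$params}'/>
    </http:response>
  </rest:response>
};

declare %perm:check('/admin', '{$perm}') function security:check-admin($perm) {
  let $auth := $perm?authorization
  return
    if (empty($auth)) then security:challenge('')  (: no credentials: plain challenge :)
    else if (not(matches($auth, '^Bearer +\S+$', 'i'))
             or not(security:valid(replace($auth, '^\S+ +', ''))))
    then security:challenge(', error="invalid_token"')
    else ()  (: empty result lets the request proceed :)
};
```

With a snapshot that includes the change Christian describes, both 401 responses keep the custom Bearer challenge instead of `Basic realm="BaseX"`.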