Hi Christian,
Thanks for the permissions pointer - it works well.
As an aside I had to use
let $vbFailure1 := ($perm?authorization != 'example' or exists( $perm?authorization )=false())
Rather than
let $vbFailure1 := ($perm?authorization != 'example' )
To handle the case of no Authorisation. I am not sure why.
I should be able to use request:cookie for ws (when I need to) which is great.
I wasn't able to work out a catchall rest:path solution but it is not really important for me.
Thanks again for the pointer.
Adam
On Mon, Jan 18, 2021 at 8:33 PM Christian Grün christian.gruen@gmail.com wrote:
You could have a look at the "Catch HTTP Errors" section in our documentation.
[1] https://docs.basex.org/wiki/RESTXQ#Error_Handling
On Mon, Jan 18, 2021 at 1:30 PM Adam Law adamjameslaw@gmail.com wrote:
Another thought - a 'catch all' path for fail2ban to catch attempted
accesses to undefined paths.
I haven't tested this to see if there is such a thing in BaseX https://stackoverflow.com/questions/50282541/catch-all-url-in-golang
On Mon, Jan 18, 2021 at 5:26 PM Christian Grün <
christian.gruen@gmail.com> wrote:
Hi Adam,
You could have a look at our Permissions layer [1]. It can be used for all kinds of checks, not only those specific to authentication. I think we should generalize the concept in a future version of BaseX and introduce additional post-hooks.
Hope this helps? Christian
[1] https://docs.basex.org/wiki/Permissions
On Mon, Jan 18, 2021 at 3:19 AM Adam Law adamjameslaw@gmail.com
wrote:
Golang has great middleware functionality for endpoints that allows a
person to readily secure all of them. I was wondering whether there would be any way of doing similar in BaseX for restxq & websockets. For example by requiring all requests to have a particular query parameter (very basic example). ... to protect say against browser / javascript port scanning.
Eg
https://stackoverflow.com/questions/26204485/gorilla-mux-custom-middleware and check that request contains a particular parameter (very basic security)
It seems that I have to secure each endpoint individually.
Adam
Does anyone have any experience running basex (windows) - jetty on https with hot reload https://github.com/eclipse/jetty.project/issues/5019.
This is how I appear to be able to set SSL on 8446 in jetty.xml but ssl-reload (hot reload) is beyond me.
<?xml version="1.0"?>
<!DOCTYPE Configure PUBLIC "-//Jetty//Configure//EN" "http://www.eclipse.org/jetty/configure_9_3.dtd">
<Configure id="Server" class="org.eclipse.jetty.server.Server">
  <New id="httpConfig" class="org.eclipse.jetty.server.HttpConfiguration">
    <Set name="secureScheme">https</Set>
    <Set name="securePort">8446</Set>
  </New>
  <New id="httpsConfig" class="org.eclipse.jetty.server.HttpConfiguration">
    <Call name="addCustomizer">
      <Arg>
        <New class="org.eclipse.jetty.server.SecureRequestCustomizer" />
      </Arg>
    </Call>
  </New>
  <New id="connector" class="org.eclipse.jetty.server.ServerConnector">
    <Arg name="server">
      <Ref refid="Server" />
    </Arg>
    <Arg name="factories">
      <Array type="org.eclipse.jetty.server.ConnectionFactory">
        <Item>
          <New class="org.eclipse.jetty.server.HttpConnectionFactory">
            <Arg name="config">
              <Ref refid="httpConfig" />
            </Arg>
          </New>
        </Item>
      </Array>
    </Arg>
    <Set name="host">0.0.0.0</Set>
    <Set name="port">8984</Set>
    <Set name="idleTimeout">60000</Set>
    <Set name="reuseAddress">true</Set>
  </New>
  <New id="sslContextFactory" class="org.eclipse.jetty.util.ssl.SslContextFactory$Server">
    <Set name="KeyStorePath">D:/D_Ser/CP_Certificates/CertifyTheWebACME.store</Set>
    <Set name="KeyStorePassword">Password</Set>
  </New>
  <New id="sslConnectionFactory" class="org.eclipse.jetty.server.SslConnectionFactory">
    <Arg name="sslContextFactory">
      <Ref refid="sslContextFactory" />
    </Arg>
    <Arg name="next">http/1.1</Arg>
  </New>
  <New id="sslConnector" class="org.eclipse.jetty.server.ServerConnector">
    <Arg name="server">
      <Ref refid="Server" />
    </Arg>
    <Arg name="factories">
      <Array type="org.eclipse.jetty.server.ConnectionFactory">
        <Item>
          <Ref refid="sslConnectionFactory" />
        </Item>
        <Item>
          <New class="org.eclipse.jetty.server.HttpConnectionFactory">
            <Arg name="config">
              <Ref refid="httpsConfig" />
            </Arg>
          </New>
        </Item>
      </Array>
    </Arg>
    <Set name="port">8446</Set>
  </New>
  <Call name="setConnectors">
    <Arg>
      <Array type="org.eclipse.jetty.server.ServerConnector">
        <Item>
          <Ref refid="connector" />
        </Item>
        <Item>
          <Ref refid="sslConnector" />
        </Item>
      </Array>
    </Arg>
  </Call>
  <!-- Default connector. The Jetty stop port can be specified in the .basex or pom.xml configuration file. -->
</Configure>
Hi Adam,
let $vbFailure1 := ($perm?authorization != 'example' or exists( $perm?authorization )=false())
If you want, you can simplify this to:
let $vbFailure1 := not($perm?authorization = 'example')
If $perm?authorization yields no item (i.e., an “empty sequence”), the comparison () != 'example' will give you false, because there is no item on the left-hand side of the comparison that matches 'example'.
Hope this helps, Christian
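[Added example, not part of the thread or of BaseX itself: a stand-alone query contrasting the fail-open != test with the fail-closed not(... = ...) form discussed above. The function names and the request maps are hypothetical, constructed stand-ins for the $perm map that a function annotated with %perm:check receives; 'example' is the placeholder value used in the posts.]

```xquery
(: Added example; the maps below are constructed stand-ins for the $perm map
   that the BaseX Permissions layer passes to a %perm:check function. :)
declare variable $EXPECTED := 'example';  (: placeholder value from the thread :)

(: Fail-open variant: a general comparison with an empty sequence is always
   false, so a request without an Authorization header is never flagged. :)
declare function local:rejects-ne($perm as map(*)) as xs:boolean {
  $perm?authorization != $EXPECTED
};

(: Fail-closed variant: () = 'example' is false, so not(...) is true and a
   missing header is rejected along with a wrong one. :)
declare function local:rejects-not-eq($perm as map(*)) as xs:boolean {
  not($perm?authorization = $EXPECTED)
};

(: Three constructed requests: no header, the expected value, a wrong value. :)
let $requests := (
  map { 'path': '/data', 'method': 'GET' },
  map { 'path': '/data', 'method': 'GET', 'authorization': 'example' },
  map { 'path': '/data', 'method': 'GET', 'authorization': 'other' }
)
for $perm in $requests
return
  <request authorization="{ ($perm?authorization, '(none)')[1] }"
           rejected-by-ne="{ local:rejects-ne($perm) }"
           rejected-by-not-eq="{ local:rejects-not-eq($perm) }"/>
```

[In a RESTXQ module the same not(... = ...) test would sit in the body of the function annotated with %perm:check('/', '{$perm}'), so that every path below '/' rejects requests that carry no Authorization header.]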
Hi Christian - thanks for the explanation. Adam
On Tue, Jan 26, 2021 at 6:26 PM Christian Grün christian.gruen@gmail.com wrote:
Hi Adam,
let $vbFailure1 := ($perm?authorization != 'example' or exists( $perm?authorization )=false())
If you want, you can simplify this to:
let $vbFailure1 := not($perm?authorization = 'example')
If $perm?authorization yields no item (i.e., an “empty sequence”), the comparison () != 'example' will give you false, because there is no item on the left-hand side of the comparison that matches 'example'.
Hope this helps, Christian
basex-talk@mailman.uni-konstanz.de