Hi chaps,
I actually had on my list to produce a security set of XQuery Annotations. Keeping in mind my current work load, it is unlikely that I will get around to this until Feb/Mar at the earliest.
I use the term 'security' rather than 'authentication', as I think that security encompasses authentication and more. In addition I think this should be standalone to RESTXQ, let's call it SecurityXQ, but you should certainly be able to use the annotations together in the same context.
In my mind, the first priority would be to establish a simple user model which would work for varied authentication providers, this should also include defining the meaning of roles and/or groups. The main reason why this should be separate to RESTXQ, is that I think security also applies to any XQuery, not just an XQuery run in a web context. There may be web-specific security extensions, e.g. basic/digest/challenge method annotations and SSL/TLS stuff etc.
e.g. something like -
%security:require-user("bob", "fred", "frank") %security:require-group("my-users")
The above would be an OR of the two credential sets.
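A small model of the proposed SecurityXQ semantics, written here as an added Python example (it is not BaseX, RESTXQ or EXQuery code): it parses the two annotations quoted above from a function declaration and evaluates them as the OR of the credential sets against a user/group principal. The Principal type, the constructed sample declaration and the deny-by-default rule for anonymous callers are assumptions of this example.

```python
import re
from dataclasses import dataclass

# Assumed user model: a principal is a user name plus the groups it belongs to.
@dataclass(frozen=True)
class Principal:
    name: str
    groups: frozenset = frozenset()

# Matches %security:require-user(...) and %security:require-group(...) annotations.
ANNOTATION = re.compile(r'%security:(require-user|require-group)\(([^)]*)\)')

def parse_annotations(decl: str):
    """Return the %security:* annotations of a declaration as (kind, values) pairs."""
    result = []
    for kind, args in ANNOTATION.findall(decl):
        values = frozenset(v.strip().strip('"') for v in args.split(',') if v.strip())
        result.append((kind, values))
    return result

def authorized(decl: str, principal) -> bool:
    """Grant access if ANY annotation's credential set is satisfied (OR semantics).

    An unannotated function carries no restriction; an annotated one denies
    anonymous callers by default (assumption of this example).
    """
    annotations = parse_annotations(decl)
    if not annotations:
        return True
    if principal is None:
        return False
    for kind, values in annotations:
        if kind == 'require-user' and principal.name in values:
            return True
        if kind == 'require-group' and values & principal.groups:
            return True
    return False

# Constructed sample declaration carrying the two annotations from the mail.
SAMPLE_DECL = ('declare %security:require-user("bob", "fred", "frank") '
               '%security:require-group("my-users") function local:f() { 1 };')
```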
On 15 November 2012 13:37, Christian Grün christian.gruen@gmail.com wrote:
Hi Daniel,
you may be interested to hear that we already have some first thoughts on extending the RESTXQ API with an authentication module. As you indicated, those "if" constructs are the current way to go. While it works fine in practice, I agree it’s not the way it should be. The reasons why we didn’t choose a solution yet are that:
-- we didn’t have enough time to put more focus on that issue
-- we didn’t want to restrict ourselves to the use cases we’re currently aware of
Maybe we should start off with a little spec describing what the %auth annotations should look like, where the authentication functionality will be located, and how we can ensure that also protocols like OAuth can be supported. As soon as we have specified the basics, the implementation shouldn’t cause too much headache. If you have some concrete ideas, your input is more than welcome!
In the end, I’d like to get the enhancement into the work-in-progress RESTXQ draft (the exquery GitHub issue tracker is probably the best platform to discuss such extensions and propose extensions [1]). This is why I cc'ed this mail to Adam Retter..
Christian
[1] https://github.com/exquery/exquery/issues
On Wed, Nov 14, 2012 at 3:58 PM, Daniel Kvasnička daniel.kvasnicka@me.com wrote:
Hi folks,
I'd like to write an app using RESTXQ and I'd like to auth users using a regular form-based authentication and then on some XQuery functions check for an existing user session (and possibly user roles). I'd also like to add some social media login using OAuth (later). My question is - is it somehow possible to do this in a declarative way? For example custom annotations on XQuery handlers? Something like %auth:roles-allowed("admin") I definitely don't want to "if" at the beginning of every function that should be protected. No problem with implementing this in Java or XQuery. Just tell me how to approach this orthogonal concern in a reasonable way... Or should I equate app users to BaseX users and leverage BaseX auth?
Any tips appreciated (yes, you can even tell me BaseX RESTXQ is not a good tool for that).
Daniel
-- danielkvasnicka.net
BaseX-Talk mailing list BaseX-Talk@mailman.uni-konstanz.de https://mailman.uni-konstanz.de/mailman/listinfo/basex-talk