Thanks Andreas for forwarding my mail to the mailing list.
Thinking a bit longer about my earlier proposal, I realized it is probably not very much in REST style, as an important attribute of the request (the username) is left out of the request representation. Googling this topic I found http://broadcast.oreilly.com/2009/12/principles-for-standardized-rest-authen... where the topic is described, and which seems far more mature than my original thoughts. Being familiar with the AWS solution for S3, it fits quite well (I noticed the author's comments about AWS not being perfect, but taking purely the approach of AWS S3 seems to be in line with the concept he describes).
Jan Vlčinský
2011/3/25 Andreas Weiler andreas.weiler@uni-konstanz.de
Forwarding to mailing-list.
Begin forwarded message:
From: Jan Vlčinský (CAD) jan.vlcinsky@cad-programs.com
Date: 25 March 2011 14:46:47 CET
To: Andreas Weiler andreas.weiler@uni-konstanz.de
Subject: Re: [basex-talk] BaseX REST Security
Hi,
Let me describe my vision of a possible implementation. The current REST communication would not declare anything about user and password in the XML documents being sent to the server as a request. The web server (servlet container) would implement standard security protection for a given URL, either by means of basic or by means of digest authentication, and possibly using HTTPS. The BaseX server would have to provide some method to let the servlet check that given credentials (username and password) are valid, and the servlet would use it to authenticate requests (thinking of using JAAS). The servlet would also use the username and password of the REST request to log into BaseX.
Implementation for basic authentication would be relatively simple, as the user provides the full password and the servlet can reuse it when logging into BaseX. Using e.g. JAAS, BaseX would implement an interface for authentication.
With digest the situation is a bit more difficult, as the password from the HTTP request is probably unusable for logging into BaseX, since it already arrives somehow scrambled at the web server and reconstruction is not possible (if I am correct). Solutions could be:
- BaseX would have an option to reuse the authenticated user and somehow reuse the available password data, or simply trust the user who has already logged into the web server.
- At the servlet there would be a mapping from the (authenticated) username to the credentials of a BaseX account (username and password). This would be used to log into BaseX.
Both options have some drawbacks and security risks, but we all know security risk is a general feature of almost any method. The simplest solution could use basic authentication and rely on HTTPS to encrypt the open password over the network.
Just some ideas which came to my mind.
With best regards
Jan Vlčinský
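As an added illustration of the basic-versus-digest trade-off described above (example code written for this page, not part of the original mail or of BaseX): with Basic the servlet receives the password and can pass it on to BaseX, while with Digest it only ever holds the MD5 hash HA1 and has to map the authenticated web user to a BaseX account. The realm, the user list and both credential stores are constructed placeholders.

```python
import base64
import hashlib
import hmac

REALM = "BaseX REST"                      # constructed realm name
BASEX_USERS = {"jan": "s3cret"}           # constructed stand-in for BaseX's credential check
# Digest: the servlet stores only HA1 = MD5(user:realm:password), never the password.
DIGEST_HA1 = {u: hashlib.md5(f"{u}:{REALM}:{p}".encode()).hexdigest()
              for u, p in BASEX_USERS.items()}
# Second option from the mail: map an authenticated web user to a BaseX account.
BASEX_ACCOUNT_MAP = {"jan": ("jan", "s3cret")}

def _md5(text):
    return hashlib.md5(text.encode()).hexdigest()

def basic_login(auth_header):
    """Basic: user:password arrives in clear, so the servlet can reuse it for BaseX."""
    scheme, _, token = auth_header.partition(" ")
    if scheme.lower() != "basic":
        return None
    user, _, password = base64.b64decode(token).decode().partition(":")
    if not hmac.compare_digest(BASEX_USERS.get(user, "").encode(), password.encode()):
        return None
    return user, password

def make_digest_header(user, password, method, uri, nonce, cnonce, nc="00000001"):
    """Client side of RFC 2617 digest (qop=auth): only a hash of the password is sent."""
    ha1 = _md5(f"{user}:{REALM}:{password}")
    ha2 = _md5(f"{method}:{uri}")
    response = _md5(f"{ha1}:{nonce}:{nc}:{cnonce}:auth:{ha2}")
    return (f'Digest username="{user}", realm="{REALM}", nonce="{nonce}", uri="{uri}", '
            f'qop=auth, nc={nc}, cnonce="{cnonce}", response="{response}"')

def digest_login(auth_header, method):
    """Digest: verify against the stored HA1; the password is unrecoverable, so BaseX
    credentials come from BASEX_ACCOUNT_MAP. (Nonce freshness/replay checks omitted.)"""
    scheme, _, rest = auth_header.partition(" ")
    if scheme.lower() != "digest":
        return None
    p = dict(part.strip().partition("=")[::2] for part in rest.split(","))
    p = {k: v.strip('"') for k, v in p.items()}
    ha1 = DIGEST_HA1.get(p.get("username"))
    if ha1 is None or p.get("realm") != REALM or p.get("qop") != "auth":
        return None
    ha2 = _md5(f"{method}:{p.get('uri', '')}")
    expected = _md5(f"{ha1}:{p.get('nonce')}:{p.get('nc')}:{p.get('cnonce')}:auth:{ha2}")
    if not hmac.compare_digest(expected, p.get("response", "")):
        return None
    return BASEX_ACCOUNT_MAP.get(p["username"])
```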
2011/3/25 Andreas Weiler andreas.weiler@uni-konstanz.de
Hi,
in the BXJaxRX class, you can set String USER and String PASSWORD to use another user than the standard admin user. So each request will be executed/declined according to these user permissions. Currently it is not possible to send username/password with single requests to the server in JAXRX mode.
-- Andreas
On 25.03.2011 at 13:46, Евгений Хабаров wrote:
When a connection is made using the Language Bindings, the client needs a valid login/password to access the database. When JAXRX is used, user authentication is NOT requested. Is it possible to protect JAXRX interface operations?
_______________________________________________
BaseX-Talk mailing list BaseX-Talk@mailman.uni-konstanz.de https://mailman.uni-konstanz.de/mailman/listinfo/basex-talk
--
Ing. Jan Vlčinský
CAD programy
Slunečnicová 338/3, 734 01 Karviná Ráj, Czech Republic
tel: +420-597 602 024; mob: +420-608 979 040
skype: janvlcinsky; GoogleTalk: jan.vlcinsky@gmail.com
http://cz.linkedin.com/in/vlcinsky