Hi list!
I just experimented a bit to see if there is an obvious way to use HTTP digest authentication for some RESTXQ service I plan to write. I would prefer not to reimplement the HTTP digest logic in XQuery. I thought maybe there is a way to use the built in digest logic like for the REST endpoint. I don't seem to get that to work. Any suggestions?
Best regards
Omar Siam
Hi Omar,
Digest authentication with RESTXQ should work out of the box. The following changes in the configuration may be required:
• You’ll need to enable digest authentication in the web.xml configuration file [1]
• By default, the admin user is enabled for RESTXQ requests. You’ll need to remove the corresponding entry [2]
Best, Christian
[1] https://github.com/BaseXdb/basex/blob/9a089491894a01f9d8edb5d30e695f18b13bc9...
[2] https://github.com/BaseXdb/basex/blob/9a089491894a01f9d8edb5d30e695f18b13bc9...
On Thu, Feb 14, 2019 at 6:35 PM Omar Siam <Omar.Siam@oeaw.ac.at> wrote:
> Hi list!
> I just experimented a bit to see if there is an obvious way to use HTTP digest authentication for some RESTXQ service I plan to write. I would prefer not to reimplement the HTTP digest logic in XQuery. I thought maybe there is a way to use the built in digest logic like for the REST endpoint. I don't seem to get that to work. Any suggestions?
> Best regards
> Omar Siam
Hi and thanks for the quick response!
Ok. Now I see how that works.
As I see it there is no way of doing this selectively. Like having the / page not having authentication and /dba do authentication using some other method. Or if I have some service where I need to decide at runtime in XQuery code that I now would like to require the client to do digest authentication. Digest authentication cannot be hooked to the %perm annotation I think.
Is that correct or am I missing something?
Best regards
Omar
On 14.02.2019 at 18:39, Christian Grün wrote:
> Hi Omar,
> Digest authentication with RESTXQ should work out of the box. The following changes in the configuration may be required:
> • You’ll need to enable digest authentication in the web.xml configuration file [1]
> • By default, the admin user is enabled for RESTXQ requests. You’ll need to remove the corresponding entry [2]
> Best, Christian
> [1] https://github.com/BaseXdb/basex/blob/9a089491894a01f9d8edb5d30e695f18b13bc9...
> [2] https://github.com/BaseXdb/basex/blob/9a089491894a01f9d8edb5d30e695f18b13bc9...
Hi Omar,
> As I see it there is no way of doing this selectively.
Right, there is no such solution at the moment. We didn’t implement digest authentication via our permission layer so far, but it should definitely be possible (might be an interesting challenge… any volunteers out there?).
Best, Christian
> Like having the / page not having authentication and /dba do authentication using some other method. Or if I have some service where I need to decide at runtime in XQuery code that I now would like to require the client to do digest authentication. Digest authentication cannot be hooked to the %perm annotation I think.
> Is that correct or am I missing something?
> Best regards
> Omar
Hi,
Looks like I got BaseX 9.1.2 to work.
I configured the AUTHMETHOD in .basex to Digest.
In the %perm:check function I return 401 if I want authentication. As noted in commit https://github.com/BaseXdb/basex/commit/acd4713e99f618c8dc9dda8d5f994d0139c2... for 9.2, there is no way to send a custom WWW-Authentication header, but this triggers the BaseX/Jetty built-in authentication, be that Basic, Digest or "Custom".
So if I return a response containing this part:
    <http:response status="401" message="Authenticate">
      {(: <http:header name="WWW-Authenticate" value=""/> Never before 9.2 used see AUTHMETHOD --> :)}
      <http:header name="Content-Language" value="en"/>
      <http:header name="Content-Type" value="text/html; charset=utf-8"/>
    </http:response>
I can decide in code when I need a user to authenticate.
Hope that keeps working.
Best regards
Omar
On 15.02.2019 at 16:28, Christian Grün wrote:
> Hi Omar,
> > As I see it there is no way of doing this selectively.
> Right, there is no such solution at the moment. We didn’t implement digest authentication via our permission layer so far, but it should definitely be possible (might be an interesting challenge… any volunteers out there?).
> Best, Christian
Sounds good, Omar, thanks for reporting this back to the list! I believe your solution should continue to function with BaseX 9.2.
On Tue, Feb 26, 2019 at 3:42 PM Omar Siam <Omar.Siam@oeaw.ac.at> wrote:
> Hi,
> Looks like I got BaseX 9.1.2 to work.
> I configured the AUTHMETHOD in .basex to Digest.
> In the %perm:check function I return 401 if I want authentication. As noted in commit https://github.com/BaseXdb/basex/commit/acd4713e99f618c8dc9dda8d5f994d0139c2... for 9.2, there is no way to send a custom WWW-Authentication header, but this triggers the BaseX/Jetty built-in authentication, be that Basic, Digest or "Custom".
> So if I return a response containing this part:
>     <http:response status="401" message="Authenticate">
>       {(: <http:header name="WWW-Authenticate" value=""/> Never before 9.2 used see AUTHMETHOD --> :)}
>       <http:header name="Content-Language" value="en"/>
>       <http:header name="Content-Type" value="text/html; charset=utf-8"/>
>     </http:response>
> I can decide in code when I need a user to authenticate.
> Hope that keeps working.
> Best regards
> Omar
basex-talk@mailman.uni-konstanz.de
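The "HTTP digest logic" this thread avoids reimplementing in XQuery, shown as an added Python example (not code from the thread or from BaseX): the server-side check of the Authorization header a client sends after a 401 challenge, per RFC 2617 with MD5 and qop=auth. All function names are hypothetical, and the sample exchange uses the RFC 2617 example values.

```python
import hashlib
import hmac
import re

def md5_hex(text: str) -> str:
    return hashlib.md5(text.encode("utf-8")).hexdigest()

def parse_digest(value: str) -> dict:
    """Parse 'Digest k="v", k2=v2' (simplified: no escaped quotes in values)."""
    scheme, _, params = value.partition(" ")
    if scheme.lower() != "digest":
        raise ValueError("not a Digest header")
    pairs = re.findall(r'(\w+)=(?:"([^"]*)"|([^\s,]+))', params)
    return {k.lower(): quoted or bare for k, quoted, bare in pairs}

def expected_response(ha1: str, method: str, p: dict) -> str:
    # RFC 2617, qop=auth: MD5(HA1:nonce:nc:cnonce:qop:MD5(method:uri))
    ha2 = md5_hex(f"{method}:{p['uri']}")
    return md5_hex(":".join([ha1, p["nonce"], p["nc"], p["cnonce"], p["qop"], ha2]))

def verify(authorization: str, method: str, request_uri: str,
           issued_nonce: str, ha1_by_user: dict) -> bool:
    """True only if the client proved knowledge of the password for this request."""
    try:
        p = parse_digest(authorization)
        ha1 = ha1_by_user[p["username"]]
        # Reject replays against another resource or with a nonce we did not issue.
        if p["qop"] != "auth" or p["uri"] != request_uri or p["nonce"] != issued_nonce:
            return False
        return hmac.compare_digest(expected_response(ha1, method, p), p["response"])
    except (KeyError, ValueError, TypeError):
        return False  # missing field, unknown user, or a non-Digest header

# Sample exchange: the RFC 2617 section 3.5 example values.
REALM, NONCE = "testrealm@host.com", "dcd98b7102dd2f0e8b11d0f600bfb0c093"
CHALLENGE = f'Digest realm="{REALM}", qop="auth", nonce="{NONCE}"'  # sent with the 401
AUTHORIZATION = (                                                   # client's retry
    f'Digest username="Mufasa", realm="{REALM}", nonce="{NONCE}", '
    'uri="/dir/index.html", qop=auth, nc=00000001, cnonce="0a4f113b", '
    'response="6629fae49393a05397450978507c4ef1"')
# Only HA1 = MD5(user:realm:password) is needed on the server side.
USERS = {"Mufasa": md5_hex(f"Mufasa:{REALM}:Circle Of Life")}

if __name__ == "__main__":
    print(verify(AUTHORIZATION, "GET", "/dir/index.html", NONCE, USERS))   # valid retry
    print(verify(AUTHORIZATION, "POST", "/dir/index.html", NONCE, USERS))  # method changed
    print(verify(AUTHORIZATION, "GET", "/dba", NONCE, USERS))              # other resource
```

Because the response hash covers the method, URI and nonce, a captured header cannot be reused for a different request, which is what the built-in handler provides without any XQuery code.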