From: Adam R. <ad...@ex...> - 2013-12-20 17:34:41
Sadly I don't think my beat-up old car would make it as far as the Alps!

On 20 Dec 2013 14:08, "Misztur, Chris" <CMi...@ma...> wrote:

> We know what you're really doing in the Alps.
>
> http://m.youtube.com/watch?v=wO3YUQ1Lfuc&desktop_uri=%2Fwatch%3Fv%3DwO3YUQ1Lfuc
>
> When you get back please do share your security ideas with us.
>
> On Dec 20, 2013, at 6:44 AM, "Adam Retter" <ad...@ex...> wrote:
>
> I'm currently skiing in the Alps, but if you look at my fork of eXist
> there is a branch, where the session module is supported from RestXQ, this
> is a temporary measure. I want to create a set of security annotations
> instead, just need time, or if people want to collaborate with me?
>
> On 20 Dec 2013 08:57, "Dr Josef Karthauser" <jo...@ka...> wrote:
>
>> Hi Adam et al.,
>>
>> I've implemented some sweet REST APIs using RESTXQ; I really like it -
>> nice clean APIs coupled with XFORMS for the user interface.
>>
>> But, the data isn't open to all, and some users need privileged access
>> and others don't.
>>
>> So, I'm wondering what the best pattern to use is. Normally I would
>> expect to use OAUTH or something to establish credentials with the REST
>> side of things, but I've not found anything standard kicking around in the
>> docs to serve a similar purpose.
>>
>> I would expect to be able to do something like this:
>>
>> declare
>>     %rest:GET("")
>>     %rest:path("/questiondb/login")
>>     %rest:form-param("user", "{$user}", "guest")
>>     %rest:form-param("password", "{$password}", "")
>>     %rest:produces("application/xml", "text/xml")
>> function login:login($user as xs:string*, $password as xs:string*) {
>>     let $u1 := xmldb:get-current-user()
>>     let $l := xmldb:login("/", $user, $password)
>>     let $u2 := xmldb:get-current-user()
>>     return
>>         <login> <u1>{$u1}</u1> <l>{$l}</l> <u2>{$u2}</u2> </login>
>> };
>>
>> declare
>>     %rest:GET("")
>>     %rest:path("/questiondb/login/check")
>>     %rest:produces("application/xml", "text/xml")
>> function login:check() {
>>     if (xmldb:is-authenticated()) then
>>         <yes/>
>>     else
>>         <no/>
>> };
>>
>> Under the standard exist code paths this would work: the 'xmldb:login'
>> call would add a session cookie to the response and subsequent calls would
>> automatically be authenticated. However that bridge into the RESTXQ
>> request/response doesn't appear to exist.
>>
>> Can you please recommend a lightweight way for me to proceed?
>>
>> Many thanks,
>> Joe