From: Hungerburg <pc...@my...> - 2017-12-14 23:38:42
Hello Joshua,

Just a quick guess: Historically, there are different mechanisms for
authentication:

- HTTP auth
- auth done with cookies

There is lots of literature out on the interwebs on the subject. IMO it
is your task as a developer to not mix the two.

If you want cookie auth, your application must be in full control at all
times. You changed that when you restricted access (required
authorization) on quasi /file system/ level. The principal is not
authenticated against the system (only against your app), hence the
second prompt!

AFAIK, REST implies a stateless server, so auth with cookies is out of
the game, because it requires the server to keep a user session. Perhaps
RESTXQ implies REST? In this model, the user agent (browser) keeps the
state: therefore your app cannot log her out (the principal).

Perhaps others on the list know tricks to bridge the gap that I am not
aware of.

Kind regards

Peter

On 2017-12-14 at 17:22, Joshua Schäuble wrote:
> Hello,
>
> I'm developing an app with RESTXQ, but the same problem also applies in
> other cases of accessing restricted resources (via the Java Admin). Here
> is a description:
>
> Users can log in on a bootstrap modal via login:set-user(). This works
> fine. Let's for a moment assume a dba user is logged in.
>
> I have some resources that are restricted to dba or owner access only
> (rwx------) via the Java Admin Client. In order to describe that this is
> not only a RESTXQ problem, let's assume the following two files
>
> /myapp/data/test.xml
>
> /myapp/modules/restxq-functions.xql
>
>
> Here is what is weird: When my logged in user (login:set-user() in the
> application's controller) requests via AJAX either test.xml or any
> function stored in restxq-functions.xql, a second prompt (not my
> bootstrap prompt!) opens, and although my user is logged in and *should
> have* access rights for both these files, she has to log in again.
>
> What is interesting here: she can login with different credentials at
> this prompt. Then two parallel logins seem to be active. The first one
> (my own bootstrap modal that uses the login module), let's call it
> "login1" and the second one from eXist's own prompt that fires for the
> restricted files - let's call it "login2".
>
> Login2 seems to be connected to the cookie and the session. If I call
> any security manager function *within* restXQ, login2 is used (e.g.
> sm:id()), if I call any security manager functions from my app module -
> e.g. sm:id() within app:myfunction(), login1 is used. This is very
> confusing!
>
> Login1 can logout by a button in the menu. This sets the logout
> parameter - and a new user can login to login1 via the login module.
>
> This logout parameter has no effect on login2 though. In other words: I
> can even close and reopen the browser (depending on my browser
> settings): unless I delete the cookie manually, test.xml (and worse: the
> restxq module) can still be accessed because login2 is still active,
> although login1 is logged out now. If a new user logs in on the
> bootstrap prompt now - a user without dba rights that should not be
> allowed to access test.xml or restxq-functions.xql - this user can still
> access the two files (unless I manually deleted the cookie).
>
> I tried to invalidate the session (session:invalidate()) and to use
> xmldb:login() directly within RESTXQ whenever the logout button is set
> (so when the button is clicked, also RESTXQ is called by AJAX, the
> corresponding RESTXQ function "logs in" guest and invalidates the
> session). But this has no effect whatsoever. After this I can still
> access restxq-functions.xql, from within the registered user is still
> not "guest" but whatever I entered when first prompted, I can still
> access test.xml until the cookie is deleted.
>
> So my simple question is: how to achieve a single consistent login and
> logout, that also acknowledges when files are called "directly" and not
> via templating - and that also gives security to RESTXQ.
>
> The way it is now, I cannot logout on RESTXQ at all without emptying my
> cookies in the browser - and thus every unauthorized user could
> potentially call critical RESTXQ functions. I do actually want to allow
> adding and deleting entire collections via RESTXQ - this is not possible
> if security is not provided in RESTXQ.
>
> Can someone give me hints on what I am doing wrong, and what I am
> missing? I'm only at the very beginning of my development, and I can
> already tell that I want to use RESTXQ heavily, but only if I can
> guarantee, that only authorized users can call these critical functions.
> So everything on RESTXQ and security would help - but as mentioned, the
> problem is not limited to RESTXQ. Although I admit, that requesting
> test.xml directly via AJAX is not a realistic use-case in my app, I
> don't see why a logged in user must login again to do this.
>
> Thanks for every hint. Sorry for the length.
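
The two-mechanism situation discussed in this thread, modelled as an added example (not part of the original messages and not eXist-db code). It assumes, following the guess in the reply, that the second prompt is HTTP Basic auth whose credentials the browser caches and resends, while the application login lives in a server-side cookie session; the accounts, the `sid` cookie and all function names are constructed for illustration.

```python
import base64
import hmac
from http.cookies import SimpleCookie

# Constructed accounts and server-side session store (hypothetical names).
USERS = {"admin": "s3cret", "reader": "pw"}
SESSIONS = {}  # session id -> user name

def basic_user(headers):
    """User proven by an 'Authorization: Basic' header, or None."""
    scheme, _, blob = headers.get("Authorization", "").partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        name, _, pw = base64.b64decode(blob, validate=True).decode().partition(":")
    except ValueError:  # bad base64 or bad UTF-8
        return None
    expected = USERS.get(name)
    ok = expected is not None and hmac.compare_digest(expected.encode(), pw.encode())
    return name if ok else None

def _sid(headers):
    cookie = SimpleCookie(headers.get("Cookie", ""))
    return cookie["sid"].value if "sid" in cookie else None

def session_user(headers):
    """User bound to the session cookie: the only identity the app controls."""
    return SESSIONS.get(_sid(headers))

def mixed_user(headers):
    """Both mechanisms accepted: the header wins whenever the browser sends it."""
    return basic_user(headers) or session_user(headers)

def logout(headers):
    """Drops the server-side session; cannot clear the browser's cached header."""
    SESSIONS.pop(_sid(headers), None)

def browser_request(sid, cached_basic=None):
    """Headers a browser sends: the cookie, plus any cached Basic credentials."""
    headers = {"Cookie": f"sid={sid}"}
    if cached_basic:
        token = base64.b64encode(cached_basic.encode()).decode()
        headers["Authorization"] = "Basic " + token
    return headers

def demo():
    """(mixed, session-only) identities after logout and after a new app login."""
    SESSIONS.clear()
    SESSIONS["abc"] = "admin"                     # app login as admin
    req = browser_request("abc", "admin:s3cret")  # browser also cached Basic creds
    logout(req)
    after_logout = (mixed_user(req), session_user(req))
    SESSIONS["abc"] = "reader"                    # a different user logs in to the app
    return after_logout, (mixed_user(req), session_user(req))
```

When only `session_user` decides access, logout takes effect immediately; with `mixed_user`, the identity stays `admin` for as long as the browser keeps resending the header.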