Hi chaps,

I actually had on my list to produce a security set of XQuery
Annotations. Keeping in mind my current workload, it is unlikely that
I will get around to this until Feb/Mar at the earliest.

I use the term 'security' rather than 'authentication', as I think
that security encompasses authentication and more. In addition I think
this should be standalone from RESTXQ, let's call it SecurityXQ, but you
should certainly be able to use the annotations together in the same
context.

In my mind, the first priority would be to establish a simple user
model which would work for varied authentication providers; this
should also include defining the meaning of roles and/or groups. The
main reason why this should be separate from RESTXQ is that I think
security also applies to any XQuery, not just an XQuery run in a web
context. There may be web-specific security extensions, e.g.
basic/digest/challenge method annotations and SSL/TLS stuff etc.

e.g. something like -

%security:require-user("bob", "fred", "frank")
%security:require-group("my-users")

The above would be an OR of the two credential sets.

On 15 November 2012 13:37, Christian Grün <[email protected]> wrote:
> Hi Daniel,
>
> you may be interested to hear that we already have some first thoughts
> on extending the RESTXQ API with an authentication module. As you
> indicated, those "if" constructs are the current way to go. While it
> works fine in practice, I agree it's not the way it should be. The
> reasons why we haven't chosen a solution yet are that..
>
> -- we didn’t have enough time to put more focus on that issue
>
> -- we didn't want to restrict ourselves to the use cases we're
> currently aware of
>
> Maybe we should start off with a little spec describing what the %auth
> annotations should look like, where the authentication functionality
> will be located, and how we can ensure that also protocols like OAuth
> can be supported. As soon as we have specified the basics, the
> implementation shouldn’t cause too much headache. If you have some
> concrete ideas, your input is more than welcome!
>
> In the end, I’d like to get the enhancement into the work-in-progress
> RESTXQ draft (the exquery GitHub issue tracker is probably the best
> platform to discuss such extensions and propose extensions [1]). This
> is why I cc'ed this mail to Adam Retter..
>
> Christian
>
> [1] https://github.com/exquery/exquery/issues
> ___________________________
>
> On Wed, Nov 14, 2012 at 3:58 PM, Daniel Kvasnička
> <[email protected]> wrote:
>> Hi folks,
>>
>> I'd like to write an app using RESTXQ and I'd like to auth users using a 
>> regular form-based authentication and then on some XQuery functions check 
>> for an existing user session (and possibly user roles). I'd also like to add 
>> some social media login using OAuth (later).
>> My question is - is it somehow possible to do this in a declarative way? For 
>> example custom annotations on XQuery handlers? Something like 
>> %auth:roles-allowed("admin")
>> I definitely don't want to "if" at the beginning of every function that
>> should be protected. No problem with implementing this in Java or XQuery.
>> Just tell me how to approach this orthogonal concern in a reasonable way...
>> Or should I equate app users with BaseX users and leverage BaseX auth?
>>
>> Any tips appreciated (yes, you can even tell me BaseX RESTXQ is not a good 
>> tool for that).
>>
>> Daniel
>>
>> --
>> danielkvasnicka.net
>>
>> _______________________________________________
>> BaseX-Talk mailing list
>> [email protected]
>> https://mailman.uni-konstanz.de/mailman/listinfo/basex-talk



-- 
Adam Retter

skype: adam.retter
tweet: adamretter
http://www.adamretter.org.uk
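The OR semantics sketched above (a function allowed for any listed user, or for any member of a listed group) can be modelled outside of XQuery. The following is an added example, written for this page and not code from Adam, BaseX or the RESTXQ project. It parses annotation lines in the proposed `%security:require-user(...)` / `%security:require-group(...)` form and evaluates them against a principal. Everything beyond the two annotation names quoted in the mail is an assumption of this example: that a function carrying no `security:` annotation is public, that an unauthenticated caller gets a 401-style result distinct from a 403-style "forbidden", that the checks are combined with OR, and that an unknown annotation in the `security:` namespace is rejected at load time rather than silently ignored (so a typo never leaves an endpoint unprotected).

```python
"""Model of the proposed SecurityXQ annotation semantics (illustrative example)."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Annotation names taken from the proposal in the mail; everything else is assumed.
SECURITY_PREFIX = "security:"
KNOWN_SECURITY = {"security:require-user", "security:require-group"}

# %ns:name("a", "b")  ->  name, raw argument list
_ANNOT = re.compile(r'^%(?P<name>[\w-]+:[\w-]+)\((?P<args>.*)\)$')
_STRING_ARG = re.compile(r'"((?:[^"\\]|\\.)*)"')


@dataclass(frozen=True)
class Principal:
    user: Optional[str]                 # None means the caller is not authenticated
    groups: frozenset = frozenset()


def parse_annotations(lines: List[str]) -> List[Tuple[str, List[str]]]:
    """Parse annotation lines into (name, [string args]).

    Fail closed: a malformed line or an unknown name inside the security
    namespace is an error when the module is loaded, not something to ignore.
    """
    parsed = []
    for line in lines:
        m = _ANNOT.match(line.strip())
        if not m:
            raise ValueError(f"malformed annotation: {line!r}")
        name = m.group("name")
        if name.startswith(SECURITY_PREFIX) and name not in KNOWN_SECURITY:
            raise ValueError(f"unknown security annotation: {name}")
        parsed.append((name, _STRING_ARG.findall(m.group("args"))))
    return parsed


def decide(annotations: List[Tuple[str, List[str]]], principal: Principal) -> str:
    """Return 'allow', 'unauthenticated' (HTTP 401) or 'forbidden' (HTTP 403).

    Semantics from the mail: the values inside one annotation are alternatives,
    and the security annotations on one function are ORed together.
    Assumption: a function without any security annotation is public.
    """
    checks = [(n, a) for n, a in annotations if n.startswith(SECURITY_PREFIX)]
    if not checks:
        return "allow"
    if principal.user is None:
        return "unauthenticated"
    for name, args in checks:
        if name == "security:require-user" and principal.user in args:
            return "allow"
        if name == "security:require-group" and principal.groups.intersection(args):
            return "allow"
    return "forbidden"


# Constructed sample: the two annotations from the mail on one function,
# plus a RESTXQ routing annotation that the security check must ignore.
SAMPLE_ANNOTATIONS = [
    '%security:require-user("bob", "fred", "frank")',
    '%security:require-group("my-users")',
    '%rest:path("/admin")',
]


def demo() -> dict:
    """Evaluate the sample function for several callers."""
    ann = parse_annotations(SAMPLE_ANNOTATIONS)
    return {
        "bob_no_group": decide(ann, Principal("bob")),
        "alice_in_group": decide(ann, Principal("alice", frozenset({"my-users"}))),
        "alice_other_group": decide(ann, Principal("alice", frozenset({"guests"}))),
        "anonymous": decide(ann, Principal(None)),
        "public_function": decide(parse_annotations(['%rest:path("/")']), Principal(None)),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {result}")
```

Distinguishing "unauthenticated" from "forbidden" is what lets a web layer answer 401 with a challenge (basic/digest, a form redirect, or an OAuth flow) rather than a flat 403, while the group check keeps user lists out of the module once a real user model with groups or roles exists.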