Re: [basex-talk] RESTXQ and access blocking

Wed, 14 Jan 2015 13:53:48 -0800 

I'm reading this thread and I foresee a problem with our system. Would it
be possible to enable/disable REST access on specific databases? For
example, block access to our translation database (content being
translated), but allow access to approved content (original content and
approved translations).

On Wed, Jan 14, 2015 at 9:21 AM, Lars Johnsen <yoon...@gmail.com> wrote:

> Thanks - it worked out nicely! Just commented out the <servlet>-section on
> REST.
>
> Cheers,
> Lars
>
> 2015-01-14 15:57 GMT+01:00 Dirk Kirsten <d...@basex.org>:
>
>> Hello Lars,
>>
>> You can disable the REST interface if you do not intend to use it (and
>> you solely use RESTXQ). This can be done using your web server. In our
>> default jetty-based HTTP server you can find the servlet mapping in
>> WEB-INF/web.xml, where you can simply disable the servlet mapping for REST.
>>
>> Of course you could also secure this path using your web service (.e.g
>> requesting a HTTP authentication when accessing REST).
>>
>> Cheers,
>> Dirk
>> On 01/14/2015 03:49 PM, Lars Johnsen wrote:
>> > Hi all
>> >
>> > I was wondering how to block general access to BaseX when using RESTXQ.
>> Our
>> > javascript/jquery web-application communicates with BaseX using commands
>> > like:
>> >
>> >      $('#myobject').load('objects')
>> >
>> > where the term 'objects' is defined as a path in a .xqm-file.
>> >
>> >      declare %rest:path("/objects")
>> >
>> > However, databases are exposed using the URL "/rest" which seems built
>> into
>> > the rest-module. For example, in the javascript/jquery console (f.ex. in
>> > Chrome ), a div could be filled up with content outside of the
>> application
>> > by typing things like:
>> >
>> >      $('div').load('rest/my_database')
>> >
>> > and general queries could be made using the rest-interface
>> > http://docs.basex.org/wiki/REST.
>> >
>> > Is there a way to prevent this, while at the same time using BaseX as
>> > web-server (one way is to use BaseX only as a backend database)? Or how
>> to
>> > limit the URLs permitted?
>> >
>> >
>> > Best
>> > Lars
>> >
>>
>> --
>> Dirk Kirsten, BaseX GmbH, http://basexgmbh.de
>> |-- Firmensitz: Blarerstrasse 56, 78462 Konstanz
>> |-- Registergericht Freiburg, HRB: 708285, Geschäftsführer:
>> | Dr. Christian Grün, Dr. Alexander Holupirek, Michael Seiferle
>> `-- Phone: 0049 7531 28 28 676, Fax: 0049 7531 20 05 22
>>
>>
>


-- 
France Baril
Architecte documentaire / Documentation architect
france.ba...@architextus.com

Reply via email to