Hello France,

I guess the easiest solution would be to run REST with a user who only has access to the allowed databases. Another way could be blocking the appropriate REST calls for some specific databases (e.g. block http://my.url/rest/not-allowed-database). However, as an arbitrary XQuery could be executed, for example by using the query= parameter, this has to be blocked as well. So writing a correct filter for each and every corner case is non-trivial, I would guess.
Cheers,
Dirk

On 01/14/2015 10:52 PM, France Baril wrote:
> I'm reading this thread and I foresee a problem with our system. Would it
> be possible to enable/disable REST access on specific databases? For
> example, block access to our translation database (content being
> translated), but allow access to approved content (original content and
> approved translations).
>
> On Wed, Jan 14, 2015 at 9:21 AM, Lars Johnsen <yoon...@gmail.com> wrote:
>
> > Thanks - it worked out nicely! Just commented out the <servlet>-section on
> > REST.
> >
> > Cheers,
> > Lars
> >
> > 2015-01-14 15:57 GMT+01:00 Dirk Kirsten <d...@basex.org>:
> >
> >> Hello Lars,
> >>
> >> You can disable the REST interface if you do not intend to use it (and
> >> you solely use RESTXQ). This can be done using your web server. In our
> >> default jetty-based HTTP server you can find the servlet mapping in
> >> WEB-INF/web.xml, where you can simply disable the servlet mapping for REST.
> >>
> >> Of course you could also secure this path using your web service (e.g.
> >> requesting HTTP authentication when accessing REST).
> >>
> >> Cheers,
> >> Dirk
> >>
> >> On 01/14/2015 03:49 PM, Lars Johnsen wrote:
> >>> Hi all
> >>>
> >>> I was wondering how to block general access to BaseX when using RESTXQ. Our
> >>> javascript/jquery web-application communicates with BaseX using commands
> >>> like:
> >>>
> >>> $('#myobject').load('objects')
> >>>
> >>> where the term 'objects' is defined as a path in a .xqm-file.
> >>>
> >>> declare %rest:path("/objects")
> >>>
> >>> However, databases are exposed using the URL "/rest" which seems built into
> >>> the rest-module. For example, in the javascript/jquery console (f.ex. in
> >>> Chrome), a div could be filled up with content outside of the application
> >>> by typing things like:
> >>>
> >>> $('div').load('rest/my_database')
> >>>
> >>> and general queries could be made using the rest-interface
> >>> http://docs.basex.org/wiki/REST.
> >>>
> >>> Is there a way to prevent this, while at the same time using BaseX as
> >>> web-server (one way is to use BaseX only as a backend database)? Or how to
> >>> limit the URLs permitted?
> >>>
> >>>
> >>> Best
> >>> Lars
> >>>
> >>
> >> --
> >> Dirk Kirsten, BaseX GmbH, http://basexgmbh.de
> >> |-- Registered office: Blarerstrasse 56, 78462 Konstanz
> >> |-- Register court Freiburg, HRB: 708285, Managing directors:
> >> | Dr. Christian Grün, Dr. Alexander Holupirek, Michael Seiferle
> >> `-- Phone: 0049 7531 28 28 676, Fax: 0049 7531 20 05 22
> >>
> >>
> >

--
Dirk Kirsten, BaseX GmbH, http://basexgmbh.de
|-- Registered office: Blarerstrasse 56, 78462 Konstanz
|-- Register court Freiburg, HRB: 708285, Managing directors:
| Dr. Christian Grün, Dr. Alexander Holupirek, Michael Seiferle
`-- Phone: 0049 7531 28 28 676, Fax: 0049 7531 20 05 22
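For readers who want to apply the two fixes discussed in this thread (disable the REST servlet mapping in WEB-INF/web.xml, as Lars did, or keep REST but run it as a restricted BaseX user, as Dirk suggests to France), the following web.xml excerpt is an added example. It is not from the thread and not BaseX's shipped file: the servlet names, servlet classes and the org.basex.user / org.basex.password context parameters are written as I remember the BaseX 8 defaults, so verify them against your own web.xml, and the user name restuser and its password are made up.

```xml
<!-- Excerpt of WEB-INF/web.xml (added example, not BaseX's shipped file).
     Servlet names/classes and the org.basex.* context-params are assumed to
     match the BaseX 8 defaults; verify against your own web.xml. -->
<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="3.0">

  <!-- Option B (keep REST, but not as admin): the shipped web.xml presets
       org.basex.user / org.basex.password to admin/admin, which is what lets
       $('div').load('rest/my_database') and /rest?query=... read everything.
       Either remove both params, so REST demands HTTP Basic credentials of a
       BaseX user, or point them at a user with restricted permissions.
       Note that RESTXQ functions also run as this user, so it still needs
       READ on whatever databases the %rest:path endpoints query. -->
  <context-param>
    <param-name>org.basex.user</param-name>
    <param-value>restuser</param-value>   <!-- assumed name, see GRANT note -->
  </context-param>
  <context-param>
    <param-name>org.basex.password</param-name>
    <param-value>CHANGE_ME</param-value>  <!-- placeholder, not a real secret -->
  </context-param>

  <!-- Option A (what Lars did): remove the REST servlet and its mapping
       entirely. Requests to /rest/* then fall through to the RESTXQ servlet
       mapped on /* and get a 404 unless a %rest:path happens to match.
  <servlet>
    <servlet-name>REST</servlet-name>
    <servlet-class>org.basex.http.rest.RESTServlet</servlet-class>
  </servlet>
  <servlet-mapping>
    <servlet-name>REST</servlet-name>
    <url-pattern>/rest/*</url-pattern>
  </servlet-mapping>
  -->

  <!-- RESTXQ stays; it is the only surface the jQuery front end needs. -->
  <servlet>
    <servlet-name>RESTXQ</servlet-name>
    <servlet-class>org.basex.http.restxq.RestXqServlet</servlet-class>
  </servlet>
  <servlet-mapping>
    <servlet-name>RESTXQ</servlet-name>
    <url-pattern>/*</url-pattern>
  </servlet-mapping>

</web-app>
```

Two checks worth doing after the change. First, Dirk's point about the query= parameter: a per-database path filter (block /rest/translation only) does not help, because /rest?query=... is served by the same servlet and can read any database the REST user may read; removing the whole /rest/* mapping (Option A) or restricting the user (Option B) covers the query form as well. Second, for France's per-database case under Option B, the restriction lives in BaseX's user permissions rather than in URLs: with the GRANT command as I recall it from the BaseX 8 docs (check the syntax against your version), something like `CREATE USER restuser CHANGE_ME`, `GRANT READ TO restuser` and `GRANT NONE ON translation TO restuser` gives the user read access everywhere except the translation database, so both /rest/translation and a query= that opens it fail for that user while approved content stays reachable. If your default web.xml also maps a WebDAV servlet, it exposes the same databases and should get the same treatment.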