Hello France,

I guess the easiest solution would be to run REST with a user who only has 
access to the allowed databases. Another way could be blocking the appropriate 
REST calls for some specific databases (e.g. block 
http://my.url/rest/not-allowed-database). However, as an arbitrary XQuery could
be executed by, for example, using the query= parameter, this has to be blocked
as well. So writing a correct filter for each and every corner case is
non-trivial, I would guess.

Cheers,
Dirk

On 01/14/2015 10:52 PM, France Baril wrote:
> I'm reading this thread and I foresee a problem with our system. Would it
> be possible to enable/disable REST access on specific databases? For
> example, block access to our translation database (content being
> translated), but allow access to approved content (original content and
> approved translations).
>
> On Wed, Jan 14, 2015 at 9:21 AM, Lars Johnsen <yoon...@gmail.com> wrote:
>
> > Thanks - it worked out nicely! Just commented out the <servlet>-section on
> > REST.
> >
> > Cheers,
> > Lars
> >
> > 2015-01-14 15:57 GMT+01:00 Dirk Kirsten <d...@basex.org>:
> >
> >> Hello Lars,
> >>
> >> You can disable the REST interface if you do not intend to use it (and
> >> you solely use RESTXQ). This can be done using your web server. In our
> >> default jetty-based HTTP server you can find the servlet mapping in
> >> WEB-INF/web.xml, where you can simply disable the servlet mapping for REST.
> >>
> >> Of course you could also secure this path using your web service (e.g.
> >> requesting an HTTP authentication when accessing REST).
> >>
> >> Cheers,
> >> Dirk
> >> On 01/14/2015 03:49 PM, Lars Johnsen wrote:
> >>> Hi all
> >>>
> >>> I was wondering how to block general access to BaseX when using RESTXQ.
> >>> Our javascript/jquery web-application communicates with BaseX using commands
> >>> like:
> >>>
> >>>      $('#myobject').load('objects')
> >>>
> >>> where the term 'objects' is defined as a path in a .xqm-file.
> >>>
> >>>      declare %rest:path("/objects")
> >>>
> >>> However, databases are exposed using the URL "/rest" which seems built into
> >>> the rest-module. For example, in the javascript/jquery console (f.ex. in
> >>> Chrome), a div could be filled up with content outside of the application
> >>> by typing things like:
> >>>
> >>>      $('div').load('rest/my_database')
> >>>
> >>> and general queries could be made using the rest-interface
> >>> http://docs.basex.org/wiki/REST.
> >>>
> >>> Is there a way to prevent this, while at the same time using BaseX as
> >>> web-server (one way is to use BaseX only as a backend database)? Or how to
> >>> limit the URLs permitted?
> >>>
> >>>
> >>> Best
> >>> Lars
> >>>
> >>
> >> --
> >> Dirk Kirsten, BaseX GmbH, http://basexgmbh.de
> >> |-- Registered office: Blarerstrasse 56, 78462 Konstanz
> >> |-- Register court Freiburg, HRB: 708285, Managing directors:
> >> | Dr. Christian Grün, Dr. Alexander Holupirek, Michael Seiferle
> >> `-- Phone: 0049 7531 28 28 676, Fax: 0049 7531 20 05 22
> >>
> >>
> >
>
>

-- 
Dirk Kirsten, BaseX GmbH, http://basexgmbh.de
|-- Registered office: Blarerstrasse 56, 78462 Konstanz
|-- Register court Freiburg, HRB: 708285, Managing directors:
| Dr. Christian Grün, Dr. Alexander Holupirek, Michael Seiferle
`-- Phone: 0049 7531 28 28 676, Fax: 0049 7531 20 05 22
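
The filtering corner cases raised in the reply above, as an added example that is not part of the original thread or of BaseX: a path-only blocklist next to a default-deny allowlist for requests under /rest. The database names `approved` and `translations`, the function names and the sample requests are constructed for illustration, and the check is assumed to run in a proxy or filter in front of the REST servlet.

```python
import posixpath
from urllib.parse import urlsplit, parse_qs, unquote

ALLOWED_DATABASES = {"approved"}   # constructed name: databases REST may expose
ALLOWED_PARAMS = set()             # default-deny: no URL parameters (so no query=)

def naive_blocklist(method, url):
    """Path-only rule from the message: block /rest/<forbidden database>."""
    return not urlsplit(url).path.startswith("/rest/translations")

def allow_request(method, url):
    """Default-deny check: only plain GETs on allowlisted databases pass."""
    if method != "GET":                      # POST bodies can carry queries too
        return False
    parts = urlsplit(url)
    path = unquote(parts.path)
    if "%" in path:                          # still encoded after one pass: reject
        return False
    # Collapse "." / ".." and empty segments before looking at the database name.
    segments = [s for s in posixpath.normpath(path).split("/") if s]
    if len(segments) < 2 or segments[0] != "rest":
        return False                         # bare /rest is not a database path
    if segments[1] not in ALLOWED_DATABASES:
        return False
    params = parse_qs(parts.query, keep_blank_values=True)
    return set(params) <= ALLOWED_PARAMS     # any unlisted parameter is refused

# Constructed sample requests.
SAMPLES = [
    ("GET", "/rest/approved/doc.xml"),
    ("GET", "/rest/translations"),
    ("GET", "/rest/approved?query=PLACEHOLDER_XQUERY"),
    ("GET", "/rest/approved/%2e%2e/translations"),
    ("POST", "/rest/approved"),
    ("GET", "/rest"),
]

def compare(samples=SAMPLES):
    """Return (method, url, blocklist verdict, allowlist verdict) per sample."""
    return [(m, u, naive_blocklist(m, u), allow_request(m, u)) for m, u in samples]

if __name__ == "__main__":
    for method, url, naive, strict in compare():
        print(f"{method:4} {url:45} blocklist={naive!s:5} allowlist={strict}")
```

The blocklist passes every sample except the literal /rest/translations path, including the one carrying query=, while the allowlist passes only the plain document request.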
