Now that I've solved the "how to make app users" problem ... (Thanks to Danny and Mike!)

I now have a new and more exciting problem!

I have a protected app, say, running on

    http://host:8012/html/myapp

I've set up a read-only executable user and the app works great.

Part of the app generates an HTML document from XML.  There are image
references in that document.  These images reside in the ML DB.

Using some tricks I found on the forums I use a link like this:

http://host:8012/html/common/getdbfile.xquery?uri=/SPL/20100114_fa3ed180-298a-4f9d-9d05-15182d7218bf/5c309ddf-b803-4ee1-98f6-81f4b21d9341-04.jpg

The xquery script "getdbfile.xquery" sets the content type based on the URI suffix and ends with a simple fn:doc($uri).

All worked great until I protected my app ... Now (of course) these calls are failing.

My first idea is I would need to make an unprotected App Server that only has this script and does some special checking to make sure only images are returned (which are not a security risk ... today).

But ... I'd rather it go through the normal authentication ....

Q1) Can I pass in the user/password into the URI? Is that supported by ML? (like in FTP or XCC it would be http://user:passw...@host:port)

Even if so though, that's a security hole because then the user/pass is sent back as plain text in the HTML. ... yuck.

Q2) Is there a way to pass in my 'logged in user' authentication somehow as a session ID or other tag which doesn't expose the user/pass in the clear?

I suppose I could write a custom app to do this, and use a "secret encoding", expose the app as an unprotected app and do magic tricks to validate the request ...

But maybe there is something in ML that does this more directly ... ?

Suggestions welcome ...

----------------------------------------

David A. Lee
Senior Principal Software Engineer
Epocrates, Inc.
[email protected]
812-482-5224

_______________________________________________
General mailing list
[email protected]
http://xqzone.com/mailman/listinfo/general
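A sketch of the "special checking" idea from the message above, as an added example that is not the original getdbfile.xquery: a hypothetical image-only version for an unprotected app server that serves a document only if its URI starts with an allowlisted prefix and ends in an image suffix, so the endpoint cannot be used to read arbitrary documents out of the database. The /SPL/ prefix, the suffix list and the function name local:image-content-type are assumptions.

```xquery
xquery version "1.0-ml";

(: Added example, not the original getdbfile.xquery: an image-only variant
   for an unprotected app server. A document is served only when its URI
   starts with an allowlisted prefix (assumed here: /SPL/) and ends in an
   image suffix; ".." segments are refused. The app server should still run
   as a read-only user whose role can read only these image documents. :)

declare variable $allowed-prefix as xs:string := "/SPL/";  (: assumption :)

(: Map an image suffix to a content type; anything else yields empty. :)
declare function local:image-content-type($suffix as xs:string) as xs:string? {
  if ($suffix = ("jpg", "jpeg")) then "image/jpeg"
  else if ($suffix eq "png") then "image/png"
  else if ($suffix eq "gif") then "image/gif"
  else ()
};

let $uri := xdmp:get-request-field("uri", "")[1]
let $suffix := fn:lower-case(fn:tokenize($uri, "\.")[fn:last()])
let $type := local:image-content-type($suffix)
return
  if (fn:not(fn:starts-with($uri, $allowed-prefix))
      or fn:contains($uri, "..")
      or fn:empty($type))
  then xdmp:set-response-code(403, "Forbidden")
  else
    let $doc := fn:doc($uri)
    return
      if (fn:empty($doc))
      then xdmp:set-response-code(404, "Not Found")
      else (
        (: The content type comes from the allowlist, never from the request. :)
        xdmp:set-response-content-type($type),
        $doc
      )
```

This only narrows what the unprotected endpoint can return; it does not address Q1/Q2, i.e. passing the already logged-in user's authentication through to the image requests.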
