You could give your default user read permission to the images (and any
other content that you don't want to protect) and then you don't need to
log in at all.

Normal application level login could then be used for sensitive content.
See the xdmp:login() function.

Wayne.
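As an added illustration of the approach above (this is example code, not Wayne's, David's, or MarkLogic's own getdbfile.xquery): if the app server's default user gets read permission on the image documents, the script that serves them should still refuse anything that is not an image under the expected directory, so that the unauthenticated path cannot be used to read other content. The example assumes the images live under the /SPL/ prefix seen in David's link, that the request carries the document URI in a `uri` request field, and that the role name passed to the grant helper is whatever role the app server's default user holds (a hypothetical value here).

```xquery
xquery version "1.0-ml";

(: Added example of an image-only getdbfile.xquery. Not code from the
   thread. Assumption: image documents are stored under /SPL/. :)
declare variable $ALLOWED-PREFIX as xs:string := "/SPL/";

(: Map a URI suffix to a content type; anything unknown yields the
   empty sequence, which the caller treats as "not servable". :)
declare function local:content-type-for($uri as xs:string) as xs:string? {
  let $suffix := fn:lower-case(fn:replace($uri, "^.*\.([^./]+)$", "$1"))
  return
    if ($suffix = ("jpg", "jpeg")) then "image/jpeg"
    else if ($suffix = "png") then "image/png"
    else if ($suffix = "gif") then "image/gif"
    else ()
};

(: True only when the URI sits under the allowed directory, contains no
   parent-directory segments, and carries a known image suffix. :)
declare function local:is-servable($uri as xs:string) as xs:boolean {
  fn:starts-with($uri, $ALLOWED-PREFIX)
  and fn:not(fn:contains($uri, ".."))
  and fn:exists(local:content-type-for($uri))
};

(: One-time administrative step, run separately by a privileged user,
   not from this request handler: give the role held by the app
   server's default user read access to one image document. Only the
   images get this permission; the rest of the database stays
   protected behind the normal application login. :)
declare function local:grant-read($uri as xs:string, $role as xs:string)
  as empty-sequence()
{
  xdmp:document-add-permissions($uri, xdmp:permission($role, "read"))
};

(: Request handling. A document the current user may not read is
   invisible to fn:doc-available, so a forbidden URI and a missing URI
   both produce the same 404 and leak nothing about what exists. :)
let $uri := xdmp:get-request-field("uri")
return
  if (fn:empty($uri) or fn:not(local:is-servable($uri))) then (
    xdmp:set-response-code(404, "Not Found"),
    ()
  )
  else if (fn:not(fn:doc-available($uri))) then (
    xdmp:set-response-code(404, "Not Found"),
    ()
  )
  else (
    xdmp:set-response-content-type(local:content-type-for($uri)),
    fn:doc($uri)
  )
```

The grant helper is deliberately narrow: it adds read permission per document rather than to a whole collection or directory, so an administrator can see exactly which documents the unauthenticated path can reach. The handler checks the prefix and suffix before it ever touches the database, and it never reveals whether a rejected URI exists.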


On Fri, 2010-04-16 at 11:58 -0700, Lee, David wrote:

> Now that I've solved the "how to make app users" problem ... (Thanks
> to Danny and Mike!)
>
> I now have a new and more exciting problem!
>
> I have a protected app, say running on
>
>     http://host:8012/html/myapp
>
> I've set up a read-only executable user and the app works great.
>
> Part of the app generates an HTML document from XML. There are image
> references in that document. These images reside in the ML DB.
>
> Using some tricks I found on the forums I use a link like this:
>
>     http://host:8012/html/common/getdbfile.xquery?uri=/SPL/20100114_fa3ed180-298a-4f9d-9d05-15182d7218bf/5c309ddf-b803-4ee1-98f6-81f4b21d9341-04.jpg
>
> The xquery script "getdbfile.xquery" sets the content type based on
> the URI suffix and ends with a simple fn:doc($uri)
>
> All worked great until I protected my app ... Now (of course) these
> calls are failing.
>
> My first idea is I would need to make an unprotected App Server that
> only has this script and does some special checking to make sure only
> images are returned (which are not a security risk ... today).
>
> But ... I'd rather it go through the normal authentication ....
>
> Q1) Can I pass in the user/password into the URI? Is that supported
> by ML? (like in FTP or XCC it would be
> http://user:passw...@host:port )
>
> Even if so though, that's a security hole because then the user/pass is
> sent back as plain text in the HTML. ... yuck.
>
> Q2) Is there a way to pass in my 'logged in user' authentication
> somehow as a session ID or other tag which doesn't expose the user/pass
> in the clear?
>
> I suppose I could write a custom app to do this, and use a "secret
> encoding", expose the app as an unprotected app and do magic tricks
> to validate the request ...
>
> But maybe there is something in ML that does this more directly ... ?
>
> Suggestions welcome ...
>
> ----------------------------------------
> David A. Lee
> Senior Principal Software Engineer
> Epocrates, Inc.
> [email protected]
> 812-482-5224


_______________________________________________
General mailing list
[email protected]
http://xqzone.com/mailman/listinfo/general