Requiring session state on the server for a web service will bring you lasting 
misery.  Do not contemplate doing that; send credentials every time.  Create a 
client-side session object to encapsulate this if you don't want to expose this 
in every method signature.  Also consider not reinventing authentication; 
sending and storing passwords in plaintext is not a good practice; it's better 
to integrate with existing HTTP authentication methods, or implement a 
digest-based authentication protocol of some kind.


Sam Neth
Lead Engineer
MarkLogic Corporation
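
The approach described in the reply above (credentials proven on every call, held in a client-side session object, with a digest scheme instead of plaintext passwords) as an added C# example that is not part of the original thread. The class names are hypothetical, the sample values are those of the RFC 2617 worked example, .NET 5 or later is assumed, and the server is assumed to have issued the nonce.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

static class Digest   // RFC 2617 arithmetic (MD5, qop=auth); hypothetical helper names
{
    public static string Hex(byte[] b) => BitConverter.ToString(b).Replace("-", "").ToLowerInvariant();
    public static string Md5Hex(string s) => Hex(MD5.HashData(Encoding.UTF8.GetBytes(s)));
    // HA1 is what the server keeps per user in place of the plaintext password.
    public static string Ha1(string user, string realm, string pw) => Md5Hex($"{user}:{realm}:{pw}");
    public static string Response(string ha1, string method, string uri,
                                  string nonce, string nc, string cnonce) =>
        Md5Hex(string.Join(":", ha1, nonce, nc, cnonce, "auth", Md5Hex(method + ":" + uri)));
    // Server-side check: recompute from the stored HA1 and compare in constant time.
    public static bool Verify(string storedHa1, string method, string uri,
                              string nonce, string nc, string cnonce, string response) =>
        CryptographicOperations.FixedTimeEquals(Encoding.ASCII.GetBytes(response),
            Encoding.ASCII.GetBytes(Response(storedHa1, method, uri, nonce, nc, cnonce)));
}

// Client-side session object: holds the credential once and signs every request,
// so service methods need no username/password parameters.
sealed class ClientSession
{
    private readonly string _user, _realm, _ha1;
    private int _count;
    public ClientSession(string user, string realm, string password)
    { _user = user; _realm = realm; _ha1 = Digest.Ha1(user, realm, password); }

    public string AuthorizationHeader(string method, string uri, string nonce)
    {
        var rnd = new byte[8];
        RandomNumberGenerator.Fill(rnd);   // fresh client nonce per request
        string nc = (++_count).ToString("x8"), cnonce = Digest.Hex(rnd);
        string resp = Digest.Response(_ha1, method, uri, nonce, nc, cnonce);
        return $"Digest username=\"{_user}\", realm=\"{_realm}\", nonce=\"{nonce}\", uri=\"{uri}\", " +
               $"qop=auth, nc={nc}, cnonce=\"{cnonce}\", response=\"{resp}\"";
    }
}

static class Program
{
    static void Main()
    {
        // Sample values taken from the RFC 2617 worked example.
        const string user = "Mufasa", realm = "testrealm@host.com", nonce = "dcd98b7102dd2f0e8b11d0f600bfb0c093";
        string ha1 = Digest.Ha1(user, realm, "Circle Of Life");
        Console.WriteLine(Digest.Verify(ha1, "GET", "/dir/index.html", nonce, "00000001", "0a4f113b",
                                        "6629fae49393a05397450978507c4ef1"));
        Console.WriteLine(new ClientSession(user, realm, "Circle Of Life")
            .AuthorizationHeader("GET", "/dir/index.html", nonce));
    }
}
```

HA1 is still password-equivalent within its realm, so the user file needs the same access control as a password file. Nonce issuance and replay tracking of `nc` on the server are not shown.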





On Dec 6, 2010, at 9:59 AM, DJaun Maclin wrote:

Hi Sam and Geert,

Thanks for the reply! Your answers are very helpful for some questions coming up 
in this project, so I appreciate the help. I’m not worried about the connection 
between the Web service and ML, but I’m more worried about the connection 
between the client and the web service. I guess my real question is how could I 
check my user.xml file on MarkLogic to validate access to the web service? The 
users on this file will be the only ones with the power to use the web service, 
so I need to make this clear to the web service. The user.xml file also could 
be updated at any time, so it’s a dynamic list of users based on a subscription.

User.xml:
<user name="username1" pass="PasSworD392" realname="Bob Smith"/>
<user name="JaneG" pass="KittyKatz5" realname="Jane Goodman"/>
Etc.

I could write a query to check the given username and password against what I 
have in the ML database/file, but would I have to do this every time a user 
wants to use a function of the web service? I’m trying to stay away from adding 
the username and password to the parameter of each function in my web service 
(like getCitiesByState(String country, String state, String username, String 
password) ), so would anyone know any safe ways to authorize a session or a 
token between the web service and client with .net? I’m aware that this is more 
of a .net question, but I’m wondering if anyone has been in a situation like 
this before with ML.

Please let me know if more detail is needed.

Thanks in advance
Dj

________________________________
From: [email protected] On Behalf Of Sam Neth
Sent: Monday, December 06, 2010 1:46 AM
To: General MarkLogic Developer Discussion
Subject: Re: [MarkLogic Dev General] Web service user authentication with Marklogic

XCC/Java supports SSL.  XCC.net currently does not.

I'm not at all sure that's relevant though, as the question seems to be more 
about authentication.

Dj, can you explain the components involved here in a little more detail?


Sam Neth
Lead Engineer
MarkLogic Corporation


On Dec 5, 2010, at 11:23 PM, Geert Josten wrote:


Hi DJ,

To my knowledge XCC communication with an XDBC app server within MarkLogic 
Server is encrypted out of the box. But when in doubt you could also use an 
HTTP app server configured to accept HTTPS only.

Kind regards,
Geert





drs. G.P.H. (Geert) Josten
Consultant

Daidalos BV
Hoekeindsehof 1-4
2665 JZ Bleiswijk

T +31 (0)10 850 1200
F +31 (0)10 850 1199

mailto:[email protected]
http://www.daidalos.nl/

KvK 27164984




From: [email protected] On Behalf Of DJaun Maclin
Sent: Monday, 6 December 2010 2:56
To: [email protected]
Subject: [MarkLogic Dev General] Web service user authentication with Marklogic

Hello everyone,



I need some help implementing a .NET web service that checks
an XML file in a MarkLogic database to validate a user's
password and name. It would be nice if any user information
passed between the client and the web service is also
encrypted, but the data itself doesn't need to be encrypted.
Does anyone have any information that could push me in the
right direction toward securing a web service for users only?



Thanks in advance,

Dj




_______________________________________________
General mailing list
[email protected]
http://developer.marklogic.com/mailman/listinfo/general
