Tim,
MarkLogic’s built-in security model is very well suited for this. You can set 
up users, roles, and privileges for various levels of access and provide custom 
application logic based on the current user’s authorization.

For example, say I have an XQuery application that allows users to ask 
questions, respond to questions with answers, and then have a super-user 
delegate a specific answer to each question as the definitive answer. (Think: 
Stack Overflow-lite.) Anyone should be able to browse and view the questions. 
Only authenticated users should be able to ask new questions or provide answers 
to existing questions. And only super-users can flag answers as definitive. You 
can think of these as privileged tasks. In MarkLogic you’d express these with 
execute privileges (Security > Execute Privileges in the Admin UI). Each 
privilege is then tied to a corresponding role. I could create three roles: 
public, contributor, and curator respectively. My user, Connie, would be 
assigned the contributor role, meaning she can ask questions and respond to 
existing questions with answers. Curt could have the curator role, giving him 
the ability to flag a response as “the” answer. In my application code, I’d 
check if the current user has a privilege associated with his/her role. If not, 
I can either redirect to a login page or, using xdmp:has-privilege(), tailor my 
UI to what the user should be able to do. For example, on the page that 
displays a question, I want contributors, those that have the add-response 
privilege (http://examply.com/myapp/add-response) to be able to add a response 
using a form. If the current user does not have that privilege, I’ll display a 
link to the login form. In XQuery that might look something like:

{ (: the privilege check runs as the user authenticated for this request :)
  if (xdmp:has-privilege("http://examply.com/myapp/add-response", "execute")) then
    <form action="/question/{$id}" method="post" class="new-response">
      <div><textarea id="response" name="response"/></div>
      <div><button>Add…</button></div>
    </form>
  else
    <div><a href="/login">Login</a> to respond.</div>
}

The security documentation 
<http://developer.marklogic.com/pubs/4.2/books/security.pdf> is a good place 
for further reading.

Justin
Justin Makeig
Senior Product Manager
MarkLogic Corporation

Phone +1 650 655 2387

email  [email protected]
web    www.marklogic.com

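As an added example (not code from Justin's post or from MarkLogic's own samples), this is how the roles, privileges and users described above could be provisioned with the sec: library, followed by the server-side check the form's POST handler should make. The privilege URIs follow the examply.com pattern from the post; the role names, user names and passwords are placeholders, and a third privilege for marking the definitive answer is assumed.

```xquery
xquery version "1.0-ml";
(: Added example, not part of the original post. Evaluate against the
   Security database. Statements separated by ';' run as separate
   transactions, so statement 2 can reference the roles statement 1 creates. :)
import module namespace sec = "http://marklogic.com/xdmp/security"
  at "/MarkLogic/security.xqy";
(: Three roles, created flat (no inheritance) so one statement suffices. :)
sec:create-role("myapp-public", "Browse questions and answers", (), (), ()),
sec:create-role("myapp-contributor", "Ask questions, add responses", (), (), ()),
sec:create-role("myapp-curator", "Flag the definitive answer", (), (), ())
;
xquery version "1.0-ml";
import module namespace sec = "http://marklogic.com/xdmp/security"
  at "/MarkLogic/security.xqy";
(: Execute privileges. The action URI is what xdmp:has-privilege() checks;
   granting a privilege to a role grants it to every user holding the role. :)
sec:create-privilege("myapp-add-question", "http://examply.com/myapp/add-question",
  "execute", ("myapp-contributor", "myapp-curator")),
sec:create-privilege("myapp-add-response", "http://examply.com/myapp/add-response",
  "execute", ("myapp-contributor", "myapp-curator")),
sec:create-privilege("myapp-mark-answer", "http://examply.com/myapp/mark-answer",
  "execute", "myapp-curator"),
(: The users from the post; the passwords are placeholders. :)
sec:create-user("connie", "Contributor", "CHANGE-ME", "myapp-contributor", (), ()),
sec:create-user("curt", "Curator", "CHANGE-ME", "myapp-curator", (), ())
;
xquery version "1.0-ml";
(: Request-side guard for the POST handler behind the form. Hiding the form
   is a UI nicety; this check is what stops a hand-crafted request. :)
declare function local:authorized($action as xs:string) as xs:boolean {
  if (xdmp:has-privilege($action, "execute")) then fn:true()
  else (
    xdmp:log(fn:concat("denied ", $action, " for user ", xdmp:get-current-user()),
      "warning"),
    xdmp:set-response-code(403, "Forbidden"),
    fn:false()
  )
};
if (local:authorized("http://examply.com/myapp/add-response"))
then "response accepted" (: insert the response document here :)
else <div>Forbidden</div>
```

The xdmp:log call also covers the access-logging requirement from the original question, since the current user and the denied action are recorded in the server log.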

From: Tim Meagher <[email protected]>
Reply-To: General MarkLogic Developer Discussion <[email protected]>
Date: Wed, 19 Jan 2011 15:47:01 -0800
To: 'General MarkLogic Developer Discussion' <[email protected]>
Subject: [MarkLogic Dev General] Credentials & Access Control

Hi Folks,

I'm looking for ideas for passing in credentials as a means to restrict content 
access and application feature access, specifically to control whether a user 
can view or update web forms.  I also want to log user access.  I am thinking 
about creating a user object (XML record) that is good for the login session, 
but that gets back to how I am going to control user access.  I could develop a 
.Net application using XCC or simply HTTP access to MarkLogic, or, I can bypass 
the rich .Net interface and develop a login page directly via an HTTP 
interface.  I could create user accounts in MarkLogic and assign them to 
different roles, or develop application-level authentication in which I can 
create a user object that is mapped to content-access roles and to application 
feature access.  I would also like to support session timeouts.  The 
application will likely be behind a proxy server for public access.

I'm wondering if there are any sample applications, best practices, and/or 
recommendations available accordingly.

Thanks ahead of time!

Tim Meagher
_______________________________________________
General mailing list
[email protected]
http://developer.marklogic.com/mailman/listinfo/general