I wish this were a little easier to reuse, but take a look at https://github.com/mblakele/roxy/tree/app-level-login for one implementation. The diff is https://github.com/mblakele/roxy/commit/ea37c1a1662506783c5c1f6992be376e4c896707
A number of moving parts have to come together. For security the main ingredients are to use POST, and to use TLS (not part of that patch). The app needs a rewriter that can protect some pages, but without preventing the login page from loading. It's also important to have a default login role that has enough privileges to run the login page, but not enough to cause trouble. The redirects are in skeleton form in that roxy branch, but I think you will see how to extend it without much trouble.

-- Mike

On 23 Mar 2013, at 19:16, Will Thompson <[email protected]> wrote:

> I've read the documentation in the security guide, but I'm curious if there
> might be a public repo somewhere that has a more "robust" implementation of
> xdmp:login(). I assume it's already been done many times, but the idea is a
> login controller-type piece that 1) accepts the credentials in a reasonably
> secure way (I'm not 100% sure how to do this), and 2) is smart enough to
> redirect the user back to the page they originally requested if they got
> punted to the login page for not being signed in, and 3) handles boilerplate
> on all the non-public pages.
>
> -Will
> _______________________________________________
> General mailing list
> [email protected]
> http://developer.marklogic.com/mailman/listinfo/general
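
The login step discussed in this thread, as an added example (not code from the roxy branch or from either poster): a login module that takes credentials only by POST over TLS and returns the user to the page they first asked for. It assumes a rewriter that sends unauthenticated requests for protected pages to `/login.xqy?return-to=<original URL>`; the path and the field names `return-to`, `user` and `password` are assumptions, and the return-target check is an addition that keeps the redirect from pointing off-site.

```xquery
xquery version "1.0-ml";
(: Added example: hypothetical /login.xqy. Path and field names are assumptions. :)

declare variable $LOGIN-PATH := "/login.xqy";

(: Only same-site absolute paths are valid return targets; anything else
   would turn the login page into an open redirector. :)
declare function local:safe-target($t as xs:string?) as xs:string
{
  if (fn:exists($t)
      and fn:starts-with($t, "/")
      and fn:not(fn:starts-with($t, "//"))
      and fn:not(fn:contains($t, "\"))
      and fn:not(fn:matches($t, "[\r\n]"))
      and fn:not(fn:starts-with($t, $LOGIN-PATH)))
  then $t
  else "/"
};

(: Login form; the return target travels in a hidden field so it survives the POST. :)
declare function local:form($target as xs:string, $message as xs:string?) as element(html)
{
  <html><body>
    <p>{$message}</p>
    <form method="post" action="{$LOGIN-PATH}">
      <input type="hidden" name="return-to" value="{$target}"/>
      <input type="text" name="user"/>
      <input type="password" name="password"/>
      <input type="submit" value="Log in"/>
    </form>
  </body></html>
};

let $target := local:safe-target(xdmp:get-request-field("return-to")[1])
let $_ := xdmp:set-response-content-type("text/html")
return
  if (xdmp:get-request-protocol() ne "https") then (
    (: never prompt for or accept credentials over plain HTTP :)
    xdmp:set-response-code(403, "TLS required"),
    <html><body><p>Use https for this page.</p></body></html>
  )
  else if (xdmp:get-request-method() ne "POST") then
    local:form($target, ())
  else if (try { xdmp:login(xdmp:get-request-field("user", "")[1],
                            xdmp:get-request-field("password", "")[1]) }
           catch ($e) { fn:false() }) then
    xdmp:redirect-response($target)
  else (
    xdmp:set-response-code(401, "Unauthorized"),
    local:form($target, "Login failed.")
  )
```

The module runs as the app server's default user until `xdmp:login` succeeds, so that user needs only enough privilege to execute this page.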
