Kerberos authentication will work on HTTP as long as your client code/library 
supports it.
The Server component of the REST services should work fine; I don't know the 
state of Kerberos support in the various client APIs (Java API, Node.js API, 
etc.).
Also note that the authentication type is not dynamically changeable per 
request - it's a property of the app server configuration.  This means that on 
the same port you can't both do, say, digest auth then switch to Kerberos auth 
without reconfiguring the app server.


-----------------------------------------------------------------------------
David Lee
Lead Engineer
MarkLogic Corporation
www.marklogic.com

From: [email protected] On Behalf Of Cynthia Jiang
Sent: Friday, May 08, 2015 8:00 AM
To: MarkLogic Developer Discussion
Subject: Re: [MarkLogic Dev General] external auth

What if we use Kerberos authentication, can we authenticate an external user 
through Kerberos with REST API?

On your website, it mentioned if we use application level authentication, a 
user can be authenticated by Kerberos and a Kerberos session ticket is used at 
a time determined by the App Server to authenticate the user to access 
MarkLogic Server.
The user must exist in MarkLogic, where the user's 'external name' matches the 
Kerberos User Principal.

We have a web application that users can access, and we'd like to make REST 
calls from the web application to MarkLogic, can a user be authenticated 
through Kerberos so we can restrict a user's access to certain documents based 
on their account?

Thanks,

Cynthia Jiang
RDA Corp


From: [email protected] On Behalf Of Jason Hunter
Sent: Thursday, May 7, 2015 9:56 PM
To: MarkLogic Developer Discussion
Subject: Re: [MarkLogic Dev General] external auth

Be very careful in putting the REST API on a port with public access.  If you 
do, anyone with database credentials will be able to have direct access to the 
database.  The REST API isn't intended for public exposure.  Same as an XDBC 
port, it's for internal access.

-jh-

On May 8, 2015, at 1:40 AM, David Ennis <[email protected]> wrote:

Hi.

This type of scenario seems very possible with the Enhanced HTTP Server 
configuration options available in Version 8. One of the most obvious 
out-of-the-box benefits of the new server rewrite engine is the fact that you 
need not have a separate port for your web app and REST API, for example. 
Consider also that you have control over quite a bit - including switching 
module databases and content databases as part of the rewrite rules - which may 
be of benefit to you for what you describe.

http://developer.marklogic.com/features/enhanced-http

Kind Regards,
David Ennis
Content Engineer
HintTech <http://www.hinttech.com/>

On 7 May 2015 at 17:28, cyanline llc <[email protected]> wrote:
Hello,
   Looking for a bit of philosophical help here. We're deploying
rest-apps with Roxy to one site. We have built a second site where users
register, login, and perform a number of actions. Then, when the user is
ready to use the marklogic rest-app, we pass them from the second site
to the marklogic site.
   We would like that the user need not authenticate themselves again
*and* that a user only has access to their rest-app, but not the others.
   With this current setup, we can see that we either need to pass the
session data from one server to another, or have a third-party server
track and share session data with the other 2 servers (i.e. LDAP).
   Is LDAP the way to go or are we way off with this current setup/there
is a better way to do this?

Thank you

_______________________________________________
General mailing list
[email protected]
Manage your subscription at:
http://developer.marklogic.com/mailman/listinfo/general