[basex-talk] %perm:allow annotation
Hi again,

I've another question about the %perm:allow annotation. Is it possible to use multiple instances of this annotation? My expectation would be that any of the listed roles is allowed to call the function. For example:

    declare
      %rest:GET
      %rest:path("/multi")
      %perm:allow("role1")
      %perm:allow("role2")
    function test:multi() as item()* {
      multi
    };

    declare
      %rest:GET
      %rest:path("/single")
      %perm:allow("role1")
    function test:single() as item()* {
      single
    };

    declare
      %perm:check('/admin', '{$perm}')
    function test:check($perm) {
      ()
    };

When I call /multi the first time I get a response. But all further calls to /multi will result in a NullPointerException. Calls to /single do not have this problem. My error stacktrace is:

    java.lang.NullPointerException
        at org.basex.util.list.ObjectList.finish(ObjectList.java:235)
        at org.basex.query.value.seq.StrSeq.get(StrSeq.java:64)
        at org.basex.http.restxq.RestXqPerm.map(RestXqPerm.java:43)
        at org.basex.http.restxq.RestXqFunction.bind(RestXqFunction.java:263)
        at org.basex.http.restxq.RestXqResponse.bind(RestXqResponse.java:61)
        at org.basex.http.web.WebResponse.create(WebResponse.java:53)
        at org.basex.http.restxq.RestXqServlet.run(RestXqServlet.java:50)
        at org.basex.http.BaseXServlet.service(BaseXServlet.java:59)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:742)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:231)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
        at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
        at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:199)
        at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:96)
        at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:478)
        at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:140)
        at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:81)
        at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:650)
        at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:87)
        at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:342)
        at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:803)
        at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:66)
        at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:868)
        at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1459)
        at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)
        at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
        at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
        at java.lang.Thread.run(Thread.java:745)

I think the error is at the location where it parses the perm:allow annotations.

Best regards
Johannes
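The "any of the listed roles" semantics expected in the post above, written out as an added example (not code from the post or from the BaseX project). It assumes that the `allow` entry of the check map carries the strings of every `%perm:allow` annotation on the called function, and that login code stored the caller's role names in the session under a hypothetical `roles` key; the module namespace, the `/admin/multi` path and the `<result>` element are also made up for illustration.

```xquery
module namespace test = 'http://example.org/test';  (: hypothetical namespace URI :)

(: Target function with two %perm:allow annotations, as in the post.
   The path is placed under /admin so that the check below applies to it. :)
declare
  %rest:GET
  %rest:path("/admin/multi")
  %perm:allow("role1")
  %perm:allow("role2")
function test:multi() as item()* {
  <result>multi</result>
};

(: Permission check for every RESTXQ function below /admin.
   Returning nothing lets the request through; returning a response stops it. :)
declare
  %perm:check('/admin', '{$perm}')
function test:check($perm as map(*)) as element(rest:response)? {
  (: Assumption: one string per %perm:allow annotation of the called function. :)
  let $allowed := $perm?allow
  (: Assumption: role names were stored under 'roles' when the user logged in. :)
  let $granted := session:get('roles')
  (: A general comparison is existential, so one shared role is enough.
     If $allowed or $granted is empty nothing matches and the check fails
     closed: unannotated functions and anonymous callers are both rejected. :)
  where not($allowed = $granted)
  return
    <rest:response>
      <http:response status="403" message="Forbidden"/>
    </rest:response>
};
```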
Re: [basex-talk] fn:serialize() behaviour
Hi George,

Your query will probably give a better result if you wrap head and body into an html element:

    let $head :=
    let $body :=
    return serialize(
      element html { $head, $body },
      map { "method": "html", "version": "5.0" }
    )

But you are right, in general it makes no sense to output the document type declaration more than once. The nifty details are defined in a separate specification [1]. The document is very comprehensive, but there are still some combinations of serialization parameters that are not discussed in full depth.

I noticed that BaseX and Saxon behave differently in some cases. For example, Saxon may raise SEPM0004 error for both the "xml" and "xhtml" output method, while it’s only defined for "xml" in the spec. This error code is raised if a doctype declaration is requested, and if more than one item is to be output.

BaseX followed the spec more closely, but as the Saxon solution seems more consistent to me, I just updated our code:

• The new snapshot [2] will output only one doctype declaration.
• SEPM0004 will also be raised for the xhtml method now (not for html, though, because html serialization is generally more lax than xml/xhtml serialization).
• In analogy with Saxon, I turned the implementation-defined default for the "include-content-type" parameter to "yes"; so the output of the query above will now be as follows:

Cheers,
Christian

[1] https://www.w3.org/TR/xslt-xquery-serialization-31/
[2] http://files.basex.org/releases/latest/

> This is probably a non issue, but I thought I should report it anyway. I was
> playing around with serialization options today and I noticed that:
>
> let $head :=
> let $body :=
> return serialize(($head, $body), map { "method": "html", "version": "5.0"})
>
> will return
>
> I don't think fn:serialize() is defined in the xquery spec so it's
> implementation specific so I guess it also could be correct :)
>
> Also I have a question, I remember in the past a discussion about need for
> extra testing (XQuery spec wise) in BaseX? Is this still an issue? Hopefully
> I can find some time and help out with that.
>
> Regards,
>
> George
[basex-talk] WWW-Authenticate header
Hello BaseX Team,

I'm trying to implement a RESTXQ service that uses JWT tokens for authorization and authentication. For this purpose I use a permission check annotated function that validates the token and returns a 401 response if the token is invalid or missing.

    declare
      %perm:check('/admin', '{$perm}')
    function security:check-admin($perm) {
      let $token := $perm?authorization
      where empty($token)
      return
    };

When I call the endpoint without token I get the expected response but the WWW-Authenticate header is different to the one that I have defined:

    WWW-Authenticate Basic realm="BaseX"

Is there a way to override the BaseX provided header? Thanks for your input.

Best regards
Johannes