Re: [basex-talk] WWW-Authenticate header

2019-02-04 Thread Johannes Bauer

Hi Christian,

I've tested this and the multiple %perm:allow annotations again with the 
latest snapshot.

Both are working as expected now.

Thank you for taking care of this.

Best regards
Johannes

On 04.02.2019 at 14:57, Christian Grün wrote:

Hi Johannes,

If the error code 401 is returned, the BaseX standard authentication
values had been assigned to the response header.

I have revised this a little: With the latest snapshot, the BaseX
authentication header will only be assigned if the user does not
provide a custom header in the RESTXQ response. A latest snapshot is
online [1].

Best,
Christian

[1] http://files.basex.org/releases/latest/




On Wed, Jan 30, 2019 at 9:16 AM Johannes Bauer wrote:

Hello BaseX Team,

I'm trying to implement a RESTXQ service that uses JWT tokens for authorization 
and authentication.
For this purpose I use a permission check annotated function that validates the 
token and returns a 401 response if the token is invalid or missing.

declare %perm:check('/admin', '{$perm}') function security:check-admin($perm)
{
let $token := $perm?authorization
where empty($token)
return

   
  
   

};

When I call the endpoint without token I get the expected response but the 
WWW-Authenticate header is different to the one that I have defined:

WWW-Authenticate Basic realm="BaseX"

Is there a way to override the BaseX provided header?

Thanks for your input.

Best regards
Johannes
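
Added example (not part of the original messages, and not BaseX code): a client-side check, in Python, for the behaviour discussed in this thread. It parses the WWW-Authenticate value of a 401 response and reports whether the server default quoted above is present instead of the service's own challenge. The Bearer scheme, the "admin" realm and all function names are assumptions; the sample headers are constructed.

```python
import re

TOKEN = r"[A-Za-z0-9!#$%&'*+.^_`|~-]+"
QUOTED = r'"(?:[^"\\]|\\.)*"'
ELEMENT = re.compile(rf'(?:[^,"]|{QUOTED})+')  # list item; commas in quotes stay
PARAM = re.compile(rf'^({TOKEN})\s*=\s*(?:({QUOTED})|({TOKEN}))$')
SCHEME = re.compile(rf"^({TOKEN})(?:\s+(?!=)(.*))?$", re.S)
BASEX_DEFAULT = ("basic", "BaseX")  # the server default quoted in the thread

def parse_challenges(value):
    """Return [(scheme, {param: value})] for one WWW-Authenticate value."""
    if '"' in re.sub(QUOTED, "", value):
        raise ValueError("unterminated quoted-string")
    out = []
    for part in (p.strip() for p in ELEMENT.findall(value)):
        m = PARAM.match(part)
        if part and m is None:  # not key=value: this element opens a challenge
            s = SCHEME.match(part)
            if s is None:
                raise ValueError(f"malformed element: {part!r}")
            out.append((s.group(1), {}))
            rest = (s.group(2) or "").strip()
            m = PARAM.match(rest)
            if rest and m is None:  # token68 form, e.g. "Negotiate <blob>"
                out[-1][1]["token68"] = rest
        if m is not None:
            if not out:
                raise ValueError("auth-param before any scheme")
            key, quoted, bare = m.groups()
            out[-1][1][key.lower()] = (
                re.sub(r"\\(.)", r"\1", quoted[1:-1]) if quoted else bare)
    return out

def audit_401(headers, expected_scheme):
    """headers: (name, value) pairs of a 401 response; returns a list of issues."""
    found = [c for n, v in headers if n.lower() == "www-authenticate"
             for c in parse_challenges(v)]
    issues = []
    if not any(s.lower() == expected_scheme.lower() for s, _ in found):
        issues.append(f"no {expected_scheme} challenge")
    if any((s.lower(), p.get("realm")) == BASEX_DEFAULT for s, p in found):
        issues.append('server default Basic realm="BaseX" present')
    return issues

# Constructed sample responses: default header vs. a custom one (assumed values)
BEFORE = [("WWW-Authenticate", 'Basic realm="BaseX"')]
AFTER = [("WWW-Authenticate", 'Bearer realm="admin"')]
```

audit_401(BEFORE, "Bearer") lists two issues and audit_401(AFTER, "Bearer") lists none.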






Re: [basex-talk] %perm:allow annotation

2019-02-04 Thread Christian Grün
Good catch! It has been fixed in the latest snapshot.



On Wed, Jan 30, 2019 at 3:42 PM Johannes Bauer wrote:
>
> Hi again,
>
> I've another question about the %perm:allow annotation. Is it possible to use 
> multiple instances of this annotation?
>
> My expectation would be that any of the listed roles is allowed to call the 
> function. For example:
>
> declare
> %rest:GET
> %rest:path("/multi")
> %perm:allow("role1")
> %perm:allow("role2")
> function test:multi() as item()*
> {
>multi
> };
>
> declare
> %rest:GET
> %rest:path("/single")
> %perm:allow("role1")
> function test:single() as item()*
> {
>single
> };
>
>
>
> declare %perm:check('/admin', '{$perm}') function test:check($perm)
> {
>()
> };
>
>
> When I call /multi the first time I get a response. But all further calls to 
> /multi will result in a NullPointerException.
> Calls to /single do not have this problem.
>
> My error stacktrace is:
>
> java.lang.NullPointerException
> at org.basex.util.list.ObjectList.finish(ObjectList.java:235)
> at org.basex.query.value.seq.StrSeq.get(StrSeq.java:64)
> at org.basex.http.restxq.RestXqPerm.map(RestXqPerm.java:43)
> at org.basex.http.restxq.RestXqFunction.bind(RestXqFunction.java:263)
> at org.basex.http.restxq.RestXqResponse.bind(RestXqResponse.java:61)
> at org.basex.http.web.WebResponse.create(WebResponse.java:53)
> at org.basex.http.restxq.RestXqServlet.run(RestXqServlet.java:50)
> at org.basex.http.BaseXServlet.service(BaseXServlet.java:59)
> at javax.servlet.http.HttpServlet.service(HttpServlet.java:742)
> at 
> org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:231)
> at 
> org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
> at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)
> at 
> org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
> at 
> org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
> at 
> org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:199)
> at 
> org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:96)
> at 
> org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:478)
> at 
> org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:140)
> at 
> org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:81)
> at 
> org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:650)
> at 
> org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:87)
> at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:342)
> at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:803)
> at 
> org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:66)
> at 
> org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:868)
> at 
> org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1459)
> at 
> org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)
> at 
> java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
> at 
> java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
> at 
> org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
> at java.lang.Thread.run(Thread.java:745)
>
>
> I think the error is at the location where he parses the perm:allow 
> annotations.
>
> Best regards
> Johannes
>


Re: [basex-talk] WWW-Authenticate header

2019-02-04 Thread Christian Grün
Hi Johannes,

If the error code 401 is returned, the BaseX standard authentication
values had been assigned to the response header.

I have revised this a little: With the latest snapshot, the BaseX
authentication header will only be assigned if the user does not
provide a custom header in the RESTXQ response. A latest snapshot is
online [1].

Best,
Christian

[1] http://files.basex.org/releases/latest/




On Wed, Jan 30, 2019 at 9:16 AM Johannes Bauer wrote:
>
> Hello BaseX Team,
>
> I'm trying to implement a RESTXQ service that uses JWT tokens for 
> authorization and authentication.
> For this purpose I use a permission check annotated function that validates 
> the token and returns a 401 response if the token is invalid or missing.
>
> declare %perm:check('/admin', '{$perm}') function security:check-admin($perm)
> {
> let $token := $perm?authorization
> where empty($token)
> return
>
>   
>  
>   
>
> };
>
> When I call the endpoint without token I get the expected response but the 
> WWW-Authenticate header is different to the one that I have defined:
>
> WWW-Authenticate Basic realm="BaseX"
>
> Is there a way to override the BaseX provided header?
>
> Thanks for your input.
>
> Best regards
> Johannes
>


Re: [basex-talk] Global lock = false and parallel update processes to different DBs

2019-02-04 Thread Christian Grün
Hi France,

> I noticed that the latest version of BaseX lost this feature and nothing 
> seems to replace it. I'm trying to improve performance of batch processes and 
> I was counting on that feature a lot. Any chance it will come back or that 
> something equivalent will come?

With BaseX 9, we removed the classical GLOBALLOCK option (i.e.,
GLOBALLOCK = false is standard now).

> get db:open($lang)/*
> process
> save to db:open('staging-' || $lang)

The name of your database may be specified as static string in your
query (no matter if you use BaseX 8 or 9):

  get db:open('de')/*
  process
  save to db:open('staging-de')

Did you try this already?
Christian