RestXQ security

classic Classic list List threaded Threaded
6 messages Options
Reply | Threaded
Open this post in threaded view
|

RestXQ security

remy.brefort
Hi,

looking for best practices to secure my RestXQ access, I found some interesting discussions in the mailing list (most from 2014) but no built in solution.
Is there something new about it ?

Best regards

Remy

 



------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
_______________________________________________
Exist-open mailing list
[hidden email]
https://lists.sourceforge.net/lists/listinfo/exist-open
Reply | Threaded
Open this post in threaded view
|

Re: RestXQ security

Adam Retter
Remy,

Can you elaborate on what you mean by secure?

If you use appropriate permissions on your XQuery Modules, then eXist
should enforce a security model requiring authentication etc.

On 24 April 2017 at 13:07,  <[hidden email]> wrote:

> Hi,
>
> looking for best practices to secure my RestXQ access, I found some
> interesting discussions in the mailing list (most from 2014) but no built in
> solution.
> Is there something new about it ?
>
> Best regards
>
> Remy
>
>
>
>
>
> ------------------------------------------------------------------------------
> Check out the vibrant tech community on one of the world's most
> engaging tech sites, Slashdot.org! http://sdm.link/slashdot
> _______________________________________________
> Exist-open mailing list
> [hidden email]
> https://lists.sourceforge.net/lists/listinfo/exist-open
>



--
Adam Retter

eXist Developer
{ United Kingdom }
[hidden email]
irc://irc.freenode.net/existdb

------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
_______________________________________________
Exist-open mailing list
[hidden email]
https://lists.sourceforge.net/lists/listinfo/exist-open
Reply | Threaded
Open this post in threaded view
|

Re: RestXQ security

remy.brefort
Hi Adam,

the goal of my app is to edit xml data according to a custom schema, using eXist-db 3.1.1.
It uses RestXQ with GET and POST requests. I find RestXQ very usefull and easy to implement.
The access is restricted to a group of users who have rwx rights. But RestXQ requests are executed as guest and result in an "error 500".
I partially solved the problem using xmldb:login function within my requests and restricting access to the requests from the interface with javascript according to the login of the user.
But I'm not satisfied because somebody can launch directly the request by URL and execute it with the rights given by the xmldb:login function.
I saw in a previous discussion something about %rest:header-param and %rest:cookie-param. Does this can help to resolve my problem or is there another approach ?

Best regards

Remy



De: "Adam Retter" <[hidden email]>
À: "remy brefort" <[hidden email]>
Cc: "exist-open" <[hidden email]>
Envoyé: Mercredi 26 Avril 2017 04:45:43
Objet: Re: [Exist-open] RestXQ security

Remy,

Can you elaborate on what you mean by secure?

If you use appropriate permissions on your XQuery Modules, then eXist
should enforce a security model requiring authentication etc.

On 24 April 2017 at 13:07,  <[hidden email]> wrote:

> Hi,
>
> looking for best practices to secure my RestXQ access, I found some
> interesting discussions in the mailing list (most from 2014) but no built in
> solution.
> Is there something new about it ?
>
> Best regards
>
> Remy
>
>
>
>
>
> ------------------------------------------------------------------------------
> Check out the vibrant tech community on one of the world's most
> engaging tech sites, Slashdot.org! http://sdm.link/slashdot
> _______________________________________________
> Exist-open mailing list
> [hidden email]
> https://lists.sourceforge.net/lists/listinfo/exist-open
>



--
Adam Retter

eXist Developer
{ United Kingdom }
[hidden email]
irc://irc.freenode.net/existdb


------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
_______________________________________________
Exist-open mailing list
[hidden email]
https://lists.sourceforge.net/lists/listinfo/exist-open
Reply | Threaded
Open this post in threaded view
|

Re: RestXQ security

Adam Retter
> the goal of my app is to edit xml data according to a custom schema, using
> eXist-db 3.1.1.
> It uses RestXQ with GET and POST requests. I find RestXQ very usefull and
> easy to implement.

:-)

> The access is restricted to a group of users who have rwx rights. But RestXQ
> requests are executed as guest and result in an "error 500".

If the permissions on your XQuery Library Module (which houses your
RESTXQ Resource Functions) prohibit guest access, then RESTXQ will not
execute the query, instead it will cause eXist to prompt for
authentication (unless you have sent auth credentials pre-challenge),
if the credentials are valid the query will be executed. You can also
combine this with the setUid and setGid flag in the mode to control
who the query is executed as if you need that.


> I partially solved the problem using xmldb:login function within my requests
> and restricting access to the requests from the interface with javascript
> according to the login of the user.
> But I'm not satisfied because somebody can launch directly the request by
> URL and execute it with the rights given by the xmldb:login function.
> I saw in a previous discussion something about %rest:header-param and
> %rest:cookie-param. Does this can help to resolve my problem or is there
> another approach ?

I am not sure still why you don't just use the mode on the XQuery
Library Module as described above? Perhaps you could give give me some
very simple examples of what you want to achieve?


--
Adam Retter

eXist Developer
{ United Kingdom }
[hidden email]
irc://irc.freenode.net/existdb

------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
_______________________________________________
Exist-open mailing list
[hidden email]
https://lists.sourceforge.net/lists/listinfo/exist-open
Reply | Threaded
Open this post in threaded view
|

Re: RestXQ security

remy.brefort
Hi Adam,

All is OK. Suppressing the guest access to my XQuery Library Module resolves my problem.

Thanks a lot

Remy


De: "Adam Retter" <[hidden email]>
À: "remy brefort" <[hidden email]>
Cc: "exist-open" <[hidden email]>
Envoyé: Lundi 1 Mai 2017 09:32:00
Objet: Re: [Exist-open] RestXQ security

> the goal of my app is to edit xml data according to a custom schema, using
> eXist-db 3.1.1.
> It uses RestXQ with GET and POST requests. I find RestXQ very usefull and
> easy to implement.

:-)

> The access is restricted to a group of users who have rwx rights. But RestXQ
> requests are executed as guest and result in an "error 500".

If the permissions on your XQuery Library Module (which houses your
RESTXQ Resource Functions) prohibit guest access, then RESTXQ will not
execute the query, instead it will cause eXist to prompt for
authentication (unless you have sent auth credentials pre-challenge),
if the credentials are valid the query will be executed. You can also
combine this with the setUid and setGid flag in the mode to control
who the query is executed as if you need that.


> I partially solved the problem using xmldb:login function within my requests
> and restricting access to the requests from the interface with javascript
> according to the login of the user.
> But I'm not satisfied because somebody can launch directly the request by
> URL and execute it with the rights given by the xmldb:login function.
> I saw in a previous discussion something about %rest:header-param and
> %rest:cookie-param. Does this can help to resolve my problem or is there
> another approach ?

I am not sure still why you don't just use the mode on the XQuery
Library Module as described above? Perhaps you could give give me some
very simple examples of what you want to achieve?


--
Adam Retter

eXist Developer
{ United Kingdom }
[hidden email]
irc://irc.freenode.net/existdb


------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
_______________________________________________
Exist-open mailing list
[hidden email]
https://lists.sourceforge.net/lists/listinfo/exist-open
Reply | Threaded
Open this post in threaded view
|

Re: RestXQ security

Adam Retter
No problem :-)

On 2 May 2017 at 14:03,  <[hidden email]> wrote:

> Hi Adam,
>
> All is OK. Suppressing the guest access to my XQuery Library Module resolves
> my problem.
>
> Thanks a lot
>
> Remy
>
> ________________________________
> De: "Adam Retter" <[hidden email]>
> À: "remy brefort" <[hidden email]>
> Cc: "exist-open" <[hidden email]>
> Envoyé: Lundi 1 Mai 2017 09:32:00
> Objet: Re: [Exist-open] RestXQ security
>
>> the goal of my app is to edit xml data according to a custom schema, using
>> eXist-db 3.1.1.
>> It uses RestXQ with GET and POST requests. I find RestXQ very usefull and
>> easy to implement.
>
> :-)
>
>> The access is restricted to a group of users who have rwx rights. But
>> RestXQ
>> requests are executed as guest and result in an "error 500".
>
> If the permissions on your XQuery Library Module (which houses your
> RESTXQ Resource Functions) prohibit guest access, then RESTXQ will not
> execute the query, instead it will cause eXist to prompt for
> authentication (unless you have sent auth credentials pre-challenge),
> if the credentials are valid the query will be executed. You can also
> combine this with the setUid and setGid flag in the mode to control
> who the query is executed as if you need that.
>
>
>> I partially solved the problem using xmldb:login function within my
>> requests
>> and restricting access to the requests from the interface with javascript
>> according to the login of the user.
>> But I'm not satisfied because somebody can launch directly the request by
>> URL and execute it with the rights given by the xmldb:login function.
>> I saw in a previous discussion something about %rest:header-param and
>> %rest:cookie-param. Does this can help to resolve my problem or is there
>> another approach ?
>
> I am not sure still why you don't just use the mode on the XQuery
> Library Module as described above? Perhaps you could give give me some
> very simple examples of what you want to achieve?
>
>
> --
> Adam Retter
>
> eXist Developer
> { United Kingdom }
> [hidden email]
> irc://irc.freenode.net/existdb
>



--
Adam Retter

eXist Developer
{ United Kingdom }
[hidden email]
irc://irc.freenode.net/existdb

------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
_______________________________________________
Exist-open mailing list
[hidden email]
https://lists.sourceforge.net/lists/listinfo/exist-open