We've a custom rigging of Sugar (using GWT for various front end stuff), and we use the SOAP API for much of our querying (vs. directly to the DB).
One of the API calls to check credentials is get_available_modules, which returns all available modules for a given user. How could a user have access to a module in the web interface, but not via a SOAP call (same session id?).
Not entirely sure on your question. Do you want a user to hve access to one set of modules from web and another set via soap? Or is there a difference on you setup?
First off, there should not be a difference between a user's available modules on web and soap calls.
If you want a different set for each access method, you need to change e.g. "get_available_modules" in the soap web service. One crude approch could be to make an override array in config_override.php abd check against that array in the soap function.
Related
We are looking to take an approach where there are service accounts in MarkLogic, but not accounts for all actual users. We would use a custom authentication token, JSWT in this case, and then via xdmp:login, elevate the calling user to the appropriate roles.
This is all fine if we create a custom HTTP server with our own rewriter to our modules. If we want to leverage the already built out REST API, is the only option to essentially create a wrapper around each of the XQuery modules that get dispatched to from the REST rewriter, in order to call the xdmp:login flow prior to fulfilling the rest of the REST api workflow? I did not see any way with the enhanced HTTP rewriter configuration to run arbitrary XQuery code before the dispatch flow.
Is this a feasible idea, or just a bad idea?
Best practice with the REST API is to use a middle tier. Exposing the REST API directly to your end users is analogous to doing so with an ODBC connection -- something you generally wouldn't do.
My suggestion is to set up a middle tier and use that gather credentials, then login as needed.
You can modify the out-of-the-box REST API endpoints to perform an xdmp:login, but of course that creates complexity when performing an upgrade, and when deploying an app. That's really a worst-case scenario.
Are you able to map all of your users to a much smaller set of ML users, perhaps on the order of dozens? Then a middle tier can do something similar to xdmp:login - it can look at the user's profile and determine which ML user to connect to ML with. That's not quite as flexible as xdmp:login, which lets you pick any roles you want without creating a user as a holder for them, but it may do the trick.
I recently succeeded in building a page that loads data via an ajax get call to a REST interface (that runs on my server) and then uses the data to construct a map overlay for Google maps via JS.
I managed to do this but now I have concerns about the security of my data. Obviously everybody could just use curl to load the overlay data from my REST interface. However, I do not want to make my data so easily available, since they are kind of the business value of my page...
Is saw many solutions on the web that all require a login of the user.
However, this should not be required on my page.
Is there an easy solution to this problem, without the user having to use a log in or something? Basically I only want to allow my web application to query data from my REST interface, but not anyone else.
One solution that came to my head is to pass the data directly from php into JS, when the page is loaded. However this looks like a real ugly solution to me...
On a RESTful interface, I suppose you want to avoid login into a session. You have basically 2 more ways :
use IP address filtering if the web application run on a private network with known IP addresses
pass an identification token in the request headers or as a request parameter. The token has to be passed along in all the requests.
I have two set of users one is anonymous and another is valid users (authenticated using cas server). So for anonymous I don't have ticket but for users I have the ticket. But I want to make the resource available to both with some nifty feature will be provided to valid users. My resources are available as REST services. Therefore between two calls (say /foo and /bar. here /foo must be called before /bar) I have to check whether the calling user is same or not?
Therefore I would like to generate a ticket for anonymous user also. so that in /bar, I can check same anonymous user has actually request /bar.
Can anyone suggest how can I solve the above problem using apache shiro.
Also as I have very little knowledge about Apache shiro, I would like to know which one is better apache shiro or spring security (in case of REST services developed using jersey 2)
I am a newbie who is writting ASP.Net web API service for the very first time. The issue I am having is how to pass user information or different contexts via service request. For example I want to pass user context (i.e username, user preferences etc.) and lets say security context (i.e. api key, secret etc.) thru each service call. The options I found
1. using Query string
2. custom HTTP headers
3. overload authorization header to pass Jason object
4. cookie
I ditch the idea of using query string as it has 2k limitation, custom header could be ripped by proxy services, dont want to use cookie,creating a jason object of all the context and send it via auth header can work but seems like not a smart way. Any idea? what is the best way of passing those extra information.
I really appreciate if someone help me with some examples.
I'm developing a public rest api and want to use it for my company's web client as well (jquery). That would work since it would be on the same server.
Howerver, my question is whether rest is even supposed to be consumed by JavaScript? What about authentication and authorization and session information. Since rest is not supposed to maintain any session state.
Can I store all the state, create the response with the token etc within JavaScript?
or should I create another plain servlet layer ontop of my own rest api as a rest client which could be richer (break rest principles)
Create an extra version for the rest api that allows some less rest-like behavior (session data) and maybe even keep that private.
as a side question I'm also wondering if there's any performance difference between using say Jersey vs regular servlets processing calls? In other words, can I use Jersey as a servlet replacement (to take advantage of the format conversions).