[MarkLogic Dev General] Web service user authentication with Marklogic

DJaun Maclin dmaclin at wattnet.net
Thu Dec 9 14:34:33 PST 2010


Hey Sam,

 

Thanks for your input! That's exactly the way I've decided to go.
Sending the credentials in the HTTP header is what I was looking for.

Thanks again!

 

Dj

 

________________________________

From: general-bounces at developer.marklogic.com
[mailto:general-bounces at developer.marklogic.com] On Behalf Of Sam Neth
Sent: Monday, December 06, 2010 12:11 PM
To: General MarkLogic Developer Discussion
Subject: Re: [MarkLogic Dev General] Web service user authentication
with Marklogic

 

Requiring session state on the server for a web service will bring you
lasting misery.  Do not contemplate doing that; send credentials every
time.  Create a client-side session object to encapsulate this if you
don't want to expose this in every method signature.  Also consider not
reinventing authentication; sending and storing passwords in plaintext
is not a good practice; it's better to integrate with existing HTTP
authentication methods, or implement a digest-based authentication
protocol of some kind.

 

Sam Neth
Lead Engineer
MarkLogic Corporation

 

 

 

 

On Dec 6, 2010, at 9:59 AM, DJaun Maclin wrote:

Hi Sam and Geert, 

 

Thanks for the reply! Your answers are very helpful for some questions
coming up in this project, so I appreciate the help. I'm not worried
about the connection between the Web service and ML, but I'm more
worried about the connection between the client and the web service. I
guess my real question is how could I check my user.xml file on
Marklogic to validate access to the web service? The users on this file
will be the only ones with the power to use the web service, so I need
to make this clear to the web service. The user.xml file also could be
updated at any time, so it's a dynamic list of users based on a
subscription. 

 

User.xml:

<user name="username1" pass="PasSworD392" realname="Bob Smith"/>
<user name="JaneG" pass="KittyKatz5" realname="Jane Goodman"/>

Etc.

 

I could write a query to check the given username and password against
what I have in the ML database/file, but would I have to do this every
time a user wants to use a function of the web service? I'm trying to
stay away from adding the username and password to the parameter of each
function in my web service (like getCitiesByState(String country, String
state, String username, String password) ), so would anyone know any
safe ways to authorize a session or a token between the web service and
client with .net? I'm aware that this is more of a .net question, but
I'm wondering if anyone has been in a situation like this before with
ML.

 

Please let me know if more detail is needed.

 

Thanks in advance

Dj

 

________________________________

From: general-bounces at developer.marklogic.com
[mailto:general-bounces at developer.marklogic.com] On Behalf Of Sam Neth
Sent: Monday, December 06, 2010 1:46 AM
To: General MarkLogic Developer Discussion
Subject: Re: [MarkLogic Dev General] Web service user authentication
with Marklogic

 

XCC/Java supports SSL.  XCC.net currently does not.

 

I'm not at all sure that's relevant though, as the question seems to be
more about authentication.

 

Dj, can you explain the components involved here in a little more
detail?

 

Sam Neth
Lead Engineer
MarkLogic Corporation

 

On Dec 5, 2010, at 11:23 PM, Geert Josten wrote:

Hi DJ,

To my knowledge XCC communication with an XDBC app server within
MarkLogic Server is encrypted out of the box. But when in doubt you
could also use an HTTP app server configured to accept HTTPS only.

Kind regards,
Geert

drs. G.P.H. (Geert) Josten
Consultant

Daidalos BV
Hoekeindsehof 1-4
2665 JZ Bleiswijk

T +31 (0)10 850 1200
F +31 (0)10 850 1199

mailto:geert.josten at daidalos.nl
http://www.daidalos.nl/

KvK 27164984


The information sent in or with this e-mail message originates from
Daidalos BV and is intended solely for the addressee. If you have
received this message unintentionally, we ask you to delete it. No
rights can be derived from this message.

From: general-bounces at developer.marklogic.com
[mailto:general-bounces at developer.marklogic.com] On Behalf Of DJaun Maclin
Sent: Monday, 6 December 2010 2:56
To: general at developer.marklogic.com
Subject: [MarkLogic Dev General] Web service user authentication with Marklogic

Hello everyone,

I need some help implementing a .NET web service that checks an XML file
in a Marklogic database to validate a user's password and name. It would
be nice if any user information passed between the client and the web
service is also encrypted, but the data itself doesn't need to be
encrypted. Does anyone have any information that could push me in the
right direction toward securing a web service for users only?

Thanks in advance,

Dj

_______________________________________________
General mailing list
General at developer.marklogic.com
http://developer.marklogic.com/mailman/listinfo/general
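
Added example, not part of the original thread and not MarkLogic or list-member code: one way to follow the advice given in the thread, with credentials sent in the HTTP Authorization header on every request, a client-side session object keeping them out of method signatures, and salted PBKDF2 hashes stored instead of plaintext passwords. It assumes .NET 7 or later, HTTPS between client and service, and HTTP Basic as the existing authentication scheme; `StoredUser`, `RequestAuthenticator`, `ServiceSession`, the `cities` endpoint and the iteration count are hypothetical choices.

```csharp
using System;
using System.Collections.Generic;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Security.Cryptography;
using System.Text;
using System.Threading.Tasks;

public sealed record StoredUser(byte[] Salt, byte[] Hash); // stored instead of a plaintext pass="..."
public static class RequestAuthenticator
{
    const int Iterations = 210_000; // assumed PBKDF2 work factor
    static readonly StoredUser Decoy = Enroll("constructed-decoy-value");
    public static StoredUser Enroll(string password)
    {
        byte[] salt = RandomNumberGenerator.GetBytes(16);
        return new StoredUser(salt, Derive(password, salt));
    }
    static byte[] Derive(string password, byte[] salt) =>
        Rfc2898DeriveBytes.Pbkdf2(password, salt, Iterations, HashAlgorithmName.SHA256, 32);
    // Server side, run on every request with no session state: user name, or null (answer 401).
    public static string? Authenticate(string? header, IReadOnlyDictionary<string, StoredUser> users)
    {
        if (!AuthenticationHeaderValue.TryParse(header, out var value) || value.Parameter is null
            || !value.Scheme.Equals("Basic", StringComparison.OrdinalIgnoreCase)) return null;
        string pair;
        try { pair = Encoding.UTF8.GetString(Convert.FromBase64String(value.Parameter)); }
        catch (FormatException) { return null; }
        if (pair.Split(':', 2) is not [var name, var secret]) return null;
        bool known = users.TryGetValue(name, out var user);
        user ??= Decoy; // derive anyway so an unknown name costs the same as a wrong password
        bool match = CryptographicOperations.FixedTimeEquals(Derive(secret, user.Salt), user.Hash);
        return known && match ? name : null;
    }
}

// Client side: the session object holds the credentials and adds the header to every call.
public sealed class ServiceSession
{
    readonly HttpClient http;
    public ServiceSession(Uri httpsBase, string user, string password)
    {
        if (httpsBase.Scheme != Uri.UriSchemeHttps) throw new ArgumentException("HTTPS required");
        http = new HttpClient { BaseAddress = httpsBase };
        http.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue("Basic",
            Convert.ToBase64String(Encoding.UTF8.GetBytes($"{user}:{password}")));
    }
    public Task<string> GetCitiesByState(string country, string state) => http.GetStringAsync(
        $"cities?country={Uri.EscapeDataString(country)}&state={Uri.EscapeDataString(state)}");
}
```

Because the user list is read on each call, a subscription that is added or removed takes effect on the next request without any session to invalidate.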

 
