Database Reference
In-Depth Information
CHAPTER 8
Security
eXist integrates a comprehensive and flexible security subsystem within the core of
the database that cascades up through each API and web server. It is impossible to
access any resource or collection within eXist without authorization or access rights
being granted to the resource.
eXist at its simplest uses classic username and password credentials for authentica‐
tion. The essence of its security model was very much inspired by the Unix permis‐
sions model. Permissions are applied at a resource level, and each resource and
collection in the database must have Unix-style permissions assigned to it; these are
validated when the resource or collection is accessed.
The Unix-style security model in eXist is adequate for many applications, but it does
not scale well when you have hundreds of users with different roles. While you can
solve this by creating many groups containing many permutations of user accounts,
this quickly becomes unmanageable, and if you cannot understand your own security
model you have little chance of asserting its integrity. For larger uses, eXist supports
ACLs (access control lists), which allow you to place many modes for different users
and groups onto the same document or collection (see
“Access Control Lists” on page
156
). eXist does not yet natively implement RBAC (role-based access control), but it's
not too hard to add this at your application layer as an organization of ACLs.
eXist's Security Manager also permits pluggable modules that provide an
authentication realm, and through this mechanism eXist can authenticate against
external providers to better integrate with your existing infrastructure. eXist provides
a default internal realm in which user and group credentials are stored in a set of
XML documents within a special collection in the database,
/db/system/security/exist
.
Search WWH ::
Custom Search