However, we strongly advise against this approach. eXist already has an excellent
security system that allows you to create users, log them in, organize them in groups,
restrict access to scripts and data based on their credentials, and so on. This security
system and how to work with it are described in detail in Chapter 8.
If you base your application's security on top of eXist's security, you have to write,
debug, and maintain less code. It also creates two levels of security:
• Your controller or other parts of your application can work with eXist's security settings through functions in the xmldb and securitymanager extension modules. This allows for programmatically asking questions like “Is this user allowed to execute this XQuery module?” or “Is the current user allowed to see this data?” If not, you could redirect the user to the appropriate error or login page.
• On top of that, eXist itself stands guard. So, if your application is flawed and tries to access a page or data file the user is not authorized for, the database simply refuses the access.
Therefore, our advice is to base your application's security on top of eXist's security.
Here are some tips and tricks:
• Create at least one specific user group for your application, and make all the
application's users a member of this group. Nonpublic pages and data should be
accessible by members of this group only. You can extend this mechanism with
multiple user groups if your application needs more fine-grained authorization.
• When you log somebody in, check whether this user is a member of the right
user group(s) first! Sometimes you have multiple applications running on the
same server, and you don't want users of Application A being able to log in to
Application B (and running into trouble afterward because the security settings
won't allow them to do anything).
Here is a little login function that checks whether a user is a member of at least one of a list of user
groups before attempting the login:
declare function local:login(
    $user-groups as xs:string*,
    $user as xs:string,
    $password as xs:string
) as xs:boolean
{
    (: All members of all the groups this application accepts :)
    let $users-in-groups as xs:string* :=
        for $group in $user-groups return xmldb:get-users($group)
    return
        (: An empty group list means "no group restriction" :)
        if (empty($user-groups) or ($user = $users-in-groups)) then
            xmldb:login('/db', $user, $password, true())
        else
            false()
};
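As an added example (not the book's code), here is how the controller could use the same application group to answer “Is the current user allowed to see this page?” before eXist's own permission check, the second level of security described above, takes over. The group name "myapp", the list of public pages, and the login.xql and forbidden.html file names are assumptions.

```xquery
xquery version "3.0";

(: Added example, not from the book: a controller.xql fragment that gates
   nonpublic pages on membership of the application's user group. :)

declare namespace exist = "http://exist.sourceforge.net/NS/exist";

(: Standard external variables eXist's URL rewriter passes to controller.xql :)
declare variable $exist:path external;
declare variable $exist:resource external;

(: Assumptions: the application group and the pages everyone may see :)
declare variable $local:app-group := "myapp";
declare variable $local:public-pages := ("login.xql", "index.html");

(: True when the user executing this request belongs to $group.
   Unauthenticated requests run as "guest", which is in no application group. :)
declare function local:in-group($group as xs:string) as xs:boolean {
    let $user := xmldb:get-current-user()
    return $group = sm:get-user-groups($user)
};

(: Decide what the URL rewriter should do with the request :)
declare function local:dispatch($resource as xs:string) as element(exist:dispatch) {
    <dispatch xmlns="http://exist.sourceforge.net/NS/exist">
    {
        if ($resource = $local:public-pages) then
            (: public page: serve it as-is :)
            <ignore/>
        else if (xmldb:get-current-user() = "guest") then
            (: nobody logged in: send to the login page, remembering the target :)
            <redirect url="login.xql?redirect={encode-for-uri($exist:path)}"/>
        else if (local:in-group($local:app-group)) then
            (: logged in and a member of the application group: serve the page :)
            <ignore/>
        else
            (: logged in to some other application on this server: refuse politely.
               eXist's own permissions would refuse too, but with a less helpful error. :)
            <forward url="forbidden.html"/>
    }
    </dispatch>
};

local:dispatch($exist:resource)
```

Even if this check is bypassed by a bug elsewhere in the application, the collection permissions set for the "myapp" group still stop the request at the database level.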