xml-xindice-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Vadim Gritsenko <va...@reverycodes.com>
Subject Re: access control in xindice
Date Tue, 10 Feb 2004 16:05:56 GMT
Honglin Ye wrote:

> Hi, Vadim,
>     While I am trying to convince people here we can use
> Xindice as our storage component, I found one thing we need
> but not yet in xindice.
>     We need the access control. We can not let people who knows
> the host and port to freely query xindice.


But, generally speaking, it should be behind a firewall.


>     I think it should be sufficient to enforce a 'password on 
> collections'.
> If a password is set at the collection create time, the access to the 
> collection
> and all the child collections later on requires the password. This can be
> down on commandline and on programming call.
>      Do I think about the right thing?


Not exactly. The easiest (fastest) way to add simple username/password 
protection is to do so by protecting xindice webapp in web.xml.

More complicated (and better) solution will use username/password 
provided via Database.getCollection() and give/reject access to the 
collection based on the authentication (password matches username), and 
authorization (user is in the group which has access to the collection) 
rules.

Authorization / authentication information should be stored in the db 
itself, in system collection.

Vadim


Mime
View raw message