
application-level authentication

Open mblakele opened this issue 13 years ago • 2 comments

There is some app-level auth code in roxy today, but it is incomplete. I have some working code that I plan to clean up, unless someone is already working on this. The code breaks into these pieces:

  • Extend req:rewrite to protect pages for which login is required. I did this by adding a new protect element to $ROXY-ROUTES, specifying the regex to protect and the exec privilege(s) required to access it. This is the best place to protect pages, because of the existing redirect handler and no-op.xqy module.
  • Extend configuration with a logged-in role and logged-in privilege, distinguished from the default login. The logged-in privilege is a good choice for the req:rewrite protection, and along with the role is useful for distinguishing a logged-in user from unprivileged access.
  • Complete login-logout form handling.

mblakele, Jan 31 '13 21:01
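A sketch of the rewriter-level protection described in the issue above, added here as an illustration; it is not code from the issue or from Roxy. The `<protect>` element shape, the privilege URI and the `/user/login` path are assumptions.

```xquery
xquery version "1.0-ml";

(: Added illustration, not Roxy code. The <protect> element shape, the
   privilege URI and the login path are assumptions made for this sketch. :)
declare variable $ROUTES :=
  <routes>
    <protect pattern="^/(profile|admin)(/.*)?$">
      <privilege>http://example.com/privileges/logged-in</privilege>
    </protect>
  </routes>;

(: True when the path matches no protect rule, or when the current user
   holds every execute privilege listed on each rule that does match.
   Patterns are anchored with ^ and $ so that a partial match cannot
   protect less (or more) than intended. :)
declare function local:allowed($path as xs:string) as xs:boolean
{
  every $rule in $ROUTES/protect[fn:matches($path, @pattern)]
  satisfies
    every $priv in $rule/privilege
    satisfies xdmp:has-privilege(fn:string($priv), "execute")
};

(: Rewriter decision: pass the request through unchanged, or rewrite it
   to the login page. Only the path is carried in the return parameter;
   the login handler should still accept local paths only. :)
declare function local:rewrite($url as xs:string) as xs:string
{
  let $path := fn:tokenize($url, "\?")[1]
  return
    if (local:allowed($path)) then $url
    else fn:concat("/user/login?return=", xdmp:url-encode($path))
};

local:rewrite(xdmp:get-request-url())
```

Because the check runs in the rewriter, a protected module is never invoked for a user who lacks the privilege, and the check is made against the path alone so a query string cannot change which rule matches.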

Glad to see you're working on it. I was just working on some simple user account registration code for a Roxy demo app. The user profile data is stored in MarkLogic (/users/jdoe/profile.xml) and a session token is generated for logins. I haven't put any thought into the restricted views yet.

Is there any chance that I can get an early copy of your code?

garyrusso, Jan 31 '13 22:01

Gary, see if you can integrate your profile code with the profile page in this pull request.

mblakele, Jan 31 '13 23:01