XRX/Login and Session Management

From Wikibooks, open books for an open world

Motivation

You want to use an XForms application to get login information and set server session variables.

Method

The XForms standard provides a "secret" form control (xf:secret) for collecting a password; the characters the user types are masked on screen. After the user fills out the login form, it is POSTed to the server.

Note that you should not use HTTP GET for passwords, since a GET places the password in the URL, and the URL is recorded as a query parameter in the web server's log files.

The eXist system has several functions for setting session variables. After a user logs in, these session variables should be set, and all subsequent XQueries can consult them when accessing secure resources.

Note that setting session variables is out of scope for the W3C XQuery 1.0 standard, so each server uses slightly different functions for it. The concepts, however, are very similar from one server to the next.

Most commonly, a session variable is used to associate the user with one or more roles. This is known as role-based access control (RBAC). It allows your XQueries to choose their behavior based on the user's role, and avoids hard-coding XQueries against usernames, which may change frequently. Typical roles are "admin" or "document-approver". eXist uses UNIX-style groups that can be associated with a collection or a file. You can use these groups for access control, bearing in mind that a collection or file is associated with one and only one group at any time. A user, on the other hand, is frequently associated with multiple roles during a session, just as a UNIX user can belong to many groups.

Sample XForms Login Screen

A sample login XForms application is provided here:

XForms Login Screen

This form may be customized to include any legal notice about the use of the system by unauthorized persons. It can then be wrapped in an XQuery function such as local:display-login() and invoked whenever a user requests a page they are not authorized to access.
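The login screen described above, wrapped in the local:display-login() function the text suggests. This is an added example, not code from the page or from eXist: it assumes the form POSTs to a handler script named login.xq (a placeholder) that reads the two fields as request parameters named user and pass, and it uses the urlencoded-post submission method so that those parameters arrive in the POST body rather than as XML.

```xquery
xquery version "1.0";
(: Added example, not from the page or eXist. Returns the XForms login screen
   as XHTML. login.xq is a placeholder name for the XQuery that handles the
   POST; the parameter names user and pass are an assumption shared with it. :)
declare option exist:serialize "method=xhtml media-type=application/xhtml+xml indent=yes";

declare function local:display-login() as element() {
    <html xmlns="http://www.w3.org/1999/xhtml"
          xmlns:xf="http://www.w3.org/2002/xforms">
        <head>
            <title>Login</title>
            <xf:model>
                <xf:instance id="login">
                    <data xmlns="">
                        <user/>
                        <pass/>
                    </data>
                </xf:instance>
                <!-- both fields are required; the form will not submit while either is empty -->
                <xf:bind nodeset="instance('login')/user" required="true()"/>
                <xf:bind nodeset="instance('login')/pass" required="true()"/>
                <!-- urlencoded-post sends user and pass in the POST body, where
                     request:get-parameter() can read them. method="post" would
                     send the instance as XML instead, and a GET would put the
                     password into the URL and the web server logs. -->
                <xf:submission id="do-login" method="urlencoded-post"
                               action="login.xq" replace="all"/>
            </xf:model>
        </head>
        <body>
            <!-- site-specific legal notice goes here -->
            <p>Authorized users only.</p>
            <xf:input ref="instance('login')/user">
                <xf:label>Username:</xf:label>
            </xf:input>
            <!-- xf:secret masks the characters as they are typed -->
            <xf:secret ref="instance('login')/pass">
                <xf:label>Password:</xf:label>
            </xf:secret>
            <xf:submit submission="do-login">
                <xf:label>Login</xf:label>
            </xf:submit>
        </body>
    </html>
};

local:display-login()
```

A protected page can return local:display-login() in place of its normal output whenever the login check fails, so the user is sent straight to the form without a redirect.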

Sample XQuery to Check for Login

(: This is just a rough outline based on the admin.xql program.  Needs more work... :)

declare namespace xdb="http://exist-db.org/xquery/xmldb";

(: the username, password and logout flag come from the POSTed login form;
   the parameter names user, pass and logout are assumed to match the form's fields :)
let $user := request:get-parameter("user", ())
let $pass := request:get-parameter("pass", ())
let $logout := request:get-parameter("logout", ())

let $isLoggedIn :=
    (: compare the user currently bound to the database session, not the submitted name :)
    if (xdb:get-current-user() eq "guest")
    then
    (
        (: is this a login attempt? :)
        if ($user and not(empty($pass)))
        then
        (
            if ($user eq "guest")
            then
            (
                (: prevent the guest user from accessing the admin webapp :)
                false()
            )
            else
            (
                (: try and log the user in; xdb:login() returns true() on success :)
                xdb:login("/db", $user, $pass)
            )
        )
        else
        (
            (: prevent the guest user from accessing the admin webapp :)
            false()
        )
    )
    else
    (
        (: if we are already logged in, are we logging out - i.e. set permissions back to guest :)
        if ($logout)
        then
        (
            let $null := xdb:login("/db", "guest", "guest")
            return false()
        )
        else
        (
            (: we are already logged in and we are not the guest user :)
            true()
        )
    )
return
<html>
...
</html>
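The role-based access control described in the Method section, carried through the login check above: once xdb:login() has succeeded, the user's groups are copied into the server session, and protected pages test a role rather than a username. This is an added example, not code from the page or from eXist. It assumes eXist 1.x-style functions xdb:get-user-groups(), session:set-attribute(), session:get-attribute() and session:invalidate(), and request parameters named user, pass and logout that match the login form.

```xquery
xquery version "1.0";
(: Added example, not from the page or eXist. Assumes the xmldb and session
   modules of eXist 1.x and form parameters named user, pass and logout. :)
declare namespace xdb="http://exist-db.org/xquery/xmldb";

(: called once, right after xdb:login() returned true(): records the user
   name and the groups (roles) the user belongs to in the server session :)
declare function local:start-session($user as xs:string) as item()* {
    let $roles := xdb:get-user-groups($user)
    return (
        session:set-attribute("user", $user),
        session:set-attribute("roles", $roles)
    )
};

(: true if the session user holds at least one of the wanted roles;
   a session with no "roles" attribute (guest, or expired) yields false :)
declare function local:has-role($wanted as xs:string*) as xs:boolean {
    let $roles := session:get-attribute("roles")
    return exists($roles[. = $wanted])
};

(: logout: drop the database login back to guest and discard the session,
   so a stale "roles" attribute cannot outlive the login that produced it :)
declare function local:end-session() as item()* {
    let $null := xdb:login("/db", "guest", "guest")
    return session:invalidate()
};

(: the body of the login form's POST handler :)
declare function local:handle-login() as element() {
    let $user := request:get-parameter("user", ())
    let $pass := request:get-parameter("pass", ())
    return
        (: guest is never accepted, and nothing is written to the session
           until xdb:login() has actually succeeded :)
        if (empty($user) or $user eq "guest" or empty($pass))
        then <p>Login failed.</p>
        else if (xdb:login("/db", $user, $pass))
        then
            let $null := local:start-session($user)
            return <p>Logged in as { $user }.</p>
        else <p>Login failed.</p>
};

(: a protected page: the role test replaces any hard-coded user name :)
if (request:get-parameter("logout", ()))
then
    let $null := local:end-session()
    return <p>Logged out.</p>
else if (local:has-role(("admin", "document-approver")))
then <p>Hello { session:get-attribute("user") }, you may approve documents.</p>
else <p>You are not authorized to approve documents. Please log in.</p>
```

Keeping the roles in the session means the user database is read once per login rather than on every request; the trade-off is that a group change made by an administrator takes effect only after the user logs out and in again, which is why local:end-session() invalidates the whole session instead of clearing individual attributes.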

XQuery Function to display session information

Once the user is logged in, the following function can be used to display session information in the upper-right corner of the screen.

(: 
    Display the version, SVN revision and user info in the top right corner 
:)
declare function admin:info-header() as element()
{
    <div class="info">
        <ul>
            <li>Version: { util:system-property( "product-version" ) }</li>
            <li>SVN Revision: { util:system-property( "svn-revision" ) }</li>
            <li>Build: {util:system-property("product-build")}</li>
            <li>User: { xdb:get-current-user() }</li>
        </ul>
    </div>
};
