[ https://issues.apache.org/jira/browse/CLEREZZA-447?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13006253#comment-13006253 ]

Henry Story commented on CLEREZZA-447:
--------------------------------------

I have been playing in my sandbox with adding the following code to 
org.apache.clerezza.platform.typerendering.scala.RenderedPage


        def fetch(uri: UriRef) : GraphNode = {
                // Look up the WebDescriptionProvider OSGi service inside a privileged block.
                // webSrvc is null if no such service is registered.
                val webSrvc = AccessController.doPrivileged(new PrivilegedAction[WebDescriptionProvider] {
                        def run: WebDescriptionProvider = {
                                val cntxt: BundleContext = requestProperties.bundleContext
                                var serviceReference: ServiceReference = cntxt.getServiceReference("org.apache.clerezza.platform.users.WebDescriptionProvider")
                                if (serviceReference != null) {
                                        return cntxt.getService(serviceReference).asInstanceOf[WebDescriptionProvider]
                                } else {
                                        return null
                                }
                        }
                })
                //This should return not a graph, but a graph surrounded with HTTP metadata, so that the user
                //connection error messages can be designed, and so on.
                //The graph should be fetched as the user also if this is required.
                val grph = webSrvc.fetchSemantics(uri,Cache.Fetch)
                return new GraphNode(uri,grph)
        }


This should of course return a read-only graph (or one which has no side 
effects).
Also it should be moved into a more appropriate package. Putting it here 
reduced the side effects to my code.

With the above it is easy to have the main graph returned by the system contain 
information that the system itself is comfortable declaring, while allowing UI 
code to enrich that with information found elsewhere. I am then able to 
create HTML views on other remote graphs, which then allow the user to decide 
what he believes of what other people claim about themselves.




> GraphNode not appropriate object to send from JSR311 code to Renderlet
> ----------------------------------------------------------------------
>
>                 Key: CLEREZZA-447
>                 URL: https://issues.apache.org/jira/browse/CLEREZZA-447
>             Project: Clerezza
>          Issue Type: Bug
>            Reporter: Henry Story
>
> The main reason for Clerezza (zz) having an RDF engine is so that one can 
> fetch data off the web and use it to guide the logic of what is going on.
> When that is done one has to carefully distinguish what is said or believed 
> by different parts of the engine. *Who* believes *what*, is very important, 
> and not making that distinction will create security holes. 
> So for example the following is problematic. When a @GET annotated method 
> returns a GraphNode in a JSR311 class one has to add information to 
> that returned GraphNode that is going to decide which Renderlet gets called 
> next. Something like
>               resultNode.addProperty(RDF.`type`, PLATFORM.HeadedPage)
>               resultNode.addProperty(RDF.`type`, CONTROLPANEL.ProfileViewerPage)
> But what if the JSR wants to return a graph that is not controlled by the 
> System? What if it wants to return a graph found on the internet in order to 
> display it?
> It would have to write something like this:
>       @GET
>       def viewPerson(@Context uriInfo: UriInfo, @QueryParam("uri") uri: UriRef): GraphNode = {
>               val foaf: GraphNode = descriptionProvider.getWebDescription(uri, Cache.Fetch)
>               val resultNode: GraphNode = new GraphNode(new UriRef(uriInfo.getAbsolutePath.toString),foaf.getGraph)
>               resultNode.addProperty(RDF.`type`, PLATFORM.HeadedPage)
>               resultNode.addProperty(RDF.`type`, CONTROLPANEL.ProfileViewerPage)
>               return resultNode
>       }
> But now it has mixed system information with remote information. This means 
> that if the foaf profile contained some different type information, perhaps 
> set by a different instance of Clerezza, the ZZ instance will be randomly 
> selecting one of many Renderlets, some of which were not chosen locally. This 
> will completely confuse the display logic in the system.
>   Such a JSR 311 method must instead return a more complex object, consisting 
> of a system graph perhaps and a content graph. The System graph is the only 
> one that should be considered for routing information.

--
This message is automatically generated by JIRA.
For more information on JIRA, see: http://www.atlassian.com/software/jira
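
The system-graph/content-graph split asked for in the issue description, as an added example that is not part of the original message or of Clerezza's code. Triple, Page, the renderlet table and all type names in it are hypothetical stand-ins, and the triples are constructed sample data.

```scala
// Added illustration: Triple, Page and the renderlet table are hypothetical
// stand-ins, not Clerezza classes.
object RoutingDemo {
  case class Triple(s: String, p: String, o: String)
  val RdfType = "rdf:type"

  // Hypothetical registry: which renderlet handles which rdf:type.
  val renderlets = Map(
    "platform:HeadedPage"            -> "HeadedPageRenderlet",
    "controlpanel:ProfileViewerPage" -> "ProfileViewerRenderlet",
    "other:SomePage"                 -> "SomeOtherRenderlet")

  // A response that keeps locally asserted triples apart from fetched ones.
  case class Page(node: String, system: Set[Triple], content: Set[Triple])

  def typesOf(node: String, g: Set[Triple]): Set[String] =
    g.collect { case Triple(`node`, RdfType, o) => o }

  // Problematic: routing reads the union, so remote claims take part.
  def candidatesMerged(p: Page): Set[String] =
    typesOf(p.node, p.system ++ p.content).flatMap(t => renderlets.get(t))

  // Proposed: only the system graph is consulted for routing.
  def candidatesSystemOnly(p: Page): Set[String] =
    typesOf(p.node, p.system).flatMap(t => renderlets.get(t))

  def main(args: Array[String]): Unit = {
    val me = "http://localhost/viewPerson"
    val system = Set(
      Triple(me, RdfType, "platform:HeadedPage"),
      Triple(me, RdfType, "controlpanel:ProfileViewerPage"))
    // Constructed remote document that also asserts a type for the local node.
    val remote = Set(
      Triple(me, RdfType, "other:SomePage"),
      Triple("http://example.org/alice#me", "foaf:name", "Alice"))
    val page = Page(me, system, remote)
    println("merged graph routes to:  " + candidatesMerged(page))
    println("system graph routes to:  " + candidatesSystemOnly(page))
    // The remote type statement must not be able to select a renderlet.
    assert(!candidatesSystemOnly(page).contains("SomeOtherRenderlet"))
    assert(candidatesMerged(page).contains("SomeOtherRenderlet"))
  }
}
```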
