> Yes - by default the admin functions the UI uses are restricted to > browsers from "localhost" (and not even the IP address). This is done > to stop remote people being able to mess around with your data. I was a > bit surprised that as much of the interface worked as it did! There is a > 403 in the developers console. It might be better to block more rather > than just the JSON-API calls to "/$/*" > > For a fixed security template file, we didn't want a default > user/password because that would be not very secret. > > It is controlled by the shiro.ini file > -------------------- > [main] > ... > localhost=org.apache.jena.fuseki.authz.LocalhostFilter > ... > [urls] > ... > ## and the rest are restricted > /$/** = localhost > > > ## If you want simple, basic authentication user/password on the > ## operations, change the line above to: > ## /$/** = authcBasic,user[admin] > -------------------- > > user='admin'; password in in the file a few lines above (which is not > very secure!) > > The Fuseki specific shiro filters fix a couple of things and are simpler > that the general ones in Shiro itself. They have been contributed to > Apache Shiro. > > Andy
Thanks a lot. However I have no much experience in Java development, so I don't known where the shiro.in file is. I searched it with find -name '*.ini' in the distribution folder, but I got no results. Thus, I suppose that it is into the jar files in the distribution. I need compile Fuseki from the source to change the shiro.ini? Daniel
