Let me state up front that if I had to do it over again, I would handle
the authN in the frontend apache that I run anyway. But if you don't do
that, or don't know apache, or whatever, here are some notes I have
saved for shiro.

If you use the CLI to make sha256 hashes for passwords, ensure that there's
no newline on the end of the password. Unix tools will automatically
add one and you will exhaust your (extensive) cursing vocabulary while
you try to figure out why it doesn't work. Or maybe that was me.

    echo -n "this_password_shows_up_in_shell_history_and_process_environment" | sha256sum

    # shiro-tools-hasher is not included with fuseki
    java -jar shiro-tools-hasher-1.3.0-cli.jar -a SHA-256 -p -i 1 --nogensalt -f hex

My shiro.ini:

    [main]
    # TLS is disabled in fuseki, we front it with apache
    ssl.enabled = false
    credentialsMatcher = org.apache.shiro.authc.credential.Sha256CredentialsMatcher
    iniRealm.credentialsMatcher = $credentialsMatcher
    localhostFilter=org.apache.jena.fuseki.authz.LocalhostFilter

    [users]
    # Implicitly adds "iniRealm = org.apache.shiro.realm.text.IniRealm"
    username= sha256_hash_goes_here

    [roles]

    [urls]
    ## Control functions open to anyone
    /$/status = anon
    /$/ping = anon
    /** = authcBasic,user[username]

I'm sure it is far from perfect but it works at a basic level.
I'll add that a simple sha256 hash is not a great format for encrypted
password storage. If you are storing actual end-user passwords you want
bcrypt or scrypt or pbkdf2 or something similar. These hashes take
significant resources to compute, and are therefore resistant to
bruteforce cracking if someone gets a hold of your encrypted passwords.
I had some trouble getting one of those working with shiro. Here I
decided it wasn't important, because this password was only used by a
few other servers that authenticate to it.
Mikael Pesonen wrote on 4/30/19 5:43 AM:
Ok so I need to look at shiro.ini...
Fuseki Main is same server without the web interface?
On 29/04/2019 20:01, Andy Seaborne wrote:
Are you running the war file, full server jar with UI? That still
uses shiro.ini.
The data-access-control.html applies to Fuseki Main.
3.10.0 works for me.
[] rdf:type fuseki:Server ;
fuseki:passwd "passwdFile";
fuseki:auth "basic" ;
fuseki:allowedUsers "*";
.
Andy
On 29/04/2019 16:26, Mikael Pesonen wrote:
Entire config.ttl:
@prefix :<http://localhost/jena_example/#> .
@prefix rdf:<http://www.w3.org/1999/02/22-rdf-syntax-ns#> .
@prefix rdfs:<http://www.w3.org/2000/01/rdf-schema#> .
@prefix tdb:<http://jena.hpl.hp.com/2008/tdb#> .
@prefix ja:<http://jena.hpl.hp.com/2005/11/Assembler#> .
@prefix text:<http://jena.apache.org/text#> .
@prefix skos:<http://www.w3.org/2004/02/skos/core#> .
@prefix fuseki:<http://jena.apache.org/fuseki#> .
## Example of a TDB dataset and text index
## Initialize TDB
[] ja:loadClass "org.apache.jena.tdb.TDB" .
tdb:DatasetTDB rdfs:subClassOf ja:RDFDataset .
tdb:GraphTDB rdfs:subClassOf ja:Model .
## Initialize text query
[] ja:loadClass "org.apache.jena.query.text.TextQuery" .
# A TextDataset is a regular dataset with a text index.
text:TextDataset rdfs:subClassOf ja:RDFDataset .
# Lucene index
text:TextIndexLucene rdfs:subClassOf text:TextIndex .
## ---------------------------------------------------------------
:text_dataset rdf:type text:TextDataset ;
text:dataset :my_dataset ;
text:index <#indexLucene> ;
.
# A TDB dataset used for RDF storage
:my_dataset rdf:type tdb:DatasetTDB ;
tdb:location "..." ;
# tdb:unionDefaultGraph true ; # Optional
.
# Text index description
<#indexLucene> a text:TextIndexLucene ;
text:directory <...> ;
text:entityMap <#entMap> ;
text:storeValues true ;
text:analyzer [ a text:StandardAnalyzer ] ;
text:queryAnalyzer [ a text:KeywordAnalyzer ] ;
text:queryParser text:AnalyzingQueryParser ;
text:multilingualSupport true ;
.
<#entMap> a text:EntityMap ;
text:defaultField "prefLabel" ;
text:entityField "uri" ;
text:uidField "uid" ;
text:langField "lang" ;
text:graphField "graph" ;
text:map (
[ text:field "prefLabel" ; text:predicate skos:prefLabel ]
[ text:field "altLabel" ; text:predicate skos:altLabel ]
) .
<#server> rdf:type fuseki:Server ;
fuseki:passwd "..." ;
fuseki:auth "basic" ;
fuseki:allowedUsers "*" ;
fuseki:services (<#service>) ;
.
<#service> rdf:type fuseki:Service ;
fuseki:name "/ds" ; # http://host:port/ds-ro
fuseki:serviceQuery "query" ; # SPARQL query service
fuseki:serviceQuery "sparql" ; # SPARQL query service
fuseki:serviceUpdate "update" ; # SPARQL update service
fuseki:serviceUpload "upload" ; # Non-SPARQL upload service
fuseki:serviceReadWriteGraphStore "data" ; # SPARQL Graph store protocol (read and write)
fuseki:dataset :text_dataset ;
.
On 29/04/2019 18:09, Andy Seaborne wrote:
On 29/04/2019 15:42, Mikael Pesonen wrote:
I'm using Fuseki 3.10.0 and following this guide:
http://jena.staging.apache.org/documentation/fuseki2/data-access-control.html#authentication
http://jena.apache.org/documentation/fuseki2/data-access-control.html#authentication
Fuseki server doesn't recognize --passwd from command line, and
adding this
<#server> rdf:type fuseki:Server ;
fuseki:passwd "path to passwd file" ;
fuseki:auth "basic" .
Try adding
fuseki:allowedUsers "*";
to the <#server>
Oddly, I found this quite recently and am looking at it right now.
Andy
to config.ttl doesn't make Fuseki require login.
Are there some additional steps to make?
BR
--
Dan Pritts
ICPSR Computing & Network Services
University of Michigan
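
An added example, not part of the original thread: shell helpers for the trailing-newline trap described in the top message when producing the hex SHA-256 value for the shiro.ini [users] section. The function names (sha256_hex, hash_password_interactive, diagnose_hash) are hypothetical; it assumes a POSIX shell with sha256sum and stty available.

```shell
#!/bin/sh
# Added example: hash a password for shiro.ini without a trailing newline
# and without putting the password in shell history.

# sha256_hex: hex SHA-256 of exactly the bytes in $1.
# printf '%s' is a shell builtin and appends no newline.
sha256_hex() {
    printf '%s' "$1" | sha256sum | cut -d' ' -f1
}

# hash_password_interactive: prompt with terminal echo off, then print
# the hash. The password is typed at the prompt, so it never appears on
# a command line or in the history file.
hash_password_interactive() {
    stty -echo
    printf 'Password: ' >&2
    IFS= read -r pw
    stty echo
    printf '\n' >&2
    sha256_hex "$pw"
    unset pw
}

# diagnose_hash: explain why a stored hash does or does not match.
#   $1 = hash stored in shiro.ini, $2 = the intended password
# Prints: ok        (hash of the password itself)
#         newline   (hash of password + "\n", the plain-echo mistake)
#         mismatch  (neither)
diagnose_hash() {
    stored=$1
    pw=$2
    with_nl=$(printf '%s\n' "$pw" | sha256sum | cut -d' ' -f1)
    if [ "$stored" = "$(sha256_hex "$pw")" ]; then
        echo ok
    elif [ "$stored" = "$with_nl" ]; then
        echo newline
    else
        echo mismatch
    fi
}
```

Run hash_password_interactive and paste its output after "username=" in [users]; if logins still fail, diagnose_hash tells you whether the stored value was made with a stray newline.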