On 06/06/2019 00:23, Reto Gmür wrote:
Thanks Andy.
Indeed the packing/unpacking isn't necessary. Another fuseki docker
distribution we use
(https://github.com/linked-solutions/jena-docker/blob/master/jena-fuseki/Dockerfile)
is based on Stian's image and doesn't unpack fuseki. Getting the fuseki jar
via maven rather than wget however seems quite convenient so I would like to
combine the two approaches.
Yes, the maven fetch is nice.
I didn't know that Fuseki has HTTPS support. I usually set this up with the
Traefik reverse proxy. I've created a video where I describe how to set up
things with Traefik and Keycloak:
https://www.youtube.com/watch?v=4jI5GM_AOFs
I assumed the SecurityEvaluator also applies to GSP. I can run some tests. You
think that posting quads to the default graph could bypass the evaluation?
The GSP code is going to do getGraph/getDefaultGraph on the DatasetGraph.
If the graph is wrapped as org.apache.jena.permissions.graph
SecuredGraph it would work but the SecuredDatasetGraph code does:

    @Override
    public Graph getDefaultGraph() {
        boolean isReadAllowed =
            hasReadAccess(NodeFactory.createURI(DEFAULT_GRAPH_SECURITY_NAME));
        if (isReadAllowed) {
            return base.getDefaultGraph();

so the returned graph is directly from the base dataset and updateable.
Maybe a GraphView will work better.
"Implement a Graph as a view of the DatasetGraph."
i.e. GraphView maps graph operations back to the dataset quad operations:
to add a triple becomes DatasetGraph.add(quad) etc.
If that works, it will then be the same permissions security as the dataset.
Andy
Cheers,
Reto
-----Original Message-----
From: Andy Seaborne <a...@apache.org>
Sent: Thursday, May 30, 2019 4:30 PM
To: users@jena.apache.org
Subject: Re: Fuseki OIDC: OpenId authenticated Fuseki access
Hi Reto,
Looks interesting.
Fuseki Main should be able to have the Shiro filter added to it which might be
an easier way to build the server, rather than unpack/pack.
Fuseki main does have read-level access control per graph:
https://jena.apache.org/documentation/fuseki2/data-access-control#graph-acl
including HTTPS support and endpoint access control.
In Fuseki, intercepting add/remove Quad is enough though I am not sure about GSP -
if the app POSTs to ?default then Fuseki does get the graph and insert data
directly, which can bypass quad operations for some link-based datasets.
Andy
On 24/05/2019 15:46, Reto Gmür wrote:
Hi Jean-Claude
OpenID Connect is an identity layer on top of OAuth 2. Our solution includes a
Fuseki DataSetAssembler that provides secured datasets, so it doesn't modify
Fuseki but merely provides an add-on. It also includes a Shiro
AuthenticatingFilter taking care of the authentication part. We provide a
docker distribution of Fuseki with these add-ons.
Cheers,
Reto
-----Original Message-----
From: Jean-Claude Moissinac
<jean-claude.moissi...@telecom-paristech.fr>
Sent: Friday, May 24, 2019 4:22 PM
To: users@jena.apache.org
Subject: Re: Fuseki OIDC: OpenId authenticated Fuseki access
Hi Reto
Interesting
I would like to support such access (or OAuth). Is your solution a modified
version of Fuseki or the integration of some features via the Shiro support of
fuseki?
Cheers
--
Jean-Claude Moissinac
On Fri, 24 May 2019 at 15:56, Reto Gmür <r...@factsmission.com> wrote:
Hi all,
At FactsMission we've been experimenting with controlling Fuseki
access with OpenID (OIDC) authentication and we would like to invite
you to try out the results and give us feedback.
* You may either set up your own instance using the code available
here: https://github.com/linked-solutions/fuseki-oidc
* Or, try out our demo-instance here:
https://fuseki-oidc-sample-client.factsmission.org/
While you'll need to set up an account to try it out, you can do so
with any fake email-address as verification is disabled.
Once you have logged in with OIDC you will be able to read data from any
graph but are only allowed to write to a specific graph associated with your
account.
The motivation for this configuration is to allow guest-book style
(client-side) applications where users can add and edit entries in
their personal graph and see the entries from any graph.
Let me know if you find this useful or if we missed something.
Cheers,
Reto
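
Added example, not part of the thread and not code from Jena or fuseki-oidc: a minimal Java sketch of the getDefaultGraph() issue discussed at the top of the thread, comparing a dataset wrapper that hands out the base default graph with one that hands out a GraphView over itself. WriteGuardedDataset, the deny-all write policy and the example.org URIs are hypothetical; it assumes Jena 3.x (jena-arq) on the classpath.

```java
import org.apache.jena.graph.Graph;
import org.apache.jena.graph.Node;
import org.apache.jena.graph.NodeFactory;
import org.apache.jena.graph.Triple;
import org.apache.jena.sparql.core.DatasetGraph;
import org.apache.jena.sparql.core.DatasetGraphFactory;
import org.apache.jena.sparql.core.DatasetGraphWrapper;
import org.apache.jena.sparql.core.GraphView;
import org.apache.jena.sparql.core.Quad;

public class DefaultGraphBypassDemo {

    /** Hypothetical wrapper: every quad-level write is denied; only getDefaultGraph() varies. */
    static class WriteGuardedDataset extends DatasetGraphWrapper {
        private final DatasetGraph base;
        private final boolean useView;

        WriteGuardedDataset(DatasetGraph base, boolean useView) {
            super(base);
            this.base = base;
            this.useView = useView;
        }

        private static void deny() { throw new SecurityException("write denied"); }

        @Override public void add(Quad quad) { deny(); }
        @Override public void add(Node g, Node s, Node p, Node o) { deny(); }
        @Override public void delete(Quad quad) { deny(); }
        @Override public void delete(Node g, Node s, Node p, Node o) { deny(); }

        @Override
        public Graph getDefaultGraph() {
            // useView == false: like the quoted excerpt, the caller receives the base graph itself.
            // useView == true: a GraphView over this wrapper, so graph updates become dataset calls.
            return useView ? GraphView.createDefaultGraph(this) : base.getDefaultGraph();
        }
    }

    /** True if a triple added via getDefaultGraph() ended up in the unguarded base dataset. */
    static boolean writeReachesBase(boolean useView) {
        DatasetGraph base = DatasetGraphFactory.create();
        DatasetGraph guarded = new WriteGuardedDataset(base, useView);
        Triple t = Triple.create(NodeFactory.createURI("http://example.org/s"),   // constructed data
                                 NodeFactory.createURI("http://example.org/p"),
                                 NodeFactory.createURI("http://example.org/o"));
        try { guarded.getDefaultGraph().add(t); } catch (SecurityException e) { /* guard fired */ }
        return base.getDefaultGraph().contains(t);
    }

    public static void main(String[] args) {
        System.out.println("base graph handed out: write reaches base = " + writeReachesBase(false));
        System.out.println("GraphView handed out:  write reaches base = " + writeReachesBase(true));
    }
}
```

The same comparison can serve as a regression check for a secured dataset: write through whatever getGraph/getDefaultGraph returns and assert that the base dataset is unchanged when the caller lacks write permission.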