Thanks Danny. atomgraph.com should be back up now. BTW this is probably a better link in hindsight: https://jena.apache.org/documentation/fuseki2/fuseki-data-access-control.html
It seems to overlap with the shiro functionality, but has more features.

On Sat, Oct 2, 2021 at 7:27 PM Danny Ayers <danny.ay...@gmail.com> wrote:
>
> On Mon, 27 Sept 2021 at 21:05, Martynas Jusevičius <marty...@atomgraph.com>
> wrote:
>
> > Danny,
> >
> > Have you checked
> > https://jena.apache.org/documentation/fuseki2/fuseki-security.html
>
> Yes, thanks, but so far only really looked at wide open...
>
> > Re. the first part, your Fuseki runs on http:// but your links lead to
> > https://. If you fix the links to be http://, the data from Fuseki
> > will still not load because the browser will not load insecure content
> > for a secure page.
> >
> > So yes you need to put Fuseki on https:// and you need a certificate
> > for it.
>
> Right. Oddly there does seem to be a loophole (bug) somewhere with Chrome,
> my minimal bookmarking app was doing updates to the store without running
> into the insecure-inside-secure browser thing. I haven't been able to
> isolate why those scripts work and others don't - some fluke.
>
> > You can get them free using LetsEncrypt:
> > https://letsencrypt.org/
>
> That is very useful information!
>
> Kind-of ironically, I'd set up hyperdata.it with a pay-for cert from the
> DNS co. I use, gandi.net. It looked ok as https in the browser.
> I was trying to get an old server-side Java app running, an RSS aggregator.
> Some obscure problems, so cut the list down to just my blog, allegedly
> https://hyperdata.it/blog. Got an error from Java complaining of an
> incomplete cert chain.
> Spent *ages* trying to figure out the right combo of cert files in Apache,
> no joy.
> So tried letsencrypt.org via certbot.
> Initial silliness thanks to XAMPP dir layout (needed sudo certbot
> --apache-ctl /opt/lampp/bin/apachectl), but then it Just Worked.
>
> So I've still a little fiddling to do, but solution seems in sight: I think
> I'll put a cert on fuseki.hyperdata.it, tweak DNS & have Apache do a rev
> proxy to :3030.
>
> > If you want to consider AWS, we are currently working on pre-packaged
> > Fuseki that takes one click to install, with HTTPS and all.
> > https://twitter.com/namedgraph/status/1442497225444126722
>
> That will be a very pleasing thing!
>
> Many thanks.
>
> btw, atomgraph.com appears to be timing out.
>
> Cheers,
> Danny.
>
> > Martynas
> > atomgraph.com
> >
> > On Mon, Sep 27, 2021 at 8:52 PM Danny Ayers <danny.ay...@gmail.com> wrote:
> > >
> > > Hiya,
> > >
> > > For the first time in ages I've got a host, want Fuseki as my main backend
> > > but am struggling with aspects related to security. Some specific issues,
> > > but broader problems, seems likely other folks have dealt with them
> > > already. (I have no idea of current best practices, even less on security
> > > in general). Mostly not Fuseki-specific...
> > >
> > > I've got Fuseki running happily on the server - behind a reverse proxy on
> > > Apache, a XAMPP* install on Ubuntu. I would like to leave the endpoints
> > > open for read, restricted write.
> > > Right now may be totally visible at http://hyperdata.it:3030, creds: admin
> > > sasha.
> > >
> > > The twistiest issue:
> > > I'm serving a page, https://hyperdata.it/newsmonitor/river.html which
> > > includes an Ajax query to a SPARQL endpoint on Fuseki.
> > > I have an SSL certificate on the server. Browser balks. Straight http
> > > called inside page served over https not liked. Something like 'mixed
> > > messages'.
> > > Do I really have to pay for another certificate to cover port 3030?
> > > Workaround?
> > >
> > > More general question is how to manage sitewide access control. Ideally I'd
> > > like something that behaves like common sites, with read-only for anonymous
> > > and some writing available for registered users. Hooks into OAuth2 or
> > > whatever would be nice, sign in via Google or whatever...
> > >
> > > Has anyone used (bits of) Solid as a manager for these things?
> > >
> > > Yeah, I want it to be magic.
> > >
> > > Cheers,
> > > Danny.
> > >
> > > * Although I found the XAMPP install very easy for setting up a Wordpress
> > > blog, the Apache setup is not like the standard Ubuntu version. Very
> > > confusing when I wanted to go beyond that, seemingly arbitrary config
> > > files included in unfamiliar places.
> > >
> > > --
> > > ----
> > >
> > > http://hyperdata.it <http://hyperdata.it/danja>
>
> --
> ----
>
> http://hyperdata.it <http://hyperdata.it/danja>
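
Added example, not part of the original thread: a simplified model of the browser rule discussed above (a page served over https: may not make plain-http fetch/XHR requests), applied to the page URL from the thread. The dataset path `/ds/sparql`, the same-origin `/fuseki/` proxy path and the function names are assumptions for illustration.

```javascript
// Simplified mixed-content check for fetch/XHR-style requests (added example).
// Rule modelled: an https: page may only call "potentially trustworthy" URLs.

// Loopback hosts count as trustworthy even over plain http.
function isLoopback(hostname) {
  return hostname === 'localhost' || hostname.endsWith('.localhost') ||
         /^127(\.\d{1,3}){3}$/.test(hostname) || hostname === '[::1]';
}

function isPotentiallyTrustworthy(url) {
  if (url.protocol === 'https:' || url.protocol === 'wss:') return true;
  return isLoopback(url.hostname);
}

// Returns 'ok' or 'blocked' for one request issued by the page at pageUrl.
function classifyRequest(pageUrl, requestUrl) {
  const base = new URL(pageUrl);
  const req = new URL(requestUrl, base);        // resolve relative URLs against the page
  if (base.protocol !== 'https:') return 'ok';  // insecure page: nothing to downgrade
  return isPotentiallyTrustworthy(req) ? 'ok' : 'blocked';
}

// Audit the endpoints a page calls; returns only those the browser would block.
function auditEndpoints(pageUrl, endpoints) {
  return endpoints.filter((e) => classifyRequest(pageUrl, e) === 'blocked');
}

// Constructed sample input. Hosts come from the thread; paths are hypothetical.
const samplePage = 'https://hyperdata.it/newsmonitor/river.html';
const sampleEndpoints = [
  'http://hyperdata.it:3030/ds/sparql',     // Fuseki directly on :3030, plain http
  'https://fuseki.hyperdata.it/ds/sparql',  // Fuseki behind a TLS reverse proxy
  '/fuseki/ds/sparql',                      // same-origin proxy path on the https site
  'http://localhost:3030/ds/sparql',        // local development instance
];

console.log(auditEndpoints(samplePage, sampleEndpoints));
```

Only the direct `http://hyperdata.it:3030` endpoint is reported; both reverse-proxy variants pass because the browser sees an https: URL.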