Thanks a lot Andy for all your time, it is really appreciated, and I hope that this work could help other organizations with these topics.

If anyone has suggestions for a more out-of-the-box, open source, solution, please do say so.
Regarding how GraphDB does this part: it is per repository (aka, for Jena, per dataset); there is a web form with many inputs to make the correspondence between AD/LDAP groups and roles.
As an example, a minimalist form which does:
role admin: jena_admin_group
role editor: jena_editor_group
role reader: jena_reader_group

would be a good start.
A more sophisticated version would be an interface (web view) to create custom roles and to pick them in this form from a list.


So I would like to know if one of the solutions below could work:
1. Use a Keycloak server as IAM service and forward roles to Shiro/Jena (JWT or other)?

That's an option.
Yes, indeed I asked the question to the Shiro community, but it seems I have to write some Java code in order to be able to use the bearer token provided by Keycloak. So maybe a web view which allows doing this without writing code would be great. At this point it is not clear to me whether I have to get the Fuseki source code and modify part of the authentication.
3. Other solutions?

One option is to do the authn in a reverse proxy in front of Fuseki. Set it up so Fuseki will only receive traffic from the reverse proxy.

There is more stuff out there for httpd or nginx.

To my understanding this would imply at least 2 mechanisms to authenticate: one to get access to our ontological database, another one for the other services.


It is quicker to ask questions than answer them.

Yes, I agree with that, and I am really happy to see your answer.
Thanks a lot for your time and all the work done on Jena.
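As an added example (not code from the thread, from Jena/Fuseki or from Keycloak), here is the auth check a reverse proxy in front of Fuseki could run to combine option 1 and Andy's suggestion: verify a bearer token from the IdP, map the group claims onto the three roles from the minimal form above (admin/editor/reader), decide whether the request may reach Fuseki, and forward the identity to it in headers. Everything beyond the three role names is an assumption made here: the token is HS256-signed with a shared secret (a Keycloak realm normally signs with RS256, which needs a crypto library), the groups arrive in a "groups" claim as Keycloak's group-membership mapper emits them, admin endpoints live under /$/, and the header names X-Forwarded-User and X-Forwarded-Roles are made up for the illustration. The secret and issuer URL in the block are constructed test values.

```python
"""Added example, not Jena/Fuseki or Keycloak code: the authorization
check a reverse proxy in front of Fuseki could perform on each request.

Assumptions (not stated in the thread): HS256 tokens with a shared secret,
group paths in a "groups" claim, admin endpoints under /$/, and the
X-Forwarded-User / X-Forwarded-Roles header names.
"""
import base64
import hashlib
import hmac
import json
import time

# The minimal AD/LDAP group -> role form from the thread.
GROUP_TO_ROLE = {
    "jena_admin_group": "admin",
    "jena_editor_group": "editor",
    "jena_reader_group": "reader",
}

# HTTP methods each role may use against a dataset (assumed policy).
ROLE_METHODS = {
    "reader": {"GET", "HEAD", "OPTIONS"},
    "editor": {"GET", "HEAD", "OPTIONS", "POST", "PUT", "PATCH", "DELETE"},
    "admin": {"GET", "HEAD", "OPTIONS", "POST", "PUT", "PATCH", "DELETE"},
}


def _b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_jwt(claims, secret):
    """Mint an HS256 token; stands in for the IdP so the example runs offline."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url_encode(sig)}"


def verify_jwt(token, secret, issuer, now=None):
    """Check algorithm, signature, issuer and expiry; return claims or raise ValueError."""
    try:
        header_b64, body_b64, sig_b64 = token.split(".")
    except ValueError:
        raise ValueError("malformed token")
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":
        # The verifier, not the token, decides the algorithm (blocks alg=none).
        raise ValueError("unexpected alg")
    expected = hmac.new(secret, f"{header_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(body_b64))
    if claims.get("iss") != issuer:
        raise ValueError("wrong issuer")
    now = time.time() if now is None else now
    if "exp" not in claims or now >= claims["exp"]:
        raise ValueError("token expired")
    return claims


def roles_for(claims, mapping=GROUP_TO_ROLE):
    """Map group paths such as "/jena_reader_group" onto Fuseki roles; unknown groups are ignored."""
    roles = set()
    for group in claims.get("groups", []):
        name = group.rsplit("/", 1)[-1]  # Keycloak emits group paths, possibly nested
        if name in mapping:
            roles.add(mapping[name])
    return roles


def authorize(method, path, roles):
    """Admin endpoints (/$/...) require admin; dataset endpoints follow ROLE_METHODS."""
    if path.startswith("/$/"):
        return "admin" in roles
    return any(method.upper() in ROLE_METHODS[r] for r in roles)


def auth_request(method, path, authorization, secret, issuer, now=None):
    """Return (status, headers to forward): 401 bad token, 403 no right, 200 pass through."""
    if not authorization.startswith("Bearer "):
        return 401, {}
    try:
        claims = verify_jwt(authorization[len("Bearer "):], secret, issuer, now)
    except ValueError:
        return 401, {}
    roles = roles_for(claims)
    if not authorize(method, path, roles):
        return 403, {}
    return 200, {"X-Forwarded-User": claims.get("preferred_username", ""),
                 "X-Forwarded-Roles": ",".join(sorted(roles))}


if __name__ == "__main__":
    secret = b"constructed-shared-secret"          # constructed test value
    issuer = "https://keycloak.example/realms/jena"  # constructed test value
    token = sign_jwt({"iss": issuer, "exp": time.time() + 300,
                      "preferred_username": "alice",
                      "groups": ["/jena_reader_group"]}, secret)
    print(auth_request("GET", "/ds/query", "Bearer " + token, secret, issuer))
    print(auth_request("POST", "/ds/update", "Bearer " + token, secret, issuer))
```

Fuseki must then trust those headers only because it is reachable solely from the proxy, which is why Andy's "only receive traffic from the reverse proxy" condition matters: if a client can reach Fuseki directly it can set X-Forwarded-Roles itself.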


