jena-commits mailing list archives

From a...@apache.org
Subject jena git commit: Convert jena-permission examples (security -> permissions). Reenable module.
Date Sun, 26 Apr 2015 10:02:40 GMT
Repository: jena
Updated Branches:
  refs/heads/master 8e8eff094 -> c32457df2


Convert jena-permission examples (security -> permissions). Reenable module.


Project: http://git-wip-us.apache.org/repos/asf/jena/repo
Commit: http://git-wip-us.apache.org/repos/asf/jena/commit/c32457df
Tree: http://git-wip-us.apache.org/repos/asf/jena/tree/c32457df
Diff: http://git-wip-us.apache.org/repos/asf/jena/diff/c32457df

Branch: refs/heads/master
Commit: c32457df2f1325e812b0fc95423ee2f5e6de15a0
Parents: 8e8eff0
Author: Andy Seaborne <andy@apache.org>
Authored: Sun Apr 26 11:02:20 2015 +0100
Committer: Andy Seaborne <andy@apache.org>
Committed: Sun Apr 26 11:02:20 2015 +0100

----------------------------------------------------------------------
 .../permissions/example/ExampleEvaluator.java   | 147 ++++++++++++
 .../permissions/example/SecurityExample.java    |  93 ++++++++
 .../example/ShiroExampleEvaluator.java          | 235 +++++++++++++++++++
 .../jena/security/example/ExampleEvaluator.java | 147 ------------
 .../jena/security/example/SecurityExample.java  |  93 --------
 .../security/example/ShiroExampleEvaluator.java | 235 -------------------
 pom.xml                                         |   2 +-
 7 files changed, 476 insertions(+), 476 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/jena/blob/c32457df/jena-permissions/src/example/java/org/apache/jena/permissions/example/ExampleEvaluator.java
----------------------------------------------------------------------
diff --git a/jena-permissions/src/example/java/org/apache/jena/permissions/example/ExampleEvaluator.java
b/jena-permissions/src/example/java/org/apache/jena/permissions/example/ExampleEvaluator.java
new file mode 100644
index 0000000..af57c47
--- /dev/null
+++ b/jena-permissions/src/example/java/org/apache/jena/permissions/example/ExampleEvaluator.java
@@ -0,0 +1,147 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ * 
+ * http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.jena.permissions.example;
+
+import java.security.Principal;
+import java.util.Set;
+
+import org.apache.http.auth.BasicUserPrincipal;
+import org.apache.jena.permissions.SecurityEvaluator;
+
+import org.apache.jena.graph.NodeFactory;
+import org.apache.jena.rdf.model.AnonId;
+import org.apache.jena.rdf.model.Model;
+import org.apache.jena.rdf.model.Property;
+import org.apache.jena.rdf.model.RDFNode;
+import org.apache.jena.rdf.model.Resource;
+import org.apache.jena.rdf.model.ResourceFactory;
+import org.apache.jena.vocabulary.RDF;
+
+/**
+ * An example evaluator that only provides access to messages in the graph that 
+ * are from or to the principal.
+ *
+ */
+public class ExampleEvaluator implements SecurityEvaluator {
+	
+	private Principal principal;
+	private Model model;
+	private RDFNode msgType = ResourceFactory.createResource( "http://example.com/msg" );
+	private Property pTo = ResourceFactory.createProperty( "http://example.com/to" );
+	private Property pFrom = ResourceFactory.createProperty( "http://example.com/from" );
+	
+	/**
+	 * 
+	 * @param model The graph we are going to evaluate against.
+	 */
+	public ExampleEvaluator( Model model )
+	{
+		this.model = model;
+	}
+	
+	@Override
+	public boolean evaluate(Object principal, Action action, SecNode graphIRI) {
+		// we allow any action on a graph.
+		return true;
+	}
+
+	private boolean evaluate( Object principalObj, Resource r )
+	{
+		Principal principal = (Principal)principalObj;
+		// a message is only available to sender or recipient
+		if (r.hasProperty( RDF.type, msgType ))
+		{
+			return r.hasProperty( pTo, principal.getName() ) ||
+					r.hasProperty( pFrom, principal.getName());
+		}
+		return true;	
+	}
+	
+	private boolean evaluate( Object principal, SecNode node )
+	{
+		if (node.equals( SecNode.ANY )) {
+			return false;  // all wild cards are false
+		}
+		
+		if (node.getType().equals( SecNode.Type.URI)) {
+			Resource r = model.createResource( node.getValue() );
+			return evaluate( principal, r );
+		}
+		else if (node.getType().equals( SecNode.Type.Anonymous)) {
+			Resource r = model.getRDFNode( NodeFactory.createAnon( new AnonId( node.getValue()) )
).asResource();
+			return evaluate( principal, r );
+		}
+		else
+		{
+			return true;
+		}
+
+	}
+	
+	private boolean evaluate( Object principal, SecTriple triple ) {
+		return evaluate( principal, triple.getSubject()) &&
+				evaluate( principal, triple.getObject()) &&
+				evaluate( principal, triple.getPredicate());
+	}
+	
+	@Override
+	public boolean evaluate(Object principal, Action action, SecNode graphIRI, SecTriple triple)
{
+		return evaluate( principal, triple );
+	}
+
+	@Override
+	public boolean evaluate(Object principal, Set<Action> actions, SecNode graphIRI) {
+		return true;
+	}
+
+	@Override
+	public boolean evaluate(Object principal, Set<Action> actions, SecNode graphIRI,
+			SecTriple triple) {
+		return evaluate( principal, triple );
+	}
+
+	@Override
+	public boolean evaluateAny(Object principal, Set<Action> actions, SecNode graphIRI)
{
+		return true;
+	}
+
+	@Override
+	public boolean evaluateAny(Object principal, Set<Action> actions, SecNode graphIRI,
+			SecTriple triple) {
+		return evaluate( principal, triple );
+	}
+
+	@Override
+	public boolean evaluateUpdate(Object principal, SecNode graphIRI, SecTriple from, SecTriple
to) {
+		return evaluate( principal, from ) && evaluate( principal, to );
+	}
+
+	public void setPrincipal( String userName )
+	{
+		if (userName == null)
+		{
+			principal = null;
+		}
+		principal = new BasicUserPrincipal( userName );
+	}
+	@Override
+	public Principal getPrincipal() {
+		return principal;
+	}
+
+}
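Review bot: `setPrincipal` sets `principal = null` for a null user name and then falls through to `principal = new BasicUserPrincipal( userName );`, so the null branch has no effect and the null name still reaches the constructor (which, as far as I recall, rejects null). Add `return;` inside the null branch, or put the second assignment in an `else`. Relatedly, the private `evaluate( Object principalObj, Resource r )` calls `principal.getName()` with no null check. If the framework passes in whatever `getPrincipal()` returns, an evaluator with no principal set throws NullPointerException instead of denying access to message resources. A guard such as `if (principal == null) return false;` at the top of the message branch would make the example fail closed.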

http://git-wip-us.apache.org/repos/asf/jena/blob/c32457df/jena-permissions/src/example/java/org/apache/jena/permissions/example/SecurityExample.java
----------------------------------------------------------------------
diff --git a/jena-permissions/src/example/java/org/apache/jena/permissions/example/SecurityExample.java
b/jena-permissions/src/example/java/org/apache/jena/permissions/example/SecurityExample.java
new file mode 100644
index 0000000..a6f9e63
--- /dev/null
+++ b/jena-permissions/src/example/java/org/apache/jena/permissions/example/SecurityExample.java
@@ -0,0 +1,93 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ * 
+ * http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.jena.permissions.example;
+
+import java.net.URL;
+
+import org.apache.jena.permissions.Factory;
+
+import org.apache.jena.rdf.model.Model;
+import org.apache.jena.rdf.model.ModelFactory;
+import org.apache.jena.rdf.model.Property;
+import org.apache.jena.rdf.model.RDFNode;
+import org.apache.jena.rdf.model.ResIterator;
+import org.apache.jena.rdf.model.Resource;
+import org.apache.jena.rdf.model.ResourceFactory;
+import org.apache.jena.rdf.model.Statement;
+import org.apache.jena.vocabulary.RDF;
+
+public class SecurityExample {
+
+	/**
+	 * @param args
+	 */
+
+	public static void main(String[] args) {
+		String[] names = { "alice", "bob", "chuck", "darla" };
+
+		RDFNode msgType = ResourceFactory
+				.createResource("http://example.com/msg");
+		Property pTo = ResourceFactory.createProperty("http://example.com/to");
+		Property pFrom = ResourceFactory
+				.createProperty("http://example.com/from");
+		Property pSubj = ResourceFactory
+				.createProperty("http://example.com/subj");
+
+		Model model = ModelFactory.createDefaultModel();
+		URL url = SecurityExample.class.getClassLoader().getResource(
+				"org/apache/jena/security/example/example.ttl");
+		model.read(url.toExternalForm());
+		ResIterator ri = model.listSubjectsWithProperty(RDF.type, msgType);
+		System.out.println("All the messages");
+		while (ri.hasNext()) {
+			Resource msg = ri.next();
+			Statement to = msg.getProperty(pTo);
+			Statement from = msg.getProperty(pFrom);
+			Statement subj = msg.getProperty(pSubj);
+			System.out.println(String.format("%s to: %s  from: %s  subj: %s",
+					msg, to.getObject(), from.getObject(), subj.getObject()));
+		}
+		System.out.println();
+
+		ExampleEvaluator evaluator = new ExampleEvaluator(model);
+		model = Factory.getInstance(evaluator,
+				"http://example.com/SecuredModel", model);
+		for (String userName : names) {
+			evaluator.setPrincipal(userName);
+
+			System.out.println("Messages " + userName + " can manipulate");
+			ri = model.listSubjectsWithProperty(RDF.type, msgType);
+			while (ri.hasNext()) {
+				Resource msg = ri.next();
+				Statement to = msg.getProperty(pTo);
+				Statement from = msg.getProperty(pFrom);
+				Statement subj = msg.getProperty(pSubj);
+				System.out.println(String.format(
+						"%s to: %s  from: %s  subj: %s", msg, to.getObject(),
+						from.getObject(), subj.getObject()));
+			}
+			ri.close();
+			for (String name : names)
+			{
+				System.out.println( String.format( "%s messages to %s", model.listSubjectsWithProperty(
pTo, name ).toList().size(), name ) );
+			}
+			System.out.println();
+		}
+	}
+
+}
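Review bot: The classpath lookup in `main` still names `org/apache/jena/security/example/example.ttl` although the class now lives in `org.apache.jena.permissions.example`. The diffstat lists no resource file being moved, so the lookup probably still resolves today, but it will fail once the resource follows the package rename. `getResource` returns null for a missing resource and `url.toExternalForm()` then throws a bare NullPointerException; a guard such as `if (url == null) throw new IllegalStateException("example.ttl not found on classpath");` makes the cause explicit. The first `ResIterator` (the "All the messages" loop) is also never closed, unlike the one in the per-user loop, which calls `ri.close();`.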

http://git-wip-us.apache.org/repos/asf/jena/blob/c32457df/jena-permissions/src/example/java/org/apache/jena/permissions/example/ShiroExampleEvaluator.java
----------------------------------------------------------------------
diff --git a/jena-permissions/src/example/java/org/apache/jena/permissions/example/ShiroExampleEvaluator.java
b/jena-permissions/src/example/java/org/apache/jena/permissions/example/ShiroExampleEvaluator.java
new file mode 100644
index 0000000..4ccc117
--- /dev/null
+++ b/jena-permissions/src/example/java/org/apache/jena/permissions/example/ShiroExampleEvaluator.java
@@ -0,0 +1,235 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ * 
+ * http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.jena.permissions.example;
+
+import java.util.Set;
+
+import org.apache.jena.permissions.SecurityEvaluator;
+import org.apache.shiro.SecurityUtils;
+import org.apache.shiro.subject.Subject;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+import org.apache.jena.graph.NodeFactory;
+import org.apache.jena.rdf.model.AnonId;
+import org.apache.jena.rdf.model.Model;
+import org.apache.jena.rdf.model.Property;
+import org.apache.jena.rdf.model.RDFNode;
+import org.apache.jena.rdf.model.Resource;
+import org.apache.jena.rdf.model.ResourceFactory;
+import org.apache.jena.vocabulary.RDF;
+
+/**
+ * Class to use Shiro to provide credentials.
+ * 
+ * An example evaluator that only provides access to messages in the graph that 
+ * are from or to the principal.
+ *
+ */
+public class ShiroExampleEvaluator implements SecurityEvaluator {
+
+	private static final Logger LOG = LoggerFactory.getLogger(ShiroExampleEvaluator.class);
+	// the model that contains the messages.
+	private Model model;
+	private RDFNode msgType = ResourceFactory.createResource( "http://example.com/msg" );
+	private Property pTo = ResourceFactory.createProperty( "http://example.com/to" );
+	private Property pFrom = ResourceFactory.createProperty( "http://example.com/from" );
+	
+	/**
+	 * 
+	 * @param model The graph we are going to evaluate against.
+	 */
+	public ShiroExampleEvaluator( Model model )
+	{
+		this.model = model;
+	}
+	
+	/**
+	 * We allow any action on the graph itself, so this is always true.
+	 */
+	@Override
+	public boolean evaluate(Object principal, Action action, SecNode graphIRI) {
+		// we allow any action on a graph.
+		return true;
+	}
+
+	/**
+	 * This is our internal check to see if the user may access the resource.
+	 * This method is called from the evauate(Object,SecNode) method.
+	 * A user may only access the resource if they are authenticated, and are either the
+	 * sender or the recipient.
+	 * Additionally the admin can always see the messages.
+	 * @param principalObj
+	 * @param r
+	 * @return
+	 */
+	private boolean evaluate( Object principalObj, Resource r )
+	{
+		// cast to the Subject because we know that it comes from Shiro and that
+		// our getPrincipal() method returns a Subject.
+		Subject subject = (Subject)principalObj;
+		if (! subject.isAuthenticated())
+		{
+			LOG.info( "User not authenticated");
+			return false;
+		}
+		// a message is only available to sender or recipient
+		LOG.debug( "checking {}", subject.getPrincipal());
+		Object principal = subject.getPrincipal();
+		
+		// We put the admin check here but it could have been done much earlier.
+		if ("admin".equals(principal.toString()))
+		{
+			return true;
+		}
+		// if we are looking at a message object then check the restrictions.
+		if (r.hasProperty( RDF.type, msgType ))
+		{
+			return r.hasProperty( pTo, subject.getPrincipal().toString() ) ||
+					r.hasProperty( pFrom, subject.getPrincipal().toString());
+		}
+		// otherwise user can see the object.
+		return true;	
+	}
+	
+	/**
+	 * Check that the user can see a specific node.
+	 * @param principal
+	 * @param node
+	 * @return
+	 */
+	private boolean evaluate( Object principal, SecNode node )
+	{
+		// Access to wild card is false -- this forces checks to the acutal nodes
+		// to be returned.
+		// we could have checked for admin access here and returned true since the admin
+		// can see any node.
+		if (node.equals( SecNode.ANY )) {
+			return false;  
+		}
+		
+		// URI nodes are retrieved from the model and evaluated
+		if (node.getType().equals( SecNode.Type.URI)) {
+			Resource r = model.createResource( node.getValue() );
+			return evaluate( principal, r );
+		}
+		// anonymous nodes have to be retrieved from the model as anonymous nodes.
+		else if (node.getType().equals( SecNode.Type.Anonymous)) {
+			Resource r = model.getRDFNode( NodeFactory.createAnon( new AnonId( node.getValue()) )
).asResource();
+			return evaluate( principal, r );
+		}
+		// anything else (literals) can be seen.
+		else
+		{
+			return true;
+		}
+
+	}
+	
+	/**
+	 * Evaluate if the user can see the triple.
+	 * @param principal
+	 * @param triple
+	 * @return
+	 */
+	private boolean evaluate( Object principal, SecTriple triple ) {
+		// we could have checked here to see if the principal was the admin and 
+		// just returned true since the admin can perform any operation on any triple.
+		return evaluate( principal, triple.getSubject()) &&
+				evaluate( principal, triple.getObject()) &&
+				evaluate( principal, triple.getPredicate());
+	}
+	
+	/**
+	 * As per our design, users can do anything with triples they have access to, so we just
+	 * ignore the action parameter.  If we were to implement rules restricted access based 
+	 * upon action this method would sort those out appropriately.
+	 */
+	@Override
+	public boolean evaluate(Object principal, Action action, SecNode graphIRI, SecTriple triple)
{
+		// we could have checked here to see if the principal was the admin and 
+		// just returned true since the admin can perform any operation on any triple.
+		return evaluate( principal, triple );
+	}
+
+	/**
+	 * As per our design, users can access any graph.  If we were to implement rules that 
+	 * restricted user access to specific graphs, those checks would be here and we would 
+	 * return <code>false</code> if they were not allowed to access the graph. 
Note that this
+	 * method is checking to see that the user may perform ALL the actions in the set on the
+	 * graph.
+	 */
+	@Override
+	public boolean evaluate(Object principal, Set<Action> actions, SecNode graphIRI) {
+		return true;
+	}
+
+	/**
+	 * As per our design, users can access any triple from a message that is from or to them.
 
+	 * Since we don't have restrictions on actions this is no different then checking access
+	 * for a single action.
+	 */
+	@Override
+	public boolean evaluate(Object principal, Set<Action> actions, SecNode graphIRI,
+			SecTriple triple) {
+		return evaluate( principal, triple );
+	}
+
+	/**
+	 * As per our design, users can access any graph.  If we were to implement rules that 
+	 * restricted user access to specific graphs, those checks would be here and we would 
+	 * return <code>false</code> if they were not allowed to access the graph. 
Note that this
+	 * method is checking to see that the user may perform ANY of the actions in the set on
the
+	 * graph.
+	 */
+	@Override
+	public boolean evaluateAny(Object principal, Set<Action> actions, SecNode graphIRI)
{
+		return true;
+	}
+
+	/**
+	 * As per our design, users can access any triple from a message that is from or to them.
 
+	 * Since we don't have restrictions on actions this is no different then checking access
+	 * for a single action.
+	 */
+	@Override
+	public boolean evaluateAny(Object principal, Set<Action> actions, SecNode graphIRI,
+			SecTriple triple) {
+		return evaluate( principal, triple );
+	}
+
+	/**
+	 * As per our design, users can access any triple from a message that is from or to them.
 
+	 * So for an update they can only change triples they have access to into other triples

+	 * they have access to. (e.g. they can not remvoe themself from the messsage). 
+	 */
+	@Override
+	public boolean evaluateUpdate(Object principal, SecNode graphIRI, SecTriple from, SecTriple
to) {
+		return evaluate( principal, from ) && evaluate( principal, to );
+	}
+
+	/**
+	 * Return the Shiro subject.  This is the subject that Shiro currently has logged in.
+	 */
+	@Override
+	public Object getPrincipal() {
+		return SecurityUtils.getSubject();
+	}
+
+
+}
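Review bot: The admin bypass in `evaluate( Object principalObj, Resource r )` compares `principal.toString()` with the literal `"admin"`, which ties the privilege to an account name and to whatever string form the realm's principal type happens to produce. Since this class exists to demonstrate Shiro integration, a role check such as `if (subject.hasRole("admin"))` would express the intent and keep the decision in the realm configuration; this assumes the example's realm defines such a role, which is not visible in this diff. The two graph-level methods `evaluate(Object, Action, SecNode)` and `evaluate(Object, Set<Action>, SecNode)` return `true` without consulting `isAuthenticated()`. That deserves a comment stating it is deliberate and that protection rests entirely on the triple-level checks. The Javadoc also has a few typos (`evauate`, `acutal`, `remvoe themself from the messsage`) that could be fixed while the file is being moved.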

http://git-wip-us.apache.org/repos/asf/jena/blob/c32457df/jena-permissions/src/example/java/org/apache/jena/security/example/ExampleEvaluator.java
----------------------------------------------------------------------
diff --git a/jena-permissions/src/example/java/org/apache/jena/security/example/ExampleEvaluator.java
b/jena-permissions/src/example/java/org/apache/jena/security/example/ExampleEvaluator.java
deleted file mode 100644
index 3ed244e..0000000
--- a/jena-permissions/src/example/java/org/apache/jena/security/example/ExampleEvaluator.java
+++ /dev/null
@@ -1,147 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- * 
- * http://www.apache.org/licenses/LICENSE-2.0
- * 
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package org.apache.jena.security.example;
-
-import java.security.Principal;
-import java.util.Set;
-
-import org.apache.http.auth.BasicUserPrincipal;
-import org.apache.jena.security.SecurityEvaluator;
-
-import org.apache.jena.graph.NodeFactory;
-import org.apache.jena.rdf.model.AnonId;
-import org.apache.jena.rdf.model.Model;
-import org.apache.jena.rdf.model.Property;
-import org.apache.jena.rdf.model.RDFNode;
-import org.apache.jena.rdf.model.Resource;
-import org.apache.jena.rdf.model.ResourceFactory;
-import org.apache.jena.vocabulary.RDF;
-
-/**
- * An example evaluator that only provides access to messages in the graph that 
- * are from or to the principal.
- *
- */
-public class ExampleEvaluator implements SecurityEvaluator {
-	
-	private Principal principal;
-	private Model model;
-	private RDFNode msgType = ResourceFactory.createResource( "http://example.com/msg" );
-	private Property pTo = ResourceFactory.createProperty( "http://example.com/to" );
-	private Property pFrom = ResourceFactory.createProperty( "http://example.com/from" );
-	
-	/**
-	 * 
-	 * @param model The graph we are going to evaluate against.
-	 */
-	public ExampleEvaluator( Model model )
-	{
-		this.model = model;
-	}
-	
-	@Override
-	public boolean evaluate(Object principal, Action action, SecNode graphIRI) {
-		// we allow any action on a graph.
-		return true;
-	}
-
-	private boolean evaluate( Object principalObj, Resource r )
-	{
-		Principal principal = (Principal)principalObj;
-		// a message is only available to sender or recipient
-		if (r.hasProperty( RDF.type, msgType ))
-		{
-			return r.hasProperty( pTo, principal.getName() ) ||
-					r.hasProperty( pFrom, principal.getName());
-		}
-		return true;	
-	}
-	
-	private boolean evaluate( Object principal, SecNode node )
-	{
-		if (node.equals( SecNode.ANY )) {
-			return false;  // all wild cards are false
-		}
-		
-		if (node.getType().equals( SecNode.Type.URI)) {
-			Resource r = model.createResource( node.getValue() );
-			return evaluate( principal, r );
-		}
-		else if (node.getType().equals( SecNode.Type.Anonymous)) {
-			Resource r = model.getRDFNode( NodeFactory.createAnon( new AnonId( node.getValue()) )
).asResource();
-			return evaluate( principal, r );
-		}
-		else
-		{
-			return true;
-		}
-
-	}
-	
-	private boolean evaluate( Object principal, SecTriple triple ) {
-		return evaluate( principal, triple.getSubject()) &&
-				evaluate( principal, triple.getObject()) &&
-				evaluate( principal, triple.getPredicate());
-	}
-	
-	@Override
-	public boolean evaluate(Object principal, Action action, SecNode graphIRI, SecTriple triple)
{
-		return evaluate( principal, triple );
-	}
-
-	@Override
-	public boolean evaluate(Object principal, Set<Action> actions, SecNode graphIRI) {
-		return true;
-	}
-
-	@Override
-	public boolean evaluate(Object principal, Set<Action> actions, SecNode graphIRI,
-			SecTriple triple) {
-		return evaluate( principal, triple );
-	}
-
-	@Override
-	public boolean evaluateAny(Object principal, Set<Action> actions, SecNode graphIRI)
{
-		return true;
-	}
-
-	@Override
-	public boolean evaluateAny(Object principal, Set<Action> actions, SecNode graphIRI,
-			SecTriple triple) {
-		return evaluate( principal, triple );
-	}
-
-	@Override
-	public boolean evaluateUpdate(Object principal, SecNode graphIRI, SecTriple from, SecTriple
to) {
-		return evaluate( principal, from ) && evaluate( principal, to );
-	}
-
-	public void setPrincipal( String userName )
-	{
-		if (userName == null)
-		{
-			principal = null;
-		}
-		principal = new BasicUserPrincipal( userName );
-	}
-	@Override
-	public Principal getPrincipal() {
-		return principal;
-	}
-
-}

http://git-wip-us.apache.org/repos/asf/jena/blob/c32457df/jena-permissions/src/example/java/org/apache/jena/security/example/SecurityExample.java
----------------------------------------------------------------------
diff --git a/jena-permissions/src/example/java/org/apache/jena/security/example/SecurityExample.java
b/jena-permissions/src/example/java/org/apache/jena/security/example/SecurityExample.java
deleted file mode 100644
index 0b7e0d9..0000000
--- a/jena-permissions/src/example/java/org/apache/jena/security/example/SecurityExample.java
+++ /dev/null
@@ -1,93 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- * 
- * http://www.apache.org/licenses/LICENSE-2.0
- * 
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package org.apache.jena.security.example;
-
-import java.net.URL;
-
-import org.apache.jena.security.Factory;
-
-import org.apache.jena.rdf.model.Model;
-import org.apache.jena.rdf.model.ModelFactory;
-import org.apache.jena.rdf.model.Property;
-import org.apache.jena.rdf.model.RDFNode;
-import org.apache.jena.rdf.model.ResIterator;
-import org.apache.jena.rdf.model.Resource;
-import org.apache.jena.rdf.model.ResourceFactory;
-import org.apache.jena.rdf.model.Statement;
-import org.apache.jena.vocabulary.RDF;
-
-public class SecurityExample {
-
-	/**
-	 * @param args
-	 */
-
-	public static void main(String[] args) {
-		String[] names = { "alice", "bob", "chuck", "darla" };
-
-		RDFNode msgType = ResourceFactory
-				.createResource("http://example.com/msg");
-		Property pTo = ResourceFactory.createProperty("http://example.com/to");
-		Property pFrom = ResourceFactory
-				.createProperty("http://example.com/from");
-		Property pSubj = ResourceFactory
-				.createProperty("http://example.com/subj");
-
-		Model model = ModelFactory.createDefaultModel();
-		URL url = SecurityExample.class.getClassLoader().getResource(
-				"org/apache/jena/security/example/example.ttl");
-		model.read(url.toExternalForm());
-		ResIterator ri = model.listSubjectsWithProperty(RDF.type, msgType);
-		System.out.println("All the messages");
-		while (ri.hasNext()) {
-			Resource msg = ri.next();
-			Statement to = msg.getProperty(pTo);
-			Statement from = msg.getProperty(pFrom);
-			Statement subj = msg.getProperty(pSubj);
-			System.out.println(String.format("%s to: %s  from: %s  subj: %s",
-					msg, to.getObject(), from.getObject(), subj.getObject()));
-		}
-		System.out.println();
-
-		ExampleEvaluator evaluator = new ExampleEvaluator(model);
-		model = Factory.getInstance(evaluator,
-				"http://example.com/SecuredModel", model);
-		for (String userName : names) {
-			evaluator.setPrincipal(userName);
-
-			System.out.println("Messages " + userName + " can manipulate");
-			ri = model.listSubjectsWithProperty(RDF.type, msgType);
-			while (ri.hasNext()) {
-				Resource msg = ri.next();
-				Statement to = msg.getProperty(pTo);
-				Statement from = msg.getProperty(pFrom);
-				Statement subj = msg.getProperty(pSubj);
-				System.out.println(String.format(
-						"%s to: %s  from: %s  subj: %s", msg, to.getObject(),
-						from.getObject(), subj.getObject()));
-			}
-			ri.close();
-			for (String name : names)
-			{
-				System.out.println( String.format( "%s messages to %s", model.listSubjectsWithProperty(
pTo, name ).toList().size(), name ) );
-			}
-			System.out.println();
-		}
-	}
-
-}

http://git-wip-us.apache.org/repos/asf/jena/blob/c32457df/jena-permissions/src/example/java/org/apache/jena/security/example/ShiroExampleEvaluator.java
----------------------------------------------------------------------
diff --git a/jena-permissions/src/example/java/org/apache/jena/security/example/ShiroExampleEvaluator.java
b/jena-permissions/src/example/java/org/apache/jena/security/example/ShiroExampleEvaluator.java
deleted file mode 100644
index a1eedef..0000000
--- a/jena-permissions/src/example/java/org/apache/jena/security/example/ShiroExampleEvaluator.java
+++ /dev/null
@@ -1,235 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- * 
- * http://www.apache.org/licenses/LICENSE-2.0
- * 
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package org.apache.jena.security.example;
-
-import java.util.Set;
-
-import org.apache.jena.security.SecurityEvaluator;
-import org.apache.shiro.SecurityUtils;
-import org.apache.shiro.subject.Subject;
-import org.slf4j.Logger;
-import org.slf4j.LoggerFactory;
-
-import org.apache.jena.graph.NodeFactory;
-import org.apache.jena.rdf.model.AnonId;
-import org.apache.jena.rdf.model.Model;
-import org.apache.jena.rdf.model.Property;
-import org.apache.jena.rdf.model.RDFNode;
-import org.apache.jena.rdf.model.Resource;
-import org.apache.jena.rdf.model.ResourceFactory;
-import org.apache.jena.vocabulary.RDF;
-
-/**
- * Class to use Shiro to provide credentials.
- * 
- * An example evaluator that only provides access to messages in the graph that 
- * are from or to the principal.
- *
- */
-public class ShiroExampleEvaluator implements SecurityEvaluator {
-
-	private static final Logger LOG = LoggerFactory.getLogger(ShiroExampleEvaluator.class);
-	// the model that contains the messages.
-	private Model model;
-	private RDFNode msgType = ResourceFactory.createResource( "http://example.com/msg" );
-	private Property pTo = ResourceFactory.createProperty( "http://example.com/to" );
-	private Property pFrom = ResourceFactory.createProperty( "http://example.com/from" );
-	
-	/**
-	 * 
-	 * @param model The graph we are going to evaluate against.
-	 */
-	public ShiroExampleEvaluator( Model model )
-	{
-		this.model = model;
-	}
-	
-	/**
-	 * We allow any action on the graph itself, so this is always true.
-	 */
-	@Override
-	public boolean evaluate(Object principal, Action action, SecNode graphIRI) {
-		// we allow any action on a graph.
-		return true;
-	}
-
-	/**
-	 * This is our internal check to see if the user may access the resource.
-	 * This method is called from the evauate(Object,SecNode) method.
-	 * A user may only access the resource if they are authenticated, and are either the
-	 * sender or the recipient.
-	 * Additionally the admin can always see the messages.
-	 * @param principalObj
-	 * @param r
-	 * @return
-	 */
-	private boolean evaluate( Object principalObj, Resource r )
-	{
-		// cast to the Subject because we know that it comes from Shiro and that
-		// our getPrincipal() method returns a Subject.
-		Subject subject = (Subject)principalObj;
-		if (! subject.isAuthenticated())
-		{
-			LOG.info( "User not authenticated");
-			return false;
-		}
-		// a message is only available to sender or recipient
-		LOG.debug( "checking {}", subject.getPrincipal());
-		Object principal = subject.getPrincipal();
-		
-		// We put the admin check here but it could have been done much earlier.
-		if ("admin".equals(principal.toString()))
-		{
-			return true;
-		}
-		// if we are looking at a message object then check the restrictions.
-		if (r.hasProperty( RDF.type, msgType ))
-		{
-			return r.hasProperty( pTo, subject.getPrincipal().toString() ) ||
-					r.hasProperty( pFrom, subject.getPrincipal().toString());
-		}
-		// otherwise user can see the object.
-		return true;	
-	}
-	
-	/**
-	 * Check that the user can see a specific node.
-	 * @param principal
-	 * @param node
-	 * @return
-	 */
-	private boolean evaluate( Object principal, SecNode node )
-	{
-		// Access to wild card is false -- this forces checks to the acutal nodes
-		// to be returned.
-		// we could have checked for admin access here and returned true since the admin
-		// can see any node.
-		if (node.equals( SecNode.ANY )) {
-			return false;  
-		}
-		
-		// URI nodes are retrieved from the model and evaluated
-		if (node.getType().equals( SecNode.Type.URI)) {
-			Resource r = model.createResource( node.getValue() );
-			return evaluate( principal, r );
-		}
-		// anonymous nodes have to be retrieved from the model as anonymous nodes.
-		else if (node.getType().equals( SecNode.Type.Anonymous)) {
-			Resource r = model.getRDFNode( NodeFactory.createAnon( new AnonId( node.getValue()) )
).asResource();
-			return evaluate( principal, r );
-		}
-		// anything else (literals) can be seen.
-		else
-		{
-			return true;
-		}
-
-	}
-	
-	/**
-	 * Evaluate if the user can see the triple.
-	 * @param principal
-	 * @param triple
-	 * @return
-	 */
-	private boolean evaluate( Object principal, SecTriple triple ) {
-		// we could have checked here to see if the principal was the admin and 
-		// just returned true since the admin can perform any operation on any triple.
-		return evaluate( principal, triple.getSubject()) &&
-				evaluate( principal, triple.getObject()) &&
-				evaluate( principal, triple.getPredicate());
-	}
-	
-	/**
-	 * As per our design, users can do anything with triples they have access to, so we just
-	 * ignore the action parameter.  If we were to implement rules restricted access based 
-	 * upon action this method would sort those out appropriately.
-	 */
-	@Override
-	public boolean evaluate(Object principal, Action action, SecNode graphIRI, SecTriple triple)
{
-		// we could have checked here to see if the principal was the admin and 
-		// just returned true since the admin can perform any operation on any triple.
-		return evaluate( principal, triple );
-	}
-
-	/**
-	 * As per our design, users can access any graph.  If we were to implement rules that 
-	 * restricted user access to specific graphs, those checks would be here and we would 
-	 * return <code>false</code> if they were not allowed to access the graph. 
Note that this
-	 * method is checking to see that the user may perform ALL the actions in the set on the
-	 * graph.
-	 */
-	@Override
-	public boolean evaluate(Object principal, Set<Action> actions, SecNode graphIRI) {
-		return true;
-	}
-
-	/**
-	 * As per our design, users can access any triple from a message that is from or to them.
 
-	 * Since we don't have restrictions on actions this is no different then checking access
-	 * for a single action.
-	 */
-	@Override
-	public boolean evaluate(Object principal, Set<Action> actions, SecNode graphIRI,
-			SecTriple triple) {
-		return evaluate( principal, triple );
-	}
-
-	/**
-	 * As per our design, users can access any graph.  If we were to implement rules that 
-	 * restricted user access to specific graphs, those checks would be here and we would 
-	 * return <code>false</code> if they were not allowed to access the graph. 
Note that this
-	 * method is checking to see that the user may perform ANY of the actions in the set on
the
-	 * graph.
-	 */
-	@Override
-	public boolean evaluateAny(Object principal, Set<Action> actions, SecNode graphIRI)
{
-		return true;
-	}
-
-	/**
-	 * As per our design, users can access any triple from a message that is from or to them.
 
-	 * Since we don't have restrictions on actions this is no different then checking access
-	 * for a single action.
-	 */
-	@Override
-	public boolean evaluateAny(Object principal, Set<Action> actions, SecNode graphIRI,
-			SecTriple triple) {
-		return evaluate( principal, triple );
-	}
-
-	/**
-	 * As per our design, users can access any triple from a message that is from or to them.
 
-	 * So for an update they can only change triples they have access to into other triples

-	 * they have access to. (e.g. they can not remvoe themself from the messsage). 
-	 */
-	@Override
-	public boolean evaluateUpdate(Object principal, SecNode graphIRI, SecTriple from, SecTriple
to) {
-		return evaluate( principal, from ) && evaluate( principal, to );
-	}
-
-	/**
-	 * Return the Shiro subject.  This is the subject that Shiro currently has logged in.
-	 */
-	@Override
-	public Object getPrincipal() {
-		return SecurityUtils.getSubject();
-	}
-
-
-}

http://git-wip-us.apache.org/repos/asf/jena/blob/c32457df/pom.xml
----------------------------------------------------------------------
diff --git a/pom.xml b/pom.xml
index 9dce479..80c6b6c 100644
--- a/pom.xml
+++ b/pom.xml
@@ -74,7 +74,7 @@
         <!--<module>jena-fuseki1</module>-->
 	<module>jena-fuseki2</module>
 
-	<!-- <module>jena-permissions</module> Lots of output and warnings -->
+	<module>jena-permissions</module>
 
         <!-- Slow to build - exclude from dev build -->
         <!-- <module>jena-jdbc</module>           -->
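Review bot: The re-enabled `<module>jena-permissions</module>` line drops the old comment's reason for excluding the module ("Lots of output and warnings"), and nothing in this hunk shows whether that noise was dealt with. If the module's tests still produce heavy output, a failing permission check is easy to overlook in a full reactor build, which matters for the module that implements access control. I would keep a short marker above the entry, for example `<!-- jena-permissions: re-enabled after security -> permissions rename; build output still to be quietened -->`, or drop the marker only once the warnings are confirmed gone.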

