jena-commits mailing list archives

From build...@apache.org
Subject svn commit: r1000696 - in /websites/staging/jena/trunk/content: ./ documentation/permissions/example.html
Date Mon, 07 Nov 2016 22:59:35 GMT
Author: buildbot
Date: Mon Nov  7 22:59:35 2016
New Revision: 1000696

Log:
Staging update by buildbot for jena

Modified:
    websites/staging/jena/trunk/content/   (props changed)
    websites/staging/jena/trunk/content/documentation/permissions/example.html

Propchange: websites/staging/jena/trunk/content/
------------------------------------------------------------------------------
--- cms:source-revision (original)
+++ cms:source-revision Mon Nov  7 22:59:35 2016
@@ -1 +1 @@
-1768599
+1768605

Modified: websites/staging/jena/trunk/content/documentation/permissions/example.html
==============================================================================
--- websites/staging/jena/trunk/content/documentation/permissions/example.html (original)
+++ websites/staging/jena/trunk/content/documentation/permissions/example.html Mon Nov  7
22:59:35 2016
@@ -159,17 +159,17 @@ h2:hover > .headerlink, h3:hover > .head
 <p>The goal of this document is to add Jena Permissions to a fuseki deployment to restrict
access to graph data. This example will take the example application, deploy the data to a
fuseki instance and add the Jena Permissions to achieve the same access restrictions that
the example application has.</p>
 <p>To do this you will need a Fuseki installation, the Permissions Packages and a SecurityEvaluator
implementation. For this example we will use the SecurityEvaluator from the permissions-example.</p>
 <h2 id="set-up">Set up<a class="headerlink" href="#set-up" title="Permanent link">&para;</a></h2>
-<p>This example uses Fuseki 2.3.0, Permissions 3.0.0 and Apache Commons Collections
v4.</p>
+<p>This example uses Fuseki 2.3.0 or higher, Permissions 3.1.0 or higher and Apache
Commons Collections v4.</p>
 <p>Fuseki can be downloaded from:
-[https://repository.apache.org/content/repositories/snapshots/org/apache/jena/apache-jena-fuseki/]</p>
+[https://repository.apache.org/content/repositories/releases/org/apache/jena/apache-jena-fuseki/]</p>
 <p>Jena Permissions jars can be downloaded from:
-[https://repository.apache.org/content/repositories/snapshots/org/apache/jena/jena-permissions/]</p>
+[https://repository.apache.org/content/repositories/releases/org/apache/jena/jena-permissions/]</p>
 <ol>
 <li>
 <p>Download and unpack Fuseki. The directory that you unpack Fuseki into will be referred
to as the <code>Fuseki Home</code> directory for the remainder of this document.</p>
 </li>
 <li>
-<p>Download permissions 3.0.0 jar and 3.0.0 permissions-example jar.</p>
+<p>Download the permissions jar and the associated permissions-example jar.</p>
 </li>
 <li>
 <p>Copy the permissions jar and the permissions-example jar into the Fuseki Home directory.
For the rest of this document the permissions jar will be referred to as <code>permissions.jar</code>
and the permissions-example.jar as <code>example.jar</code></p>
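Review bot: Step 2 now reads only "Download the permissions jar and the associated permissions-example jar", and with the set-up line changed to "Permissions 3.1.0 or higher" nothing tells the reader that the two jars must be the same version as each other; suggest "Download the permissions jar and the permissions-example jar of the same version". Since both jars are copied into the Fuseki Home directory for the server to load, a sentence asking the reader to check the signature or checksum files published beside the jars in the releases repository would fit here. Separately, both download URLs are still emitted as literal text in square brackets inside the <p> elements rather than as links.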
@@ -186,8 +186,8 @@ Uncompress the <code>commons-collections
 <p>On *NIX edit fuseki-server script</p>
 <ol>
 <li>Comment out the line that reads <code>exec java  $JVM_ARGS -jar "$JAR" "$@"</code></li>
-<li>Uncomment the line that reads <code>\#\#   APPJAR=MyCode.jar</code></li>
-<li>Uncomment the line that reads <code>\#\#   java $JVM_ARGS -cp "$JAR:$APPJAR"
org.apache.jena.fuseki.cmd.FusekiCmd "$@"</code></li>
+<li>Uncomment the line that reads <code>##   APPJAR=MyCode.jar</code></li>
+<li>Uncomment the line that reads <code>##   java $JVM_ARGS -cp "$JAR:$APPJAR"
org.apache.jena.fuseki.cmd.FusekiCmd "$@"</code></li>
 <li>change <code>MyCode.jar</code> to <code>permissions.jar:example.jar:commons-collections*.jar</code></li>
 </ol>
 </li>
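Review bot: The unchanged last list item sets APPJAR to permissions.jar:example.jar:commons-collections*.jar, but that value is used inside the quoted -cp "$JAR:$APPJAR", so the shell does not expand the asterisk, and Java only expands a classpath entry that ends in a bare *. Suggest stating that the real commons-collections file name has to be substituted. The backslash removal in the two changed items is the right direction, since the text inside <code> has to match the script line exactly for the reader to find it.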
@@ -253,7 +253,7 @@ graph.</p>
 </pre></div>
 
 
-<p>Define the base model that contains the unsecured data.</p>
+<p>Define the base model that contains the unsecured data.  This can be any model type.
 For our example we use an in memory model that reads the exampl.ttl file.</p>
 <div class="codehilite"><pre><span class="n">my</span><span class="o">:</span><span
class="n">baseModel</span> <span class="n">rdf</span><span class="o">:</span><span
class="n">type</span> <span class="n">ja</span><span class="o">:</span><span
class="n">MemoryModel</span><span class="o">;</span>
     <span class="n">ja</span><span class="o">:</span><span class="n">content</span>
<span class="o">[</span><span class="n">ja</span><span class="o">:</span><span
class="n">externalContent</span> <span class="o">&lt;</span><span
class="n">file</span><span class="o">:./</span><span class="n">example</span><span
class="o">.</span><span class="na">ttl</span><span class="o">&gt;]</span>
     <span class="o">.</span>
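Review bot: The unchanged continuation line of this paragraph reads "the exampl.ttl file" while the configuration just below loads file:./example.ttl; since the paragraph is being edited anyway, correct the name to example.ttl. The added sentence also has a double space after the full stop, and "in memory model" would read better as "in-memory model".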
@@ -277,7 +277,8 @@ graph.</p>
 </pre></div>
 
 
-<p>Define the dataset that we will use for in the server.</p>
+<p>Define the dataset that we will use for in the server.  Note that in the example
dataset only contains the single secured model, adding multiple models and mising secured
and
+unsecured models is supported.</p>
 <div class="codehilite"><pre><span class="n">my</span><span class="o">:</span><span
class="n">securedDataset</span> <span class="n">rdf</span><span class="o">:</span><span
class="n">type</span> <span class="n">ja</span><span class="o">:</span><span
class="n">RDFDataset</span> <span class="o">;</span>
     <span class="n">ja</span><span class="o">:</span><span class="n">defaultGraph</span>
<span class="n">my</span><span class="o">:</span><span class="n">securedModel</span>
<span class="o">.</span>
 </pre></div>
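Review bot: The added sentence has a typo and a missing subject: "mising" should be "mixing", and "in the example dataset only contains" does not parse; suggest "Note that the example dataset contains only the single secured model; adding multiple models and mixing secured and unsecured models is supported." The opening "use for in the server" also keeps a stray "for". Because the page is about restricting access, it would help to say what protection, if any, applies to an unsecured model placed in the same dataset.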
@@ -305,6 +306,48 @@ graph.</p>
     <span class="n">fuseki</span><span class="o">:</span><span
class="n">dataset</span>                    <span class="n">my</span><span
class="o">:</span><span class="n">securedDataset</span> <span class="o">;</span>
 <span class="o">.</span>
 </pre></div>
+
+
+<h2 id="review-of-shiroexampleevaluator">Review of ShiroExampleEvaluator<a class="headerlink"
href="#review-of-shiroexampleevaluator" title="Permanent link">&para;</a></h2>
+<p>The ShiroExampleEvaluator uses triple level permissions to limit access to the "messages"
in the graph to only those people in the message is address to or from.
+It is connected to the Shiro system by the <code>getPrincipal()</code> implementation
where it simply calls the Shiro SecurityUtils.getSubject() method to return the current 
+shiro user.</p>
+<div class="codehilite"><pre><span class="cm">/**</span>
+<span class="cm"> * Return the Shiro subject.  This is the subject that Shiro currently
has logged in.</span>
+<span class="cm"> */</span>
+<span class="p">@</span><span class="n">Override</span>
+<span class="n">public</span> <span class="n">Object</span> <span
class="n">getPrincipal</span><span class="p">()</span> <span class="p">{</span>
+    <span class="k">return</span> <span class="n">SecurityUtils</span><span
class="p">.</span><span class="n">getSubject</span><span class="p">();</span>
+<span class="p">}</span>
+</pre></div>
+
+
+<p>This example allows any action on a graph as is seen in the <code>evaluate(Object
principal, Action action, Node graphIRI)</code> and <code>evaluateAny(Object principal,
Set&lt;Action&gt; actions, Node graphIRI)</code> methods.  This is the first
permissions check.  If you wish to restrict users from specific graphs this method should
be recoded to perform the check.</p>
+<div class="codehilite"><pre><span class="cm">/**</span>
+<span class="cm"> * We allow any action on the graph itself, so this is always true.</span>
+<span class="cm"> */</span>
+<span class="p">@</span><span class="n">Override</span>
+<span class="n">public</span> <span class="n">boolean</span> <span
class="n">evaluate</span><span class="p">(</span><span class="n">Object</span>
<span class="n">principal</span><span class="p">,</span> <span
class="n">Action</span> <span class="n">action</span><span class="p">,</span>
<span class="n">Node</span> <span class="n">graphIRI</span><span
class="p">)</span> <span class="p">{</span>
+    <span class="c1">// we allow any action on a graph.</span>
+    <span class="k">return</span> <span class="n">true</span><span
class="p">;</span>
+<span class="p">}</span>
+
+<span class="cm">/**</span>
+<span class="cm"> * As per our design, users can access any graph.  If we were to implement
rules that </span>
+<span class="cm"> * restricted user access to specific graphs, those checks would be
here and we would </span>
+<span class="cm"> * return &lt;code&gt;false&lt;/code&gt; if they were
not allowed to access the graph.  Note that this</span>
+<span class="cm"> * method is checking to see that the user may perform ANY of the
actions in the set on the</span>
+<span class="cm"> * graph.</span>
+<span class="cm"> */</span>
+<span class="p">@</span><span class="n">Override</span>
+<span class="n">public</span> <span class="n">boolean</span> <span
class="n">evaluateAny</span><span class="p">(</span><span class="n">Object</span>
<span class="n">principal</span><span class="p">,</span> <span
class="n">Set</span><span class="o">&lt;</span><span class="n">Action</span><span
class="o">&gt;</span> <span class="n">actions</span><span class="p">,</span>
<span class="n">Node</span> <span class="n">graphIRI</span><span
class="p">)</span> <span class="p">{</span>
+    <span class="k">return</span> <span class="n">true</span><span
class="p">;</span>
+<span class="p">}</span>
+</pre></div>
+
+
+<p>The other overridden methods are implemented using one of three (3) private methods
that evaluate if the user should have access to the data based on our security design.
+To implement your security design you should understand what each of the methods checks.
 See the <a href="../../javadoc/permissions/org/apache/jena/permissions/SecurityEvaluator.html">SecurityEvaluator</a>
javadocs.</p>
   </div>
 </div>
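Review bot: The paragraph introducing evaluate(...) and evaluateAny(...) ends with "this method should be recoded to perform the check", but two methods are named and both return true unconditionally; say "these methods" and note that they need to be changed together, otherwise a reader who restricts only one may leave the graph-level check open through the other. The getPrincipal() text should also say how an unauthenticated user is treated, because SecurityUtils.getSubject() returns a Subject whether or not anyone has logged in, and the section never shows where authentication is tested. The closing paragraph relies on "three (3) private methods" without naming them, although they carry the triple-level restriction; name them or show one. Wording: "those people in the message is address to or from" should read "the people the message is addressed to or from", and "shiro user" should be "Shiro user".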
 


