jena-commits mailing list archives

From build...@apache.org
Subject svn commit: r1022557 - in /websites/staging/jena/trunk/content: ./ documentation/fuseki2/fuseki-security.html
Date Thu, 21 Dec 2017 15:26:13 GMT
Author: buildbot
Date: Thu Dec 21 15:26:13 2017
New Revision: 1022557

Log:
Staging update by buildbot for jena

Modified:
    websites/staging/jena/trunk/content/   (props changed)
    websites/staging/jena/trunk/content/documentation/fuseki2/fuseki-security.html

Propchange: websites/staging/jena/trunk/content/
------------------------------------------------------------------------------
--- cms:source-revision (original)
+++ cms:source-revision Thu Dec 21 15:26:13 2017
@@ -1 +1 @@
-1818499
+1818937

Modified: websites/staging/jena/trunk/content/documentation/fuseki2/fuseki-security.html
==============================================================================
--- websites/staging/jena/trunk/content/documentation/fuseki2/fuseki-security.html (original)
+++ websites/staging/jena/trunk/content/documentation/fuseki2/fuseki-security.html Thu Dec
21 15:26:13 2017
@@ -156,38 +156,43 @@
   visibility: hidden;
 }
 h2:hover > .headerlink, h3:hover > .headerlink, h1:hover > .headerlink, h6:hover
> .headerlink, h4:hover > .headerlink, h5:hover > .headerlink, dt:hover > .elementid-permalink
{ visibility: visible }</style>
-<p>Fuseki2 provides security by using 
-<a href="http://shiro.apache.org/">Apache Shiro</a>. This is controlled by a
-configuration file <code>shiro.ini</code> located at <code>$FUSEKI_BASE/shiro.ini</code>.
-If not found, the server initializes this with an preset initial
-configuration. This can then be replaced or edited as required. This file
+<p>Fuseki2 provides security by using  <a href="http://shiro.apache.org/">Apache
Shiro</a>.
+This is controlled by the configuration file <code>shiro.ini</code> located at
+<code>$FUSEKI_BASE/shiro.ini</code>. If not found, the server initializes with
a default
+configuration. This can then be replaced or edited as required. An existing file
 is never overwritten by the server.</p>
-<p>The default is that the SPARQL protocols are open but the administrative
-actions are limited to the localhost. "localhost" is determined by
-connecting using the <code>http://localhost:.../...</code>. It must be "localhost",
or
-<code>127.0.0.1</code> (IPv4), or <code>[::1]</code> (IPv6), not
the external IP address of the
-machine.</p>
-<p>Once shiro has been configured to perform user authentication it provides 
-a good foundation on which to implement the <a href="../permissions/">Jena Permissions</a>
-layer.  There is an <a href="../permissions/example.html">example implementation</a>

-documented in the Jena Permissions section.  The Jena Permissions layer can 
-be used to restrict access to specific graphs or triples within graphs.</p>
-<p>There is an example to enable simple user/password security; this is only
-suitable where the connection is secure, is shown <code>shiro.ini</code> file
with
-defaults user 'admin' and password 'pw'.  These should be changed before
-use.</p>
-<p>This has some use where the server is in a secure network environment with
-additional restrictions on external requests also applied.  behind a
-reverse proxy and the connection can have addition security (e.g. no access
-to URLs starting '/$/').</p>
-<p>The Apache Shiro website has documentation for creating more sophisticated
-setups.</p>
-<p>The security provided in Fuseki is not intended to replace existing
-mechanisms.  Security can also be given to a Fuseki server outside the
-server using <a href="http://httpd.apache.org/">Apache Httpd</a> or
-<a href="http://nginx.org/">Nginx</a> as a reverse proxy then limiting the fuseki
-server to only process requests from the local machine by controlling
-ports.</p>
+<p>In its default configuration, SPARQL endpoints are open to the public but
+administrative functions are limited to <code>localhost</code>. One can access
it via
+<code>http://localhost:.../...</code>. Or the according IPv4 or IPv6 address,
for example
+<code>127.0.0.1</code> (IPv4), or <code>[::1]</code> (IPv6). Access
from an external machine is not
+considered as localhost and thus restricted.</p>
+<p>Once Shiro has been configured to perform user authentication it provides  a
+good foundation on which the <a href="../permissions/">Jena Permissions</a> layer
can be
+configured. There is an <a href="../permissions/example.html">example implementation</a>
+documented in the Jena Permissions section. The Jena Permissions layer can be
+used to restrict access to specific graphs or triples within graphs.</p>
+<p>A simple example to enable basic user/password authentication is shown in the
+default <code>shiro.ini</code> configuration. The default admin user is <code>admin</code>
and the
+password is <code>pw</code>. This can be changed directly in the INI file. Note
that this
+setup is not recommended for production for various reasons  (no TLS, passwords
+in plain text etc.), consult the <a href="https://shiro.apache.org/configuration.html#Configuration-INISections">Shiro
+INI</a>
+documentation for best practices.</p>
+<p>As mentioned above, the default setup only restricts access to the admin pages
+of Fuseki. To avoid clashes with dataset names, the namespace of the admin
+interface starts with '/$/', consult the <a href="../fuseki2/fuseki-server-protocol.html">Fuseki
HTTP Administration Protocol
+</a> documentation for more details.</p>
+<p>If access to SPARQL endpoints should be restricted, additional <a href="https://shiro.apache.org/web.html#Web-WebINIconfiguration">Shiro
+ACLs</a> are necessary.
+This is done in the <code>[urls]</code> section of the configuration. As an example,
+restricting access to the <code>../query</code> SPARQL endpoint for all datasets
on Fuseki
+could be done with this wildcard pattern:</p>
+<p><code>/**/query = authcBasic,user[admin]</code></p>
+<p>Anonymous SPARQL queries would no longer be possible in this example.</p>
+<p>Again, please consult the <a href="https://shiro.apache.org/">Apache Shiro</a>
website for
+details and more sophisticated setups. The default configuration of Fuseki is
+kept simple but is <em>not</em> recommended for setups where sensitive data is
+provided.</p>
 <p>Changing the security setup requires a server restart.</p>
 <p>Contributions of more examples are very welcome.</p>
 <h2 id="examples">Examples<a class="headerlink" href="#examples" title="Permanent
link">&para;</a></h2>
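
Review bot: In the rewritten credentials paragraph ("The default admin user is admin and the password is pw. This can be changed directly in the INI file."), the old instruction that the defaults "should be changed before use" has been softened to "can be changed"; keep the imperative wording so a reader does not deploy with admin/pw. The [urls] example "/**/query = authcBasic,user[admin]" matches only the query endpoint, so the sentence "Anonymous SPARQL queries would no longer be possible in this example" should also state that any other dataset endpoint not matched by a pattern stays open, since the first paragraphs say the default leaves SPARQL endpoints public. The removed closing paragraph on placing Fuseki behind Apache Httpd or Nginx as a reverse proxy has no replacement, although the new text now names "no TLS" as a weakness of the basic setup; consider retaining that guidance. Minor: "Or the according IPv4 or IPv6 address, for example" is a sentence fragment and would read better joined to the preceding sentence.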


