VOS.VirtSPARQLSecurityWebIDSPARQLASKExample

Constraining Resource Access To Group Members

The following example demonstrates how a SPARQL ASK query, combined with Web-accessible Linked Data, can constrain access to a protected resource. Two resources are involved:

  • A protected resource accessible from a location on the Web via its URL.
  • A read-only resource accessible from a location on the Web that describes a Group and its membership.

Prerequisites

The following packages should be installed prior to performing this exercise:

1. Describe your group and its membership in a Turtle document, for instance as follows (other RDF serializations work as well; Turtle is used here for its simplicity):

  1. Group description using terms from the FOAF and RDFS vocabularies:

    @prefix rdfs: <http://www.w3.org/2000/01/rdf-schema#> .
    @prefix foaf: <http://xmlns.com/foaf/0.1/> .
    @prefix : <#> .

    <> foaf:topic :Group .
    <> rdfs:label "Social Semantics & ACLs Demo" .
    <> rdfs:comment "Members of this group provide the basis for a Resource Access Policy scoped to this group." .

    :Group a foaf:Group .
    :Group foaf:member <http://id.myopenlink.net/dataspace/person/kate#this> ,
                       <http://id.myopenlink.net/dataspace/person/john#this> .

  2. Once this document is published at http://web.ods.openlinksw.com/DAV/home/demo/Public/group.ttl, the relative name :Group resolves against the document URL, so <http://web.ods.openlinksw.com/DAV/home/demo/Public/group.ttl#Group> is the IRI that denotes the Group. That IRI is what the access policy below refers to.

2. Publish the group description as a Web document

Publish the Turtle document to a Web-accessible location using ODS Briefcase, as follows:

  1. Log in at http://web.ods.openlinksw.com/ods -> Sign In and enter your credentials:



  2. Go to Briefcase and navigate to its Public folder:



  3. Click "Create":



  4. In the presented form:
    1. Name the file that will hold your Group description, e.g. group.ttl
    2. Specify the file MIME type: text/turtle
    3. Paste the Turtle content from above into the editing space:



  5. Finally click "Create".
  6. Your file should be created and displayed in Briefcase's folder viewer:



    • Note: if you are not using the "Public" folder (which is publicly readable by default), make sure the document is world-readable, i.e. it has permissions:

      rw-r--r--

      The Virtuoso instance evaluating the access policy must be able to fetch this document, and the membership list is therefore public. Keep the write bit restricted to the owner: anyone who can edit group.ttl can add their own WebID to the group and thereby grant themselves access to every resource protected by this policy.

3. Create a Web document that should only be accessible to members of the new group

  1. Assuming you (an ODS account holder named 'William') want to share the image resource (below) only with two people, Kate and John, perform the following steps:



  2. Go to http://host:port/ods and log in with your credentials:



  3. Click on the Briefcase application link and click on the "New Folder" menu item to create the sub-folder: "albums":



  4. Click "Create".
  5. The newly created folder should appear in the list of folders and resources for user William:



  6. Go to the "albums" folder and upload the image "OpenLink.png" from above using the "Upload" feature:







4. Share the Web document URL with group members.

  1. For the uploaded image "OpenLink.png", navigate in the Briefcase UI to the DAV path containing the image and click its "Update Properties" link:







  2. Go to "Sharing":



  3. In the "WebID users" section, click the green "plus" button labelled "Add":



  4. In the presented form:
    1. Change "Access type" to "Advanced";
    2. For "Criteria", click the green "plus" button and select "Certificate - SPARQL ASK":



    3. A drop-down list with two values, "equal to" and "not equal to", should appear. Select "equal to":



    4. A drop-down list with two values, "yes" and "no", should appear. Leave the default "yes" selected. Together these two settings mean: grant access when the ASK query below evaluates to yes.



    5. Replace the default SPARQL ASK statement with the following one:

      DEFINE get:soft "replace"
      PREFIX sioc: <http://rdfs.org/sioc/ns#>
      PREFIX rdfs: <http://www.w3.org/2000/01/rdf-schema#>
      PREFIX foaf: <http://xmlns.com/foaf/0.1/>
      ASK FROM <http://web.ods.openlinksw.com/DAV/home/demo/Public/group.ttl>
      WHERE { <http://web.ods.openlinksw.com/DAV/home/demo/Public/group.ttl#Group> foaf:member ?x }

      The DEFINE get:soft "replace" pragma makes Virtuoso fetch group.ttl from its URL and replace the local copy of that graph, so membership changes in the published document are picked up by the policy. Note that the pattern leaves ?x unbound: evaluated on its own it is true whenever the group has any member at all. Access is only restricted to Kate and John if the ACL engine binds the WebID from the presented certificate into the query; confirm how your ODS version does this, and verify the rule by attempting access with a certificate whose WebID is not listed in group.ttl, which must be refused.





  5. Click "Update":



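The policy above amounts to one question per request: is the WebID from the presented certificate a foaf:member of the Group named in group.ttl? The following Python script is an added illustration, not part of this page or of the Virtuoso/ODS code. It parses a constructed copy of the group.ttl shown earlier with a small Turtle-subset parser and evaluates two forms of the ASK: the membership check with the presenter's WebID bound, and the page's literal pattern with ?x unbound, to show why the second one alone does not restrict anything. The outsider WebID "mallory" and the function names are assumptions for the example; how ODS substitutes the presented WebID into the stored query is not shown on this page and must be confirmed in your deployment.

```python
import re
from typing import Dict, Set, Tuple

Triple = Tuple[str, str, str]

RDF_TYPE = "http://www.w3.org/1999/02/22-rdf-syntax-ns#type"
FOAF_MEMBER = "http://xmlns.com/foaf/0.1/member"

# Location the group document is published at on this page; the group IRI is its #Group fragment.
GROUP_DOC = "http://web.ods.openlinksw.com/DAV/home/demo/Public/group.ttl"
GROUP = GROUP_DOC + "#Group"

# Constructed copy of the group description shown earlier on this page.
GROUP_TTL = """
@prefix rdfs: <http://www.w3.org/2000/01/rdf-schema#> .
@prefix foaf: <http://xmlns.com/foaf/0.1/> .
@prefix : <#> .
<> foaf:topic :Group .
<> rdfs:label "Social Semantics & ACLs Demo" .
<> rdfs:comment "Members of this group provide the basis for a Resource Access Policy scoped to this group." .
:Group a foaf:Group .
:Group foaf:member <http://id.myopenlink.net/dataspace/person/kate#this> ,
                   <http://id.myopenlink.net/dataspace/person/john#this> .
"""

# Tokenizer for the Turtle subset used above: IRI references, string literals, @prefix,
# prefixed names (with and without a prefix label), the 'a' type shorthand, and . , ; punctuation.
TOKEN_RE = re.compile(
    r'<[^>]*>'
    r'|"(?:[^"\\]|\\.)*"'
    r'|@prefix'
    r'|[A-Za-z_][\w-]*:[\w-]*'
    r'|:[\w-]*'
    r'|\ba\b'
    r'|[.,;]'
)


def parse_turtle(text: str, base: str) -> Set[Triple]:
    """Parse the Turtle subset above into (subject, predicate, object) triples.
    <> resolves to the base document IRI and <#x> / :x to base#x, which is how a
    relative :Group becomes the absolute IRI used in the ASK query."""
    prefixes: Dict[str, str] = {}
    triples: Set[Triple] = set()

    def resolve(tok: str) -> str:
        if tok.startswith("<"):
            ref = tok[1:-1]
            if ref == "":
                return base
            if ref.startswith("#"):
                return base + ref
            return ref  # absolute IRI; other relative forms are not needed here
        if tok.startswith('"'):
            return tok  # literal kept verbatim
        if tok == "a":
            return RDF_TYPE
        pfx, _, local = tok.partition(":")
        if pfx not in prefixes:
            raise ValueError("undeclared prefix: %r" % pfx)
        return prefixes[pfx] + local

    toks = TOKEN_RE.findall(text)
    i = 0
    while i < len(toks):
        if toks[i] == "@prefix":
            prefixes[toks[i + 1].rstrip(":")] = resolve(toks[i + 2])
            if toks[i + 3] != ".":
                raise ValueError("malformed @prefix directive")
            i += 4
            continue
        subj = resolve(toks[i]); i += 1
        while True:                      # predicate list separated by ';'
            pred = resolve(toks[i]); i += 1
            while True:                  # object list separated by ','
                triples.add((subj, pred, resolve(toks[i]))); i += 1
                if toks[i] != ",":
                    break
                i += 1
            if toks[i] == ";":
                i += 1
                continue
            if toks[i] != ".":
                raise ValueError("expected '.', got %r" % toks[i])
            i += 1
            break
    return triples


def ask_member(triples: Set[Triple], group: str, webid: str) -> bool:
    """ASK { <group> foaf:member <webid> } with the presenter's WebID bound."""
    return (group, FOAF_MEMBER, webid) in triples


def ask_any_member(triples: Set[Triple], group: str) -> bool:
    """ASK { <group> foaf:member ?x } with ?x unbound: true whenever the group has
    at least one member, no matter whose certificate was presented."""
    return any(s == group and p == FOAF_MEMBER for s, p, _ in triples)


def access_decision(triples: Set[Triple], group: str, webid: str) -> str:
    """The sharing rule from this page: allow when the ASK result is 'equal to' yes."""
    return "allow" if ask_member(triples, group, webid) else "deny"


if __name__ == "__main__":
    graph = parse_turtle(GROUP_TTL, GROUP_DOC)
    for who in ("kate", "john", "mallory"):          # mallory is a hypothetical outsider
        webid = "http://id.myopenlink.net/dataspace/person/%s#this" % who
        print(who, "->", access_decision(graph, GROUP, webid))
    print("unbound ?x pattern is true for everyone:", ask_any_member(graph, GROUP))
```

The decision function is the whole policy: publishing a new group.ttl with a different member list changes who is allowed without touching the protected resource, which is the point of the two-document design, and also why the group document's write permission deserves the same care as the resource itself.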
5. View the shared document

  1. With the sharing configured above, users Kate and John should be able to see the Web document https://host:port/DAV/home/William/albums/OpenLink.png when they authenticate with an X.509 WebID Watermarked Certificate whose WebID is listed in the group.ttl from above.
  2. Navigate to https://host:port/DAV/home/William/albums/OpenLink.png
  3. When prompted for authentication, select, for example, John's X.509 WebID Watermarked Certificate:



  4. John should successfully view the shared Web document -- in our example a simple image:



Related