%META:TOPICPARENT{name="VirtSPARQLSecurityWebID"}% ---+ Constraining Resource Access To Group Members The following example demonstrates how you can leverage the combined power of a SPARQL ASK Query and Web-accessible Linked Data en route to constraining access to a protected resource. Basically, you put two resource to use: * A protected resource accessible from a location on the Web via its URL . * A read-only resource accessible from a location on the Web that describes a Group and its Membership. %TOC% ---+++ Prerequisites The following packages should be installed, prior to performing this exercise: * [[https://virtuoso.openlinksw.com/download/][ods_framework_dav.vad]] * [[https://virtuoso.openlinksw.com/download/][ods_briefcase_dav.vad]] ---+++ 1. Describe your group and it membership via a Turtle document, for instance (you can user other RDF model syntaxes, but we choose use Turtle for its simplicity) 1 Group Description using terms from the FOAF & RDFS vocabularies : @prefix rdfs: . @prefix foaf: . @prefix : <#> . <> foaf:topic :Group . <> rdfs:label "Social Semantics & ACLs Demo" . <> rdfs:comment "Members of this group provide the basis for a Resource Access Policy scoped to this group." . :Group a foaf:Group . :Group foaf:member , . 1 The document content above implies that <http://web.ods.openlinksw.com/DAV/home/demo/Public/group.ttl#Groupgt; denotes the Group. ---+++ 2. Create a Web document comprised of content that describes the group Publish the Turtle Document to a Web accessible location, using ODS-Briefcase, as follows: 1 Log in at http://web.ods.openlinksw.com/ods ->Sign In and enter user's credentials: %BR%%BR%%BR%%BR% 1 Go to Briefcase and navigate for to its Public folder: %BR%%BR%%BR%%BR% 1 Click "Create": %BR%%BR%%BR%%BR% 1 In the presented form: 1 Give a name to the file that will denote your Group, for ex.: group.ttl 1 Specify the file mime type: text/turtle 1 Paste Turtle based content from above into the editing space: %BR%%BR%%BR%%BR% 1 Finally click "Create". 1 Your file should be created and displayed Briefcase's folder viewer: %BR%%BR%%BR%%BR% * Note: if you not using the "Public" folder (which provides public access by default), please make sure you set make the document available to the public, i.e. it should have permissions: rw-r--r-- ---+++ 3. Create a Web document that should only be accessible to members of the new group 1 Assuming you (an ODS account holder named 'William') want to only share the image resource (below) with two people: Kate and John, please perform the following steps: %BR%%BR%%BR%%BR% 1 Go to http://host:port/ods and login with your credentials: %BR%%BR%%BR%%BR% 1 Click on the Briefcase application link and click on the "New Folder" menu item to create the sub-folder: "albums": %BR%%BR%%BR%%BR% 1 Click "Create". 1 The new created folder should be presented in the list of folders and resources for user William: %BR%%BR%%BR%%BR% 1 Go to "albums" folder and using the "Upload" feature upload the image "OpenLink.png" from above: %BR%%BR%%BR%%BR% %BR%%BR%%BR%%BR% ---+++ 4. Share the Web document URL with group members. 1 For the uploaded image "Openlink.png" from above, navigate to the Briefcase UI DAV path containing the image, and click its "Update Properties" link: %BR%%BR%%BR%%BR% %BR%%BR%%BR%%BR% 1 Go to "Sharing": %BR%%BR%%BR%%BR% 1 In "WebID users" section click the green "plus" button with label "Add": %BR%%BR%%BR%%BR% 1 In the presented form: 1 Change "Access type" to "Advanced"; 1 For "Criteria" click the green "plus" button and select "Certificate - SPARQL ASK" %BR%%BR%%BR%%BR% 1 Should appear a drop-down menu list with 2 values: "equal to" and "not equal to". Select the "equal to" value: %BR%%BR%%BR%%BR% 1 Should appear a drop-down menu list with 2 values: "yes" and "no". Leave the default presented value "yes" as selected: %BR%%BR%%BR%%BR% 1 Modify the SPARQL ASK statement by replacing it with this one: DEFINE get:soft "replace" PREFIX sioc: PREFIX rdfs: PREFIX foaf: ASK FROM WHERE { foaf:member ?x} %BR%%BR%%BR%%BR% 1 Click "Update": %BR%%BR%%BR%%BR% ---+++ 5. View the shared document 1 As per the sharing done from above, users Kate and John should be able to see the Web document https://host-port//DAV/home/William/albums/OpenLink.png if they authenticate with [[http://ods.openlinksw.com/wiki/ODS/ODSGenerateX509Certificate][X 509. Watermarked Certificate]] containing the [[http://ods.openlinksw.com/wiki/ODS/ODSGenerateX509Certificate][WebIDs]] included in the group.ttl from above. 1 Navigate to https://host-port//DAV/home/William/albums/OpenLink.png 1 When prompted for authentication, select for ex. John's X 509 WebID Watermarked Certificate: %BR%%BR%%BR%%BR% 1 John should successfully view the shared Web document -- in our example a simple image: %BR%%BR%%BR%%BR% ---+++Related * [[https://plus.google.com/112399767740508618350/posts/i1WnaThyy2u][Confining Resource (Data) Access to a Group Entity]] * [[http://www.youtube.com/watch?v=gzqHVUb3qrw&feature=share][Power of WebID + OpenID Hybrid Protocol via Internet Explorer & Windows]] * [[http://www.youtube.com/watch?v=eXoxUo7Py4M&feature=share][Using Safari to Demonstrate WebID + OpenID Hybrid Protocol Power!]] * [[http://virtuoso.openlinksw.com/dataspace/dav/wiki/Main/VirtSPARQLEndpointProtection][Safeguarding your Virtuoso-hosted SPARQL Endpoint]] * [[http://virtuoso.openlinksw.com/dataspace/dav/wiki/Main/VirtTipsAndTricksGuideSPARQLEndpointProtection][SPARQL Endpoint Protection Methods Collection]] * [[http://virtuoso.openlinksw.com/dataspace/dav/wiki/Main/VirtSPARQLSecurityWebIDSocialRelationshipSPARQLASKExample][Constraining Resource Access Using Social Relationship Semantics and WebID]] * [[http://docs.openlinksw.com/virtuoso/][Virtuoso documentation]] * [[http://docs.openlinksw.com/virtuoso/rdfsparql.html#rdfsupportedprotocolendpoint][SPARQL Service Endpoint]] * [[http://docs.openlinksw.com/virtuoso/rdfsparql.html#rdfsupportedprotocolendpointuri][Service Endpoint Security]] * [[http://docs.openlinksw.com/virtuoso/rdfsparql.html#sparqwebservicetbl][Managing a SPARQL Web Service Endpoint]] * [[http://docs.openlinksw.com/virtuoso/rdfsparql.html][SPARQL]] * [[http://virtuoso.openlinksw.com/dataspace/dav/wiki/Main/VirtTipsAndTricksGuide][Virtuoso Tips and Tricks Collection]] * [[http://virtuoso.openlinksw.com/dataspace/dav/wiki/Main/VirtSPARQLDET][SPARQL Endpoint DET Configuration Guide]] * [[http://virtuoso.openlinksw.com/dataspace/dav/wiki/Main/VirtSPARQLSecurityWebID][WebID Protocol & SPARQL Endpoint ACLs Tutorial]] * [[http://virtuoso.openlinksw.com/dataspace/dav/wiki/Main/VirtOAuthSPARQL][SPARQL OAuth Tutorial]] * [[http://virtuoso.openlinksw.com/dataspace/dav/wiki/Main/VirtTipsAndTricksGuideSPARQLEndpoints][Securing SPARQL endpoints]] * [[http://ods.openlinksw.com/wiki/ODS/OdsSPARQLAuth][SPARUL over SPARQL using the http://cname:port/sparql-auth endpoint]] * [[http://virtuoso.openlinksw.com/dataspace/dav/wiki/Main/VirtAuthServerUI][Virtuoso Authentication Server UI]] * [[http://virtuoso.openlinksw.com/dataspace/dav/wiki/Main/VirtSPARQLSSL][Manage a SPARQL-WebID based Endpoint]] * [[http://ods.openlinksw.com/wiki/ODS/VirtODSSecurityWebID][WebID Protocol Support in OpenLink Data Spaces]]. * Manage ODS Datadspaces Objects WebID Access Control Lists (ACLs): * [[http://ods.openlinksw.com/wiki/ODS/ODSBriefcaseWebID][ODS Briefcase WebID based ACL Guide]] * [[http://ods.openlinksw.com/wiki/ODS/ODSBriefcaseWebIDPerson][Person Entity WebID based ACL Guide]] * [[http://ods.openlinksw.com/wiki/ODS/ODSBriefcaseWebIDGroup][Group Entity WebID based ACL Guide]] * [[http://ods.openlinksw.com/wiki/ODS/ODSBriefcaseWebIDPublic][Public WebID based ACL Guide]] * [[http://ods.openlinksw.com/wiki/ODS/ODSFeedManagerWebIDACL][ODS Feed Manager WebID based ACL Guide]] * [[http://ods.openlinksw.com/wiki/ODS/ODSFeedManagerWebIDACLPerson][Person Entity Specific ACL]] * [[http://ods.openlinksw.com/wiki/ODS/ODSFeedManagerWebIDACLGroup][Group Entity Specific ACL]] * [[http://ods.openlinksw.com/wiki/ODS/ODSFeedManagerWebIDACLPublic][Public Specific ACL for anyone with a WebID]] * [[http://ods.openlinksw.com/wiki/ODS/ODSCalendarWebIDACL][ODS Calendar WebID based ACL Guide]] * [[http://ods.openlinksw.com/wiki/ODS/ODSCalendarWebIDACLPerson][Person Entity Specific ACL]] * [[http://ods.openlinksw.com/wiki/ODS/ODSCalendarWebIDACLGroup][Group Entity Specific ACL]] * [[http://ods.openlinksw.com/wiki/ODS/ODSCalendarWebIDACLPublic][Public Specific ACL for anyone with a WebID]] * [[http://ods.openlinksw.com/wiki/ODS/ODSBookmarksWebIDACL][ODS Bookmark Manager WebID based ACL Guide]] * [[http://ods.openlinksw.com/wiki/ODS/ODSBookmarksWebIDACLPerson][Person Entity Specific ACL]] * [[http://ods.openlinksw.com/wiki/ODS/ODSBookmarksWebIDACLGroup][Group Entity Specific ACL]] * [[http://ods.openlinksw.com/wiki/ODS/ODSBookmarksWebIDACLPublic][Public Specific ACL for anyone with a WebID]] * [[http://ods.openlinksw.com/wiki/ODS/ODSAddressBookWebIDACL][ODS Addressbook WebID based ACL Guide]] * [[http://ods.openlinksw.com/wiki/ODS/ODSAddressBookWebIDACLPerson][Person Entity Specific ACL]] * [[http://ods.openlinksw.com/wiki/ODS/ODSAddressBookWebIDACLGroup][Group Entity Specific ACL]] * [[http://ods.openlinksw.com/wiki/ODS/ODSAddressBookWebIDACLPublic][Public Specific ACL for anyone with a WebID]] * [[http://ods.openlinksw.com/wiki/ODS/ODSPkiSetup][Guide for Set up a X.509 certificate issuer and HTTPS listener and generate ODS user certificates]] * [[http://ods.openlinksw.com/wiki/ODS/ODSSetupSSL][Configure Virtuoso+ODS instance as an X.509 Certificate Authority and HTTPS listener]] * [[http://virtuoso.openlinksw.com/dataspace/dav/wiki/Main/VirtSetupSSL][Configure Virtuoso instance as an X.509 Certificate Authority and HTTPS listener]] * [[http://ods.openlinksw.com/wiki/ODS/VirtODSPubSubHub][Setting up PubSubHub in ODS]] * [[http://ods.openlinksw.com/wiki/ODS/VirtPubSubHub][PubSubHub Demo Client Example]] * [[http://ods.openlinksw.com/wiki/ODS/VirtFeedPubSubHub][Feed subscription via PubSubHub protocol Example ]] * [[http://ods.openlinksw.com/wiki/ODS/VirtPubSubHubACL][Setting Up PubSubHub to use WebID Protocol or IP based control lists]] * [[http://ods.openlinksw.com/wiki/ODS/OdsKeyImport][CA Keys Import using Conductor]] * [[http://ods.openlinksw.com/wiki/ODS/ODSGenerateWebIDX509CertOSKeystore][Generate an X.509 Certificate (with a WebID watermark) to be managed by host operating system keystore]] * [[http://ods.openlinksw.com/wiki/ODS/ODSGenerateWebIDX509CertBrsKeystore][Generate an X.509 Certificate (with a WebID watermark) to be managed by a browser-based keystore]] * [[http://ods.openlinksw.com/wiki/ODS/ODSWebIDIdP][Using Virtuoso's WebID Verification Proxy Service with a WebID-bearing X.509 certificate]] * [[http://ods.openlinksw.com/wiki/ODS/ODSWebIDIdpProxy][Using Virtuoso's WebID Identity Provider (IdP) Proxy Service with an X.509 certificate]] * [[http://ods.openlinksw.com/wiki/ODS/ODSBriefcaseWebIDShareFile][ODS Briefcase WebID Protocol Share File Guide]] * [[http://esw.w3.org/topic/foaf+ssl][WebID Protocol Specification]] * [[https://foaf.me/simpleLogin.php][Test WebID Protocol Certificate page]] * [[http://test.foafssl.org/cert/][WebID Protocol Certificate Generation page]]