Constraining Resource Access Using Social Relationship Semantics and WebID Introduction The following example demonstrates how you can leverage the combined power of a SPARQL ASK Query, Social Relationship Semantics, and Web-accessible Linked Data to constrain access to a protected resource. Basically, you need to: Set a foaf:knows relationship in your user's profile Set an ACL rule that requires you to prove (via WebID protocol and a Linked Data based profile resource) that you have a WebID that's in a knows relation with our example user Create a protected resource accessible from a location on the Web via its URL Prerequisites The following packages should be installed, prior to performing this exercise: ods_framework_dav.vad ods_briefcase_dav.vad Steps Step 1 -- Set a foaf:knows relationship in your profile Assuming John has the following WebID: http://id.myopenlink.net/dataspace/person/john#this Assuming Kate is friend of John and John wants to only share a resource with 1 person -- Kate. To be able to view this resource, Kate needs to make sure John is added as friend in her profile's data with the following relation: <foaf:knows> <http://id.myopenlink.net/dataspace/person/john#this> Go to http://host:port/ods -> Sign In and enter Kate's credentials:

Go to Profile->Edit:

Go to "Annotations":

In the presented form enter: "Relation": foaf:knows ; "URI": http://id.myopenlink.net/dataspace/person/john#this ; "Label": John

Click "Add":

Step 2 -- Create a Web Resource that should only be accessible to people that are friends to John Go to http://host:port/ods and log in with John's credentials:

Click on the Briefcase application link and click on the "New Folder" menu item to create the sub-folder: "WebIDPlayground":

Click "Create". The new created folder should be presented in the list of folders and resources for user John:

Go to "WebIDPlayground" folder and using the "Upload" feature upload a resource, ex. an image "OpenLink.png" from above:

Step 3 -- Share the Web Resource URL with people that are friends of John For the create folder "WebIDPlayground" from above, click its "Update Properties" link:

Go to "Sharing":

In "WebID users" section click the green "plus" button with label "Add":

In the presented form: Change "Access type" to "Advanced"; For "Criteria" click the green "plus" button and select "Certificate - SPARQL ASK"

Should appear a drop-down menu list with 2 values: "equal to" and "not equal to". Select the "equal to" value:

Should appear a drop-down menu list with 2 values: "yes" and "no". Leave the default presented value "yes" as selected:

Modify the SPARQL ASK statement by replacing it with this one: prefix sioc: <http://rdfs.org/sioc/ns#> prefix rdfs: <http://www.w3.org/2000/01/rdf-schema#> prefix foaf: <http://xmlns.com/foaf/0.1/> ASK where {^{webid}^ rdf:type foaf:Person; foaf:knows <http://id.myopenlink.net/dataspace/person/john#this>}

Click "Update":

Step 4 -- View the shared document As per the sharing done from above, Kate should be able to see the Web resource https://host:port/DAV/home/John/WebIDPlayground/ if she authenticates with her X 509. WebID Watermarked Certificate Navigate to https://host:port/DAV/home/John/WebIDPlayground/ When prompted for authentication, select for Kate's X 509 WebID Watermarked Certificate:

Kate should successfully view the shared Web document --

Related Using Social Relationship Semantics and WebID to Drive Resource Access Control Constraining Resource Access To Group Members Confining Resource (Data) Access to a Group Entity Power of WebID + OpenID Hybrid Protocol via Internet Explorer & Windows Using Safari to Demonstrate WebID + OpenID Hybrid Protocol Power! Safeguarding your Virtuoso-hosted SPARQL Endpoint SPARQL Endpoint Protection Methods Collection Virtuoso documentation SPARQL Service Endpoint Service Endpoint Security Managing a SPARQL Web Service Endpoint SPARQL Virtuoso Tips and Tricks Collection SPARQL Endpoint DET Configuration Guide WebID Protocol & SPARQL Endpoint ACLs Tutorial SPARQL OAuth Tutorial Securing SPARQL endpoints SPARUL over SPARQL using the http://cname:port/sparql-auth endpoint Virtuoso Authentication Server UI Manage a SPARQL-WebID based Endpoint WebID Protocol Support in OpenLink Data Spaces. Manage ODS Datadspaces Objects WebID Access Control Lists (ACLs): ODS Briefcase WebID based ACL Guide Person Entity WebID based ACL Guide Group Entity WebID based ACL Guide Public WebID based ACL Guide ODS Feed Manager WebID based ACL Guide Person Entity Specific ACL Group Entity Specific ACL Public Specific ACL for anyone with a WebID ODS Calendar WebID based ACL Guide Person Entity Specific ACL Group Entity Specific ACL Public Specific ACL for anyone with a WebID ODS Bookmark Manager WebID based ACL Guide Person Entity Specific ACL Group Entity Specific ACL Public Specific ACL for anyone with a WebID ODS Addressbook WebID based ACL Guide Person Entity Specific ACL Group Entity Specific ACL Public Specific ACL for anyone with a WebID Guide for Set up a X.509 certificate issuer and HTTPS listener and generate ODS user certificates Configure Virtuoso+ODS instance as an X.509 Certificate Authority and HTTPS listener Configure Virtuoso instance as an X.509 Certificate Authority and HTTPS listener Setting up PubSubHub in ODS PubSubHub Demo Client Example Feed subscription via PubSubHub protocol Example Setting Up PubSubHub to use WebID Protocol or IP based control lists CA Keys Import using Conductor Generate an X.509 Certificate (with a WebID watermark) to be managed by host operating system keystore Generate an X.509 Certificate (with a WebID watermark) to be managed by a browser-based keystore Using Virtuoso's WebID Verification Proxy Service with a WebID-bearing X.509 certificate Using Virtuoso's WebID Identity Provider (IdP) Proxy Service with an X.509 certificate ODS Briefcase WebID Protocol Share File Guide WebID Protocol Specification Test WebID Protocol Certificate page WebID Protocol Certificate Generation page