%META:TOPICPARENT{name="VirtSPARQLSecurityWebID"}%

---+ Constraining Resource Access To Group Members 

The following example demonstrates how you can leverage the combined power of a SPARQL ASK Query and Web-accessible Linked Data en route to constraining access to a protected resource. Basically, you put two resource to use: 

   * A protected resource accessible from a location on the Web via its URL .
   * A read-only resource accessible from a location on the Web that describes a Group and its Membership.

%TOC%

---+++ Prerequisites

The following packages should be installed, prior to performing this exercise:

   * [[https://virtuoso.openlinksw.com/download/][ods_framework_dav.vad]]
   * [[https://virtuoso.openlinksw.com/download/][ods_briefcase_dav.vad]]


---+++ <nowiki> 1.</nowiki> Describe your group and it membership via a Turtle document, for instance (you can user other RDF model syntaxes, but we choose use Turtle for its simplicity) 
 
   1 Group Description using terms from the FOAF & RDFS vocabularies :
<verbatim>
@prefix rdfs: <http://www.w3.org/2000/01/rdf-schema#> . 
@prefix foaf: <http://xmlns.com/foaf/0.1/> . 
@prefix : <#> . 

<> foaf:topic :Group . 
<> rdfs:label "Social Semantics & ACLs Demo" . 
<> rdfs:comment "Members of this group provide the basis for a Resource Access Policy scoped to this group." . 
:Group a foaf:Group . 
:Group foaf:member <http://id.myopenlink.net/dataspace/person/kate#this> , 
                   <http://id.myopenlink.net/dataspace/person/john#this> . 

</verbatim>
   1 The document content above implies that &lt;http://web.ods.openlinksw.com/DAV/home/demo/Public/group.ttl#Groupgt; denotes the Group.



---+++ <nowiki>2.</nowiki> Create a Web document comprised of content that describes the group 

Publish the Turtle Document to a Web accessible location, using ODS-Briefcase, as follows:

   1 Log in at http://web.ods.openlinksw.com/ods ->Sign In and enter user's credentials:
%BR%%BR%<a href="%ATTACHURLPATH%/askex1.png" target="_blank"><img src="%ATTACHURLPATH%/askex1.png" width="600px" /></a>%BR%%BR%
   1 Go to Briefcase and navigate for to its Public folder:
%BR%%BR%<a href="%ATTACHURLPATH%/askex2.png" target="_blank"><img src="%ATTACHURLPATH%/askex2.png" width="600px" /></a>%BR%%BR%
   1 Click "Create":
%BR%%BR%<a href="%ATTACHURLPATH%/askex3.png" target="_blank"><img src="%ATTACHURLPATH%/askex3.png" width="600px" /></a>%BR%%BR%
   1 In the presented form:
      1 Give a name to the file that will denote your Group, for ex.: group.ttl
      1 Specify the file mime type: text/turtle 
      1 Paste Turtle based content from above into the editing space:
%BR%%BR%<a href="%ATTACHURLPATH%/askex4.png" target="_blank"><img src="%ATTACHURLPATH%/askex4.png" width="600px" /></a>%BR%%BR%
   1 Finally click "Create".
   1 Your file should be created and displayed Briefcase's folder viewer:
%BR%%BR%<a href="%ATTACHURLPATH%/askex5.png" target="_blank"><img src="%ATTACHURLPATH%/askex5.png" width="600px" /></a>%BR%%BR%
      * Note: if you not using the "Public" folder (which provides public access by default), please make sure you set make the document available to the public, i.e. it should have permissions:
<verbatim>
rw-r--r--
</verbatim>


---+++ <nowiki>3.</nowiki> Create a Web document that should only be accessible to members of the new group 

   1 Assuming you (an ODS account holder named 'William') want to only share the image resource (below) with two people: Kate and John, please perform the following steps:
%BR%%BR%<a href="%ATTACHURLPATH%/askex6.png" target="_blank"><img src="%ATTACHURLPATH%/askex6.png" width="600px" /></a>%BR%%BR%
   1 Go to http://host:port/ods and login with your credentials:
%BR%%BR%<a href="%ATTACHURLPATH%/askex7.png" target="_blank"><img src="%ATTACHURLPATH%/askex7.png" width="600px" /></a>%BR%%BR%
   1 Click on the Briefcase application link and click on the "New Folder" menu item to create the sub-folder: "albums":
%BR%%BR%<a href="%ATTACHURLPATH%/askex8.png" target="_blank"><img src="%ATTACHURLPATH%/askex8.png" width="600px" /></a>%BR%%BR%
   1 Click "Create". 
   1 The new created folder should be presented in the list of folders and resources for user William:
%BR%%BR%<a href="%ATTACHURLPATH%/askex9.png" target="_blank"><img src="%ATTACHURLPATH%/askex9.png" width="600px" /></a>%BR%%BR%
   1 Go to "albums" folder and using the "Upload" feature upload the image "OpenLink.png" from above:
%BR%%BR%<a href="%ATTACHURLPATH%/askex10.png" target="_blank"><img src="%ATTACHURLPATH%/askex10.png" width="600px" /></a>%BR%%BR%
%BR%%BR%<a href="%ATTACHURLPATH%/askex11.png" target="_blank"><img src="%ATTACHURLPATH%/askex11.png" width="600px" /></a>%BR%%BR%



---+++ <nowiki>4.</nowiki> Share the Web document URL with group members. 

   1 For the uploaded image "Openlink.png" from above, navigate to the Briefcase UI DAV path containing the image, and click its "Update Properties" link:
%BR%%BR%<a href="%ATTACHURLPATH%/askex12.png" target="_blank"><img src="%ATTACHURLPATH%/askex12.png" width="600px" /></a>%BR%%BR%
%BR%%BR%<a href="%ATTACHURLPATH%/askex13.png" target="_blank"><img src="%ATTACHURLPATH%/askex13.png" width="600px" /></a>%BR%%BR%
   1 Go to "Sharing":
%BR%%BR%<a href="%ATTACHURLPATH%/askex14.png" target="_blank"><img src="%ATTACHURLPATH%/askex14.png" width="600px" /></a>%BR%%BR%
   1 In "WebID users" section click the green "plus" button with label "Add":
%BR%%BR%<a href="%ATTACHURLPATH%/askex15.png" target="_blank"><img src="%ATTACHURLPATH%/askex15.png" width="600px" /></a>%BR%%BR%
   1 In the presented form:
      1 Change "Access type" to "Advanced"; 
      1 For "Criteria" click the green "plus" button and select "Certificate - SPARQL ASK"
%BR%%BR%<a href="%ATTACHURLPATH%/askex16.png" target="_blank"><img src="%ATTACHURLPATH%/askex16.png" width="600px" /></a>%BR%%BR%
      1 Should appear a drop-down menu list with 2 values: "equal to" and "not equal to". Select the "equal to" value:
%BR%%BR%<a href="%ATTACHURLPATH%/askex17.png" target="_blank"><img src="%ATTACHURLPATH%/askex17.png" width="600px" /></a>%BR%%BR%
      1 Should appear a drop-down menu list with 2 values: "yes" and "no". Leave the default presented value "yes" as selected:
%BR%%BR%<a href="%ATTACHURLPATH%/askex18.png" target="_blank"><img src="%ATTACHURLPATH%/askex18.png" width="600px" /></a>%BR%%BR%
      1 Modify the SPARQL ASK statement by replacing it with this one:
<verbatim>
DEFINE get:soft "replace"
PREFIX sioc: <http://rdfs.org/sioc/ns#>
PREFIX rdfs: <http://www.w3.org/2000/01/rdf-schema#>
PREFIX foaf: <http://xmlns.com/foaf/0.1/>
ASK FROM <http://web.ods.openlinksw.com/DAV/home/demo/Public/group.ttl>
WHERE {<http://web.ods.openlinksw.com/DAV/home/demo/Public/group.ttl#Group>
                       foaf:member ?x}
</verbatim>
%BR%%BR%<a href="%ATTACHURLPATH%/askex19.png" target="_blank"><img src="%ATTACHURLPATH%/askex19.png" width="600px" /></a>%BR%%BR%
   1 Click "Update":
%BR%%BR%<a href="%ATTACHURLPATH%/askex20.png" target="_blank"><img src="%ATTACHURLPATH%/askex20.png" width="600px" /></a>%BR%%BR%


---+++ <nowiki>5.</nowiki> View the shared document

   1 As per the sharing done from above, users Kate and John should be able to see the Web document <code> https://host-port//DAV/home/William/albums/OpenLink.png </code> if they authenticate with [[http://ods.openlinksw.com/wiki/ODS/ODSGenerateX509Certificate][X 509. Watermarked Certificate]] containing the [[http://ods.openlinksw.com/wiki/ODS/ODSGenerateX509Certificate][WebIDs]] included in the group.ttl from above.
   1 Navigate to <code> https://host-port//DAV/home/William/albums/OpenLink.png </code> 
   1 When prompted for authentication, select for ex. John's X 509 WebID Watermarked Certificate:
%BR%%BR%<a href="%ATTACHURLPATH%/askex21.png" target="_blank"><img src="%ATTACHURLPATH%/askex21.png" width="600px" /></a>%BR%%BR%
   1 John should successfully view the shared Web document -- in our example a simple image:
%BR%%BR%<a href="%ATTACHURLPATH%/askex22.png" target="_blank"><img src="%ATTACHURLPATH%/askex22.png" width="600px" /></a>%BR%%BR%
   

---+++Related 

   * [[https://plus.google.com/112399767740508618350/posts/i1WnaThyy2u][Confining Resource (Data) Access to a Group Entity]]
   * [[http://www.youtube.com/watch?v=gzqHVUb3qrw&feature=share][Power of WebID + OpenID Hybrid Protocol via Internet Explorer & Windows]]
   * [[http://www.youtube.com/watch?v=eXoxUo7Py4M&feature=share][Using Safari to Demonstrate WebID + OpenID Hybrid Protocol Power!]]
   * [[http://virtuoso.openlinksw.com/dataspace/dav/wiki/Main/VirtSPARQLEndpointProtection][Safeguarding your Virtuoso-hosted SPARQL Endpoint]]
   * [[http://virtuoso.openlinksw.com/dataspace/dav/wiki/Main/VirtTipsAndTricksGuideSPARQLEndpointProtection][SPARQL Endpoint Protection Methods Collection]]
   * [[http://virtuoso.openlinksw.com/dataspace/dav/wiki/Main/VirtSPARQLSecurityWebIDSocialRelationshipSPARQLASKExample][Constraining Resource Access Using Social Relationship Semantics and WebID]]
   * [[http://docs.openlinksw.com/virtuoso/][Virtuoso documentation]]
      * [[http://docs.openlinksw.com/virtuoso/rdfsparql.html#rdfsupportedprotocolendpoint][SPARQL Service Endpoint]] 
      * [[http://docs.openlinksw.com/virtuoso/rdfsparql.html#rdfsupportedprotocolendpointuri][Service Endpoint Security]] 
      * [[http://docs.openlinksw.com/virtuoso/rdfsparql.html#sparqwebservicetbl][Managing a SPARQL Web Service Endpoint]] 
      * [[http://docs.openlinksw.com/virtuoso/rdfsparql.html][SPARQL]]
   * [[http://virtuoso.openlinksw.com/dataspace/dav/wiki/Main/VirtTipsAndTricksGuide][Virtuoso Tips and Tricks Collection]]
      * [[http://virtuoso.openlinksw.com/dataspace/dav/wiki/Main/VirtSPARQLDET][SPARQL Endpoint DET Configuration Guide]]       
      * [[http://virtuoso.openlinksw.com/dataspace/dav/wiki/Main/VirtSPARQLSecurityWebID][WebID Protocol & SPARQL Endpoint ACLs Tutorial]]
      * [[http://virtuoso.openlinksw.com/dataspace/dav/wiki/Main/VirtOAuthSPARQL][SPARQL OAuth Tutorial]]
      * [[http://virtuoso.openlinksw.com/dataspace/dav/wiki/Main/VirtTipsAndTricksGuideSPARQLEndpoints][Securing SPARQL endpoints]]
   * [[http://ods.openlinksw.com/wiki/ODS/OdsSPARQLAuth][SPARUL over SPARQL using the http://cname:port/sparql-auth endpoint]]
   * [[http://virtuoso.openlinksw.com/dataspace/dav/wiki/Main/VirtAuthServerUI][Virtuoso Authentication Server UI]]
   * [[http://virtuoso.openlinksw.com/dataspace/dav/wiki/Main/VirtSPARQLSSL][Manage a SPARQL-WebID based Endpoint]]
   * [[http://ods.openlinksw.com/wiki/ODS/VirtODSSecurityWebID][WebID Protocol Support in OpenLink Data Spaces]].
   * Manage ODS Datadspaces Objects WebID Access Control Lists (ACLs):
      * [[http://ods.openlinksw.com/wiki/ODS/ODSBriefcaseWebID][ODS Briefcase WebID based ACL Guide]]
         * [[http://ods.openlinksw.com/wiki/ODS/ODSBriefcaseWebIDPerson][Person Entity WebID based ACL Guide]]
         * [[http://ods.openlinksw.com/wiki/ODS/ODSBriefcaseWebIDGroup][Group Entity WebID based ACL Guide]]
         * [[http://ods.openlinksw.com/wiki/ODS/ODSBriefcaseWebIDPublic][Public WebID based ACL Guide]]      
      * [[http://ods.openlinksw.com/wiki/ODS/ODSFeedManagerWebIDACL][ODS Feed Manager WebID based ACL Guide]]
         * [[http://ods.openlinksw.com/wiki/ODS/ODSFeedManagerWebIDACLPerson][Person Entity Specific ACL]]
         * [[http://ods.openlinksw.com/wiki/ODS/ODSFeedManagerWebIDACLGroup][Group Entity Specific ACL]]
         * [[http://ods.openlinksw.com/wiki/ODS/ODSFeedManagerWebIDACLPublic][Public Specific ACL for anyone with a WebID]]
      * [[http://ods.openlinksw.com/wiki/ODS/ODSCalendarWebIDACL][ODS Calendar WebID based ACL Guide]]
         * [[http://ods.openlinksw.com/wiki/ODS/ODSCalendarWebIDACLPerson][Person Entity Specific ACL]]
         * [[http://ods.openlinksw.com/wiki/ODS/ODSCalendarWebIDACLGroup][Group Entity Specific ACL]]
         * [[http://ods.openlinksw.com/wiki/ODS/ODSCalendarWebIDACLPublic][Public Specific ACL for anyone with a WebID]]
      * [[http://ods.openlinksw.com/wiki/ODS/ODSBookmarksWebIDACL][ODS Bookmark Manager WebID based ACL Guide]]
         * [[http://ods.openlinksw.com/wiki/ODS/ODSBookmarksWebIDACLPerson][Person Entity Specific ACL]]
         * [[http://ods.openlinksw.com/wiki/ODS/ODSBookmarksWebIDACLGroup][Group Entity Specific ACL]]
         * [[http://ods.openlinksw.com/wiki/ODS/ODSBookmarksWebIDACLPublic][Public Specific ACL for anyone with a WebID]]
      * [[http://ods.openlinksw.com/wiki/ODS/ODSAddressBookWebIDACL][ODS Addressbook  WebID based ACL Guide]]
         * [[http://ods.openlinksw.com/wiki/ODS/ODSAddressBookWebIDACLPerson][Person Entity Specific ACL]]
         * [[http://ods.openlinksw.com/wiki/ODS/ODSAddressBookWebIDACLGroup][Group Entity Specific ACL]]
         * [[http://ods.openlinksw.com/wiki/ODS/ODSAddressBookWebIDACLPublic][Public Specific ACL for anyone with a WebID]]
   * [[http://ods.openlinksw.com/wiki/ODS/ODSPkiSetup][Guide for Set up a X.509 certificate issuer and HTTPS listener and generate ODS user certificates]]
   * [[http://ods.openlinksw.com/wiki/ODS/ODSSetupSSL][Configure Virtuoso+ODS instance as an X.509 Certificate Authority and HTTPS listener]]        
   * [[http://virtuoso.openlinksw.com/dataspace/dav/wiki/Main/VirtSetupSSL][Configure Virtuoso instance as an X.509 Certificate Authority and HTTPS listener]]  
   * [[http://ods.openlinksw.com/wiki/ODS/VirtODSPubSubHub][Setting up PubSubHub in ODS]]
   * [[http://ods.openlinksw.com/wiki/ODS/VirtPubSubHub][PubSubHub Demo Client Example]]
   * [[http://ods.openlinksw.com/wiki/ODS/VirtFeedPubSubHub][Feed subscription via PubSubHub protocol Example ]]
   * [[http://ods.openlinksw.com/wiki/ODS/VirtPubSubHubACL][Setting Up PubSubHub to use WebID Protocol or IP based control lists]]
   * [[http://ods.openlinksw.com/wiki/ODS/OdsKeyImport][CA Keys Import using Conductor]]
   * [[http://ods.openlinksw.com/wiki/ODS/ODSGenerateWebIDX509CertOSKeystore][Generate an X.509 Certificate (with a WebID watermark) to be managed by host operating system keystore]]
   * [[http://ods.openlinksw.com/wiki/ODS/ODSGenerateWebIDX509CertBrsKeystore][Generate an X.509 Certificate (with a WebID watermark) to be managed by a browser-based keystore]]
   * [[http://ods.openlinksw.com/wiki/ODS/ODSWebIDIdP][Using Virtuoso's WebID Verification Proxy Service with a WebID-bearing X.509 certificate]]
   * [[http://ods.openlinksw.com/wiki/ODS/ODSWebIDIdpProxy][Using Virtuoso's WebID Identity Provider (IdP) Proxy Service with an X.509 certificate]]
   * [[http://ods.openlinksw.com/wiki/ODS/ODSBriefcaseWebIDShareFile][ODS Briefcase WebID Protocol Share File Guide]]
   * [[http://esw.w3.org/topic/foaf+ssl][WebID Protocol Specification]]
   * [[https://foaf.me/simpleLogin.php][Test WebID Protocol Certificate page]]
   * [[http://test.foafssl.org/cert/][WebID Protocol Certificate Generation page]]