%META:TOPICPARENT{name="VirtSPARQLSecurityWebID"}%


---+ Constraining Resource Access Using Social Relationship Semantics and WebID

%TOC%

---++ Introduction

The following example demonstrates how you can leverage the combined power of a SPARQL ASK Query, Social Relationship Semantics, and Web-accessible Linked Data to constrain access to a protected resource. Basically, you need to:

   * Set a foaf:knows relationship in your user's profile
   * Set an ACL rule that requires you to prove (via WebID protocol and a Linked Data based profile resource) that you have a WebID that's in a knows relation with our example user
   * Create a protected resource accessible from a location on the Web via its URL 

---++  Prerequisites

The following packages should be installed, prior to performing this exercise:

   * [[https://virtuoso.openlinksw.com/download/][ods_framework_dav.vad]]
   * [[https://virtuoso.openlinksw.com/download/][ods_briefcase_dav.vad]]


---++ Steps

---+++ Step 1 -- Set a foaf:knows relationship in your profile
 

   1 Assuming John has the following [[http://ods.openlinksw.com/wiki/ODS/ODSGenerateX509Certificate][WebID]]: 
<verbatim>
http://id.myopenlink.net/dataspace/person/john#this
</verbatim>
   1 Assuming Kate is friend of John and John wants to only share a resource with 1 person -- Kate. To be able to view this resource, Kate needs to make sure John is added as friend in her profile's data with the following relation:
<verbatim>
<foaf:knows> <http://id.myopenlink.net/dataspace/person/john#this>
</verbatim>
   1 Go to http://host:port/ods -> Sign In and enter Kate's credentials:
%BR%%BR%<a href="%ATTACHURLPATH%/arskex1.png" target="_blank"><img src="%ATTACHURLPATH%/arskex1.png" width="600px" /></a>%BR%%BR%
   1 Go to Profile->Edit:
%BR%%BR%<a href="%ATTACHURLPATH%/arskex2.png" target="_blank"><img src="%ATTACHURLPATH%/arskex2.png" width="600px" /></a>%BR%%BR%
   1 Go to "Annotations":
%BR%%BR%<a href="%ATTACHURLPATH%/arskex3.png" target="_blank"><img src="%ATTACHURLPATH%/arskex3.png" width="600px" /></a>%BR%%BR%
   1 In the presented form enter:
      * "Relation": <code>foaf:knows</code> ;
      * "URI": <code> http://id.myopenlink.net/dataspace/person/john#this </code> ; 
      * "Label": John
%BR%%BR%<a href="%ATTACHURLPATH%/arskex4.png" target="_blank"><img src="%ATTACHURLPATH%/arskex4.png" width="600px" /></a>%BR%%BR%
   1 Click "Add":
%BR%%BR%<a href="%ATTACHURLPATH%/arskex5.png" target="_blank"><img src="%ATTACHURLPATH%/arskex5.png" width="600px" /></a>%BR%%BR%

 
---+++ Step 2 -- Create a Web Resource that should only be accessible to people that are friends to John

   1 Go to http://host:port/ods and log in with John's credentials:
%BR%%BR%<a href="%ATTACHURLPATH%/arskex6.png" target="_blank"><img src="%ATTACHURLPATH%/arskex6.png" width="600px" /></a>%BR%%BR%
   1 Click on the Briefcase application link and click on the "New Folder" menu item to create the sub-folder: "WebIDPlayground":
%BR%%BR%<a href="%ATTACHURLPATH%/arskex7.png" target="_blank"><img src="%ATTACHURLPATH%/arskex7.png" width="600px" /></a>%BR%%BR%
   1 Click "Create". 
   1 The new created folder should be presented in the list of folders and resources for user John:
%BR%%BR%<a href="%ATTACHURLPATH%/arskex8.png" target="_blank"><img src="%ATTACHURLPATH%/arskex8.png" width="600px" /></a>%BR%%BR%
   1 Go to "WebIDPlayground" folder and using the "Upload" feature upload a resource, ex. an image "OpenLink.png" from above:
%BR%%BR%<a href="%ATTACHURLPATH%/arskex9.png" target="_blank"><img src="%ATTACHURLPATH%/arskex9.png" width="600px" /></a>%BR%%BR%
%BR%%BR%<a href="%ATTACHURLPATH%/arskex10.png" target="_blank"><img src="%ATTACHURLPATH%/arskex10.png" width="600px" /></a>%BR%%BR%



---+++ Step 3 -- Share the Web Resource URL with people that are friends of John

   1 For the create folder "WebIDPlayground" from above, click its "Update Properties" link:
%BR%%BR%<a href="%ATTACHURLPATH%/arskex11.png" target="_blank"><img src="%ATTACHURLPATH%/arskex11.png" width="600px" /></a>%BR%%BR%
%BR%%BR%<a href="%ATTACHURLPATH%/arskex12.png" target="_blank"><img src="%ATTACHURLPATH%/arskex12.png" width="600px" /></a>%BR%%BR%
   1 Go to "Sharing":
%BR%%BR%<a href="%ATTACHURLPATH%/arskex13.png" target="_blank"><img src="%ATTACHURLPATH%/arskex13.png" width="600px" /></a>%BR%%BR%
   1 In "WebID users" section click the green "plus" button with label "Add":
%BR%%BR%<a href="%ATTACHURLPATH%/arskex14.png" target="_blank"><img src="%ATTACHURLPATH%/arskex14.png" width="600px" /></a>%BR%%BR%
   1 In the presented form:
      1 Change "Access type" to "Advanced"; 
      1 For "Criteria" click the green "plus" button and select "Certificate - SPARQL ASK"
%BR%%BR%<a href="%ATTACHURLPATH%/arskex15.png" target="_blank"><img src="%ATTACHURLPATH%/arskex15.png" width="600px" /></a>%BR%%BR%
      1 Should appear a drop-down menu list with 2 values: "equal to" and "not equal to". Select the "equal to" value:
%BR%%BR%<a href="%ATTACHURLPATH%/arskex16.png" target="_blank"><img src="%ATTACHURLPATH%/arskex16.png" width="600px" /></a>%BR%%BR%
      1 Should appear a drop-down menu list with 2 values: "yes" and "no". Leave the default presented value "yes" as selected:
%BR%%BR%<a href="%ATTACHURLPATH%/arskex17.png" target="_blank"><img src="%ATTACHURLPATH%/arskex17.png" width="600px" /></a>%BR%%BR%
      1 Modify the SPARQL ASK statement by replacing it with this one:
<verbatim>
prefix sioc: <http://rdfs.org/sioc/ns#>
prefix rdfs: <http://www.w3.org/2000/01/rdf-schema#>
prefix foaf: <http://xmlns.com/foaf/0.1/>
ASK where {^{webid}^ rdf:type foaf:Person;
                foaf:knows <http://id.myopenlink.net/dataspace/person/john#this>}
</verbatim>
%BR%%BR%<a href="%ATTACHURLPATH%/arskex18.png" target="_blank"><img src="%ATTACHURLPATH%/arskex18.png" width="600px" /></a>%BR%%BR%
   1 Click "Update":
%BR%%BR%<a href="%ATTACHURLPATH%/arskex19.png" target="_blank"><img src="%ATTACHURLPATH%/arskex19.png" width="600px" /></a>%BR%%BR%


---+++ Step 4 -- View the shared document

   1 As per the sharing done from above, Kate should be able to see the Web resource <code> https://host:port/DAV/home/John/WebIDPlayground/ </code> if she authenticates with her [[http://ods.openlinksw.com/wiki/ODS/ODSGenerateX509Certificate][X 509. WebID Watermarked Certificate]]
   1 Navigate to <code> https://host:port/DAV/home/John/WebIDPlayground/ </code> 
   1 When prompted for authentication, select for Kate's X 509 WebID Watermarked Certificate:
%BR%%BR%<a href="%ATTACHURLPATH%/arskex20.png" target="_blank"><img src="%ATTACHURLPATH%/arskex20.png" width="600px" /></a>%BR%%BR%
   1 Kate should successfully view the shared Web document -- 
%BR%%BR%<a href="%ATTACHURLPATH%/arskex21.png" target="_blank"><img src="%ATTACHURLPATH%/arskex21.png" width="600px" /></a>%BR%%BR%
   

---++ Related 

   * [[https://plus.google.com/112399767740508618350/posts/7A3Kgs4HMHk][Using Social Relationship Semantics and WebID to Drive Resource Access Control]]
   * [[VirtSPARQLSecurityWebIDSPARQLASKExample][Constraining Resource Access To Group Members]]
   * [[https://plus.google.com/112399767740508618350/posts/i1WnaThyy2u][Confining Resource (Data) Access to a Group Entity]]
   * [[http://www.youtube.com/watch?v=gzqHVUb3qrw&feature=share][Power of WebID + OpenID Hybrid Protocol via Internet Explorer & Windows]]
   * [[http://www.youtube.com/watch?v=eXoxUo7Py4M&feature=share][Using Safari to Demonstrate WebID + OpenID Hybrid Protocol Power!]]
   * [[http://virtuoso.openlinksw.com/dataspace/dav/wiki/Main/VirtSPARQLEndpointProtection][Safeguarding your Virtuoso-hosted SPARQL Endpoint]]
   * [[http://virtuoso.openlinksw.com/dataspace/dav/wiki/Main/VirtTipsAndTricksGuideSPARQLEndpointProtection][SPARQL Endpoint Protection Methods Collection]]
   * [[http://docs.openlinksw.com/virtuoso/][Virtuoso documentation]]
      * [[http://docs.openlinksw.com/virtuoso/rdfsparql.html#rdfsupportedprotocolendpoint][SPARQL Service Endpoint]] 
      * [[http://docs.openlinksw.com/virtuoso/rdfsparql.html#rdfsupportedprotocolendpointuri][Service Endpoint Security]] 
      * [[http://docs.openlinksw.com/virtuoso/rdfsparql.html#sparqwebservicetbl][Managing a SPARQL Web Service Endpoint]] 
      * [[http://docs.openlinksw.com/virtuoso/rdfsparql.html][SPARQL]]
   * [[http://virtuoso.openlinksw.com/dataspace/dav/wiki/Main/VirtTipsAndTricksGuide][Virtuoso Tips and Tricks Collection]]
      * [[http://virtuoso.openlinksw.com/dataspace/dav/wiki/Main/VirtSPARQLDET][SPARQL Endpoint DET Configuration Guide]]       
      * [[http://virtuoso.openlinksw.com/dataspace/dav/wiki/Main/VirtSPARQLSecurityWebID][WebID Protocol & SPARQL Endpoint ACLs Tutorial]]
      * [[http://virtuoso.openlinksw.com/dataspace/dav/wiki/Main/VirtOAuthSPARQL][SPARQL OAuth Tutorial]]
      * [[http://virtuoso.openlinksw.com/dataspace/dav/wiki/Main/VirtTipsAndTricksGuideSPARQLEndpoints][Securing SPARQL endpoints]]
   * [[http://ods.openlinksw.com/wiki/ODS/OdsSPARQLAuth][SPARUL over SPARQL using the http://cname:port/sparql-auth endpoint]]
   * [[http://virtuoso.openlinksw.com/dataspace/dav/wiki/Main/VirtAuthServerUI][Virtuoso Authentication Server UI]]
   * [[http://virtuoso.openlinksw.com/dataspace/dav/wiki/Main/VirtSPARQLSSL][Manage a SPARQL-WebID based Endpoint]]
   * [[http://ods.openlinksw.com/wiki/ODS/VirtODSSecurityWebID][WebID Protocol Support in OpenLink Data Spaces]].
   * Manage ODS Datadspaces Objects WebID Access Control Lists (ACLs):
      * [[http://ods.openlinksw.com/wiki/ODS/ODSBriefcaseWebID][ODS Briefcase WebID based ACL Guide]]
         * [[http://ods.openlinksw.com/wiki/ODS/ODSBriefcaseWebIDPerson][Person Entity WebID based ACL Guide]]
         * [[http://ods.openlinksw.com/wiki/ODS/ODSBriefcaseWebIDGroup][Group Entity WebID based ACL Guide]]
         * [[http://ods.openlinksw.com/wiki/ODS/ODSBriefcaseWebIDPublic][Public WebID based ACL Guide]]      
      * [[http://ods.openlinksw.com/wiki/ODS/ODSFeedManagerWebIDACL][ODS Feed Manager WebID based ACL Guide]]
         * [[http://ods.openlinksw.com/wiki/ODS/ODSFeedManagerWebIDACLPerson][Person Entity Specific ACL]]
         * [[http://ods.openlinksw.com/wiki/ODS/ODSFeedManagerWebIDACLGroup][Group Entity Specific ACL]]
         * [[http://ods.openlinksw.com/wiki/ODS/ODSFeedManagerWebIDACLPublic][Public Specific ACL for anyone with a WebID]]
      * [[http://ods.openlinksw.com/wiki/ODS/ODSCalendarWebIDACL][ODS Calendar WebID based ACL Guide]]
         * [[http://ods.openlinksw.com/wiki/ODS/ODSCalendarWebIDACLPerson][Person Entity Specific ACL]]
         * [[http://ods.openlinksw.com/wiki/ODS/ODSCalendarWebIDACLGroup][Group Entity Specific ACL]]
         * [[http://ods.openlinksw.com/wiki/ODS/ODSCalendarWebIDACLPublic][Public Specific ACL for anyone with a WebID]]
      * [[http://ods.openlinksw.com/wiki/ODS/ODSBookmarksWebIDACL][ODS Bookmark Manager WebID based ACL Guide]]
         * [[http://ods.openlinksw.com/wiki/ODS/ODSBookmarksWebIDACLPerson][Person Entity Specific ACL]]
         * [[http://ods.openlinksw.com/wiki/ODS/ODSBookmarksWebIDACLGroup][Group Entity Specific ACL]]
         * [[http://ods.openlinksw.com/wiki/ODS/ODSBookmarksWebIDACLPublic][Public Specific ACL for anyone with a WebID]]
      * [[http://ods.openlinksw.com/wiki/ODS/ODSAddressBookWebIDACL][ODS Addressbook  WebID based ACL Guide]]
         * [[http://ods.openlinksw.com/wiki/ODS/ODSAddressBookWebIDACLPerson][Person Entity Specific ACL]]
         * [[http://ods.openlinksw.com/wiki/ODS/ODSAddressBookWebIDACLGroup][Group Entity Specific ACL]]
         * [[http://ods.openlinksw.com/wiki/ODS/ODSAddressBookWebIDACLPublic][Public Specific ACL for anyone with a WebID]]
   * [[http://ods.openlinksw.com/wiki/ODS/ODSPkiSetup][Guide for Set up a X.509 certificate issuer and HTTPS listener and generate ODS user certificates]]
   * [[http://ods.openlinksw.com/wiki/ODS/ODSSetupSSL][Configure Virtuoso+ODS instance as an X.509 Certificate Authority and HTTPS listener]]        
   * [[http://virtuoso.openlinksw.com/dataspace/dav/wiki/Main/VirtSetupSSL][Configure Virtuoso instance as an X.509 Certificate Authority and HTTPS listener]]  
   * [[http://ods.openlinksw.com/wiki/ODS/VirtODSPubSubHub][Setting up PubSubHub in ODS]]
   * [[http://ods.openlinksw.com/wiki/ODS/VirtPubSubHub][PubSubHub Demo Client Example]]
   * [[http://ods.openlinksw.com/wiki/ODS/VirtFeedPubSubHub][Feed subscription via PubSubHub protocol Example ]]
   * [[http://ods.openlinksw.com/wiki/ODS/VirtPubSubHubACL][Setting Up PubSubHub to use WebID Protocol or IP based control lists]]
   * [[http://ods.openlinksw.com/wiki/ODS/OdsKeyImport][CA Keys Import using Conductor]]
   * [[http://ods.openlinksw.com/wiki/ODS/ODSGenerateWebIDX509CertOSKeystore][Generate an X.509 Certificate (with a WebID watermark) to be managed by host operating system keystore]]
   * [[http://ods.openlinksw.com/wiki/ODS/ODSGenerateWebIDX509CertBrsKeystore][Generate an X.509 Certificate (with a WebID watermark) to be managed by a browser-based keystore]]
   * [[http://ods.openlinksw.com/wiki/ODS/ODSWebIDIdP][Using Virtuoso's WebID Verification Proxy Service with a WebID-bearing X.509 certificate]]
   * [[http://ods.openlinksw.com/wiki/ODS/ODSWebIDIdpProxy][Using Virtuoso's WebID Identity Provider (IdP) Proxy Service with an X.509 certificate]]
   * [[http://ods.openlinksw.com/wiki/ODS/ODSBriefcaseWebIDShareFile][ODS Briefcase WebID Protocol Share File Guide]]
   * [[http://esw.w3.org/topic/foaf+ssl][WebID Protocol Specification]]
   * [[https://foaf.me/simpleLogin.php][Test WebID Protocol Certificate page]]
   * [[http://test.foafssl.org/cert/][WebID Protocol Certificate Generation page]]