Constraining Resource Access Using Social Relationship Semantics and WebID


The following example demonstrates how you can leverage the combined power of a SPARQL ASK Query, Social Relationship Semantics, and Web-accessible Linked Data to constrain access to a protected resource. Basically, you need to:

  • Set a foaf:knows relationship in your user's profile
  • Set an ACL rule that requires you to prove (via the WebID protocol and a Linked Data based profile resource) that you have a WebID that's in a knows relation with our example user
  • Create a protected resource accessible from a location on the Web via its URL


The following packages should be installed, prior to performing this exercise:


Step 1 -- Set a foaf:knows relationship in your profile

  1. Assuming John has the following WebID:

  2. Assume Kate is a friend of John, and John wants to share a resource with only 1 person -- Kate. To be able to view this resource, Kate needs to make sure John is added as a friend in her profile's data with the following relation:

    <foaf:knows> <>

  3. Go to http://host:port/ods -> Sign In and enter Kate's credentials:

  4. Go to Profile->Edit:

  5. Go to "Annotations":

  6. In the presented form enter:
  7. Click "Add":

Step 2 -- Create a Web Resource that should only be accessible to people that are friends to John

  1. Go to http://host:port/ods and log in with John's credentials:

  2. Click on the Briefcase application link and click on the "New Folder" menu item to create the sub-folder "WebIDPlayground":

  3. Click "Create".
  4. The newly created folder should be presented in the list of folders and resources for user John:

  5. Go to the "WebIDPlayground" folder and, using the "Upload" feature, upload a resource, for example an image "OpenLink.png" from above:

Step 3 -- Share the Web Resource URL with people that are friends of John

  1. For the folder "WebIDPlayground" created above, click its "Update Properties" link:

  2. Go to "Sharing":

  3. In the "WebID users" section click the green "plus" button with label "Add":

  4. In the presented form:
    1. Change "Access type" to "Advanced";
    2. For "Criteria" click the green "plus" button and select "Certificate - SPARQL ASK"

    3. A drop-down menu with 2 values should appear: "equal to" and "not equal to". Select the "equal to" value:

    4. A drop-down menu with 2 values should appear: "yes" and "no". Leave the default value "yes" selected:

    5. Modify the SPARQL ASK statement by replacing it with this one:

      prefix sioc: <> prefix rdfs: <> prefix foaf: <> ASK where {^{webid}^ rdf:type foaf:Person; foaf:knows <>}

  5. Click "Update":

Step 4 -- View the shared document

  1. As per the sharing set up above, Kate should be able to see the Web resource https://host:port/DAV/home/John/WebIDPlayground/ if she authenticates with her X.509 WebID Watermarked Certificate.
  2. Navigate to https://host:port/DAV/home/John/WebIDPlayground/
  3. When prompted for authentication, select Kate's X.509 WebID Watermarked Certificate:

  4. Kate should successfully view the shared Web document --
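
The access decision configured in Step 3 can be modelled in a few lines. This is an added example, not ODS or Virtuoso code: it assumes WebID certificate authentication has already succeeded, and the WebIDs, profile triples and function names are constructed for illustration.

```python
import re

FOAF = "http://xmlns.com/foaf/0.1/"
RDF_TYPE = "http://www.w3.org/1999/02/22-rdf-syntax-ns#type"
JOHN = "https://example.org/people/john#me"  # constructed placeholder WebID
KATE = "https://example.org/people/kate#me"  # constructed
BOB = "https://example.org/people/bob#me"    # constructed
ANN = "https://example.org/people/ann#me"    # constructed

# The two triple patterns of the ASK rule; "^{webid}^" is the page's placeholder.
RULE = [("^{webid}^", RDF_TYPE, FOAF + "Person"),
        ("^{webid}^", FOAF + "knows", JOHN)]

# Constructed profile data. As in Step 1, the triples consulted are the ones
# published in the requester's own profile document.
PROFILES = {
    KATE: {(KATE, RDF_TYPE, FOAF + "Person"), (KATE, FOAF + "knows", JOHN)},
    BOB: {(BOB, RDF_TYPE, FOAF + "Person")},   # a Person, no foaf:knows John
    ANN: {(ANN, FOAF + "knows", JOHN)},        # knows John, not typed foaf:Person
}

# Accept only a plain HTTP(S) IRI, so the substituted value cannot change
# the shape of the rule it is placed into.
_IRI_OK = re.compile(r"https?://[^\s<>\"{}|\\^`]+")

def bind_webid(rule, webid):
    """Substitute the authenticated WebID for the placeholder in every pattern."""
    if not _IRI_OK.fullmatch(webid):
        raise ValueError("rejected WebID: %r" % webid)
    return [tuple(webid if term == "^{webid}^" else term for term in t)
            for t in rule]

def ask(patterns, graph):
    """ASK over fully bound patterns: true only if every triple is present."""
    return all(t in graph for t in patterns)

def access_granted(webid, operator="equal to", expected="yes"):
    """Apply the Step 3 criterion: ASK result <operator> <expected>."""
    graph = PROFILES.get(webid, set())
    result = "yes" if ask(bind_webid(RULE, webid), graph) else "no"
    if operator == "equal to":
        return result == expected
    return result != expected
```

Both patterns must match for the ASK to return "yes", so a profile that lacks either the foaf:Person type or the foaf:knows relation is refused.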