Securing SPARQL endpoints

SPARQL endpoints are Web services, and they are capable of more than providing Read-Only access to a back-end graph DBMS.

Though commonly general-purpose, SPARQL endpoints can also be purpose-specific, and their privileges may therefore be limited to specific Create, Read, Update, and/or Delete operations.

The privileges provided by a given Virtuoso SPARQL endpoint may be based simply upon the endpoint's URL, or upon sophisticated rules which associate specific user identities with specific database roles and privileges.

Virtuoso offers three methods for securing SPARQL endpoints:

• Digest Authentication via SQL Accounts
• OAuth Protocol based Authentication
• WebID Protocol based authentication

By default, Virtuoso has several purpose-specific SPARQL endpoints, associated with these authentication methods along the following lines --

Endpoint	Endpoint URL Convention	More information...	Notes
Basic default	http://<cname>[:<port>]/sparql	Virtuoso SPARQL Web Service Endpoint documentation.
SPARQL Digest (Digest Authentication via SQL Accounts)	http://<cname>[:<port>]/sparql-auth	Demonstration of setting user privileges to interact with OAuth Protected SPARQL Endpoint
SPARQL OAuth	http://<cname>[:<port>]/sparql-oauth	Demonstration of the OAuth keys and Protected SPARQL Endpoint features of the Virtuoso OAuth UI
SPARQL WebID?	https://<cname>[:<port>]/sparql and https://<cname>[:<port>]/sparql-webid	Demonstration of setting WebID Protocol ACLs using the Virtuoso Authentication Server UI
SPARQL Graph Store Protocol	http://<cname>[:<port>]/sparql-graph-crud	Virtuoso SPARQL Authentication documentation.	Primarily intended to serve requests from applications, rather than human interactions via browser.
Digest Authentication	http://<cname>[:<port>]/sparql-graph-crud-auth	Virtuoso SPARQL Authentication documentation.	Primarily intended to serve requests from applications, rather than human interactions via browser.

We also have step-by-step guides to walk you through the process of setting up your own SPARQL endpoint(s) for --

• read-only access?
• read-write access using digest authentication
• read-write access using OAuth
• read-write access using SSL via WebID

Related

• Safeguarding your Virtuoso-hosted SPARQL Endpoint
• SPARQL Endpoint Protection Methods Collection
• Virtuoso documentation
  • SPARQL Service Endpoint
  • Service Endpoint Security
  • Managing a SPARQL Web Service Endpoint
  • SPARQL
• Virtuoso Tips and Tricks Collection
  • SPARQL Endpoint DET Configuration Guide
  • WebID Protocol & SPARQL Endpoint ACLs Tutorial
  • SPARQL OAuth Tutorial
• SPARUL over SPARQL using the http://cname:port/sparql-auth endpoint
• Virtuoso Authentication Server UI
• Manage a SPARQL-WebID based Endpoint
• Configure Virtuoso instance as an X.509 Certificate Authority and HTTPS listener
• Configure Virtuoso+ODS instance as an X.509 Certificate Authority and HTTPS listener
• WebID Protocol Support in OpenLink Data Spaces.
• Manage ODS Datadspaces Objects WebID? Access Control Lists (ACLs):
  • ODS Briefcase WebID based ACL Guide
    • Person Entity WebID based ACL Guide
    • Group Entity WebID based ACL Guide
    • Public WebID based ACL Guide
  • ODS Feed Manager WebID based ACL Guide
    • Person Entity Specific ACL
    • Group Entity Specific ACL
    • Public Specific ACL for anyone with a WebID
  • ODS Calendar WebID based ACL Guide
    • Person Entity Specific ACL
    • Group Entity Specific ACL
    • Public Specific ACL for anyone with a WebID
  • ODS Bookmark Manager WebID based ACL Guide
    • Person Entity Specific ACL
    • Group Entity Specific ACL
    • Public Specific ACL for anyone with a WebID
  • ODS Addressbook WebID based ACL Guide
    • Person Entity Specific ACL
    • Group Entity Specific ACL
    • Public Specific ACL for anyone with a WebID
• Guide for Set up a X.509 certificate issuer and HTTPS listener and generate ODS user certificates.
• Setting up PubSubHub in ODS
• PubSubHubBub Demo Client Example
• Feed subscription via PubSubHub protocol Example
• Setting Up PubSubHub to use WebID Protocol or IP based control lists
• CA Keys Import using Conductor
• Generate an X.509 Certificate hosted WebID Guide
• Generate an X.509 Certificate (with a WebID watermark) to be managed by host operating system keystore
• Generate an X.509 Certificate (with a WebID watermark) to be managed by a browser-based keystore
• Using Virtuoso's WebID Verification Proxy Service with a WebID-bearing X.509 certificate
• Using Virtuoso's WebID Identity Provider (IdP) Proxy Service with an X.509 certificate
• ODS Briefcase WebID Protocol Share File Guide
• WebID Protocol Specification
• Test WebID Protocol Certificate page
• WebID Protocol Certificate Generation page

CategoryVirtuoso CategoryHowTo CategorySPARQL CategoryOAuth CategoryFOAFSSL CategoryDocumentation CategoryTutorial