Constraining Resource Access Using Social Relationship Semantics and WebID
- Introduction
- Prerequisites
- Steps
- Step 1 -- Set a foaf:knows relationship in your profile
- Step 2 -- Create a Web Resource that should only be accessible to people that are friends to John
- Step 3 -- Share the Web Resource URL with people that are friends of John
- Step 4 -- View the shared document
- Related
Introduction
The following example demonstrates how you can leverage the combined power of a SPARQL ASK Query, Social Relationship Semantics, and Web-accessible Linked Data to constrain access to a protected resource. Basically, you need to:
- Set a foaf:knows relationship in your user's profile
- Set an ACL rule that requires you to prove (via the WebID protocol and a Linked Data based profile resource) that you have a WebID that is in a foaf:knows relation with our example user
- Create a protected resource accessible from a location on the Web via its URL
Prerequisites
The following packages should be installed prior to performing this exercise:
Steps
Step 1 -- Set a foaf:knows relationship in your profile
- Assume John has the following WebID:
http://id.myopenlink.net/dataspace/person/john#this
- Assume Kate is a friend of John, and John wants to share a resource with only one person: Kate.
To be able to view this resource, Kate needs to make sure John is added as a friend in her profile data, i.e. her profile must contain the following relation (with Kate's WebID as subject):
foaf:knows <http://id.myopenlink.net/dataspace/person/john#this>
- Go to http://host:port/ods -> Sign In and enter Kate's credentials:
- Go to Profile->Edit:
- Go to "Annotations":
- In the presented form enter:
  - "Relation": foaf:knows
  - "URI": http://id.myopenlink.net/dataspace/person/john#this
  - "Label": John
- Click "Add":
Step 2 -- Create a Web Resource that should only be accessible to people that are friends to John
- Go to http://host:port/ods and log in with John's credentials:
- Click on the Briefcase application link and click on the "New Folder" menu item to create the sub-folder "WebIDPlayground":
- Click "Create".
- The newly created folder should be presented in the list of folders and resources for user John:
- Go to the "WebIDPlayground" folder and, using the "Upload" feature, upload a resource, e.g. the image "OpenLink.png" from above:
Step 3 -- Share the Web Resource URL with people that are friends of John
- For the folder "WebIDPlayground" created above, click its "Update Properties" link:
- Go to "Sharing":
- In the "WebID users" section click the green "plus" button labelled "Add":
- In the presented form:
- Change "Access type" to "Advanced";
- For "Criteria" click the green "plus" button and select "Certificate - SPARQL ASK"
- A drop-down menu with 2 values, "equal to" and "not equal to", should appear.
Select the "equal to" value:
- A drop-down menu with 2 values, "yes" and "no", should appear.
Leave the default value "yes" selected:
- Modify the SPARQL ASK statement by replacing it with this one (the rdf: prefix is declared explicitly since the query uses rdf:type; ^{webid}^ is the placeholder ODS substitutes with the WebID taken from the presented certificate):
  prefix rdf: <http://www.w3.org/1999/02/22-rdf-syntax-ns#>
  prefix sioc: <http://rdfs.org/sioc/ns#>
  prefix rdfs: <http://www.w3.org/2000/01/rdf-schema#>
  prefix foaf: <http://xmlns.com/foaf/0.1/>
  ASK where { ^{webid}^ rdf:type foaf:Person ; foaf:knows <http://id.myopenlink.net/dataspace/person/john#this> }
- Click "Update":
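The ASK rule above is evaluated against the profile document that the certificate's WebID dereferences to, once the WebID protocol has verified the certificate. The following added example (not part of the ODS tutorial or Virtuoso's own code) mirrors that decision offline with a minimal N-Triples reader instead of a SPARQL engine, using constructed profiles for Kate and for a hypothetical user Bob who never added John; the example.org WebIDs are assumptions.

```python
# Added example (not from the ODS tutorial): evaluates the Step 3 ASK rule
# offline against constructed profile documents. A small N-Triples reader
# stands in for the SPARQL engine; WebIDs under example.org are assumed.
import re

FOAF = "http://xmlns.com/foaf/0.1/"
RDF_TYPE = "http://www.w3.org/1999/02/22-rdf-syntax-ns#type"
JOHN = "http://id.myopenlink.net/dataspace/person/john#this"

# Constructed profile for Kate: a foaf:Person who lists John under foaf:knows.
KATE_PROFILE = """
<https://example.org/kate#this> <http://www.w3.org/1999/02/22-rdf-syntax-ns#type> <http://xmlns.com/foaf/0.1/Person> .
<https://example.org/kate#this> <http://xmlns.com/foaf/0.1/name> "Kate" .
<https://example.org/kate#this> <http://xmlns.com/foaf/0.1/knows> <http://id.myopenlink.net/dataspace/person/john#this> .
"""

# Constructed profile for Bob: a foaf:Person with no foaf:knows triple for John.
BOB_PROFILE = """
<https://example.org/bob#this> <http://www.w3.org/1999/02/22-rdf-syntax-ns#type> <http://xmlns.com/foaf/0.1/Person> .
"""

# One N-Triples statement: IRI subject, IRI predicate, IRI or plain-literal object.
TRIPLE = re.compile(r'^<([^>]*)>\s+<([^>]*)>\s+(<[^>]*>|"[^"]*")\s+\.$')


def parse_ntriples(text):
    """Return a set of (s, p, o) tuples; IRIs are unwrapped, literals keep quotes."""
    triples = set()
    for line in text.strip().splitlines():
        m = TRIPLE.match(line.strip())
        if not m:
            raise ValueError("unparseable N-Triples line: " + line)
        s, p, o = m.groups()
        if o.startswith("<"):
            o = o[1:-1]
        triples.add((s, p, o))
    return triples


def ask_knows_john(webid, profile_text):
    """Same test as the ASK pattern with ^{webid}^ substituted:
    both triples (rdf:type foaf:Person and foaf:knows <john>) must be present."""
    graph = parse_ntriples(profile_text)
    return ((webid, RDF_TYPE, FOAF + "Person") in graph
            and (webid, FOAF + "knows", JOHN) in graph)


if __name__ == "__main__":
    print(ask_knows_john("https://example.org/kate#this", KATE_PROFILE))  # True
    print(ask_knows_john("https://example.org/bob#this", BOB_PROFILE))    # False
```

Note that the foaf:knows triple lives in the requester's own profile, so this rule grants access on a relationship the requester asserts about themself; a rule that also requires John's profile to list the requester would make the relationship mutual.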
Step 4 -- View the shared document
- As per the sharing done above, Kate should be able to see the Web resource
https://host:port/DAV/home/John/WebIDPlayground/
if she authenticates with her X.509 WebID Watermarked Certificate. Navigate to:
https://host:port/DAV/home/John/WebIDPlayground/
- When prompted for authentication, select Kate's X.509 WebID Watermarked Certificate:
- Kate should successfully view the shared Web document:
Related
- Using Social Relationship Semantics and WebID to Drive Resource Access Control
- Constraining Resource Access To Group Members
- Confining Resource (Data) Access to a Group Entity
- Power of WebID + OpenID Hybrid Protocol via Internet Explorer & Windows
- Using Safari to Demonstrate WebID + OpenID Hybrid Protocol Power!
- Safeguarding your Virtuoso-hosted SPARQL Endpoint
- SPARQL Endpoint Protection Methods Collection
- Virtuoso documentation
- Virtuoso Tips and Tricks Collection
- SPARUL over SPARQL using the http://cname:port/sparql-auth endpoint
- Virtuoso Authentication Server UI
- Manage a SPARQL-WebID based Endpoint
- WebID Protocol Support in OpenLink Data Spaces.
- Manage ODS Dataspaces Objects WebID Access Control Lists (ACLs)
- Guide for Set up a X.509 certificate issuer and HTTPS listener and generate ODS user certificates
- Configure Virtuoso+ODS instance as an X.509 Certificate Authority and HTTPS listener
- Configure Virtuoso instance as an X.509 Certificate Authority and HTTPS listener
- Setting up PubSubHub in ODS
- PubSubHub Demo Client Example
- Feed subscription via PubSubHub protocol Example
- Setting Up PubSubHub to use WebID Protocol or IP based control lists
- CA Keys Import using Conductor
- Generate an X.509 Certificate (with a WebID watermark) to be managed by host operating system keystore
- Generate an X.509 Certificate (with a WebID watermark) to be managed by a browser-based keystore
- Using Virtuoso's WebID Verification Proxy Service with a WebID-bearing X.509 certificate
- Using Virtuoso's WebID Identity Provider (IdP) Proxy Service with an X.509 certificate
- ODS Briefcase WebID Protocol Share File Guide
- WebID Protocol Specification
- Test WebID Protocol Certificate page
- WebID Protocol Certificate Generation page