Virtuoso Open-Source Wiki
Virtuoso Open-Source, OpenLink Data Spaces, and OpenLink Ajax Toolkit
Advanced Search
Location: / Dashboard / Main / VOSIndex / VirtSPARQLEndpointProtection / VirtSPARQLSecurityWebID / VirtSPARQLSecurityWebIDSocialRelationshipSPARQLASKExample

Constraining Resource Access Using Social Relationship Semantics and WebID

The following example demonstrates how you can leverage the combined power of a SPARQL ASK Query, Social Relationship Semantics and Web-accessible Linked Data en route to constraining access to a protected resource. Basically, you need to:

  • Set a foaf:knows relationship in your user's profile
  • Set an ACL rule that requires you to prove (via WebID protocol and a Linked Data based profile resource) that you have a WebID that's in a knows relation with our example user
  • Create a protected resource accessible from a location on the Web via its URL .


The following packages should be installed, prior to performing this exercise:

1. Set a foaf:knows relationship in your profile

  1. Assuming John has the following WebID:

  2. Assuming Kate is friend of John and John wants to only share a resource with 1 person -- Kate. To be able to view this resource, Kate needs to make sure John is added as friend in her profile's data with the following relation:

    <foaf:knows> <>

  3. Go to http://host:port/ods -> Sign In and enter Kate's credentials:

  4. Go to Profile->Edit:

  5. Go to "Annotations":

  6. In the presented form enter:
  7. Click "Add":

3. Create a Web Resource that should only be accessible to people that are friends to John

  1. Go to http://host:port/ods and log in with John's credentials:

  2. Click on the Briefcase application link and click on the "New Folder" menu item to create the sub-folder: "WebIDPlayground":

  3. Click "Create".
  4. The new created folder should be presented in the list of folders and resources for user John:

  5. Go to "WebIDPlayground" folder and using the "Upload" feature upload a resource, ex. an image "OpenLink.png" from above:

4. Share the Web Resource URL with people that are friends of John

  1. For the create folder "WebIDPlayground" from above, click its "Update Properties" link:

  2. Go to "Sharing":

  3. In "WebID users" section click the green "plus" button with label "Add":

  4. In the presented form:
    1. Change "Access type" to "Advanced";
    2. For "Criteria" click the green "plus" button and select "Certificate - SPARQL ASK"

    3. Should appear a drop-down menu list with 2 values: "equal to" and "not equal to". Select the "equal to" value:

    4. Should appear a drop-down menu list with 2 values: "yes" and "no". Leave the default presented value "yes" as selected:

    5. Modify the SPARQL ASK statement by replacing it with this one:

      prefix sioc: <> prefix rdfs: <> prefix foaf: <> ASK where {^{webid}^ rdf:type foaf:Person; foaf:knows <>}

  5. Click "Update":

5. View the shared document

  1. As per the sharing done from above, Kate should be able to see the Web resource https://host:port/DAV/home/John/WebIDPlayground/ if she authenticates with her X 509. WebID Watermarked Certificate
  2. Navigate to https://host:port/DAV/home/John/WebIDPlayground/
  3. When prompted for authentication, select for Kate's X 509 WebID Watermarked Certificate:

  4. Kate should successfully view the shared Web document --


Powered By Virtuoso