You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@jena.apache.org by bu...@apache.org on 2013/09/10 22:10:45 UTC
svn commit: r877957 - in /websites/staging/jena/trunk/content: ./
documentation/security/index.html
Author: buildbot
Date: Tue Sep 10 20:10:44 2013
New Revision: 877957
Log:
Staging update by buildbot for jena
Modified:
websites/staging/jena/trunk/content/ (props changed)
websites/staging/jena/trunk/content/documentation/security/index.html
Propchange: websites/staging/jena/trunk/content/
------------------------------------------------------------------------------
--- cms:source-revision (original)
+++ cms:source-revision Tue Sep 10 20:10:44 2013
@@ -1 +1 @@
-1521598
+1521622
Modified: websites/staging/jena/trunk/content/documentation/security/index.html
==============================================================================
--- websites/staging/jena/trunk/content/documentation/security/index.html (original)
+++ websites/staging/jena/trunk/content/documentation/security/index.html Tue Sep 10 20:10:44 2013
@@ -177,17 +177,26 @@ to the Evaluator before allowing the cal
this is done correctly. The required permissions are specified in the javadoc for object classes
(e.g. SecuredGraph, SecuredModel).</p>
<p>Conceptually the framework implements 2 levels of security: graph and triple.</p>
-<p>The graph restrictions are applied before triple restrictions. So the system will call
- evaluate( Action action, SecNode graphIRI );
-to ask can the current user "Read" (Action) graph X (graphIRI) as <code>evaluate( Action.READ, X )</code>.</p>
-<p>if the answer is yes then the system will call
- evaluate( Action action, SecNode graphIRI, SecTriple triple );
-to ask if the current user can "Read" (Action) from graph X (graphIRI) all triples (SecTriple) as
+<p>The graph restrictions are applied before triple restrictions. So the system will call </p>
+<div class="codehilite"><pre><span class="n">evaluate</span><span class="p">(</span> <span class="n">Action</span> <span class="n">action</span><span class="p">,</span> <span class="n">SecNode</span> <span class="n">graphIRI</span> <span class="p">);</span>
+</pre></div>
+
+
+<p>to ask can the current user "Read" (Action) graph X (graphIRI) as <code>evaluate( Action.READ, X )</code>.</p>
+<p>if the answer is yes then the system will call</p>
+<div class="codehilite"><pre><span class="n">evaluate</span><span class="p">(</span> <span class="n">Action</span> <span class="n">action</span><span class="p">,</span> <span class="n">SecNode</span> <span class="n">graphIRI</span><span class="p">,</span> <span class="n">SecTriple</span> <span class="n">triple</span> <span class="p">);</span>
+</pre></div>
+
+
+<p>to ask if the current user can "Read" (Action) from graph X (graphIRI) all triples (SecTriple) as
<code>evaluate( Action.READ, X, SecTriple.ALL )</code>.</p>
<p>if the answer is yes then the system will execute the call, if the answer is no then for each
-potential triple the user might read the system will call
- evaluate( Action action, SecNode graphIRI, SecTriple triple );
-to ask if the current user can "Read" (Action) from graph X (graphIRI) the triple in question
+potential triple the user might read the system will call</p>
+<div class="codehilite"><pre><span class="n">evaluate</span><span class="p">(</span> <span class="n">Action</span> <span class="n">action</span><span class="p">,</span> <span class="n">SecNode</span> <span class="n">graphIRI</span><span class="p">,</span> <span class="n">SecTriple</span> <span class="n">triple</span> <span class="p">);</span>
+</pre></div>
+
+
+<p>to ask if the current user can "Read" (Action) from graph X (graphIRI) the triple in question
(<triple>) as <code>evaluate( Action.READ, X, <triple> )</code>.</p>
<p>Jena-security performs similar checks for all creates, reads, updates and deletes. (CRUD). It also does this
for all classes that can be returned from the secured classes. For example an RDFList returned
@@ -197,11 +206,17 @@ list.</p>
<p>Jena-security provides three special nodes to facilitate evaluation of security policy constraints.</p>
<h4 id="secnodeany">SecNode.ANY</h4>
<p>This is similar to the Jena <code>Node.ANY</code> node. It matches any node. In general the system will ask if
-the user can access a graph by executing
- evaluate( Action, GraphIRI )
-if the user can access the graph then the system will execute
- evaluate( Action, GraphIRI, <SecNode.ANY, SecNode.ANY, SecNode.ANY )
-to determine if the user can perform the action on all triples. If not then the system will attempt to
+the user can access a graph by executing </p>
+<div class="codehilite"><pre><span class="n">evaluate</span><span class="p">(</span> <span class="n">Action</span><span class="p">,</span> <span class="n">GraphIRI</span> <span class="p">)</span>
+</pre></div>
+
+
+<p>if the user can access the graph then the system will execute</p>
+<div class="codehilite"><pre><span class="n">evaluate</span><span class="p">(</span> <span class="n">Action</span><span class="p">,</span> <span class="n">GraphIRI</span><span class="p">,</span> <span class="o"><</span><span class="n">SecNode</span><span class="p">.</span><span class="n">ANY</span><span class="p">,</span> <span class="n">SecNode</span><span class="p">.</span><span class="n">ANY</span><span class="p">,</span> <span class="n">SecNode</span><span class="p">.</span><span class="n">ANY</span> <span class="p">)</span>
+</pre></div>
+
+
+<p>to determine if the user can perform the action on all triples. If not then the system will attempt to
determine if the user perform the action on each specific triple. In some cases the system can determine that
the range of nodes involved in the action a sub set of all nodes and will call <code>evaluate</code> with some constant
nodes.</p>
@@ -267,13 +282,19 @@ that have subject X and predicate Y.</p>
<p>Insertions pose a different set of problems in that in some cases the system does not know what value will be
inserted. For example when concatenating one RDFList with another (<code>rdfList.concatenate( rdfList2 )</code>) the system
will create a series of anonymous nodes. To check for these the <code>SecNode.FUTURE</code> is used. Initially the system will
-call
- evaluate( Action.CREATE, X, <SecNode.FUTURE, RDF.first, SecNode.ANY )
-to ascertain if the user can create a triple in graph X that has an anonymous node (SecNode.FUTURE) as the subject,
+call </p>
+<div class="codehilite"><pre><span class="n">evaluate</span><span class="p">(</span> <span class="n">Action</span><span class="p">.</span><span class="n">CREATE</span><span class="p">,</span> <span class="n">X</span><span class="p">,</span> <span class="o"><</span><span class="n">SecNode</span><span class="p">.</span><span class="n">FUTURE</span><span class="p">,</span> <span class="n">RDF</span><span class="p">.</span><span class="n">first</span><span class="p">,</span> <span class="n">SecNode</span><span class="p">.</span><span class="n">ANY</span> <span class="p">)</span>
+</pre></div>
+
+
+<p>to ascertain if the user can create a triple in graph X that has an anonymous node (SecNode.FUTURE) as the subject,
RDF.first as the predicate and any node as the object. If this is not allowed then for every node in <code>rdfList2</code>
-the system will call
- evaluate( Action.CREATE, X, <SecNode.FUTURE, RDF.first, node )
-where <code>node</code> is the node from <code>rdfList2</code> to be added.</p>
+the system will call</p>
+<div class="codehilite"><pre><span class="n">evaluate</span><span class="p">(</span> <span class="n">Action</span><span class="p">.</span><span class="n">CREATE</span><span class="p">,</span> <span class="n">X</span><span class="p">,</span> <span class="o"><</span><span class="n">SecNode</span><span class="p">.</span><span class="n">FUTURE</span><span class="p">,</span> <span class="n">RDF</span><span class="p">.</span><span class="n">first</span><span class="p">,</span> <span class="n">node</span> <span class="p">)</span>
+</pre></div>
+
+
+<p>where <code>node</code> is the node from <code>rdfList2</code> to be added.</p>
</div>
</div>