You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@jena.apache.org by cl...@apache.org on 2013/09/10 22:10:36 UTC
svn commit: r1521622 -
/jena/site/trunk/content/documentation/security/index.mdtext
Author: claude
Date: Tue Sep 10 20:10:36 2013
New Revision: 1521622
URL: http://svn.apache.org/r1521622
Log:
Fixed some formatting issues
Modified:
jena/site/trunk/content/documentation/security/index.mdtext
Modified: jena/site/trunk/content/documentation/security/index.mdtext
URL: http://svn.apache.org/viewvc/jena/site/trunk/content/documentation/security/index.mdtext?rev=1521622&r1=1521621&r2=1521622&view=diff
==============================================================================
--- jena/site/trunk/content/documentation/security/index.mdtext (original)
+++ jena/site/trunk/content/documentation/security/index.mdtext Tue Sep 10 20:10:36 2013
@@ -67,17 +67,23 @@ this is done correctly. The required pe
Conceptually the framework implements 2 levels of security: graph and triple.
The graph restrictions are applied before triple restrictions. So the system will call
+
evaluate( Action action, SecNode graphIRI );
+
to ask can the current user "Read" (Action) graph X (graphIRI) as `evaluate( Action.READ, X )`.
if the answer is yes then the system will call
+
evaluate( Action action, SecNode graphIRI, SecTriple triple );
+
to ask if the current user can "Read" (Action) from graph X (graphIRI) all triples (SecTriple) as
`evaluate( Action.READ, X, SecTriple.ALL )`.
if the answer is yes then the system will execute the call, if the answer is no then for each
potential triple the user might read the system will call
+
evaluate( Action action, SecNode graphIRI, SecTriple triple );
+
to ask if the current user can "Read" (Action) from graph X (graphIRI) the triple in question
(<triple>) as `evaluate( Action.READ, X, <triple> )`.
@@ -94,9 +100,13 @@ Jena-security provides three special nod
This is similar to the Jena `Node.ANY` node. It matches any node. In general the system will ask if
the user can access a graph by executing
+
evaluate( Action, GraphIRI )
+
if the user can access the graph then the system will execute
+
evaluate( Action, GraphIRI, <SecNode.ANY, SecNode.ANY, SecNode.ANY )
+
to determine if the user can perform the action on all triples. If not then the system will attempt to
determine if the user perform the action on each specific triple. In some cases the system can determine that
the range of nodes involved in the action a sub set of all nodes and will call `evaluate` with some constant
@@ -156,11 +166,15 @@ Insertions pose a different set of probl
inserted. For example when concatenating one RDFList with another (`rdfList.concatenate( rdfList2 )`) the system
will create a series of anonymous nodes. To check for these the `SecNode.FUTURE` is used. Initially the system will
call
+
evaluate( Action.CREATE, X, <SecNode.FUTURE, RDF.first, SecNode.ANY )
+
to ascertain if the user can create a triple in graph X that has an anonymous node (SecNode.FUTURE) as the subject,
RDF.first as the predicate and any node as the object. If this is not allowed then for every node in `rdfList2`
the system will call
+
evaluate( Action.CREATE, X, <SecNode.FUTURE, RDF.first, node )
+
where `node` is the node from `rdfList2` to be added.