Posted to users@jena.apache.org by Andreas Plank <an...@gmail.com> on 2020/03/31 10:19:53 UTC

How to prevent data set action “remove” for read only sparql data (FUSEKI 3.14.0)

Hej-hej,

(I’m new, please forgive me if the system posted twice.)

How is it possible to get the Fuseki Web app (really) read only for data sets where also the tab manage => button “remove” does not appear?

I’ve started https://issues.apache.org/jira/projects/JENA/issues/JENA-1874 but I was asked to ask here and until now I have no solution yet for:
* making a data set complete read only
* let the Fuseki Interface not work on (remove, delete, update etc.)

So far 
* I can manage to prevent update URL (via shiro.ini)
* I can manage to prevent upload URL (via shiro.ini)
* but I can not manage to prevent the Request Method: DELETE

It is not clear to me how to apply in the shiro.ini the filter name “rest”, which—as far as I understand it—is available by default and comes from org.apache.shiro.web.filter.authz.HttpMethodPermissionFilter, but I can not figure out how to prevent Request Method: DELETE

Thank you for your help, kind regards
Andreas

Re: How to prevent data set action “remove” for read only sparql data (FUSEKI 3.14.0)

Posted by Andreas Plank <an...@gmail.com>.

On 2020/03/31 10:19:53, Andreas Plank <an...@gmail.com> wrote: 
> So far 
> * I can manage to prevent update URL (via shiro.ini)
> * I can manage to prevent upload URL (via shiro.ini)
> * but I can not manage to prevent the Request Method: DELETE

I still don’t comprehend how to prevent the Request Method: DELETE. 

The only workaround I have tried out so far (in the shiro.ini) is to disable the manage.html URL for anon. The following tries to let anonymous users read and play around with queries but requests a login on (update, upload, manage.html)

#-- START shiro.ini attempt for anonymous: read only -------------
[main]
# Development
ssl.enabled = false

plainMatcher=org.apache.shiro.authc.credential.SimpleCredentialsMatcher
#iniRealm=org.apache.shiro.realm.text.IniRealm
# localhostFilter=org.apache.jena.fuseki.authz.LocalhostFilter
iniRealm.credentialsMatcher = $plainMatcher
rest = org.apache.shiro.web.filter.authz.HttpMethodPermissionFilter

[users]
# Implicitly adds "iniRealm =  org.apache.shiro.realm.text.IniRealm"
admin  = secret, administrator
wwwuser = publicpw

[roles]
administrator=*
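# ?correct or how to let this user only be able to read and nothing else ?
# (comment moved to its own line: Shiro's INI format only treats lines starting with # or ; as comments)
wwwuser=rest:read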

[urls]
## Control functions open to anyone
/$/server  = anon
/$/status  = anon
/$/ping    = anon
/$/stats   = anon
/$/stats/* = anon
/*/query/**  = anon
/*/sparql/** = anon
/*/get/**    = anon

/$/** = authcBasic,roles[administrator]

## restricted URLs
/manage.html** = authcBasic,roles[administrator]
/*/data/**     = authcBasic,roles[administrator]
/*/upload/**   = authcBasic,roles[administrator]
/*/delete/**   = authcBasic,roles[administrator]
/*/update/**   = authcBasic,roles[administrator]

# Everything else
/**=anon
#-- END shiro.ini attempt for anonymous: read only -------------


Re: How to prevent data set action “remove” for read only sparql data (FUSEKI 3.14.0)

Posted by Andy Seaborne <an...@apache.org>.
Andreas,

The example of a read-only configuration is for publishing read-only 
widely.  Any application.

The interface is for administration, control and development. It is by 
default restricted to localhost connections - in fact, it has to be the 
loopback interface, not even the local machine's network IP address will 
work, only 127.0.0.1 or [::1] works.

     Andy

On 31/03/2020 14:42, Dan Pritts wrote:
> One way would be to put fuseki behind a proxy.  If that proxy is apache 
> httpd the following should do the trick:
> 
>      RewriteEngine On
>      RewriteCond %{REQUEST_METHOD} !^(GET|POST|HEAD|OPTIONS)
>      RewriteRule .* - [F]
> 
> This specifically allows only the GET POST HEAD and OPTIONS verbs, you 
> can add others if you need them.
> 
> Dan Pritts
> ICPSR Computing and Network Services
> 
> On 31 Mar 2020, at 6:19, Andreas Plank wrote:
> 
>> Hej-hej,
>>
>> (I’m new, please forgive me if the system posted twice.)
>>
>> How is it possible to get the Fuseki Web app (really) read only for 
>> data sets where also the tab manage => button “remove” does not appear?
>>
>> I’ve started 
>> https://issues.apache.org/jira/projects/JENA/issues/JENA-1874 but I 
>> was asked to ask here and until now I have no solution yet for:
>> * making a data set complete read only
>> * let the Fuseki Interface not work on (remove, delete, update etc.)
>>
>> So far
>> * I can manage to prevent update URL (via shiro.ini)
>> * I can manage to prevent upload URL (via shiro.ini)
>> * but I can not manage to prevent the Request Method: DELETE
>>
>> It is not clear to me how to apply in the shiro.ini the filter name 
>> “rest”, which—as far as I understand it—is available by default and 
>> comes from 
>> org.apache.shiro.web.filter.authz.HttpMethodPermissionFilter, but I 
>> can not figure out how to prevent Request Method: DELETE
>>
>> Thank you for your help, kind regards
>> Andreas
> 

Re: How to prevent data set action “remove” for read only sparql data (FUSEKI 3.14.0)

Posted by Dan Pritts <da...@umich.edu>.
One way would be to put fuseki behind a proxy.  If that proxy is apache 
httpd the following should do the trick:

	RewriteEngine On
	RewriteCond %{REQUEST_METHOD} !^(GET|POST|HEAD|OPTIONS)
	RewriteRule .* - [F]

This specifically allows only the GET POST HEAD and OPTIONS verbs, you 
can add others if you need them.

Dan Pritts
ICPSR Computing and Network Services

On 31 Mar 2020, at 6:19, Andreas Plank wrote:

> Hej-hej,
>
> (I’m new, please forgive me if the system posted twice.)
>
> How is it possible to get the Fuseki Web app (really) read only for 
> data sets where also the tab manage => button “remove” does not 
> appear?
>
> I’ve started 
> https://issues.apache.org/jira/projects/JENA/issues/JENA-1874 but I 
> was asked to ask here and until now I have no solution yet for:
> * making a data set complete read only
> * let the Fuseki Interface not work on (remove, delete, update etc.)
>
> So far
> * I can manage to prevent update URL (via shiro.ini)
> * I can manage to prevent upload URL (via shiro.ini)
> * but I can not manage to prevent the Request Method: DELETE
>
> It is not clear to me how to apply in the shiro.ini the filter name 
> “rest”, which—as far as I understand it—is available by 
> default and comes from 
> org.apache.shiro.web.filter.authz.HttpMethodPermissionFilter, but I 
> can not figure out how to prevent Request Method: DELETE
>
> Thank you for your help, kind regards
> Andreas
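
Added example, not part of any post in this thread: a small Python model of how an anonymous request is decided by the two controls discussed above, the proxy's method allow-list and the first-match [urls] rules of the posted shiro.ini, which compare the path only and never the HTTP method. The Ant-style matcher is a simplified stand-in for Shiro's own, and the dataset name `ds` and the sample requests are constructed.

```python
import re

# RewriteCond from the thread: a method NOT matching this regex gets 403 at the proxy.
PROXY_ALLOWED = re.compile(r"^(GET|POST|HEAD|OPTIONS)")

# [urls] lines of the posted shiro.ini, in order (Shiro: first match wins, and the
# pattern is compared with the path only). "admin" = authcBasic,roles[administrator].
URL_RULES = [
    ("/$/server", "anon"), ("/$/status", "anon"), ("/$/ping", "anon"),
    ("/$/stats", "anon"), ("/$/stats/*", "anon"),
    ("/*/query/**", "anon"), ("/*/sparql/**", "anon"), ("/*/get/**", "anon"),
    ("/$/**", "admin"), ("/manage.html**", "admin"),
    ("/*/data/**", "admin"), ("/*/upload/**", "admin"),
    ("/*/delete/**", "admin"), ("/*/update/**", "admin"),
    ("/**", "anon"),
]

def ant_match(pattern, path):
    """Simplified Ant-style match (assumption, not Shiro's own matcher):
    '*' stays inside one path segment, '**' spans zero or more segments."""
    pat = pattern.strip("/").split("/")
    seg = [s for s in path.split("/") if s]
    def rec(i, j):
        if i == len(pat):
            return j == len(seg)
        if pat[i] == "**":
            return any(rec(i + 1, k) for k in range(j, len(seg) + 1))
        if j == len(seg):
            return False
        rx = "".join(".*" if c == "*" else re.escape(c) for c in pat[i])
        return re.fullmatch(rx, seg[j]) is not None and rec(i + 1, j + 1)
    return rec(0, 0)

def decide(method, path, behind_proxy=True):
    """Return (verdict, matched [urls] pattern) for an anonymous request."""
    if behind_proxy and not PROXY_ALLOWED.match(method):
        return ("proxy-403", None)
    for pattern, chain in URL_RULES:
        if ant_match(pattern, path):
            return ("anonymous-ok" if chain == "anon" else "login-required", pattern)
    return ("anonymous-ok", None)

# Constructed sample requests; "ds" is a placeholder dataset name.
SAMPLES = [("GET", "/ds/query"), ("POST", "/ds/update"), ("DELETE", "/ds/data"),
           ("DELETE", "/$/datasets/ds"), ("DELETE", "/ds"), ("POST", "/ds")]

if __name__ == "__main__":
    for m, p in SAMPLES:
        print(m, p, decide(m, p), decide(m, p, behind_proxy=False))
```

In this model `DELETE /ds` matches only the catch-all `/** = anon` when the proxy is absent, which is the case the method allow-list covers. `POST /ds` passes both layers, so whether it can write depends on the dataset's service configuration, which the thread does not show.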