Posted to users@marmotta.apache.org by Fabian Cretton <Fa...@hevs.ch> on 2014/09/26 14:40:17 UTC

Restricting access to web services - how do clients provide credentials ?

Hi,
 
(Here a newbie question again, sorry about that)
 
I would like clients of the platform to need authentication, for instance when calling the SPARQL select web service.
My current client application is a simple .html page based on marmotta.js.
 
I did set the security profile to "restricted".
 
Then the security parameters concerning SPARQL select look like:

security.permission.sparql_query.methods: GET,POST,OPTIONS
security.permission.sparql_query.pattern: /sparql/select
security.permission.sparql_query.priority: 5
 
Here the calls to marmottaClient.sparqlClient.select() from my .html page still work as expected (and succeed).
 
Thus I did add a new value:
security.permission.sparql_query.roles: user
 
Now the calls to sparqlClient.select() do fail, as expected.
And the administration interfaces work well too.
 
But then, how can the client now specify the credential to access the platform ?
I haven't found any information about that in marmotta.js.
I did look for information in the forum, also without success.
 
I see now that the PHP and Java client implementations do provide a "clientConfiguration" mechanism.
Is it just not implemented yet for the JavaScript client? If so, I could implement it based on the Java/PHP implementations.
 
Thank you for any hint
Fabian
 
 

Re: Rép. : Re: Restricting access to web services - how do clients provide credentials ?

Posted by Sergio Fernández <wi...@apache.org>.
On 30/09/14 13:43, Fabian Cretton wrote:
> I made a trial with a marmotta.js based on jquery instead of the
> current one. But I got to the same point:
> Without security, the calls work, but if I try to specify an http
> authentication, the call fails (return status 0).

If you'd find the jQuery relevant and stable, please provide a patch.

> Thus, is my problem related to "cross-origin" ?
> If so, do I have to ask if Marmotta does handle CORS ?

CORS is handled by the platform. Are you using the default webapp 
launcher or a custom one? Try to find out if the CORS filter is 
available by inspecting the dependency tree:

     mvn dependency:tree | grep cors

Another idea would be to try to reproduce the request with 'curl -i' to 
debug the issue.

Cheers,

-- 
Sergio Fernández
Partner Technology Manager
Redlink GmbH
m: +43 660 2747 925
e: sergio.fernandez@redlink.co
w: http://redlink.co
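
A model of the browser-side checks behind the CORS hint above, as an added example that is not part of the thread or of Marmotta: an Authorization header on a cross-origin XMLHttpRequest makes the browser first send an OPTIONS preflight without that header, and a rejected preflight reaches the script as status 0. The origin, header values and responses used with it are constructed, and that a refused preflight is what happened in this thread is an assumption the thread does not confirm.

```javascript
// Added example, not Marmotta code: a model of the browser's CORS checks.
// Assumes no withCredentials; response header names are given in lowercase.
const SAFE_METHODS = new Set(["GET", "HEAD", "POST"]);
const SAFE_HEADERS = new Set(["accept", "accept-language", "content-language"]);
const SAFE_CONTENT_TYPES = new Set([
  "application/x-www-form-urlencoded", "multipart/form-data", "text/plain"]);

// Lowercased names of the request headers that force a preflight.
function unsafeHeaders(headers) {
  return Object.entries(headers).filter(([name, value]) => {
    const n = name.toLowerCase();
    if (SAFE_HEADERS.has(n)) return false;
    if (n !== "content-type") return true;   // e.g. Authorization
    const type = value.split(";")[0].trim().toLowerCase();
    return !SAFE_CONTENT_TYPES.has(type);
  }).map(([name]) => name.toLowerCase());
}

function needsPreflight(method, headers) {
  const m = method.toUpperCase();
  return !SAFE_METHODS.has(m) || unsafeHeaders(headers).length > 0;
}

const list = (v) =>
  (v || "").split(",").map((s) => s.trim().toLowerCase()).filter(Boolean);

// Would the browser let the real request go out after this OPTIONS response?
// Anything but "allowed" reaches the page as an XHR error with status 0.
function preflightResult(origin, method, headers, response) {
  const ok = response.status >= 200 && response.status <= 299;
  if (!ok) return "blocked: preflight status " + response.status;
  const allowOrigin = response.headers["access-control-allow-origin"];
  if (allowOrigin !== "*" && allowOrigin !== origin) return "blocked: origin";
  const methods = list(response.headers["access-control-allow-methods"]);
  const m = method.toUpperCase();
  if (!SAFE_METHODS.has(m) && !methods.includes(m.toLowerCase()) &&
      !methods.includes("*")) {
    return "blocked: method " + m;
  }
  const allowed = list(response.headers["access-control-allow-headers"]);
  for (const h of unsafeHeaders(headers)) {
    // "*" never covers Authorization; it has to be listed by name.
    const viaWildcard = allowed.includes("*") && h !== "authorization";
    if (!allowed.includes(h) && !viaWildcard) return "blocked: header " + h;
  }
  return "allowed";
}
```

Feeding it the status and headers that `curl -i` shows for an OPTIONS request to /sparql/select tells which check the server's answer fails.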

Rép. : Re: Restricting access to web services - how do clients provide credentials ?

Posted by Fabian Cretton <Fa...@hevs.ch>.
To clarify the context, I am trying the client on my own .html page,
outside of the Marmotta interface.
 
I made a trial with a marmotta.js based on jquery instead of the
current one. But I got to the same point:
Without security, the calls work, but if I try to specify an http
authentication, the call fails (return status 0).
 
Thus, is my problem related to "cross-origin" ?
If so, do I have to ask if Marmotta does handle CORS ?
 
Thanks
Fabian

>>> "Fabian Cretton" <Fa...@hevs.ch> 29.09.2014 09:01 >>>
Thank you Sergio,
 
Once I can make the marmotta.js work with HTTP Basic Authentication, I
could add some information to "security/admin/about.html" about that.
 
But so far, I have not been successful, and this is what I tried:
- I want a 'user' authentication to perform SPARQL select calls, so I
did add:
security.permission.sparql_query.roles: user
- I did create a new user 'fabian' pwd 'fabian', with only a 'user'
role.
- security.method is set to 'BASIC'
 
The authentication from the marmotta interface does work as expected.
 
Then I did change marmotta.js from:

     request.open(method, _url, true);
     if(method=="PUT"||method=="POST")request.setRequestHeader("Content-Type",mimetype);
     if(method=="GET")request.setRequestHeader("Accept",mimetype);
     request.send( data );

To:

     request.open(method, _url, true);
     if(method=="PUT"||method=="POST")request.setRequestHeader("Content-Type",mimetype);
     if(method=="GET")request.setRequestHeader("Accept",mimetype);
     request.setRequestHeader("Authorization", "Basic " + Base64.encode("fabian:fabian"));
     request.send( data );

I think the Base64 I found here [1] is correct, and I also tried with a
btoa("fabian:fabian") with the same result.
 
Nevertheless, my SPARQL select call does return with an error and this
message: "(Unknown or not implmented)"
If I don't add the new line to set the "Authorization" header, then I
get the following message as expected: "(Unauthorized)"
 
Thank you for any help
Fabian
 
[1] www.webtoolkit.info/javascript-base64.html


>>> Sergio Fernández<wi...@apache.org> 26.09.2014 17:24 >>>
Hi Fabian,

On 26/09/14 14:40, Fabian Cretton wrote:
> But then, how can the client now specify the credential to access the
> platform ?
> I haven't found any information about that in marmotta.js.
> I did look for information in the forum, also without success.
>
> I see now that the php and java clients implementation do provide
> "clientConfiguration" mechanism.
> Is it just not implemented yet for the javascript client ? if so, I
> could implement it based on the java/php implementations.

Yes, the client should support HTTP Basic Authentication. And I think JS
client does not.

I have to admit that the client library is not so well maintained, so
you may find some issues. For instance the JS client library is based on
raw XMLHttpRequest objects, but at some point we should migrate to a
higher level and more portable library, such as jQuery.

All patches would be welcomed! Also, all the help updating the
documentation would be appreciated, because as you can see right now the
information is not good enough for new users:

http://marmotta.apache.org/platform/security-module.html

Cheers,

-- 
Sergio Fernández
Partner Technology Manager
Redlink GmbH
m: +43 660 2747 925
e: sergio.fernandez@redlink.co
w: http://redlink.co

Re: Restricting access to web services - how do clients provide credentials ?

Posted by Sergio Fernández <wi...@apache.org>.
Hi Fabian,

On 29/09/14 09:01, Fabian Cretton wrote:
>   request.open(method, _url, true);
> if(method=="PUT"||method=="POST")request.setRequestHeader("Content-Type",mimetype);
> if(method=="GET")request.setRequestHeader("Accept",mimetype);
> request.setRequestHeader("Authorization", "Basic " +
> Base64.encode("fabian:fabian"));
> request.send( data );
>
> I think the Base64 I found here [1] is correct, and i also tried with a
> btoa("fabian:fabian") with the same result.

I'm not a JS expert, and I'm not sure either whether we use base64 encoding in our
Basic Auth, but have you tried something like:

     request.setRequestHeader(
         "Authorization",
         "Basic "+window.btoa(user+':'+pass));

> Nevertheless, my SPARQL select call does return with an error and this
> message: "(Unknown or not implmented)"

First check in the query UI that the query is valid and delivers the
expected results. In Marmotta 3.3.0 we're working on a huge batch of
improvements for SPARQL.

> If I don't add the new line to set the "Authorization" header, then I
> get the following message as expected: "(Unauthorized)"

Well, that's expected.

For allowing you to actually work, what about changing 
'security.enabled' to 'false' in the meantime?

Cheers,

-- 
Sergio Fernández
Partner Technology Manager
Redlink GmbH
m: +43 660 2747 925
e: sergio.fernandez@redlink.co
w: http://redlink.co

Rép. : Re: Restricting access to web services - how do clients provide credentials ?

Posted by Fabian Cretton <Fa...@hevs.ch>.
Thank you Sergio,
 
Once I can make the marmotta.js work with HTTP Basic Authentication, I
could add some information to "security/admin/about.html" about that.
 
But so far, I have not been successful, and this is what I tried:
- I want a 'user' authentication to perform SPARQL select calls, so I
did add:
security.permission.sparql_query.roles: user
- I did create a new user 'fabian' pwd 'fabian', with only a 'user'
role.
- security.method is set to 'BASIC'
 
The authentication from the marmotta interface does work as expected.
 
Then I did change marmotta.js from:

     request.open(method, _url, true);
     if(method=="PUT"||method=="POST")request.setRequestHeader("Content-Type",mimetype);
     if(method=="GET")request.setRequestHeader("Accept",mimetype);
     request.send( data );

To:

     request.open(method, _url, true);
     if(method=="PUT"||method=="POST")request.setRequestHeader("Content-Type",mimetype);
     if(method=="GET")request.setRequestHeader("Accept",mimetype);
     request.setRequestHeader("Authorization", "Basic " + Base64.encode("fabian:fabian"));
     request.send( data );

I think the Base64 I found here [1] is correct, and I also tried with a
btoa("fabian:fabian") with the same result.
 
Nevertheless, my SPARQL select call does return with an error and this
message: "(Unknown or not implmented)"
If I don't add the new line to set the "Authorization" header, then I
get the following message as expected: "(Unauthorized)"
 
Thank you for any help
Fabian
 
[1] www.webtoolkit.info/javascript-base64.html


>>> Sergio Fernández<wi...@apache.org> 26.09.2014 17:24 >>>
Hi Fabian,

On 26/09/14 14:40, Fabian Cretton wrote:
> But then, how can the client now specify the credential to access the
> platform ?
> I haven't found any information about that in marmotta.js.
> I did look for information in the forum, also without success.
>
> I see now that the php and java clients implementation do provide
> "clientConfiguration" mechanism.
> Is it just not implemented yet for the javascript client ? if so, I
> could implement it based on the java/php implementations.

Yes, the client should support HTTP Basic Authentication. And I think JS
client does not.

I have to admit that the client library is not so well maintained, so
you may find some issues. For instance the JS client library is based on
raw XMLHttpRequest objects, but at some point we should migrate to a
higher level and more portable library, such as jQuery.

All patches would be welcomed! Also, all the help updating the
documentation would be appreciated, because as you can see right now the
information is not good enough for new users:

http://marmotta.apache.org/platform/security-module.html

Cheers,

-- 
Sergio Fernández
Partner Technology Manager
Redlink GmbH
m: +43 660 2747 925
e: sergio.fernandez@redlink.co
w: http://redlink.co

Re: Restricting access to web services - how do clients provide credentials ?

Posted by Sergio Fernández <wi...@apache.org>.
Hi Fabian,

On 26/09/14 14:40, Fabian Cretton wrote:
> But then, how can the client now specify the credential to access the platform ?
> I haven't found any information about that in marmotta.js.
> I did look for information in the forum, also without success.
>
> I see now that the php and java clients implementation do provide "clientConfiguration" mechanism.
> Is it just not implemented yet for the javascript client ? if so, I could implement it based on the java/php implementations.

Yes, the client should support HTTP Basic Authentication. And I think JS 
client does not.

I have to admit that the client library is not so well maintained, so 
you may find some issues. For instance the JS client library is based on 
raw XMLHttpRequest objects, but at some point we should migrate to a 
higher level and more portable library, such as jQuery.

All patches would be welcomed! Also, all the help updating the 
documentation would be appreciated, because as you can see right now the 
information is not good enough for new users:

http://marmotta.apache.org/platform/security-module.html

Cheers,

-- 
Sergio Fernández
Partner Technology Manager
Redlink GmbH
m: +43 660 2747 925
e: sergio.fernandez@redlink.co
w: http://redlink.co