Posted to commits@jena.apache.org by bu...@apache.org on 2015/07/26 12:53:57 UTC

svn commit: r959630 [1/2] - in /websites/staging/jena/trunk/content: ./ documentation/permissions/ documentation/security/

Author: buildbot
Date: Sun Jul 26 10:53:56 2015
New Revision: 959630

Log:
Staging update by buildbot for jena

Added:
    websites/staging/jena/trunk/content/documentation/permissions/
    websites/staging/jena/trunk/content/documentation/permissions/assembler.html
    websites/staging/jena/trunk/content/documentation/permissions/design.html
    websites/staging/jena/trunk/content/documentation/permissions/evaluator.html
    websites/staging/jena/trunk/content/documentation/permissions/example.html
    websites/staging/jena/trunk/content/documentation/permissions/index.html
    websites/staging/jena/trunk/content/documentation/permissions/migration2To3.html
Removed:
    websites/staging/jena/trunk/content/documentation/security/
Modified:
    websites/staging/jena/trunk/content/   (props changed)

Propchange: websites/staging/jena/trunk/content/
------------------------------------------------------------------------------
--- cms:source-revision (original)
+++ cms:source-revision Sun Jul 26 10:53:56 2015
@@ -1 +1 @@
-1692709
+1692710

Added: websites/staging/jena/trunk/content/documentation/permissions/assembler.html
==============================================================================
--- websites/staging/jena/trunk/content/documentation/permissions/assembler.html (added)
+++ websites/staging/jena/trunk/content/documentation/permissions/assembler.html Sun Jul 26 10:53:56 2015
@@ -0,0 +1,224 @@
+<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
+<html>
+<head>
+<!--
+
+    Licensed to the Apache Software Foundation (ASF) under one or more
+    contributor license agreements.  See the NOTICE file distributed with
+    this work for additional information regarding copyright ownership.
+    The ASF licenses this file to You under the Apache License, Version 2.0
+    (the "License"); you may not use this file except in compliance with
+    the License.  You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE- 2.0
+
+    Unless required by applicable law or agreed to in writing, software
+    distributed under the License is distributed on an "AS IS" BASIS,
+    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+    See the License for the specific language governing permissions and
+    limitations under the License.
+-->
+
+  <title>Apache Jena - Jena Permissions - Assembler For a Secured Model</title>
+  <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
+  <meta name="viewport" content="width=device-width, initial-scale=1.0">
+
+  <link href="/css/bootstrap.min.css" rel="stylesheet" media="screen">
+  <link href="/css/bootstrap-extension.css" rel="stylesheet" type="text/css">
+  <link href="/css/jena.css" rel="stylesheet" type="text/css">
+  <link rel="shortcut icon" href="/images/favicon.ico" />
+  
+  <script src="https://code.jquery.com/jquery-2.0.3.min.js"></script>
+  <script src="/js/jena-navigation.js" type="text/javascript"></script>
+  <script src="/js/bootstrap.min.js" type="text/javascript"></script>
+  <script src="/js/breadcrumbs.js" type="text/javascript"></script>
+
+  <script src="/js/improve.js" type="text/javascript"></script>
+
+  
+  <!-- Uncomment to enable code coloring <link href="/css/codehilite.css" rel="stylesheet" type="text/css"> -->
+
+</head>
+
+<body>
+
+
+
+<nav class="navbar navbar-default" role="navigation">
+<div class="container">
+  <div class="navbar-header">
+  
+    <button type="button" class="navbar-toggle" data-toggle="collapse" data-target=".navbar-ex1-collapse">
+      <span class="icon-bar"></span>
+      <span class="icon-bar"></span>
+      <span class="icon-bar"></span>
+    </button>
+    <a class="navbar-brand" href="/index.html">
+    <img class="logo-menu" src="/images/jena-logo/jena-logo-notext-small.png" alt="jena logo">Apache Jena</a>
+  </div>
+ 
+  <div class="collapse navbar-collapse navbar-ex1-collapse">
+    <ul class="nav navbar-nav">
+              <li id="homepage"><a href="/index.html"><span class="glyphicon glyphicon-home"></span> Home</a></li>
+              <li id="download"><a href="/download/index.cgi"><span class="glyphicon glyphicon-download-alt"></span> Download</a></li>
+              <li class="dropdown">
+                <a href="#" class="dropdown-toggle" data-toggle="dropdown"><span class="glyphicon glyphicon-book"></span> Learn <b class="caret"></b></a>
+                <ul class="dropdown-menu">
+                  <li class="dropdown-header">Tutorials</li>
+                  <li><a href="/tutorials/index.html">Overview</a></li>
+                  <li><a href="/tutorials/rdf_api.html">RDF core API tutorial</a></li>
+                  <li><a href="/tutorials/sparql.html">SPARQL tutorial</a></li>
+                  <li><a href="/documentation/query/manipulating_sparql_using_arq.html">Manipulating SPARQL using ARQ</a></li>
+                  <li><a href="/tutorials/using_jena_with_eclipse.html">Using Jena with Eclipse</a></li>
+                  <li><a href="/documentation/notes/index.html">How-To's</a></li>
+                  <li class="divider"></li>
+                  <li class="dropdown-header">References</li>
+                  <li><a href="/documentation/index.html">Overview</a></li>
+                  <li><a href="/documentation/javadoc/">Javadoc</a></li>
+                  <li><a href="/documentation/rdf/index.html">RDF API</a></li>
+                  <li><a href="/documentation/io/">RDF I/O</a></li>
+                  <li><a href="/documentation/query/index.html">ARQ (SPARQL)</a></li>
+                  <li><a href="/documentation/hadoop/index.html">Elephas - tools for RDF on Hadoop</a></li>
+                  <li><a href="/documentation/query/text-query.html">Text Search</a></li>
+                  <li><a href="/documentation/tdb/index.html">TDB</a></li>
+                  <li><a href="/documentation/sdb/index.html">SDB</a></li>
+                  <li><a href="/documentation/jdbc/index.html">SPARQL over JDBC</a></li>
+                  <li><a href="/documentation/fuseki2/index.html">Fuseki</a></li>
+                  <li><a href="/documentation/permissions/index.html">Permissions</a></li>
+                  <li><a href="/documentation/assembler/index.html">Assembler</a></li>
+                  <li><a href="/documentation/ontology/">Ontology API</a></li>
+                  <li><a href="/documentation/inference/index.html">Inference API</a></li>
+                  <li><a href="/documentation/tools/index.html">Command-line tools</a></li>
+                  <li><a href="/documentation/extras/index.html">Extras</a></li>
+                </ul>
+              </li>
+
+              <li class="drop down">
+                <a href="#" class="dropdown-toggle" data-toggle="dropdown"><span class="glyphicon glyphicon-book"></span> Javadoc <b class="caret"></b></a>
+                <ul class="dropdown-menu">
+                  <li><a href="/documentation/javadoc/jena/">Jena Core</a></li>
+                  <li><a href="/documentation/javadoc/arq/">ARQ</a></li>
+                  <li><a href="/documentation/javadoc/tdb/">TDB</a></li>
+                  <li><a href="/documentation/javadoc/elephas/">Elephas</a></li>
+                  <li><a href="/documentation/javadoc/text/">Text Search</a></li>
+                  <li><a href="/documentation/javadoc/spatial/">Spatial Search</a></li>
+                  <li><a href="/documentation/javadoc/security/">Security</a></li>
+                  <li><a href="/documentation/javadoc/jdbc/">JDBC</a></li>
+                  <li><a href="/documentation/javadoc/">All Javadoc</a></li>
+                </ul>
+              </li>
+
+              <li id="ask"><a href="/help_and_support/index.html"><span class="glyphicon glyphicon-question-sign"></span> Ask</a></li>
+              
+              <li class="dropdown">
+                <a href="#" class="dropdown-toggle" data-toggle="dropdown"><span class="glyphicon glyphicon-bullhorn"></span> Get involved <b class="caret"></b></a>
+                <ul class="dropdown-menu">
+                  <li><a href="/getting_involved/index.html">Contribute</a></li>
+                  <li><a href="/help_and_support/bugs_and_suggestions.html">Report a bug</a></li>
+                  <li class="divider"></li>
+                  <li class="dropdown-header">Project</li>
+                  <li><a href="/about_jena/about.html">About Jena</a></li>
+                  <li><a href="/about_jena/roadmap.html">Roadmap</a></li>
+                  <li><a href="/about_jena/architecture.html">Architecture</a></li>
+                  <li><a href="/about_jena/team.html">Project team</a></li>
+                  <li><a href="/about_jena/contributions.html">Related projects</a></li>
+                  <li class="divider"></li>
+                  <li class="dropdown-header">ASF</li>
+                  <li><a href="http://www.apache.org/">Apache Software Foundation</a></li>
+                  <li><a href="http://www.apache.org/licenses/LICENSE-2.0">License</a></li>
+                  <li><a href="http://www.apache.org/foundation/thanks.html">Thanks</a></li>
+                  <li><a href="http://www.apache.org/foundation/sponsorship.html">Become a Sponsor</a></li>
+                  <li><a href="http://www.apache.org/security/">Security</a></li>
+                </ul>
+              </li>
+
+              <li id="edit"><a href="javascript:improveThisPage(location.href);" title="Improve this Page (Use username anonymous and empty password)"><span class="glyphicon glyphicon-pencil"></span> Improve this Page</a></li>   
+    </ul>
+  </div>
+</div>
+</nav>
+
+
+<div class="container">
+    <div class="row">
+    <div class="col-md-12">
+    <div id="breadcrumbs"></div>
+    <h1 class="title">Jena Permissions - Assembler For a Secured Model</h1>
+  <style type="text/css">
+/* The following code is added by mdx_elementid.py
+   It was originally lifted from http://subversion.apache.org/style/site.css */
+/*
+ * Hide class="elementid-permalink", except when an enclosing heading
+ * has the :hover property.
+ */
+.headerlink, .elementid-permalink {
+  visibility: hidden;
+}
+h2:hover > .headerlink, h3:hover > .headerlink, h1:hover > .headerlink, h6:hover > .headerlink, h4:hover > .headerlink, h5:hover > .headerlink, dt:hover > .elementid-permalink { visibility: visible }</style>
+<p>Jena Permissions provides a standard Jena assembler making it easy to use the <code>SecuredModel</code> in an Assembler based environment.  To use the permissions assembler the assembler file must contain the lines:</p>
+<div class="codehilite"><pre><span class="p">[]</span> <span class="n">ja</span><span class="p">:</span><span class="n">loadClass</span>    &quot;<span class="n">org</span><span class="p">.</span><span class="n">apache</span><span class="p">.</span><span class="n">jena</span><span class="p">.</span><span class="n">permissions</span><span class="p">.</span><span class="n">SecuredAssembler</span>&quot; <span class="p">.</span>
+ <span class="nb">sec</span><span class="p">:</span><span class="n">Model</span>       <span class="n">rdfs</span><span class="p">:</span><span class="n">subClassOf</span>  <span class="n">ja</span><span class="p">:</span><span class="n">NamedModel</span> <span class="p">.</span>
+</pre></div>
+
+
+<p>The secured assembler provides XXXXXXXXXXXx properties for the assembler files.</p>
+<p>Assuming we define</p>
+<div class="codehilite"><pre> <span class="p">@</span><span class="n">prefix</span> <span class="nb">sec</span><span class="p">:</span>    <span class="o">&lt;</span><span class="n">http</span><span class="p">:</span><span class="o">//</span><span class="n">apache</span><span class="p">.</span><span class="n">org</span><span class="o">/</span><span class="n">jena</span><span class="o">/</span><span class="n">permissions</span><span class="o">/</span><span class="n">Assembler</span>#<span class="o">&gt;</span> <span class="p">.</span>
+</pre></div>
+
+
+<p>Then the following resources are defined</p>
+<p><code>sec:Model</code> - A secured model.  One against which the security evaluator is running access checks.  All sec:Model instances must have a ja:ModelName to identify it to the <code>SecurityEvaluator</code></p>
+<p><code>sec:Evaluator</code> -  An instance of <code>SecurityEvaluator</code>.</p>
+<p>The following are properties are also defined:</p>
+<p><code>sec:evaluatorFactory</code> - Identifies the class name of a factory class that implements a no-argument <code>getInstance()</code> method that returns an instance of <code>SecurityEvaluator</code>.</p>
+<p><code>sec:baseModel</code> - Identifies the ja:Model that is to have permissions applied to it.</p>
+<p><code>sec:evaluatorImpl</code> - Identifies an instance of <code>SecurityEvaluator</code>.</p>
+<p><code>sec:evaluatorClass</code> - Identifies a class that implements <code>SecurityEvaluator</code></p>
+<p><code>sec:args</code> - Identifies arguments to the sec:evaluatorClass constructor.</p>
+<p>The secured assembler provides two (2) mechanisms to create a secured graph.  The first is to use a <code>SecurityEvaluator</code> factory</p>
+<div class="codehilite"><pre><span class="n">my</span><span class="o">:</span><span class="n">securedModel</span> <span class="n">rdf</span><span class="o">:</span><span class="n">type</span> <span class="n">sec</span><span class="o">:</span><span class="n">Model</span> <span class="o">;</span>
+    <span class="n">sec</span><span class="o">:</span><span class="n">baseModel</span> <span class="n">my</span><span class="o">:</span><span class="n">baseModel</span> <span class="o">;</span>
+    <span class="n">ja</span><span class="o">:</span><span class="n">modelName</span> <span class="s2">&quot;https://example.org/securedBaseModel&quot;</span> <span class="o">;</span>
+    <span class="n">sec</span><span class="o">:</span><span class="n">evaluatorFactory</span> <span class="s2">&quot;the.evaluator.factory.class.name&quot;</span> <span class="o">.</span>
+</pre></div>
+
+
+<p>In the above example static method <code>getInstance()</code> is called on the.evaluator.factory.class.name and the result is used as the SecurityEvaluator.  This is used to create a secured model (<code>my:securedModel</code>) that wraps the model  <code>my:baseModel</code> and identifies itself to the <code>SecurityEvaluator</code> with the URI <code>"https://example.org/securedBaseModel"</code>. </p>
+<p>The second mechanism is to use the <code>sec:Evaluator</code> method.</p>
+<div class="codehilite"><pre><span class="n">my</span><span class="o">:</span><span class="n">secEvaluator</span> <span class="n">rdf</span><span class="o">:</span><span class="n">type</span> <span class="n">sec</span><span class="o">:</span><span class="n">Evaluator</span> <span class="o">;</span>
+    <span class="n">sec</span><span class="o">:</span><span class="n">args</span> <span class="o">[</span>  
+        <span class="n">rdf</span><span class="o">:</span><span class="n">_1</span> <span class="n">my</span><span class="o">:</span><span class="n">secInfoModel</span> <span class="o">;</span>
+    <span class="o">]</span> <span class="o">;</span>
+    <span class="n">sec</span><span class="o">:</span><span class="n">evaluatorClass</span>    <span class="s2">&quot;your.implementation.SecurityEvaluator&quot;</span> 
+<span class="o">.</span>
+
+<span class="n">my</span><span class="o">:</span><span class="n">securedModel</span> <span class="n">rdf</span><span class="o">:</span><span class="n">type</span> <span class="n">sec</span><span class="o">:</span><span class="n">Model</span> <span class="o">;</span>
+    <span class="n">sec</span><span class="o">:</span><span class="n">baseModel</span> <span class="n">my</span><span class="o">:</span><span class="n">baseModel</span> <span class="o">;</span>
+    <span class="n">ja</span><span class="o">:</span><span class="n">modelName</span> <span class="s2">&quot;https://example.org/securedBaseModel&quot;</span> <span class="o">;</span>
+    <span class="n">sec</span><span class="o">:</span><span class="n">evaluatorImpl</span>  <span class="n">my</span><span class="o">:</span><span class="n">secEvaluator</span> <span class="o">.</span>
+</pre></div>
+
+
+<p>In the above example <code>my:secEvaluator</code> is defined as a <code>sec:Evaluator</code> implemented by the class <code>"your.implementation.SecurityEvaluator"</code>.  When the instance is constructed the constructor with one (1) argument is used and it is passed <code>my:secInfoModel</code> as an argument.  <code>my:secInfoModel</code> may be any type supported by the assembler.  If more than one argument is desired then <code>rdf:_2</code>, <code>rdf:_3</code>, <code>rdf:_4</code>, etc. may be added to the <code>sec:args</code> list.  The  <code>"your.implementation.SecurityEvaluator"</code> with the proper number of arguments will be called.  It is an error to have more than one argument with the proper number of arguments.  </p>
+<p>After construction the value of <code>my:securedModel</code> is used to construct the <code>my:securedModel</code> instance.  This has the same properties as the previous example other than that the <code>SecurityEvaluator</code> instance is different.</p>
+  </div>
+</div>
+
+</div><!--/.container -->
+
+    <footer class="footer">
+      <div class="container">
+        <p>Copyright &copy; 2011&ndash;2015 The Apache Software Foundation, Licensed under
+        the <a href="http://www.apache.org/licenses/LICENSE-2.0">Apache License, Version 2.0</a>.
+        </p>
+        <p>
+        Apache Jena, Jena, the Apache Jena project logo,
+        Apache and the Apache feather logos are trademarks of The Apache Software Foundation.
+        </p>
+      </div>
+  </footer>
+      
+
+</body>
+</html>
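Review bot: The head loads `https://code.jquery.com/jquery-2.0.3.min.js` from a third-party host with no `integrity` or `crossorigin` attribute, so every visitor runs whatever that host returns; the same tag is in the design.html hunk. I would pin it by adding `integrity="sha384-<HASH_OF_REVIEWED_FILE>" crossorigin="anonymous"` (the hash is a placeholder), or serve the file from `/js/` like the other scripts. In the body, "The secured assembler provides XXXXXXXXXXXx properties" still carries placeholder text, and "more than one argument with the proper number of arguments" presumably means more than one constructor. The page should also state that `sec:evaluatorFactory` and `sec:evaluatorClass` name classes that are loaded and used as the access-control decision point, so the assembler file needs the same write protection as the code itself. This file is buildbot output, so the fixes presumably belong in the site template and the page source rather than in this generated copy.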

Added: websites/staging/jena/trunk/content/documentation/permissions/design.html
==============================================================================
--- websites/staging/jena/trunk/content/documentation/permissions/design.html (added)
+++ websites/staging/jena/trunk/content/documentation/permissions/design.html Sun Jul 26 10:53:56 2015
@@ -0,0 +1,225 @@
+<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
+<html>
+<head>
+<!--
+
+    Licensed to the Apache Software Foundation (ASF) under one or more
+    contributor license agreements.  See the NOTICE file distributed with
+    this work for additional information regarding copyright ownership.
+    The ASF licenses this file to You under the Apache License, Version 2.0
+    (the "License"); you may not use this file except in compliance with
+    the License.  You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE- 2.0
+
+    Unless required by applicable law or agreed to in writing, software
+    distributed under the License is distributed on an "AS IS" BASIS,
+    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+    See the License for the specific language governing permissions and
+    limitations under the License.
+-->
+
+  <title>Apache Jena - Jena Permissions - Design</title>
+  <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
+  <meta name="viewport" content="width=device-width, initial-scale=1.0">
+
+  <link href="/css/bootstrap.min.css" rel="stylesheet" media="screen">
+  <link href="/css/bootstrap-extension.css" rel="stylesheet" type="text/css">
+  <link href="/css/jena.css" rel="stylesheet" type="text/css">
+  <link rel="shortcut icon" href="/images/favicon.ico" />
+  
+  <script src="https://code.jquery.com/jquery-2.0.3.min.js"></script>
+  <script src="/js/jena-navigation.js" type="text/javascript"></script>
+  <script src="/js/bootstrap.min.js" type="text/javascript"></script>
+  <script src="/js/breadcrumbs.js" type="text/javascript"></script>
+
+  <script src="/js/improve.js" type="text/javascript"></script>
+
+  
+  <!-- Uncomment to enable code coloring <link href="/css/codehilite.css" rel="stylesheet" type="text/css"> -->
+
+</head>
+
+<body>
+
+
+
+<nav class="navbar navbar-default" role="navigation">
+<div class="container">
+  <div class="navbar-header">
+  
+    <button type="button" class="navbar-toggle" data-toggle="collapse" data-target=".navbar-ex1-collapse">
+      <span class="icon-bar"></span>
+      <span class="icon-bar"></span>
+      <span class="icon-bar"></span>
+    </button>
+    <a class="navbar-brand" href="/index.html">
+    <img class="logo-menu" src="/images/jena-logo/jena-logo-notext-small.png" alt="jena logo">Apache Jena</a>
+  </div>
+ 
+  <div class="collapse navbar-collapse navbar-ex1-collapse">
+    <ul class="nav navbar-nav">
+              <li id="homepage"><a href="/index.html"><span class="glyphicon glyphicon-home"></span> Home</a></li>
+              <li id="download"><a href="/download/index.cgi"><span class="glyphicon glyphicon-download-alt"></span> Download</a></li>
+              <li class="dropdown">
+                <a href="#" class="dropdown-toggle" data-toggle="dropdown"><span class="glyphicon glyphicon-book"></span> Learn <b class="caret"></b></a>
+                <ul class="dropdown-menu">
+                  <li class="dropdown-header">Tutorials</li>
+                  <li><a href="/tutorials/index.html">Overview</a></li>
+                  <li><a href="/tutorials/rdf_api.html">RDF core API tutorial</a></li>
+                  <li><a href="/tutorials/sparql.html">SPARQL tutorial</a></li>
+                  <li><a href="/documentation/query/manipulating_sparql_using_arq.html">Manipulating SPARQL using ARQ</a></li>
+                  <li><a href="/tutorials/using_jena_with_eclipse.html">Using Jena with Eclipse</a></li>
+                  <li><a href="/documentation/notes/index.html">How-To's</a></li>
+                  <li class="divider"></li>
+                  <li class="dropdown-header">References</li>
+                  <li><a href="/documentation/index.html">Overview</a></li>
+                  <li><a href="/documentation/javadoc/">Javadoc</a></li>
+                  <li><a href="/documentation/rdf/index.html">RDF API</a></li>
+                  <li><a href="/documentation/io/">RDF I/O</a></li>
+                  <li><a href="/documentation/query/index.html">ARQ (SPARQL)</a></li>
+                  <li><a href="/documentation/hadoop/index.html">Elephas - tools for RDF on Hadoop</a></li>
+                  <li><a href="/documentation/query/text-query.html">Text Search</a></li>
+                  <li><a href="/documentation/tdb/index.html">TDB</a></li>
+                  <li><a href="/documentation/sdb/index.html">SDB</a></li>
+                  <li><a href="/documentation/jdbc/index.html">SPARQL over JDBC</a></li>
+                  <li><a href="/documentation/fuseki2/index.html">Fuseki</a></li>
+                  <li><a href="/documentation/permissions/index.html">Permissions</a></li>
+                  <li><a href="/documentation/assembler/index.html">Assembler</a></li>
+                  <li><a href="/documentation/ontology/">Ontology API</a></li>
+                  <li><a href="/documentation/inference/index.html">Inference API</a></li>
+                  <li><a href="/documentation/tools/index.html">Command-line tools</a></li>
+                  <li><a href="/documentation/extras/index.html">Extras</a></li>
+                </ul>
+              </li>
+
+              <li class="drop down">
+                <a href="#" class="dropdown-toggle" data-toggle="dropdown"><span class="glyphicon glyphicon-book"></span> Javadoc <b class="caret"></b></a>
+                <ul class="dropdown-menu">
+                  <li><a href="/documentation/javadoc/jena/">Jena Core</a></li>
+                  <li><a href="/documentation/javadoc/arq/">ARQ</a></li>
+                  <li><a href="/documentation/javadoc/tdb/">TDB</a></li>
+                  <li><a href="/documentation/javadoc/elephas/">Elephas</a></li>
+                  <li><a href="/documentation/javadoc/text/">Text Search</a></li>
+                  <li><a href="/documentation/javadoc/spatial/">Spatial Search</a></li>
+                  <li><a href="/documentation/javadoc/security/">Security</a></li>
+                  <li><a href="/documentation/javadoc/jdbc/">JDBC</a></li>
+                  <li><a href="/documentation/javadoc/">All Javadoc</a></li>
+                </ul>
+              </li>
+
+              <li id="ask"><a href="/help_and_support/index.html"><span class="glyphicon glyphicon-question-sign"></span> Ask</a></li>
+              
+              <li class="dropdown">
+                <a href="#" class="dropdown-toggle" data-toggle="dropdown"><span class="glyphicon glyphicon-bullhorn"></span> Get involved <b class="caret"></b></a>
+                <ul class="dropdown-menu">
+                  <li><a href="/getting_involved/index.html">Contribute</a></li>
+                  <li><a href="/help_and_support/bugs_and_suggestions.html">Report a bug</a></li>
+                  <li class="divider"></li>
+                  <li class="dropdown-header">Project</li>
+                  <li><a href="/about_jena/about.html">About Jena</a></li>
+                  <li><a href="/about_jena/roadmap.html">Roadmap</a></li>
+                  <li><a href="/about_jena/architecture.html">Architecture</a></li>
+                  <li><a href="/about_jena/team.html">Project team</a></li>
+                  <li><a href="/about_jena/contributions.html">Related projects</a></li>
+                  <li class="divider"></li>
+                  <li class="dropdown-header">ASF</li>
+                  <li><a href="http://www.apache.org/">Apache Software Foundation</a></li>
+                  <li><a href="http://www.apache.org/licenses/LICENSE-2.0">License</a></li>
+                  <li><a href="http://www.apache.org/foundation/thanks.html">Thanks</a></li>
+                  <li><a href="http://www.apache.org/foundation/sponsorship.html">Become a Sponsor</a></li>
+                  <li><a href="http://www.apache.org/security/">Security</a></li>
+                </ul>
+              </li>
+
+              <li id="edit"><a href="javascript:improveThisPage(location.href);" title="Improve this Page (Use username anonymous and empty password)"><span class="glyphicon glyphicon-pencil"></span> Improve this Page</a></li>   
+    </ul>
+  </div>
+</div>
+</nav>
+
+
+<div class="container">
+    <div class="row">
+    <div class="col-md-12">
+    <div id="breadcrumbs"></div>
+    <h1 class="title">Jena Permissions - Design</h1>
+  <style type="text/css">
+/* The following code is added by mdx_elementid.py
+   It was originally lifted from http://subversion.apache.org/style/site.css */
+/*
+ * Hide class="elementid-permalink", except when an enclosing heading
+ * has the :hover property.
+ */
+.headerlink, .elementid-permalink {
+  visibility: hidden;
+}
+h2:hover > .headerlink, h3:hover > .headerlink, h1:hover > .headerlink, h6:hover > .headerlink, h4:hover > .headerlink, h5:hover > .headerlink, dt:hover > .elementid-permalink { visibility: visible }</style>
+<p>Jena-permissions is designed to allow integrators to implement almost any security policy.  Fundamentally it works by implementing dynamic proxies on top of the Jena Graph and Model interfaces as well as objects returned by those interfaces.  The proxy verifies that the actions on those objects are permitted by the policy before allowing the actions to proceed.</p>
+<p>The graph or model is created by the <code>org.apache.jena.permissions.Factory</code> object by wrapping a Graph or Model implementation and associating it with a URI (<code>graphIRI</code>) and a SecurityEvaluator implementation.  The <code>graphIRI</code> is the URI that will be used to identify the graph/model to the security evaluator.</p>
+<p>The SecurityEvaluator is an object implemented by the integrator to perform the necessary permission checks.  A discussion of the SecurityEvaluator implementation can be found in the <a href="evaluator.html">Security Evaluator</a> documentation.</p>
+<p>Access to methods in secured objects are determined by the CRUD (Create, Read, Update and Delete) permissions assigned to the user.</p>
+<p>The system is designed to allow shallow (graph/model level) or deep (triple/statement level) decisions.</p>
+<p>When a secured method is called the system performs the following checks in order:</p>
+<ul>
+<li>
+<p>Determines if the user has proper access to the underlying graph/model.  Generally the required permission is Update (for add or delete methods), or Read.</p>
+</li>
+<li>
+<p>If the user has access to the graph/model determine if the user has permission to execute the method against <strong>all</strong> triples/statements in the graph/model.  This is performed by calling <code>SecurityEvaluator.evaluate(principal, action, graphIRI, Triple.ANY)</code>.  If the evaluator returns <code>true</code> then the action is permitted.  This is general case for shallow permission systems.  For deep permissions systems <code>false</code> may be returned.</p>
+</li>
+<li>
+<p>if the user does not have permission to execute the method against <strong>all</strong> triples/statements the <code>SecurityEvaluator.evaluate(principal, action, graphIRI, triple)</code> method is called with the specific triple (note special cases below).  If the evaluator returns <code>true</code> the action is permitted, otherwise a properly detailed PermissionDeniedException is thrown.</p>
+</li>
+</ul>
+<h1 id="special-cases">Special Cases<a class="headerlink" href="#special-cases" title="Permanent link">&para;</a></h1>
+<h2 id="securityevaluatorfuture">SecurityEvaluator.FUTURE<a class="headerlink" href="#securityevaluatorfuture" title="Permanent link">&para;</a></h2>
+<p>There are a couple of special cases where the Node/Resource is not known when the permission check is made.  An example is the creation of a RDF List object.  For example to create an empty list the following triple/statement must be constructed:</p>
+<div class="codehilite"><pre><span class="n">_</span><span class="o">:</span><span class="n">b1</span> <span class="n">rdf</span><span class="o">:</span><span class="n">first</span> <span class="n">rdf</span><span class="o">:</span><span class="n">nil</span> <span class="o">.</span>
+</pre></div>
+
+
+<p>However, the permissions system can not know the value of <code>_:b1</code> until after the triple/statement is constructed and added to the graph/model.  To handle this situation the permissions system asks the evaluator to evaluate the triple: <code>(SecurityEvaluator.FUTURE, RDF.first, RDF.nill)</code>  Similar situations are found when adding to a list, creating reified statements, RDF alt objects, RDF sequences, or RDF anonymous resources of a specific type.</p>
+<h2 id="securityevaluatorvariable">SecurityEvaluator.VARIABLE<a class="headerlink" href="#securityevaluatorvariable" title="Permanent link">&para;</a></h2>
+<p>The <code>Node.ANY</code> node is used to identify the case where any node may be returned.  Specifically it asks can the user perform the action on <strong>All</strong> the nodes in this position in the triple.  For example:</p>
+<div class="codehilite"><pre> <span class="n">Node</span><span class="p">.</span><span class="n">ANY</span> <span class="n">RDF</span><span class="p">:</span><span class="n">type</span> <span class="n">FOAF</span><span class="p">:</span><span class="n">Person</span>
+</pre></div>
+
+
+<p>asks if the operation can be performed on all of the nodes of type FOAF:Person.</p>
+<p>The <code>SecurityEvaluator.VARIABLE</code> differs from <code>Node.ANY</code> in that the system is asking if there are any prohibitions not if the user may perform. Thus queries with the <code>VARIABLE</code> type node should return <code>true</code> where <code>ANY</code>
+returns <code>false</code>. In general this type is used in query evaluation to determine if triple level filtering of results must be performed.  Thus:</p>
+<div class="codehilite"><pre> <span class="n">SecurityEvaluator</span><span class="p">.</span><span class="n">VARIABLE</span> <span class="n">RDF</span><span class="p">:</span><span class="n">type</span> <span class="n">FOAF</span><span class="p">:</span><span class="n">Person</span>
+</pre></div>
+
+
+<p>asks if there are any restrictions against the user performing the action against all triples of type FOAF:Person.  The assumption is that checking for restrictions may be a faster check than checking for all access.  Note that by returning <code>true</code> the permissions system will check each explicit triple for access permissions.  So if the system can not determine if there are access restrictions it is safe to return <code>true</code>.</p>
+<h1 id="objects-returned-from-secured-objects">Objects Returned from Secured Objects<a class="headerlink" href="#objects-returned-from-secured-objects" title="Permanent link">&para;</a></h1>
+<p>Models and Graphs often return objects from methods.  For example the <code>model.createStatement()</code> returns a <code>Statement</code> object.  That object holds a reference to the model and performs operations against the model (for example <code>Statement.changeLiteralObject()</code>).  Since permissions provides a dynamic wrapper around the base model to create the secured model, returning the model <code>Statement</code> would return an object that no longer has any permissions applied.  Therefore the permissions system creates a <code>SecuredStatement</code> that applies permission checks to all operations before calling the base <code>Statement</code> methods.</p>
+<p>All secured objects return secured objects if those objects may read or alter the underlying graph/model.</p>
+<p>All secured objects are defined as interfaces and are returned as dynamic proxies.</p>
+<p>All secured objects have concrete implementations.  These implementations must remain concrete to ensure that we handle all cases where returned objects may alter the the underlying graph/model.</p>
+<h2 id="secured-listeners">Secured Listeners<a class="headerlink" href="#secured-listeners" title="Permanent link">&para;</a></h2>
+<p>Both the Graph and the Model interfaces provide a listener framework.  Listeners are attached to the graph/model and changes to the graph/model are reported to them.  In order to ensure that listeners do not leak information, the principal that was active when the listener was attached is preserved in a <code>CachedSecurityEvaluator</code> instance.  This security evaluator implementation, wraps the original implementation and retains the current user.  Thus when the listener performs the permission checks the original user is used not the current user.  This is why the SecurityEvaluator <strong>must</strong> use the <code>principal</code> parameters and not call <code>getPrinciapl()</code> directly during evaluation calls.</p>
+<h1 id="proxy-implementation">Proxy Implementation<a class="headerlink" href="#proxy-implementation" title="Permanent link">&para;</a></h1>
+<p>The proxy implementation is uses a reflection <code>InvocationHandler</code> strategy.  This strategy results in a proxy that implements all the interfaces of the original object.  The original object along with its <code>InvocationHandler</code> instance are kept together in an <code>ItemHolder</code> instance variable in the secured instance.  When the invoker is called it determines if the called method is on the secured interface or not.  If the method is on the secured interface the invocation handler method is called, otherwise the method on the base class is called.</p>
+  </div>
+</div>
+
+</div><!--/.container -->
+
+    <footer class="footer">
+      <div class="container">
+        <p>Copyright &copy; 2011&ndash;2015 The Apache Software Foundation, Licensed under
+        the <a href="http://www.apache.org/licenses/LICENSE-2.0">Apache License, Version 2.0</a>.
+        </p>
+        <p>
+        Apache Jena, Jena, the Apache Jena project logo,
+        Apache and the Apache feather logos are trademarks of The Apache Software Foundation.
+        </p>
+      </div>
+  </footer>
+      
+
+</body>
+</html>

Added: websites/staging/jena/trunk/content/documentation/permissions/evaluator.html
==============================================================================
--- websites/staging/jena/trunk/content/documentation/permissions/evaluator.html (added)
+++ websites/staging/jena/trunk/content/documentation/permissions/evaluator.html Sun Jul 26 10:53:56 2015
@@ -0,0 +1,360 @@
+<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
+<html>
+<head>
+<!--
+
+    Licensed to the Apache Software Foundation (ASF) under one or more
+    contributor license agreements.  See the NOTICE file distributed with
+    this work for additional information regarding copyright ownership.
+    The ASF licenses this file to You under the Apache License, Version 2.0
+    (the "License"); you may not use this file except in compliance with
+    the License.  You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE- 2.0
+
+    Unless required by applicable law or agreed to in writing, software
+    distributed under the License is distributed on an "AS IS" BASIS,
+    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+    See the License for the specific language governing permissions and
+    limitations under the License.
+-->
+
+  <title>Apache Jena - Jena Permissions - SecurityEvaluator implementation</title>
+  <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
+  <meta name="viewport" content="width=device-width, initial-scale=1.0">
+
+  <link href="/css/bootstrap.min.css" rel="stylesheet" media="screen">
+  <link href="/css/bootstrap-extension.css" rel="stylesheet" type="text/css">
+  <link href="/css/jena.css" rel="stylesheet" type="text/css">
+  <link rel="shortcut icon" href="/images/favicon.ico" />
+  
+  <script src="https://code.jquery.com/jquery-2.0.3.min.js"></script>
+  <script src="/js/jena-navigation.js" type="text/javascript"></script>
+  <script src="/js/bootstrap.min.js" type="text/javascript"></script>
+  <script src="/js/breadcrumbs.js" type="text/javascript"></script>
+
+  <script src="/js/improve.js" type="text/javascript"></script>
+
+  
+  <!-- Uncomment to enable code coloring <link href="/css/codehilite.css" rel="stylesheet" type="text/css"> -->
+
+</head>
+
+<body>
+
+
+
+<nav class="navbar navbar-default" role="navigation">
+<div class="container">
+  <div class="navbar-header">
+  
+    <button type="button" class="navbar-toggle" data-toggle="collapse" data-target=".navbar-ex1-collapse">
+      <span class="icon-bar"></span>
+      <span class="icon-bar"></span>
+      <span class="icon-bar"></span>
+    </button>
+    <a class="navbar-brand" href="/index.html">
+    <img class="logo-menu" src="/images/jena-logo/jena-logo-notext-small.png" alt="jena logo">Apache Jena</a>
+  </div>
+ 
+  <div class="collapse navbar-collapse navbar-ex1-collapse">
+    <ul class="nav navbar-nav">
+              <li id="homepage"><a href="/index.html"><span class="glyphicon glyphicon-home"></span> Home</a></li>
+              <li id="download"><a href="/download/index.cgi"><span class="glyphicon glyphicon-download-alt"></span> Download</a></li>
+              <li class="dropdown">
+                <a href="#" class="dropdown-toggle" data-toggle="dropdown"><span class="glyphicon glyphicon-book"></span> Learn <b class="caret"></b></a>
+                <ul class="dropdown-menu">
+                  <li class="dropdown-header">Tutorials</li>
+                  <li><a href="/tutorials/index.html">Overview</a></li>
+                  <li><a href="/tutorials/rdf_api.html">RDF core API tutorial</a></li>
+                  <li><a href="/tutorials/sparql.html">SPARQL tutorial</a></li>
+                  <li><a href="/documentation/query/manipulating_sparql_using_arq.html">Manipulating SPARQL using ARQ</a></li>
+                  <li><a href="/tutorials/using_jena_with_eclipse.html">Using Jena with Eclipse</a></li>
+                  <li><a href="/documentation/notes/index.html">How-To's</a></li>
+                  <li class="divider"></li>
+                  <li class="dropdown-header">References</li>
+                  <li><a href="/documentation/index.html">Overview</a></li>
+                  <li><a href="/documentation/javadoc/">Javadoc</a></li>
+                  <li><a href="/documentation/rdf/index.html">RDF API</a></li>
+                  <li><a href="/documentation/io/">RDF I/O</a></li>
+                  <li><a href="/documentation/query/index.html">ARQ (SPARQL)</a></li>
+                  <li><a href="/documentation/hadoop/index.html">Elephas - tools for RDF on Hadoop</a></li>
+                  <li><a href="/documentation/query/text-query.html">Text Search</a></li>
+                  <li><a href="/documentation/tdb/index.html">TDB</a></li>
+                  <li><a href="/documentation/sdb/index.html">SDB</a></li>
+                  <li><a href="/documentation/jdbc/index.html">SPARQL over JDBC</a></li>
+                  <li><a href="/documentation/fuseki2/index.html">Fuseki</a></li>
+                  <li><a href="/documentation/permissions/index.html">Permissions</a></li>
+                  <li><a href="/documentation/assembler/index.html">Assembler</a></li>
+                  <li><a href="/documentation/ontology/">Ontology API</a></li>
+                  <li><a href="/documentation/inference/index.html">Inference API</a></li>
+                  <li><a href="/documentation/tools/index.html">Command-line tools</a></li>
+                  <li><a href="/documentation/extras/index.html">Extras</a></li>
+                </ul>
+              </li>
+
+              <li class="drop down">
+                <a href="#" class="dropdown-toggle" data-toggle="dropdown"><span class="glyphicon glyphicon-book"></span> Javadoc <b class="caret"></b></a>
+                <ul class="dropdown-menu">
+                  <li><a href="/documentation/javadoc/jena/">Jena Core</a></li>
+                  <li><a href="/documentation/javadoc/arq/">ARQ</a></li>
+                  <li><a href="/documentation/javadoc/tdb/">TDB</a></li>
+                  <li><a href="/documentation/javadoc/elephas/">Elephas</a></li>
+                  <li><a href="/documentation/javadoc/text/">Text Search</a></li>
+                  <li><a href="/documentation/javadoc/spatial/">Spatial Search</a></li>
+                  <li><a href="/documentation/javadoc/security/">Security</a></li>
+                  <li><a href="/documentation/javadoc/jdbc/">JDBC</a></li>
+                  <li><a href="/documentation/javadoc/">All Javadoc</a></li>
+                </ul>
+              </li>
+
+              <li id="ask"><a href="/help_and_support/index.html"><span class="glyphicon glyphicon-question-sign"></span> Ask</a></li>
+              
+              <li class="dropdown">
+                <a href="#" class="dropdown-toggle" data-toggle="dropdown"><span class="glyphicon glyphicon-bullhorn"></span> Get involved <b class="caret"></b></a>
+                <ul class="dropdown-menu">
+                  <li><a href="/getting_involved/index.html">Contribute</a></li>
+                  <li><a href="/help_and_support/bugs_and_suggestions.html">Report a bug</a></li>
+                  <li class="divider"></li>
+                  <li class="dropdown-header">Project</li>
+                  <li><a href="/about_jena/about.html">About Jena</a></li>
+                  <li><a href="/about_jena/roadmap.html">Roadmap</a></li>
+                  <li><a href="/about_jena/architecture.html">Architecture</a></li>
+                  <li><a href="/about_jena/team.html">Project team</a></li>
+                  <li><a href="/about_jena/contributions.html">Related projects</a></li>
+                  <li class="divider"></li>
+                  <li class="dropdown-header">ASF</li>
+                  <li><a href="http://www.apache.org/">Apache Software Foundation</a></li>
+                  <li><a href="http://www.apache.org/licenses/LICENSE-2.0">License</a></li>
+                  <li><a href="http://www.apache.org/foundation/thanks.html">Thanks</a></li>
+                  <li><a href="http://www.apache.org/foundation/sponsorship.html">Become a Sponsor</a></li>
+                  <li><a href="http://www.apache.org/security/">Security</a></li>
+                </ul>
+              </li>
+
+              <li id="edit"><a href="javascript:improveThisPage(location.href);" title="Improve this Page (Use username anonymous and empty password)"><span class="glyphicon glyphicon-pencil"></span> Improve this Page</a></li>   
+    </ul>
+  </div>
+</div>
+</nav>
+
+
+<div class="container">
+    <div class="row">
+    <div class="col-md-12">
+    <div id="breadcrumbs"></div>
+    <h1 class="title">Jena Permissions - SecurityEvaluator implementation</h1>
+  <style type="text/css">
+/* The following code is added by mdx_elementid.py
+   It was originally lifted from http://subversion.apache.org/style/site.css */
+/*
+ * Hide class="elementid-permalink", except when an enclosing heading
+ * has the :hover property.
+ */
+.headerlink, .elementid-permalink {
+  visibility: hidden;
+}
+h2:hover > .headerlink, h3:hover > .headerlink, h1:hover > .headerlink, h6:hover > .headerlink, h4:hover > .headerlink, h5:hover > .headerlink, dt:hover > .elementid-permalink { visibility: visible }</style>
+<h2 id="overview">Overview<a class="headerlink" href="#overview" title="Permanent link">&para;</a></h2>
+<p>The SecurityEvaluator interface defines the access control operations. It provides the interface between the authentication (answers the question: "who are you?") and the authorization (answers the question: "what can you do?"), as such it provides access to the current principal (user).  The javadocs contain detailed requirements for implementations of the SecurityEvaluator interface, short notes are provided below.</p>
+<p><strong>NOTE</strong> The permissions system caches intermediate results and will only call the evaluator if the answer is not already in the cache.  There is little or advantage to implementing caching in the SecurityEvaluator itself.</p>
+<h3 id="actions">Actions<a class="headerlink" href="#actions" title="Permanent link">&para;</a></h3>
+<p>Principals may perform Create, Read, Update or Delete operations on secured resources.  These operations are defined in the <code>Action</code> enum in the SecurtyEvaluator interface.</p>
+<h3 id="node">Node<a class="headerlink" href="#node" title="Permanent link">&para;</a></h3>
+<p>The permission system uses the standard Node.ANY to represent a wild-card in a permission check and the standard <code>Triple.ANY</code> to represent a triple with wild-cards in each of the three positions: subject, predicate and object.</p>
+<p>The permission system introduces two (2) new node types <code>SecurityEvaluator.VARIABLE</code>, which represents a variable in a permissions query, and <code>SecurityEvaluator.FUTURE</code>, which represents an anonymous node that will be created in the future.</p>
+<h3 id="evaluator-methods">Evaluator Methods<a class="headerlink" href="#evaluator-methods" title="Permanent link">&para;</a></h3>
+<p>The SecurityEvaluator connects the Jena permissions system with the authentication system used by the application.  The SecurityEvaluator must be able to query the authentication system, or its proxy, to determine who the "current user" is.  In this context the "current user" is the one making the request.  In certain instances (specifically when using listeners on secured graphs and models) the "current user" may not be the user identified by the authentication system at the time of the query. </p>
+<p>The SecurityEvaluator must implement the following methods.  Any of these methods may throw an <code>AuthenticationRequriedException</code> if there is no authenticated user. </p>
+<p>Most of these methods have a <code>principal</code> parameter.  The value of that parameter is guaranteed to be a value returned from an earlier calls to getPrincipal().  The <code>principal</code> parameter, not the "current user" as identified by <code>getPrincipal()</code>, should be used for the permissions evaluation.</p>
+<p>None of these methods should throw any of the PermissionDeniedException based exceptions.  That is handled in a different layer.</p>
+<p>See the <a href="../javadoc/permissions/org/apache/jena/permissions/SecurityEvaluator.html">SecurityEvaluator javadocs</a> for detailed implementation notes. </p>
+<div class="codehilite"><pre><span class="n">public</span> <span class="n">boolean</span> <span class="n">evaluate</span><span class="p">(</span> <span class="n">Object</span> <span class="n">principal</span><span class="p">,</span> <span class="n">Action</span> <span class="n">action</span><span class="p">,</span> <span class="n">Node</span> <span class="n">graphIRI</span> <span class="p">)</span> <span class="n">throws</span> <span class="n">AuthenticationRequiredException</span><span class="p">;</span>
+</pre></div>
+
+
+<p>Determine if the action is permitted on the graph.  </p>
+<div class="codehilite"><pre><span class="n">public</span> <span class="n">boolean</span> <span class="n">evaluate</span><span class="p">(</span> <span class="n">Object</span> <span class="n">principal</span><span class="p">,</span> <span class="n">Action</span> <span class="n">action</span><span class="p">,</span> <span class="n">Node</span> <span class="n">graphIRI</span><span class="p">,</span> <span class="n">Triple</span> <span class="n">triple</span> <span class="p">)</span> <span class="n">throws</span> <span class="n">AuthenticationRequiredException</span><span class="p">;</span>
+</pre></div>
+
+
+<p>Determine if the action is allowed on the triple within the graph.</p>
+<div class="codehilite"><pre><span class="n">public</span> <span class="n">boolean</span> <span class="n">evaluate</span><span class="p">(</span> <span class="n">Object</span> <span class="n">principal</span><span class="p">,</span> <span class="n">Set</span><span class="o">&lt;</span><span class="n">Action</span><span class="o">&gt;</span> <span class="n">actions</span><span class="p">,</span> <span class="n">Node</span> <span class="n">graphIRI</span> <span class="p">)</span><span class="n">throws</span> <span class="n">AuthenticationRequiredException</span><span class="p">;</span>
+</pre></div>
+
+
+<p>Determine if all actions are allowed on the graph.</p>
+<div class="codehilite"><pre><span class="n">public</span> <span class="n">boolean</span> <span class="n">evaluate</span><span class="p">(</span> <span class="n">Object</span> <span class="n">principal</span><span class="p">,</span> <span class="n">Set</span><span class="o">&lt;</span><span class="n">Action</span><span class="o">&gt;</span> <span class="n">actions</span><span class="p">,</span> <span class="n">Node</span> <span class="n">graphIRI</span><span class="p">,</span> <span class="n">Triple</span> <span class="n">triple</span> <span class="p">)</span> <span class="n">throws</span> <span class="n">AuthenticationRequiredException</span><span class="p">;</span>
+</pre></div>
+
+
+<p>Determine if all the actions are allowed on the triple within the graph.            </p>
+<div class="codehilite"><pre><span class="n">public</span> <span class="n">boolean</span> <span class="n">evaluateAny</span><span class="p">(</span> <span class="n">Object</span> <span class="n">principal</span><span class="p">,</span> <span class="n">Set</span><span class="o">&lt;</span><span class="n">Action</span><span class="o">&gt;</span> <span class="n">actions</span><span class="p">,</span> <span class="n">Node</span> <span class="n">graphIRI</span> <span class="p">)</span> <span class="n">throws</span> <span class="n">AuthenticationRequiredException</span><span class="p">;</span>
+</pre></div>
+
+
+<p>Determine if any of the actions are allowed on the graph.</p>
+<div class="codehilite"><pre><span class="n">public</span> <span class="n">boolean</span> <span class="n">evaluateAny</span><span class="p">(</span> <span class="n">Object</span> <span class="n">principal</span><span class="p">,</span> <span class="n">Set</span><span class="o">&lt;</span><span class="n">Action</span><span class="o">&gt;</span> <span class="n">actions</span><span class="p">,</span> <span class="n">Node</span> <span class="n">graphIRI</span><span class="p">,</span> <span class="n">Triple</span> <span class="n">triple</span> <span class="p">)</span> <span class="n">throws</span> <span class="n">AuthenticationRequiredException</span><span class="p">;</span>
+</pre></div>
+
+
+<p>Determine if any of the actions are allowed on the triple within the graph.</p>
+<div class="codehilite"><pre><span class="n">public</span> <span class="n">boolean</span> <span class="n">evaluateUpdate</span><span class="p">(</span> <span class="n">Object</span> <span class="n">principal</span><span class="p">,</span> <span class="n">Node</span> <span class="n">graphIRI</span><span class="p">,</span> <span class="n">Triple</span> <span class="n">from</span><span class="p">,</span> <span class="n">Triple</span> <span class="n">to</span> <span class="p">)</span> <span class="n">throws</span> <span class="n">AuthenticationRequiredException</span><span class="p">;</span>
+</pre></div>
+
+
+<p>Determine if the user is allowed to update the "from" triple to the "to" triple.            </p>
+<div class="codehilite"><pre><span class="n">public</span> <span class="n">Object</span> <span class="n">getPrincipal</span><span class="p">()</span> <span class="n">throws</span> <span class="n">AuthenticationRequiredException</span><span class="p">;</span>
+</pre></div>
+
+
+<p>Returns the current principal or null if there is no current principal.    </p>
+<h2 id="sample-implementation">Sample Implementation<a class="headerlink" href="#sample-implementation" title="Permanent link">&para;</a></h2>
+<p>This sample is for a graph that contains a set of messages, access to the messages are limited to 
+principals that the messages are to or from.  Any triple that is not a message is not affected. This 
+implementation simply has a <code>setPrincipal(String name)</code> method.  A real implementation would request the  user principal or name from the authentication system.  This implementation also requires access to the underlying model to determine if the user has access, however, that is not a requirement of the SecurityEvaluator in general. Determining access from the information provided is an exercise for the implementer. </p>
+<p>Note that this implementation does not vary based on the graph being evaluated (graphIRI).  The <code>graphIRI</code> parameter is provided for implementations where such variance is desired. </p>
+<p>See the example jar for another implementation example.</p>
+<!-- language: lang-java -->
+
+<div class="codehilite"><pre><span class="n">public</span> <span class="n">class</span> <span class="n">ExampleEvaluator</span> <span class="n">implements</span> <span class="n">SecurityEvaluator</span> <span class="p">{</span>
+
+    <span class="n">private</span> <span class="n">Principal</span> <span class="n">principal</span><span class="p">;</span>
+    <span class="n">private</span> <span class="n">Model</span> <span class="n">model</span><span class="p">;</span>
+    <span class="n">private</span> <span class="n">RDFNode</span> <span class="n">msgType</span> <span class="p">=</span> <span class="n">ResourceFactory</span><span class="p">.</span><span class="n">createResource</span><span class="p">(</span> &quot;<span class="n">http</span><span class="p">:</span><span class="o">//</span><span class="n">example</span><span class="p">.</span><span class="n">com</span><span class="o">/</span><span class="n">msg</span>&quot; <span class="p">);</span>
+    <span class="n">private</span> <span class="n">Property</span> <span class="n">pTo</span> <span class="p">=</span> <span class="n">ResourceFactory</span><span class="p">.</span><span class="n">createProperty</span><span class="p">(</span> &quot;<span class="n">http</span><span class="p">:</span><span class="o">//</span><span class="n">example</span><span class="p">.</span><span class="n">com</span><span class="o">/</span><span class="n">to</span>&quot; <span class="p">);</span>
+    <span class="n">private</span> <span class="n">Property</span> <span class="n">pFrom</span> <span class="p">=</span> <span class="n">ResourceFactory</span><span class="p">.</span><span class="n">createProperty</span><span class="p">(</span> &quot;<span class="n">http</span><span class="p">:</span><span class="o">//</span><span class="n">example</span><span class="p">.</span><span class="n">com</span><span class="o">/</span><span class="n">from</span>&quot; <span class="p">);</span>
+
+    <span class="o">/**</span>
+     <span class="o">*</span> 
+     <span class="o">*</span> <span class="p">@</span><span class="n">param</span> <span class="n">model</span> <span class="n">The</span> <span class="n">graph</span> <span class="n">we</span> <span class="n">are</span> <span class="n">going</span> <span class="n">to</span> <span class="n">evaluate</span> <span class="n">against</span><span class="p">.</span>
+     <span class="o">*/</span>
+    <span class="n">public</span> <span class="n">ExampleEvaluator</span><span class="p">(</span> <span class="n">Model</span> <span class="n">model</span> <span class="p">)</span>
+    <span class="p">{</span>
+        <span class="n">this</span><span class="p">.</span><span class="n">model</span> <span class="p">=</span> <span class="n">model</span><span class="p">;</span>
+    <span class="p">}</span>
+
+    <span class="p">@</span><span class="n">Override</span>
+    <span class="n">public</span> <span class="n">boolean</span> <span class="n">evaluate</span><span class="p">(</span><span class="n">Object</span> <span class="n">principal</span><span class="p">,</span> <span class="n">Action</span> <span class="n">action</span><span class="p">,</span> <span class="n">Node</span> <span class="n">graphIRI</span><span class="p">)</span> <span class="p">{</span>
+        <span class="o">//</span> <span class="n">we</span> <span class="n">allow</span> <span class="n">any</span> <span class="n">action</span> <span class="n">on</span> <span class="n">a</span> <span class="n">graph</span><span class="p">.</span>
+        <span class="k">return</span> <span class="n">true</span><span class="p">;</span>
+    <span class="p">}</span>
+
+    <span class="o">//</span> <span class="n">not</span> <span class="n">that</span> <span class="n">in</span> <span class="n">this</span> <span class="n">implementation</span> <span class="n">all</span> <span class="n">permission</span> <span class="n">checks</span> <span class="n">flow</span> <span class="n">through</span> 
+    <span class="o">//</span> <span class="n">this</span> <span class="n">method</span><span class="p">.</span>  <span class="n">We</span> <span class="n">can</span> <span class="n">do</span> <span class="n">this</span> <span class="n">because</span> <span class="n">we</span> <span class="n">have</span> <span class="n">a</span> <span class="n">simple</span> <span class="n">permissions</span> 
+    <span class="o">//</span> <span class="n">requirement</span><span class="p">.</span>  <span class="n">A</span> <span class="n">more</span> <span class="nb">complex</span> <span class="n">set</span> <span class="n">of</span> <span class="n">permissions</span> <span class="n">requirement</span> <span class="n">would</span> 
+    <span class="o">//</span> <span class="n">require</span> <span class="n">a</span> <span class="n">different</span> <span class="n">strategy</span><span class="p">.</span>
+    <span class="n">private</span> <span class="n">boolean</span> <span class="n">evaluate</span><span class="p">(</span> <span class="n">Object</span> <span class="n">principalObj</span><span class="p">,</span> <span class="n">Resource</span> <span class="n">r</span> <span class="p">)</span>
+    <span class="p">{</span>
+        <span class="n">Principal</span> <span class="n">principal</span> <span class="p">=</span> <span class="p">(</span><span class="n">Principal</span><span class="p">)</span><span class="n">principalObj</span><span class="p">;</span>
+        <span class="o">//</span> <span class="n">we</span> <span class="n">do</span> <span class="n">not</span> <span class="n">allow</span> <span class="n">anonymous</span> <span class="p">(</span><span class="n">un</span><span class="o">-</span><span class="n">authenticated</span><span class="p">)</span> <span class="n">reads</span> <span class="n">of</span> <span class="n">data</span><span class="p">.</span>
+        <span class="o">//</span> <span class="n">Another</span> <span class="n">strategy</span> <span class="n">would</span> <span class="n">be</span> <span class="n">to</span> <span class="n">only</span> <span class="n">require</span> <span class="n">authentication</span> <span class="k">if</span> <span class="n">the</span>
+        <span class="o">//</span> <span class="n">data</span> <span class="n">being</span> <span class="n">requested</span> <span class="n">was</span> <span class="n">restricted</span> <span class="o">--</span> <span class="n">but</span> <span class="n">that</span> <span class="n">is</span> <span class="n">a</span> <span class="n">more</span> <span class="nb">complex</span>
+        <span class="o">//</span> <span class="n">process</span> <span class="n">and</span> <span class="n">not</span> <span class="n">suitable</span> <span class="k">for</span> <span class="n">this</span> <span class="n">simple</span> <span class="n">example</span><span class="p">.</span>
+        <span class="k">if</span> <span class="p">(</span><span class="n">principal</span> <span class="o">==</span> <span class="n">null</span><span class="p">)</span>
+        <span class="p">{</span>
+            <span class="n">throw</span> <span class="n">new</span> <span class="n">AuthenticationRequiredException</span><span class="p">();</span>
+        <span class="p">}</span>
+
+        <span class="o">//</span> <span class="n">a</span> <span class="n">message</span> <span class="n">is</span> <span class="n">only</span> <span class="n">available</span> <span class="n">to</span> <span class="n">sender</span> <span class="n">or</span> <span class="n">recipient</span>
+        <span class="k">if</span> <span class="p">(</span><span class="n">r</span><span class="p">.</span><span class="n">hasProperty</span><span class="p">(</span> <span class="n">RDF</span><span class="p">.</span><span class="n">type</span><span class="p">,</span> <span class="n">msgType</span> <span class="p">))</span>
+        <span class="p">{</span>
+            <span class="k">return</span> <span class="n">r</span><span class="p">.</span><span class="n">hasProperty</span><span class="p">(</span> <span class="n">pTo</span><span class="p">,</span> <span class="n">principal</span><span class="p">.</span><span class="n">getName</span><span class="p">()</span> <span class="p">)</span> <span class="o">||</span>
+                    <span class="n">r</span><span class="p">.</span><span class="n">hasProperty</span><span class="p">(</span> <span class="n">pFrom</span><span class="p">,</span> <span class="n">principal</span><span class="p">.</span><span class="n">getName</span><span class="p">());</span>
+        <span class="p">}</span>
+        <span class="k">return</span> <span class="n">true</span><span class="p">;</span>    
+    <span class="p">}</span>
+
+    <span class="o">//</span> <span class="n">evaluate</span> <span class="n">a</span> <span class="n">node</span><span class="p">.</span>
+    <span class="n">private</span> <span class="n">boolean</span> <span class="n">evaluate</span><span class="p">(</span> <span class="n">Object</span> <span class="n">principal</span><span class="p">,</span> <span class="n">Node</span> <span class="n">node</span> <span class="p">)</span>
+    <span class="p">{</span>
+        <span class="k">if</span> <span class="p">(</span><span class="n">node</span><span class="p">.</span><span class="n">equals</span><span class="p">(</span> <span class="n">Node</span><span class="p">.</span><span class="n">ANY</span> <span class="p">))</span> <span class="p">{</span>
+            <span class="o">//</span> <span class="n">all</span> <span class="n">wildcards</span> <span class="n">are</span> <span class="n">false</span><span class="p">.</span>  <span class="n">This</span> <span class="n">forces</span> <span class="n">each</span> <span class="n">triple</span>
+            <span class="o">//</span> <span class="n">to</span> <span class="n">be</span> <span class="n">explicitly</span> <span class="n">checked</span><span class="p">.</span>
+            <span class="k">return</span> <span class="n">false</span><span class="p">;</span>  
+        <span class="p">}</span>
+
+        <span class="o">//</span> <span class="k">if</span> <span class="n">the</span> <span class="n">node</span> <span class="n">is</span> <span class="n">a</span> <span class="n">URI</span> <span class="n">or</span> <span class="n">a</span> <span class="n">blank</span> <span class="n">node</span> <span class="n">evaluate</span> <span class="n">it</span> <span class="n">as</span> <span class="n">a</span> <span class="n">resource</span><span class="p">.</span>
+        <span class="k">if</span> <span class="p">(</span><span class="n">node</span><span class="p">.</span><span class="n">isURI</span><span class="p">()</span> <span class="o">||</span> <span class="n">node</span><span class="p">.</span><span class="n">isBlank</span><span class="p">())</span> <span class="p">{</span>
+             <span class="n">Resource</span> <span class="n">r</span> <span class="p">=</span> <span class="n">model</span><span class="p">.</span><span class="n">getRDFNode</span><span class="p">(</span> <span class="n">node</span> <span class="p">).</span><span class="n">asResource</span><span class="p">();</span>
+             <span class="k">return</span> <span class="n">evaluate</span><span class="p">(</span> <span class="n">principal</span><span class="p">,</span> <span class="n">r</span> <span class="p">);</span>
+         <span class="p">}</span>
+
+        <span class="k">return</span> <span class="n">true</span><span class="p">;</span>
+    <span class="p">}</span>
+
+    <span class="o">//</span> <span class="n">evaluate</span> <span class="n">the</span> <span class="n">triple</span> <span class="n">by</span> <span class="n">evaluating</span> <span class="n">the</span> <span class="n">subject</span><span class="p">,</span> <span class="n">predicate</span> <span class="n">and</span> <span class="n">object</span><span class="p">.</span>
+    <span class="n">private</span> <span class="n">boolean</span> <span class="n">evaluate</span><span class="p">(</span> <span class="n">Object</span> <span class="n">principal</span><span class="p">,</span> <span class="n">Triple</span> <span class="n">triple</span> <span class="p">)</span> <span class="p">{</span>
+        <span class="k">return</span> <span class="n">evaluate</span><span class="p">(</span> <span class="n">principal</span><span class="p">,</span> <span class="n">triple</span><span class="p">.</span><span class="n">getSubject</span><span class="p">())</span> <span class="o">&amp;&amp;</span>
+                <span class="n">evaluate</span><span class="p">(</span> <span class="n">principal</span><span class="p">,</span> <span class="n">triple</span><span class="p">.</span><span class="n">getObject</span><span class="p">())</span> <span class="o">&amp;&amp;</span>
+                <span class="n">evaluate</span><span class="p">(</span> <span class="n">principal</span><span class="p">,</span> <span class="n">triple</span><span class="p">.</span><span class="n">getPredicate</span><span class="p">());</span>
+    <span class="p">}</span>
+
+    <span class="p">@</span><span class="n">Override</span>
+    <span class="n">public</span> <span class="n">boolean</span> <span class="n">evaluate</span><span class="p">(</span><span class="n">Object</span> <span class="n">principal</span><span class="p">,</span> <span class="n">Action</span> <span class="n">action</span><span class="p">,</span> <span class="n">Node</span> <span class="n">graphIRI</span><span class="p">,</span> <span class="n">Triple</span> <span class="n">triple</span><span class="p">)</span> <span class="p">{</span>
+        <span class="k">return</span> <span class="n">evaluate</span><span class="p">(</span> <span class="n">principal</span><span class="p">,</span> <span class="n">triple</span> <span class="p">);</span>
+    <span class="p">}</span>
+
+    <span class="p">@</span><span class="n">Override</span>
+    <span class="n">public</span> <span class="n">boolean</span> <span class="n">evaluate</span><span class="p">(</span><span class="n">Object</span> <span class="n">principal</span><span class="p">,</span> <span class="n">Set</span><span class="o">&lt;</span><span class="n">Action</span><span class="o">&gt;</span> <span class="n">actions</span><span class="p">,</span> <span class="n">Node</span> <span class="n">graphIRI</span><span class="p">)</span> <span class="p">{</span>
+        <span class="k">return</span> <span class="n">true</span><span class="p">;</span>
+    <span class="p">}</span>
+
+    <span class="p">@</span><span class="n">Override</span>
+    <span class="n">public</span> <span class="n">boolean</span> <span class="n">evaluate</span><span class="p">(</span><span class="n">Object</span> <span class="n">principal</span><span class="p">,</span> <span class="n">Set</span><span class="o">&lt;</span><span class="n">Action</span><span class="o">&gt;</span> <span class="n">actions</span><span class="p">,</span> <span class="n">Node</span> <span class="n">graphIRI</span><span class="p">,</span>
+            <span class="n">Triple</span> <span class="n">triple</span><span class="p">)</span> <span class="p">{</span>
+        <span class="k">return</span> <span class="n">evaluate</span><span class="p">(</span> <span class="n">principal</span><span class="p">,</span> <span class="n">triple</span> <span class="p">);</span>
+    <span class="p">}</span>
+
+    <span class="p">@</span><span class="n">Override</span>
+    <span class="n">public</span> <span class="n">boolean</span> <span class="n">evaluateAny</span><span class="p">(</span><span class="n">Object</span> <span class="n">principal</span><span class="p">,</span> <span class="n">Set</span><span class="o">&lt;</span><span class="n">Action</span><span class="o">&gt;</span> <span class="n">actions</span><span class="p">,</span> <span class="n">Node</span> <span class="n">graphIRI</span><span class="p">)</span> <span class="p">{</span>
+        <span class="k">return</span> <span class="n">true</span><span class="p">;</span>
+    <span class="p">}</span>
+
+    <span class="p">@</span><span class="n">Override</span>
+    <span class="n">public</span> <span class="n">boolean</span> <span class="n">evaluateAny</span><span class="p">(</span><span class="n">Object</span> <span class="n">principal</span><span class="p">,</span> <span class="n">Set</span><span class="o">&lt;</span><span class="n">Action</span><span class="o">&gt;</span> <span class="n">actions</span><span class="p">,</span> <span class="n">Node</span> <span class="n">graphIRI</span><span class="p">,</span>
+            <span class="n">Triple</span> <span class="n">triple</span><span class="p">)</span> <span class="p">{</span>
+        <span class="k">return</span> <span class="n">evaluate</span><span class="p">(</span> <span class="n">principal</span><span class="p">,</span> <span class="n">triple</span> <span class="p">);</span>
+    <span class="p">}</span>
+
+    <span class="p">@</span><span class="n">Override</span>
+    <span class="n">public</span> <span class="n">boolean</span> <span class="n">evaluateUpdate</span><span class="p">(</span><span class="n">Object</span> <span class="n">principal</span><span class="p">,</span> <span class="n">Node</span> <span class="n">graphIRI</span><span class="p">,</span> <span class="n">Triple</span> <span class="n">from</span><span class="p">,</span> <span class="n">Triple</span> <span class="n">to</span><span class="p">)</span> <span class="p">{</span>
+        <span class="k">return</span> <span class="n">evaluate</span><span class="p">(</span> <span class="n">principal</span><span class="p">,</span> <span class="n">from</span> <span class="p">)</span> <span class="o">&amp;&amp;</span> <span class="n">evaluate</span><span class="p">(</span> <span class="n">principal</span><span class="p">,</span> <span class="n">to</span> <span class="p">);</span>
+    <span class="p">}</span>
+
+    <span class="n">public</span> <span class="n">void</span> <span class="n">setPrincipal</span><span class="p">(</span> <span class="n">String</span> <span class="n">userName</span> <span class="p">)</span>
+    <span class="p">{</span>
+        <span class="k">if</span> <span class="p">(</span><span class="n">userName</span> <span class="o">==</span> <span class="n">null</span><span class="p">)</span>
+        <span class="p">{</span>
+            <span class="n">principal</span> <span class="p">=</span> <span class="n">null</span><span class="p">;</span>
+        <span class="p">}</span>
+        <span class="n">principal</span> <span class="p">=</span> <span class="n">new</span> <span class="n">BasicUserPrincipal</span><span class="p">(</span> <span class="n">userName</span> <span class="p">);</span>
+    <span class="p">}</span>
+
+    <span class="p">@</span><span class="n">Override</span>
+    <span class="n">public</span> <span class="n">Principal</span> <span class="n">getPrincipal</span><span class="p">()</span> <span class="p">{</span>
+        <span class="k">return</span> <span class="n">principal</span><span class="p">;</span>
+    <span class="p">}</span>
+
+<span class="p">}</span>
+</pre></div>
+  </div>
+</div>
+
+</div><!--/.container -->
+
+    <footer class="footer">
+      <div class="container">
+        <p>Copyright &copy; 2011&ndash;2015 The Apache Software Foundation, Licensed under
+        the <a href="http://www.apache.org/licenses/LICENSE-2.0">Apache License, Version 2.0</a>.
+        </p>
+        <p>
+        Apache Jena, Jena, the Apache Jena project logo,
+        Apache and the Apache feather logos are trademarks of The Apache Software Foundation.
+        </p>
+      </div>
+  </footer>
+      
+
+</body>
+</html>