Bischof, Stefan
2016-05-17 13:07:10 UTC
Hi all,
I want to expose a SPARQL endpoint but only encrypted and authenticated. Encryption is currently handled by Apache httpd as a reverse proxy.
Authentication works only partly: I adapted shiro.ini as indicated by the comments (see below - username and pw changed of course).
1. Authentication works perfectly when I run SPARQL queries from the Fuseki web frontend:
https://host:port/dataset.html?tab=query&ds=%2Fds&query=%0A%0ASELECT+%3Fsubject+%3Fpredicate+%3Fobject%0AWHERE+%7B%0A++%3Fsubject+%3Fpredicate+%3Fobject%0A%7D%0ALIMIT+25
2. Authentication is bypassed when I run SPARQL queries directly against the SPARQL endpoint exposed by Fuseki:
https://host:port/ds/query?query=%0A%0ASELECT+%3Fsubject+%3Fpredicate+%3Fobject%0AWHERE+%7B%0A++%3Fsubject+%3Fpredicate+%3Fobject%0A%7D%0ALIMIT+25
This leaves the triple store totally open if someone knows the URL of the SPARQL endpoint. Is this the intended behaviour?
Is there any other documentation apart from the config file and https://jena.apache.org/documentation/fuseki2/fuseki-security.html?
How can I enable authentication via shiro.ini for the SPARQL endpoint?
Or is Apache httpd authentication the best way to go?
Thanks!
Stefan
[main]
# Development
ssl.enabled = false
plainMatcher=org.apache.shiro.authc.credential.SimpleCredentialsMatcher
#iniRealm=org.apache.shiro.realm.text.IniRealm
iniRealm.credentialsMatcher = $plainMatcher
localhostFilter=org.apache.jena.fuseki.authz.LocalhostFilter
[users]
# Implicitly adds "iniRealm = org.apache.shiro.realm.text.IniRealm"
#admin=pw
secretuser=secretpassword
[roles]
[urls]
## Control functions open to anyone
/$/status = anon
/$/ping = anon
## and the rest are restricted to localhost.
#/$/** = localhostFilter
## If you want simple, basic authentication user/password
## on the operations,
## 1 - set a better password in [users] above.
## 2 - comment out the "/$/** = localhost" line and use:
/$/** = authcBasic,user[admin]"
## or to allow any access.
##/$/** = anon
# Everything else
/**=anon
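Shiro evaluates the [urls] section top to bottom, and the first pattern that matches a request path decides its filter chain. The sketch below is an added example, not part of the original post and not Fuseki or Shiro code; it applies that rule, with simplified Ant-style matching, to the [urls] lines posted above to show which rule each request path resolves to. The request paths are sample values, and /$/datasets is assumed as a representative admin path.

```python
import re

# Active and commented [urls] lines copied verbatim from the post, in file order.
POSTED_URLS = """\
/$/status = anon
/$/ping = anon
#/$/** = localhostFilter
/$/** = authcBasic,user[admin]"
/**=anon
"""

def parse_urls(text):
    """Return [(pattern, chain)] in file order, skipping comments and blanks."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            pattern, _, chain = line.partition("=")
            rules.append((pattern.strip(), chain.strip()))
    return rules

def ant_to_regex(pattern):
    """Simplified Ant-style matching: '**' crosses '/', '*' and '?' do not."""
    table = {"**": ".*", "*": "[^/]*", "?": "[^/]"}
    parts = re.split(r"(\*\*|\*|\?)", pattern)
    return re.compile("".join(table.get(p, re.escape(p)) for p in parts) + r"\Z")

def resolve(rules, path):
    """First matching pattern wins; (None, None) means no Shiro filter applies."""
    for pattern, chain in rules:
        if ant_to_regex(pattern).match(path):
            return pattern, chain
    return None, None

def unauthenticated(rules, paths):
    """Paths whose winning chain contains no authc* filter."""
    return [p for p in paths if "authc" not in (resolve(rules, p)[1] or "")]

if __name__ == "__main__":
    rules = parse_urls(POSTED_URLS)
    # Sample request paths (constructed); /$/datasets is an assumed admin path.
    for path in ["/$/ping", "/$/datasets", "/dataset.html", "/ds/query"]:
        print(f"{path:15} -> {resolve(rules, path)}")
    print("no authentication required:", unauthenticated(rules, ["/$/datasets", "/ds/query"]))
```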