Discussion:
Fuseki 2 Shiro Authentication not working properly
Bischof, Stefan
2016-05-17 13:07:10 UTC
Hi all,

I want to expose a SPARQL endpoint but only encrypted and authenticated. Encryption is currently handled by Apache httpd as a reverse proxy.

Authentication works only partly: I adapted shiro.ini as indicated by the comments (see below - username and pw changed of course).


1. Authentication works perfectly when I run SPARQL queries from the Fuseki web frontend:
https://host:port/dataset.html?tab=query&ds=%2Fds&query=%0A%0ASELECT+%3Fsubject+%3Fpredicate+%3Fobject%0AWHERE+%7B%0A++%3Fsubject+%3Fpredicate+%3Fobject%0A%7D%0ALIMIT+25

2. Authentication is bypassed when I run SPARQL queries directly against the SPARQL endpoint exposed by fuseki:
https://host:port/ds/query?query=%0A%0ASELECT+%3Fsubject+%3Fpredicate+%3Fobject%0AWHERE+%7B%0A++%3Fsubject+%3Fpredicate+%3Fobject%0A%7D%0ALIMIT+25

This leaves the triple store totally open if someone knows the URL of the SPARQL endpoint. Is this the intended behaviour?

Is there any other documentation apart from the config file and https://jena.apache.org/documentation/fuseki2/fuseki-security.html?

How can I enable authentication via shiro.ini for the SPARQL endpoint?

Or is Apache httpd authentication the best way to go?

Thanks!
Stefan

[main]
# Development
ssl.enabled = false

plainMatcher=org.apache.shiro.authc.credential.SimpleCredentialsMatcher
#iniRealm=org.apache.shiro.realm.text.IniRealm
iniRealm.credentialsMatcher = $plainMatcher

localhostFilter=org.apache.jena.fuseki.authz.LocalhostFilter

[users]
# Implicitly adds "iniRealm = org.apache.shiro.realm.text.IniRealm"
#admin=pw
secretuser=secretpassword

[roles]

[urls]
## Control functions open to anyone
/$/status = anon
/$/ping = anon

## and the rest are restricted to localhost.
#/$/** = localhostFilter

## If you want simple, basic authentication user/password
## on the operations,
## 1 - set a better password in [users] above.
## 2 - comment out the "/$/** = localhost" line and use:
/$/** = authcBasic,user[admin]

## or to allow any access.
##/$/** = anon

# Everything else
/**=anon
Andy Seaborne
2016-05-17 13:26:46 UTC
Post by Bischof, Stefan
Hi all,
I want to expose a SPARQL endpoint but only encrypted and authenticated. Encryption is currently handled by Apache httpd as a reverse proxy.
The normal way to use a reverse proxy is to force all traffic to go via
the proxy, and stop direct.

Block port 3030 to the outside world so that only the local machine can
talk to it.

(I was going to say "use AJP13" but apparently that is no longer
recommended for jetty).

You can start Fuseki to only respond to the local host network as well.
Post by Bischof, Stefan
Authentication works only partly: I adapted shiro.ini as indicated by the comments (see below - username and pw changed of course).
The comments are about exposing the UI to user/password ...
Post by Bischof, Stefan
https://host:port/dataset.html?tab=query&ds=%2Fds&query=%0A%0ASELECT+%3Fsubject+%3Fpredicate+%3Fobject%0AWHERE+%7B%0A++%3Fsubject+%3Fpredicate+%3Fobject%0A%7D%0ALIMIT+25
https://host:port/ds/query?query=%0A%0ASELECT+%3Fsubject+%3Fpredicate+%3Fobject%0AWHERE+%7B%0A++%3Fsubject+%3Fpredicate+%3Fobject%0A%7D%0ALIMIT+25
Put a rule for "/ds/query" in the [urls] section.

As you have it, it falls to "/**=anon"
Post by Bischof, Stefan
This leaves the triple store totally open if someone knows the URL of the SPARQL endpoint. Is this the intended behaviour?
Is there any other documentation apart from the config file and https://jena.apache.org/documentation/fuseki2/fuseki-security.html?
The Apache Shiro documentation.
Post by Bischof, Stefan
How can I enable authentication via shiro.ini for the SPARQL endpoint?
Or is Apache httpd authentication the best way to go?
If you are putting a reverse proxy in anyway, then it certainly is a
good option to consider. httpd has more choices.

Andy
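Putting Andy's advice into a complete shiro.ini, as an added example that is not from the thread or from the Fuseki distribution. The dataset name /ds and the user secretuser come from Stefan's posted config; the ordering comments rely on Shiro evaluating [urls] entries top to bottom and applying the first pattern that matches.

```ini
[main]
# Development
ssl.enabled = false

plainMatcher=org.apache.shiro.authc.credential.SimpleCredentialsMatcher
iniRealm.credentialsMatcher = $plainMatcher

localhostFilter=org.apache.jena.fuseki.authz.LocalhostFilter

[users]
# Implicitly adds "iniRealm = org.apache.shiro.realm.text.IniRealm"
# Placeholder credentials taken from the posted config; use a real password.
secretuser=secretpassword

[roles]

[urls]
## Control functions open to anyone
/$/status = anon
/$/ping = anon

## Admin operations: HTTP Basic auth against [users]
/$/** = authcBasic

## The dataset itself. Shiro uses the FIRST matching pattern, so these
## lines must sit above the /** catch-all or they are never reached.
## /ds/query is only one of the services a dataset registers (update,
## data, upload and the bare dataset URL are others), so cover the whole
## subtree rather than the single query path.
/ds = authcBasic
/ds/** = authcBasic

## Everything else (UI pages, static files). Because this is now last,
## it no longer swallows /ds/query.
/** = anon
```

After restarting Fuseki, an unauthenticated request to https://host:port/ds/query should answer 401 rather than returning results; checking that from outside the reverse proxy is the quickest confirmation that the rule ordering is right.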