Re: WebIDRealm

From: Henry Story <henry.story@bblfish.net>
Date: Mon, 2 Jan 2012 14:40:40 +0100
Cc: "public-xg-webid@w3.org XG" <public-xg-webid@w3.org>
Message-Id: <3EAF5664-BBA3-4C10-AAB7-B90979AFC942@bblfish.net>
To: Jürgen Jakobitsch <j.jakobitsch@semantic-web.at>

On 2 Jan 2012, at 14:14, Jürgen Jakobitsch wrote:

> the URL of the WebIDTestServer is
> 
> ==>  http://webid.turnguard.com/WebIDTestServer
> 
> you'll find all relevant links there (in the menu)
> 
> wkr http://www.turnguard.com/turnguard

great! That works :-)

I really like the background picture, and the site looks very nice. It is starting to have the feel of a fun site.
It's nice that it shows my picture! That makes me feel like you recognised me, and we have a real contact going. (You are currently only using my last name)

And yes, logout in Firefox also works! nice.

And I see that you use the pattern of having part of the web site behind http and other parts behind https, to avoid the certificate request from the client on initiation.

One minus point, which I think you are aware of, is that it shows my WebID visibly.
 
   It should show my CN taken from the X509 DN, or the name taken from the foaf at the top, so that we can silence the people who confuse URIs with labels, i.e. people who keep arguing that <a href="http://bblfish.net/people/henry/card#me">Henry Story</a> is difficult for people to use - as if the web were not full of links on every page that nobody ever bothers about.
  => Mhhh, come to think of it, I would even say that for the login/logout button you *SHOULD* use the CN from the cert, because that is what people see when they select their identity in their browser. This then helps people tie the action in the browser to the space on the web page. After all the person could have a number of names in the foaf, and if you choose one of them, the link between the web browser action and the web page won't be clear. 

 It is amazing how much FUD people build out of this confusion.

Henry

  

> [snip]
> On 2 Jan 2012, at 13:47, Jürgen Jakobitsch wrote:
> 
>> hi,
>> 
>> i have updated tomcat's WebIDRealm to the latest spec
>> and set up a test server [1].
>> 
>> there are two links on this server for testing :
>> 
>> 1. "OnlyWithCert"
>>  requires the user to be in role <http://data.turnguard.com/webid/2.0/Void>
>>  since every presenter of a certificate is added to this reserved role, everybody
>>  with a parseable webIDClaim should be able to see this page (some data from your profile will be displayed)
>> 2. "OnlyWithCert and Role X"
>>  requires the user to be in role <http://data.turnguard.com/webid/2.0/RoleX>.
>>  You should get an access denied.
>> 
>> 
>> - please note that this is now beta (at best) and any pointer, question, comment or wish is really welcome.
>> - please also note that rdfa support will follow sometime this week.
>> 
>> 
>> the WebIDRealm now
>> 
>> 1. is fully SailAPI compatible [2]
>>  with a simple jndi factory it is possible to use any data-store that has a SailImplementation.
>>  note : the test server uses a simple file that is imported to an OpenRDF MemoryStore.
>>  note : the SailRepository is used to lookup roles needed to check tomcat's security constraints in the first place. (see below)
>> 2. supports different modes
>>  since there is a SailRepository at hand it is now also possible to lookup webIDClaims in that repository.
>>  2.1. DEREFERENCE_ONLY
>>       Tries to dereference the WebIDURI over http
>>  2.2. DEREFERENCE_NO
>>       Only looks up the WebIDURI in the given SailRepository, making it also possible to use any uri as a WebIDClaim (mailto:.., URNs)
>>       This could be useful in case someone wants to use WebID only "internally" without having to publish all its user profiles
>>       (we want nsa and cia to use it also, right?)

:-) I think companies should be interested yes, though I am not sure how high we are on the radar screen of those two organisations, nor how good that necessarily is were we to be ;-) 

>>  2.3. DEREFERENCE_FIRST, DEREFERENCE_LAST
>>       first try to dereference and then look into the SailRepository or the other way round.

DEREFERENCE_LAST is probably the most efficient.

>> 3. way less interwoven with apache's tomcat (catalina) api.
>>  i'm trying to make the Realm fully compatible with major servlet containers during the next couple of weeks.

Oh that's very good.

>> 4. capable of bringing important debug information to the user.
>>  The only way to get more information to the enduser is to create a (Dummy)Principal when something fails during
>>  the authentication process. The actual exception is translated to rdf and added to the (Dummy)Principals data,
>>  making it possible to give the user useful information why the login didn't work.
>>  it is best to try this by
>>  - making your rdf improper (add a slash where no slash belongs and try to login)
>>  - remove your cert:key from your profile (and try to log in)
>>  - alter the exponent and modulus
>>  - remove the exponent or the modulus
>>  - try it with an expired certificate
>>  - try it with a certificate that is not yet valid
>>  - try it with a certificate with a webID that is not dereferenceable.
>>  it is also now possible to construct the webID testcases from these exceptions (which will be done soon)
>>  ...
>> 
>> wkr http://www.turnguard.com/turnguard

Ok, for this you should also get in contact with Bergi, and see how you can work with his test suite.
I think he has not been working on it recently because we have not been giving him feedback.

Henry

>> 
>> 
>> [1] http://webid.turnguard.com/WebIDTestServer
>> [2] http://openrdf.org
>> 
>> 
>> 
>> --
>> | Jürgen Jakobitsch,
>> | Software Developer
>> | Semantic Web Company GmbH
>> | Mariahilfer Straße 70 / Neubaugasse 1, Top 8
>> | A - 1070 Wien, Austria
>> | Mob +43 676 62 12 710 | Fax +43.1.402 12 35 - 22
>> 
>> COMPANY INFORMATION
>> | http://www.semantic-web.at/
>> 
>> PERSONAL INFORMATION
>> | web   : http://www.turnguard.com
>> | foaf  : http://www.turnguard.com/turnguard
>> | skype : jakobitsch-punkt
>> 
> 
> Social Web Architect
> http://bblfish.net/

Social Web Architect
http://bblfish.net/
Received on Monday, 2 January 2012 13:41:17 GMT
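
The lookup modes and failure cases discussed in this thread, as an added example that is not part of the original messages and is not the WebIDRealm source: a small verifier that consults the sources in the order each mode implies and returns a reason code for each way a login can fail. The function names, reason codes, sample profiles and the rule that only a missing profile falls through to the next source are assumptions made for illustration.

```python
from datetime import datetime

# Added illustration: every name below is hypothetical, not the WebIDRealm API.
class WebIDFailure(Exception):
    """Reason code, playing the part of the realm's (Dummy)Principal data."""

# Lookup order per mode: "web" = dereference over HTTP, "store" = local repository.
MODES = {
    "DEREFERENCE_ONLY": ("web",),
    "DEREFERENCE_NO": ("store",),
    "DEREFERENCE_FIRST": ("web", "store"),
    "DEREFERENCE_LAST": ("store", "web"),
}

def verify(cert, mode, sources, now):
    """Return the WebID if the certificate key is in the profile. A source returns
    a list of (modulus, exponent) pairs, or None (no profile), which falls through."""
    if now < cert["not_before"]:
        raise WebIDFailure("certificate-not-yet-valid")
    if now > cert["not_after"]:
        raise WebIDFailure("certificate-expired")
    keys = None
    for name in MODES[mode]:
        keys = sources[name](cert["webid"])
        if keys is not None:
            break
    if keys is None:
        raise WebIDFailure("profile-not-found")
    if not keys:
        raise WebIDFailure("no-key-in-profile")
    if (cert["modulus"], cert["exponent"]) not in keys:
        raise WebIDFailure("key-mismatch")
    return cert["webid"]

def check(cert, mode, sources, now):
    """Return "ok" or the reason code a login page could show the user."""
    try:
        verify(cert, mode, sources, now)
        return "ok"
    except WebIDFailure as failure:
        return str(failure)

# Constructed sample data (naive UTC times): one profile on the web, one only in the store.
WEB = {"https://example.org/alice#me": [(0xC0FFEE, 65537)]}
STORE = {"mailto:bob@example.org": [(0xBEEF, 65537)]}
SOURCES = {"web": WEB.get, "store": STORE.get}
NOW = datetime(2012, 1, 2)
VALID = {"not_before": datetime(2011, 1, 1), "not_after": datetime(2013, 1, 1)}
ALICE = dict(VALID, webid="https://example.org/alice#me", modulus=0xC0FFEE, exponent=65537)
BOB = dict(VALID, webid="mailto:bob@example.org", modulus=0xBEEF, exponent=65537)
```

With this data the mailto: identity is accepted in every mode except DEREFERENCE_ONLY, where nothing can be dereferenced and the result is profile-not-found.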
