
Re: SPARQL Security - Best Practices?

From: Damian Steer <pldms@mac.com>
Date: Tue, 02 Sep 2008 23:24:53 +0100
Cc: Semantic Web at W3C <semantic-web@w3.org>
Message-id: <D6E933E7-EBA0-4F24-B110-5BA383E8146E@mac.com>
To: Richard Newman <rnewman@twinql.com>


On 2 Sep 2008, at 22:15, Richard Newman wrote:

> One issue I have encountered in the past is that a query like
>
>  SELECT * {
>    GRAPH ?g {
>      ?s foo:bar ?baz ;
>         zob:zab ?bing .
>    }
>    FILTER (allowed(?g))
>  }
>
> will only return answers where *both* triple patterns match in the  
> same permitted graph.

That seems fairly obvious to me, but you're right that the named graph  
store + access control I mentioned looks like a triple store but  
really isn't because of this case. For our use case it doesn't matter,  
happily.

>
>  SELECT *
>  FROM <allowed-1>
>  FROM <allowed-2>
>  ...
>  WHERE {
>    ?s foo:bar ?baz ;
>       zob:zab ?bing .
>  }
>
> but that means the query is specific to the user (or you have to use  
> out-of-band dataset selection).

This is one of the reasons we aren't FILTERing graphs in the query.  
Probably a premature optimisation, but they make life more rewarding.

> A couple of years ago I was working on a system that very heavily  
> used very complex access control. My ultimate conclusion was that  
> standard SPARQL was not very well suited to this kind of thing.  
> That's an interesting conclusion for a SPARQL implementor to draw,  
> but there you are :)

Are any query languages suited to this?

Damian

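The two query shapes Richard contrasts above, evaluated by hand over a tiny in-memory quad store. This is an added illustration, not code from the thread or from any SPARQL engine; the quads, the graph names and the `allowed()` stand-in for the extension function in the quoted query are all constructed for the example. It shows why the `GRAPH ?g { ... } FILTER (allowed(?g))` form drops a match whose two legs live in different permitted graphs, while the `FROM <allowed-1> FROM <allowed-2>` form keeps it, and that neither form lets a leg from a forbidden graph into the join.

```python
# Constructed sample data: quads as (subject, predicate, object, graph).
# Two graphs are permitted for this user; <secret> is not.
ALLOWED_GRAPHS = {"<allowed-1>", "<allowed-2>"}
QUADS = [
    ("<s1>", "foo:bar", "<baz1>", "<allowed-1>"),
    ("<s1>", "zob:zab", "<bing1>", "<allowed-1>"),  # both legs in one permitted graph
    ("<s2>", "foo:bar", "<baz2>", "<allowed-1>"),
    ("<s2>", "zob:zab", "<bing2>", "<allowed-2>"),  # legs split across two permitted graphs
    ("<s3>", "foo:bar", "<baz3>", "<secret>"),
    ("<s3>", "zob:zab", "<bing3>", "<secret>"),     # both legs in a forbidden graph
    ("<s4>", "foo:bar", "<baz4>", "<allowed-2>"),
    ("<s4>", "zob:zab", "<bing4>", "<secret>"),     # one leg in a forbidden graph
]


def allowed(graph, allowed_graphs=ALLOWED_GRAPHS):
    """Stand-in (assumed, not a real SPARQL builtin) for allowed(?g) in the quoted query."""
    return graph in allowed_graphs


def graph_filter_query(quads):
    """SELECT * { GRAPH ?g { ?s foo:bar ?baz ; zob:zab ?bing } FILTER (allowed(?g)) }
    ?g is bound once for the whole GRAPH block, so both legs must sit in that one graph."""
    results = []
    for s, p, baz, g in quads:
        if p != "foo:bar":
            continue
        for s2, p2, bing, g2 in quads:
            if s2 == s and p2 == "zob:zab" and g2 == g and allowed(g):
                results.append((s, baz, bing, g))
    return sorted(results)


def from_dataset_query(quads, allowed_graphs):
    """SELECT * FROM <allowed-1> FROM <allowed-2> WHERE { ?s foo:bar ?baz ; zob:zab ?bing }
    FROM merges the listed graphs into one default graph, so graph boundaries vanish;
    forbidden graphs are never loaded, so nothing from <secret> can enter the join."""
    default_graph = {(s, p, o) for s, p, o, g in quads if g in allowed_graphs}
    results = []
    for s, p, baz in default_graph:
        if p != "foo:bar":
            continue
        for s2, p2, bing in default_graph:
            if s2 == s and p2 == "zob:zab":
                results.append((s, baz, bing))
    return sorted(results)
```

Run both over `QUADS`: the GRAPH/FILTER form returns only `<s1>`, the FROM form returns `<s1>` and `<s2>`, and `<s3>`/`<s4>` appear in neither.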
Received on Tuesday, 2 September 2008 22:25:45 GMT
