- From: Kingsley Idehen <kidehen@openlinksw.com>
- Date: Fri, 09 Aug 2013 13:34:35 -0400
- To: public-lod@w3.org
- Message-ID: <5205282B.30009@openlinksw.com>
On 8/9/13 12:55 PM, Hugh Glaser wrote:
> Thanks.
> I've looked at quite a bit of this stuff, but still don't see where the ACL document gets stored and used.

As per my setup [1] the ACLs reside in a document. Of course, they can also reside inside a DBMS/store e.g., in a named graph.

>
> I am beginning to get the sense that I may have to write some code, other than the ACL rdf to do this.

Depends. The issue here is that ACL lookups are an additional step in the flow when applying WebID+TLS to actual resource access. What sometimes gets lost in conflation, is the fact that we have:

1. identity authentication
2. resource access control.

Your identity might be verified (via authentication) but said identity isn't necessarily authorized to access a protected resource.

If an ACL delegation mechanism existed, you could negate writing any code since a trusted 3rd party service could lookup ACLs (wherever you've placed them) and then apply that to the authorization process.

> Surely Apache or something else will do this for me?

Possibly, but you will have to plug-in an ACL module (basically something that performs SPARQL ASK, for instance) or write one yourself.

> Can't I "just" put the ACL in a file (as in htpasswd) and point something at it?

Hmm.. I don't use Apache that deeply, but I would expect that to be possible, bearing in mind the existence of WebID+TLS modules [2].

> I certainly don't want to be writing code to make one photo (or simply a static web site) available.
> Or is that the "delegated service" you are talking about?

Yes, another example of the flexibility that WebID+TLS brings to Read-Write Linked Data.

>
> I've got my fingers crossed here.

We'll have that implemented when we get an opening. Of course other WebID and RWW players can implement the same thing too :-)

Links:

[1] http://kingsley.idehen.net/DAV/home/kidehen/Public/Linked%20Data%20Documents/WebID-ACL-Demos/ -- all the files are public readable (i.e., +r )
[2] http://packages.debian.org/testing/httpd/libapache2-mod-authn-webid -- Debian WebID+TLS module for Apache
[3] https://apps.ubuntu.com/cat/applications/raring/libapache2-mod-authn-webid/ -- for Ubuntu
[4] http://dig.csail.mit.edu/2009/mod_authn_webid/ -- from CSAIL team at MIT (I've copied Joe in as he might be able to help re. extension for ACLs)
[5] http://dig.csail.mit.edu/2009/mod_authz_webid/README -- ** this might be what you need re. Apache ** .

Kingsley

>
> On 9 Aug 2013, at 17:35, Kingsley Idehen <kidehen@openlinksw.com>
> wrote:
>
>> On 8/9/13 12:22 PM, Hugh Glaser wrote:
>>> <Hugh comes back to play />
>>> Thanks Kingsley, and Melvin and Henry and Norman.
>>> So, trying to cut it down to the minimum.
>>> (Sorry, I find some/many of the pages about it really hard going.)
>>> If I have a photo on a server, http://example.org/photos/me.jpg, and a WebID at http://example.org/id/you
>>> What files do I need on the server so that http://example.org/id/you#me (and no-one else) can access http://example.org/photos/me.jpg?
>>> I think that is a sensible question (hopefully!)
>> You can need a Turtle document (other RDF document types will do too) comprised of content that describes your ACL based on <http://www.w3.org/ns/auth/acl> vocabulary terms.
>>
>> You might find <http://www.w3.org/wiki/WebAccessControl#this> wiki document useful too.
>>
>> My ACL demos leverage the fact that our ODS and Virtuoso platforms have this in-built re. Web Server functionality.
>>
>> I need to check if we built a delegated service for WebID+TLS based ACLs, if not, then (note to self re., new feature zilla) we'll make one :-)
>>
>>
>
>
>

--

Regards,

Kingsley Idehen
Founder & CEO
OpenLink Software
Company Web: http://www.openlinksw.com
Personal Weblog: http://www.openlinksw.com/blog/~kidehen
Twitter/Identi.ca handle: @kidehen
Google+ Profile: https://plus.google.com/112399767740508618350/about
LinkedIn Profile: http://www.linkedin.com/in/kidehen
Attachments
- application/pkcs7-signature attachment: S/MIME Cryptographic Signature
Received on Friday, 9 August 2013 17:34:58 UTC
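The authorization step described in the message (an ACL lookup equivalent to a SPARQL ASK, run after WebID+TLS has already authenticated the caller), shown as an added example that is not part of the original e-mail or of any Apache module. Assumptions: the ACL is stored as IRI-only N-Triples, the ACL document URI `http://example.org/photos/me.jpg.acl#owner` and all function names are hypothetical, and the ACL content is constructed from the URIs in the quoted question.

```python
import re

ACL = "http://www.w3.org/ns/auth/acl#"
RDF_TYPE = "http://www.w3.org/1999/02/22-rdf-syntax-ns#type"

# Constructed ACL document (N-Triples): one Authorization granting Read on the photo.
ACL_DOC = """
<http://example.org/photos/me.jpg.acl#owner> <http://www.w3.org/1999/02/22-rdf-syntax-ns#type> <http://www.w3.org/ns/auth/acl#Authorization> .
<http://example.org/photos/me.jpg.acl#owner> <http://www.w3.org/ns/auth/acl#agent> <http://example.org/id/you#me> .
<http://example.org/photos/me.jpg.acl#owner> <http://www.w3.org/ns/auth/acl#accessTo> <http://example.org/photos/me.jpg> .
<http://example.org/photos/me.jpg.acl#owner> <http://www.w3.org/ns/auth/acl#mode> <http://www.w3.org/ns/auth/acl#Read> .
"""

TRIPLE = re.compile(r"^<([^>]+)>\s+<([^>]+)>\s+<([^>]+)>\s*\.$")

def parse_ntriples(text):
    """Parse IRI-only N-Triples into a set of (s, p, o); reject anything else."""
    triples = set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = TRIPLE.match(line)
        if not m:
            # Fail closed: a malformed ACL must not silently grant or drop rules.
            raise ValueError(f"unsupported N-Triples line: {line!r}")
        triples.add(m.groups())
    return triples

def is_authorized(triples, webid, resource, mode):
    """Same question as: ASK { ?a a acl:Authorization ; acl:agent <webid> ;
    acl:accessTo <resource> ; acl:mode acl:<mode> }. No match means deny."""
    rules = {s for s, p, o in triples if p == RDF_TYPE and o == ACL + "Authorization"}
    return any(
        (a, ACL + "agent", webid) in triples
        and (a, ACL + "accessTo", resource) in triples
        and (a, ACL + "mode", ACL + mode) in triples
        for a in rules
    )

def handle_request(triples, verified_webid, resource, mode="Read"):
    """verified_webid is the output of step 1 (WebID+TLS); None if it failed."""
    if verified_webid is None:
        return 401  # not authenticated
    # Step 2: an authenticated identity still needs a matching ACL rule.
    return 200 if is_authorized(triples, verified_webid, resource, mode) else 403
```
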