- From: Henry Story <henry.story@bblfish.net>
- Date: Sat, 17 Nov 2012 15:34:57 +0100
- To: Read-Write-Web <public-rww@w3.org>
- Message-Id: <91D77204-9932-4B0C-8E33-25089162F1A2@bblfish.net>
At the end of yesterday's WebID teleconf [1] I asked TimBL where we could discuss the Web Access Control Ontology [2] - given that Tim controls the ontology it is of course useful to know where we can discuss bugs and improvements. So it was agreed that the Read-Write-Web community group is a good place to do this in addition to the wiki page. So here I go.

Use Cases
=========

I have 3 use cases for the addition of a regular expression vocabulary to WACL which can be divided into 2 categories:

1. regex on resources
---------------------

It is often useful to be able to specify that all resources in a collection (a directory) or a whole namespace (say all resources under /user/jack/.*) have read-write-execute access by joe. (Of course it is the resource itself that specifies which ACLs it is bound to, via the Link: <meta/profile.meta>; rel=meta http header so that in the end this can be overridden for an individual Resource.)

2. regex on agent classes
-------------------------

2.1 subsets of WebIDs

It is also useful to be able to specify groups of users in general this way, so for example one may want to specify that all employees of Oracle have read access to a resource by doing a regexpression on WebIDs. Perhaps like this

    https://oracle.com/ppl/[^/]*

2.2 All WebIDs

For WebID testing it would be useful to have the group of all people who have authenticated with a WebID. The wiki has it as a discussion point to have a class wac:WebIDAgent [4] but I think regexpressions solve this much better, since it does not require all verification code to have a special case for WebID Authenticated agents: One could simply do this using the regular expression

    http[s]?://.*

Experimentation
===============

I think POWDER should be the correct way of writing these regexpressions, but I have started experimenting by just using Java regular expressions myself (since I am writing code in Scala).

1. regex on resources
---------------------

This seems to work very nicely. I have a few test cases to try this out on rww-Play [5], that work nicely:

    [] wac:accessToClass [ wac:regex "http://joe.example/blog/.*" ];
       wac:agentClass foaf:Agent;
       wac:mode wac:Read .

This seems reasonable. The code is not that long either [6] to implement this. But one should use powder.

2. regex on agent classes
-------------------------

To test a WebID authentication endpoint the Access Control rule could be:

    [] wac:accessTo <https://some.company/webidTest>;
       wac:agentClass [ wac:regex "http[s]?://.*" ];
       wac:mode wac:Read .

This would allow us to create robots to test the WebID over TLS Authentication protocol.

So for example for a company to define quickly all its employees without giving out names it could do the following allowing members of the read access to all the company profiles:

    [] wac:accessToClass [ wac:regex <https://people.some.company/.*> ];
       wac:agentClass [ wac:regex "https://people.some.company/[^/]+" ];
       wac:mode wac:Read .

Todo:
=====

1. Does this make sense?
2. Is the modelling ok?
3. Is POWDER the right ontology to use? (how well does it work with Java regexes?)

[1] http://www.w3.org/2012/11/16-webid-minutes.html
[2] http://www.w3.org/wiki/WebAccessControl
[3] http://www.w3.org/2001/sw/wiki/POWDER
[4] http://www.w3.org/wiki/WebAccessControl#Public_Access
[5] https://github.com/read-write-web/rww-play/blob/master/app/test/WebACLTestSuite.scala#L105
[6] https://github.com/read-write-web/rww-play/blob/master/app/org/www/play/auth/WebACL.scala#L100

Social Web Architect
http://bblfish.net/
Attachments
- application/pkcs7-signature attachment: smime.p7s
Received on Saturday, 17 November 2012 14:35:30 UTC
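
The following is an added example, not part of the original message or of rww-play: a small evaluator for the two wac:regex rules quoted above, showing why the regex must match the whole IRI and why literal dots in host names should be escaped. The rule dict layout, the helper names and the sample IRIs are assumptions of this example, and Python's `re.fullmatch`/`re.search` stand in for Java's `Matcher.matches()`/`Matcher.find()`.

```python
import re

# Rules transcribed by hand from the Turtle snippets in the message; the dict
# layout is an assumption of this example, not a WAC serialization.
ANY_AGENT = "foaf:Agent"
RULES = [
    {"resource_regex": r"http://joe.example/blog/.*",
     "agent": ANY_AGENT, "modes": {"Read"}},
    {"resource_regex": r"https://people.some.company/.*",
     "agent_regex": r"https://people.some.company/[^/]+", "modes": {"Read"}},
]

def matches(pattern, iri, anchored=True):
    """anchored=True mirrors Java's Matcher.matches(): the whole IRI must match.
    anchored=False mirrors Matcher.find(): any substring may match."""
    m = re.fullmatch(pattern, iri) if anchored else re.search(pattern, iri)
    return m is not None

def allowed(rules, webid, resource, mode, anchored=True):
    """True if some rule grants `mode` on `resource` to the authenticated `webid`."""
    for rule in rules:
        if mode not in rule["modes"]:
            continue
        if not matches(rule["resource_regex"], resource, anchored):
            continue
        if rule.get("agent") == ANY_AGENT:
            return True
        if "agent_regex" in rule and matches(rule["agent_regex"], webid, anchored):
            return True
    return False

def escape_literal_prefix(prefix, tail):
    """Build a pattern whose fixed part is escaped, so '.' in a host name
    matches only a dot; `tail` is the intended regex part."""
    return re.escape(prefix) + tail

# Constructed sample identifiers.
EMPLOYEE = "https://people.some.company/alice"
OUTSIDER = "https://other.example/x?ref=https://people.some.company/alice"
LOOKALIKE = "https://people-some.company/alice"   # '-' where the rule has '.'
PROFILE = "https://people.some.company/bob"

if __name__ == "__main__":
    print(allowed(RULES, EMPLOYEE, PROFILE, "Read"))                   # True
    print(allowed(RULES, OUTSIDER, PROFILE, "Read"))                   # False
    print(allowed(RULES, OUTSIDER, PROFILE, "Read", anchored=False))   # True
    print(allowed(RULES, LOOKALIKE, PROFILE, "Read"))                  # True
    strict = escape_literal_prefix("https://people.some.company/", "[^/]+")
    print(matches(strict, LOOKALIKE), matches(strict, EMPLOYEE))       # False True
```

With whole-string matching the outsider WebID is refused, while substring matching would accept it; the unescaped `.` in the rule as written still admits the lookalike host until the literal prefix is escaped.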