[WAC] regexps in WebAccessControl

At the end of yesterday's WebID teleconf [1] I asked TimBL where we could 
discuss the Web Access Control Ontology [2] - given that Tim controls the 
ontology it is of course useful to know where we can discuss bugs and 
improvements. So it was agreed that the Read-Write-Web community group
is a good place to do this in addition to the wiki page. So here I go.

Use Cases 
=========

I have 3 use cases for the addition of a regular expression vocabulary
to WACL which can be divided into 2 categories:

1. regex on resources
---------------------
 
  It is often useful to be able to specify that all resources in a 
collection ( a directory ) or a whole namespace (say all resources
under /user/jack/.* have read-write-execute access by joe .
( Of course it is the resource itself that specifies which ACLs it is
bound to, via the 

    Link: <meta/profile.meta>; rel=meta

http header so that in the end this can be overridden for an individual
Resource )

2. regex on agent classes
-------------------------

2.1 subsets of WebIDs

  It is also useful to be able to specify groups of users in general this
  way, so for example one may want to specify that all employees of Oracle
  have read access to a resource by doing a regexpression on WebIDs. Perhaps
  like this https://oracle.com/ppl/[^/]*

2.2 All WebIDs

  For WebID testing it would be useful to have the group of all people
  who have authenticated with a WebID. The wiki has it as a discussion point
  to have a class wac:WebIDAgent [4] but I think regexpressions solve this 
  much better, since it does not require all verification code to have a special
  case for WebID Authenticated agents:
  One could simple do this using the regression
    http[s]?://.*
  

Experimentation
===============

I think POWDER should be the correct way of writing these regexpressions,
but I have started experimenting by just using java regular expressions 
myself ( since I am writing code in Scala ).

1. regex on resources
--------------------

  This seems to work very nicely. I have a few test cases to try this 
out on rww-Play [5], that work nicely:

   []  wac:accessToClass [ wac:regex "http://joe.example/blog/.*" ];
       wac:agentClass foaf:Agent;
       wac:mode wac:Read .

   This seems reasonable. The code is not that long either [6] to implement
this. But one should use powder.

2. regex on agent classes
-------------------------

To test a WebID authentication endpoint the Access Control rule could
be:

     []  wac:accessTo <https://some.company/webidTest>;
       wac:agentClass [ wac:regex "http[s]?://.*" ];
       wac:mode wac:Read .

This would allow us to create robots to test the WebID over TLS 
Authentication protocol. 

So for example for a company to define quickly all its employees
without giving out names it could do the following allowing members
of the read access to all the company profiles:

     []  wac:accessToClass [ wac:regex <https://people.some.company/.*> ];
       wac:agentClass [ wac:regex "https://people.some.company/[^/]+" ];
       wac:mode wac:Read .


Todo:
====

1. Does this make sense? 
2. Is the modelling ok?
3. is POWDER the right ontology to use?
   ( how well does it work with java regexs? )



[1] http://www.w3.org/2012/11/16-webid-minutes.html
[2] http://www.w3.org/wiki/WebAccessControl
[3] http://www.w3.org/2001/sw/wiki/POWDER
[4] http://www.w3.org/wiki/WebAccessControl#Public_Access
[5] https://github.com/read-write-web/rww-play/blob/master/app/test/WebACLTestSuite.scala#L105
[6] https://github.com/read-write-web/rww-play/blob/master/app/org/www/play/auth/WebACL.scala#L100

Social Web Architect
http://bblfish.net/

Received on Saturday, 17 November 2012 14:35:30 UTC