- From: Jürgen Jakobitsch <j.jakobitsch@semantic-web.at>
- Date: Mon, 07 Nov 2011 21:47:19 +0100 (CET)
- To: Henry Story <henry.story@bblfish.net>
- Cc: WebID Incubator Group WG <public-xg-webid@w3.org>
hi henry, thanks for your valuable input!
please find my answers below inline
wkr http://www.turnguard.com/turnguard
----- Original Message -----
From: "Henry Story" <henry.story@bblfish.net>
To: "Jürgen Jakobitsch" <j.jakobitsch@semantic-web.at>
Cc: "WebID Incubator Group WG" <public-xg-webid@w3.org>, "Andreas Blumauer" <a.blumauer@semantic-web.at>, "Helmut Nagy" <h.nagy@semantic-web.at>
Sent: Monday, November 7, 2011 6:23:31 PM
Subject: WebID enabled PoolParty - was: ISSUE-40: A glossary of the preferred terms used for talking about the WebId architecture
Ok,
So I just logged in (or I think I did) with WebID to your Pool Party
https://pilot5.poolparty.biz:8443/PoolParty/index.jsp
I know you told me this, but it's important for others who want to try it out: Chrome does not work currently. One needs Firefox for this.
JJ : very true, is mainly tested on firefox.
So really it is very difficult to use your service because I have no idea when or if I am logged in. You need:
- a test page where I can try out your login, and you can tell me if I fail to authenticate or not
JJ : 1. you are seeing the application, because it simply works in your case. you can try login with a dummy certificate (create yourself one
using fcns for a => non existent <= webID and try to log in using this certificate. you'll see a page saying something along the lines
"Cannot authenticate with the provided credentials".
2. you can also try to access the following page, which requires the role of a PoolPartyAdmin with your user
(https://pilot5.poolparty.biz:8443/PoolParty/templates/dialogs/admin/users/UserAdminAvailableUsers.jsp). you should see
a page along the lines "403 - Access to the requested resource has been denied"
- at the minimum something that say "Hello bblfish" or "Hello Henry Story" or something of that nature. Many plus points for extracting the image from my foaf.
JJ : i added a "logged in as http://...." (logout) link in the right part of the menu (i'm going for the depiction-candy next time)
Without that we cannot make any claim to have something that is easier to use than OpenId, OAuth or any of the other protocols.
As far as the documentation goes the link you gave me seems to be password protected
https://grips.punkt.at/display/POOLDOKU/PoolParty+-+Quick+Start+Guide
JJ : i'm have to check with our confluence-admin (should be available for you soon)
One thing that I do think is *very_cool* is your technical discovery, pointed out today in the telconf that
you can use the web.xml file to turn authentication on or off per resource. Web.xml is a standard way to set servlets.
As you said during the telconf
[[
the tomcat-webID realm is exactly analogue to tomcat-memory-userdatabase-realm,
see here http://tomcat.apache.org/tomcat-6.0-doc/config/realm.html
tomcat webID realm source code : https://sourceforge.net/p/webidrealm/code/
]]
<web-resource-collection>
<web-resource-name>PoolParty</web-resource-name>
<description/>
<url-pattern>*.jsp</url-pattern>
<http-method>GET</http-method>
<http-method>POST</http-method>
<http-method>HEAD</http-method>
<http-method>PUT</http-method>
<http-method>OPTIONS</http-method>
<http-method>TRACE</http-method>
<http-method>DELETE</http-method>
</web-resource-collection>
<user-data-constraint>
<transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint>
<auth-constraint>
<description/>
<role-name>http://turnguard.com/webid/poolparty/PoolPartyUser</role-name>
</auth-constraint>
</security-constraint>
<login-config>
<auth-method>CLIENT-CERT</auth-method>
</login-config>
<security-role>
<description/>
<role-name>http://turnguard.com/webid/poolparty/PoolPartyAdmin</role-name>
</security-role>
<security-role>
<description/>
<role-name>http://turnguard.com/webid/poolparty/PoolPartyUser</role-name>
</security-role>
Is there a URL I can see that with? Like a URL where I can see something on PoolParty where I don't get my certificate requested, and one were I do?
JJ : 1. web.xml is locked away from external access, and can only be viewed by logging in via ssh.
2. currently only the index.html page is not protected. remember we are building an application and not a webpage, so there's not much
interaction without logging in - all other info about the application is on a totally different domain.
I had a quick look at your code. Where is the WebID Authentication taking place?
JJ : authentication with tomcat-webID-realm works as follows :
1. when ssl is active, the SSLAuthenticationValve [1] is automaticall invoked for every request
2. the sslAuthenticator retrieves the current Context's realm to do the authentication
(look for "context.getRealm().authenticate(certs)" in SSLAuthenticator.java
3. now context.getRealm() return my WebIDRealm [2], which extends RealmBase [3]
4. now context.getRealm().authenticate(certs) calls "authenticate(X509Certificate certs[])" (line 414) of RealmBase [3]
5. RealmBase in it's authenticate(certs) method returns getPrincipal(certs[0]) and
6. i implemented getPrincipal(X509Certificate usercert) in my WebIDRealm [2] in line 50.
[1] http://www.java2s.com/Open-Source/Java-Document/Sevlet-Container/tomcat-catalina/org/apache/catalina/authenticator/SSLAuthenticator.java.htm
[2] http://sourceforge.net/p/webidrealm/code/13/tree/trunk/src/main/java/com/turnguard/advanced/tomcat/webid/realm/WebIDUserDatabaseRealm.java
[3] http://www.docjar.com/html/api/org/apache/catalina/realm/RealmBase.java.html
thanks again, hope that helps, i'll let you know, when docu is available
wkr www.turnguard.com/turnguard
Henry
On 2 Nov 2011, at 11:38, Jürgen Jakobitsch wrote:
>
> Herny :
>
> ACTION-48 todos : ...set some goals for what should be up there
>
> JJ : my suggestion for the content of the thesaurus would be :
>
> 1. the terms that are already in the spec [4]
> 2. authentication terms in generall. when starting with webID and authentication in generall it would be (super)-great to have
> an authority which tells me what all these terms are (TLS, SSL, Authentication, Access Control, ACL, Handshake, PublicKey, PrivateKey, Modulus,
> Identity, OpenID, BrowserID)
> 3. put all these terms in a context, so people know to which broader concept a certain term belongs to.
> (an example from dbpedia : http://dbpedia.org/page/Category:Secure_Shell => broader => http://dbpedia.org/page/Category:Cryptographic_protocols => broader => http://dbpedia.org/page/Category:Cryptography)
> 4. link to lod-resources on the web using our lookup-plugins. see an example of a resource (skos:Concept) which i linked to different
> lod (and non-lod) source here [5]
>
> the endeffect would be that people can browse the thesaurus and have one single source of information on the area of authentication.
>
>
> Other poolparty things to consider
>
> JJ :
>
> poolparty usage :
>
> 1. i created a project here [5] with the name of "Playground" where you can try out things create dummy concepts
> and edit labels as you like without destroying something. to open the project : login using webID,
> choose from the menu : PROJECT => Load Project => Playground
> 2. here you'll find documentation on how to use poolparty
> 1. quick start : https://grips.punkt.at/display/POOLDOKU/PoolParty+-+Quick+Start+Guide
I need to login to a site here that asks me for a password.
> 2. create a ConceptScheme : https://grips.punkt.at/display/POOLDOKU/Create+the+Concept+Schemes+for+your+Project
> 3. create a TopConcept : https://grips.punkt.at/display/POOLDOKU/Create+Top+Concepts+for+your+Project
> 4. create a Concept : https://grips.punkt.at/display/POOLDOKU/Create+Concepts+for+your+Project
> 3. please use PROJECT => Logout to activly log out
> 4. If something goes wrong or doesn't react (nothing happens) please refresh the page.
> 5. please note : export the project when you make changes (there's a sophisticated backup mechanism, but the devil
> doesn't sleep)
> 6. when logged in, you find information about yourself by choosing : ABOUT POOLPARTY => Userinfo from the menu
>
> poolparty project concept uri pattern :
>
> 1. as mentioned previously we would need to agree on a uri pattern. the possible poolparty uri patterns look like this
> http://{subdomain.domain | domain}/{projectName}/{uuid | encoded(prefLabel) }. so i'm looking forward to another
> happy pattern-polling. i'd suggest as a starter
>
> - http://terms.webid.info/glossary (concept uri example : http://terms.webid.info/glossary/webid)
> - http://glossary.webid.info/webid (concept uri example : http://glossary.webid.info/webid/tls)
> - http://terms.webid.info/Authentication (concept uri example : http://terms.webid.info/Authentication/ssl)
> - http://vocab.webid.info/Authentication (concept uri example : http://vocab.webid.info/Authentication/Handshake)
>
> workflow of creating the thesaurus :
>
> we here also have a couple of opportunities :
>
> 1. we can collaborate in doing so (please note that there's also a log which logs new concepts, deletions of concepts
> and concept merges [8].
> 2. i know that this is additional effort to come to terms with poolparty itself, so if don't have time for this
> i offer that i do create concepts if someone asks me to.
>
> Kingsley : Are you adding them to the user database or a group to which ACLs are applied?
>
> JJ : There are no ACLs on a triple or graph basis or the like. I programmed an analogy of a tomcat-realm [7]
> for use with webIDs, so that it's possible to secure webapps or single jsp on an url-based pattern.
> you can try this url [6] which only PoolPartyAdmins are allowed to access.
>
> if you :
>
> 1. have a problem logging into PoolParty here [5]
> 2. want to be granted access
> 3. have a problem creating a resource
> 4. have a problem linking a resource
> 5. suggestions | questions concerning the thesaurus
> 6. suggestions concerning improvements of the pp server
> 7. any other thing concerning this topic
>
> feel free to contact me via the mailing list, via skype (see below in my mail signatur), or pm
>
> next steps :
>
> for groups members :
>
> 1. try to log in.
> 2. try to add some concepts in Playground project
> 3. important : decide on a concept uri pattern
>
> please don't hesitate to bombard me with any question or suggestion.
>
> p.s.: concerning the earl-tests : i'm currently still very busy and unfortunately could do it untill now, i'm on holiday
> from next week until the end of november, so realistically i'm able to implement the test suite by december.
>
> wkr http://www.turnguard.com/turnguard
>
> [1] http://poolparty.biz/
> [2] http://www.w3.org/2005/Incubator/webid/team#we
> [3] http://www.w3.org/RDF/Validator/
> [4] http://www.w3.org/2005/Incubator/webid/spec/#terminology
> [5] http://pilot5.poolparty.biz/WebID/OpenID.html
> [6] https://pilot5.poolparty.biz:8443/PoolParty/templates/dialogs/admin/users/UserAdminAvailableUsers.jsp
> [7] http://tomcat.apache.org/tomcat-6.0-doc/realm-howto.html
> [8] https://grips.punkt.at/display/POOLDOKU/Logging+Information+for+a+Project
>
>
> | Jürgen Jakobitsch,
> | Software Developer
> | Semantic Web Company GmbH
> | Mariahilfer Straße 70 / Neubaugasse 1, Top 8
> | A - 1070 Wien, Austria
> | Mob +43 676 62 12 710 | Fax +43.1.402 12 35 - 22
>
> COMPANY INFORMATION
> | http://www.semantic-web.at/
>
> PERSONAL INFORMATION
> | web : http://www.turnguard.com
> | foaf : http://www.turnguard.com/turnguard
> | skype : jakobitsch-punkt
>
>
>
>
> ----- Original Message -----
> From: "Henry Story" <henry.story@bblfish.net>
> To: "Jürgen Jakobitsch" <j.jakobitsch@semantic-web.at>
> Cc: "WebID Incubator Group WG" <public-xg-webid@w3.org>
> Sent: Thursday, October 20, 2011 10:37:05 AM
> Subject: Re: close ISSUE-40: A glossary of the preferred terms used for talking about the WebId architecture
>
> Hi Jurgen.
>
> thanks for your reply. Since you are very interested in the thesaurus project, we won't close the issue but just put you in charge of it. I like the idea of having it up as a wiki where members of this group can login with their webid and edit it. I think that would be a nice little use case too.
>
> I can see the following todos then:
>
> -1 have a server which we can use and login and members of the team can update the ontology
> -2 set some goals for what should be up there (I am not a thesaurus specialist, so I don't really know what we should be trying to do here)
>
> I have added that here
>
> ACTION-48: Jürgen Jakobitsch to put up thesaurus wiki available to team
>
> To report back in a couple of weeks. You don't seem to be an official member of the XG - if you want just ask for it - so I put it down as an action for me. But I can add you to the team for sure. Just send me your webid.
>
> If possible it would be really nice if you could have your endpoint generate the EARL as described here
>
> http://www.w3.org/2005/Incubator/webid/wiki/Test_Suite
>
> so that we can help you debug your implementation, and so that we can write a report on what is supported in the community. This can then be very useful in helping us provide guidelines for what formats people should support when deploying webid profiles, and for adding elements to the spec in a way guided by deployments.
>
> Henry
>
>
> On 20 Oct 2011, at 09:45, Jürgen Jakobitsch wrote:
>
>> hi all,
>>
>> ... --- ... (save our skos)
>>
>> as you know, we have set up a poolparty demo server [1] to which one can log on using webID.
>> this server can be used to easily create a skos thesaurus.
>> i could add all members of webID#we [2] to the user database to grant them access and
>> support every single one in creating concepts.
>>
>> i'm convinced from the bottom of my heart that creating a thesaurus is always an extremly good idea.
>> keep in mind : you all know the terms and conditions relating to the webID topic, but many who
>> are in decision-position or simply interested do not, a thesaurus would certainly help.
>>
>> besides that i would consider creating and publishing a thesaurus simply a matter of principle and good linked manners...
>>
>> some words on the possible settings for a thesaurus created with poolparty :
>> 1. every baseURL can be used to create linked data (i.e.: http://vocab.webid.info)
>> 2. concept URIs are following this pattern : {baseURL}/{projectName}/{prefLabel}
>> some samples of concept uris that are possible:
>> vocab.webid.info/terms/conceptX
>> glossary.webid.info/webid/conceptX
>> ...
>> the sub-domain should be point to our server so the concepts are really linked.
>> anyway the thesaurus could also be exported on a regular basis and hosted elsewhere.
>>
>> 3. with poolparty there's the possibility to link the concept to other resources using lookups.
>> (of interest would be besides standard lookups like dbpedia, sindice, freebase and LCSH for example
>> an experimental google-patent lookup or an epo (european patent office) [3] lookup.
>>
>>
>> there are then a couple of possibilities to fill the thesaurus :
>>
>> 1. one of members of [2] gets the task and gets an introduction to use poolparty from me
>> 2. there's a community effort, we then could do a telco where everybody is informed how to use the thesaurus
>> 3. i could also personally do it, in case others don't want or don't have the time to (i'd be happy to do so).
>>
>> meanwhile you can find an example of a webID-thesaurus-sample i did, when setting up the server here [4]
>>
>> please note that there are of course many other ways to create a thesaurus and this is only a suggestion.
>>
>> wkr http://www.turnguard.com/turnguard
>>
>> [1] pilot5.poolparty.biz/PoolParty
>> [2] www.w3.org/2005/Incubator/webid/team#we
>> [3] www.epo.org
>> [4] http://pilot5.poolparty.biz/WebID/Authentication
>>
>> ----- Original Message -----
>> From: "Henry Story" <henry.story@bblfish.net>
>> To: "WebID Incubator Group WG" <public-xg-webid@w3.org>
>> Sent: Thursday, October 20, 2011 12:40:54 AM
>> Subject: close ISSUE-40: A glossary of the preferred terms used for talking about the WebId architecture
>>
>> It turns out that not much has happened in this respect on the wiki here:
>>
>> http://www.w3.org/2005/Incubator/webid/wiki/Terminology
>>
>> There is a terminology section in the spec in any case
>>
>> http://www.w3.org/2005/Incubator/webid/spec/#terminology
>>
>> Are there terms that need to be added to the spec?
>>
>> Henry
>>
>>
>> Social Web Architect
>> http://bblfish.net/
>>
>>
>>
>> --
>> | Jürgen Jakobitsch,
>> | Software Developer
>> | Semantic Web Company GmbH
>> | Mariahilfer Straße 70 / Neubaugasse 1, Top 8
>> | A - 1070 Wien, Austria
>> | Mob +43 676 62 12 710 | Fax +43.1.402 12 35 - 22
>>
>> COMPANY INFORMATION
>> | http://www.semantic-web.at/
>>
>> PERSONAL INFORMATION
>> | web : http://www.turnguard.com
>> | foaf : http://www.turnguard.com/turnguard
>> | skype : jakobitsch-punkt
>
> Social Web Architect
> http://bblfish.net/
>
>
>
> --
> | Jürgen Jakobitsch,
> | Software Developer
> | Semantic Web Company GmbH
> | Mariahilfer Straße 70 / Neubaugasse 1, Top 8
> | A - 1070 Wien, Austria
> | Mob +43 676 62 12 710 | Fax +43.1.402 12 35 - 22
>
> COMPANY INFORMATION
> | http://www.semantic-web.at/
>
> PERSONAL INFORMATION
> | web : http://www.turnguard.com
> | foaf : http://www.turnguard.com/turnguard
> | skype : jakobitsch-punkt
>
Social Web Architect
http://bblfish.net/
--
| Jürgen Jakobitsch,
| Software Developer
| Semantic Web Company GmbH
| Mariahilfer Straße 70 / Neubaugasse 1, Top 8
| A - 1070 Wien, Austria
| Mob +43 676 62 12 710 | Fax +43.1.402 12 35 - 22
COMPANY INFORMATION
| http://www.semantic-web.at/
PERSONAL INFORMATION
| web : http://www.turnguard.com
| foaf : http://www.turnguard.com/turnguard
| skype : jakobitsch-punkt
Received on Monday, 7 November 2011 20:48:19 UTC