Re: WebID enabled PoolParty - was: ISSUE-40: A glossary of the preferred terms used for talking about the WebId architecture

hi henry, 

1. thanks for the pointer with the logged in URI. 

i was so concerned with the style that i forgot to un-hardcode the user-uri, should work now.

2. concerning the test-webID page.

i'm not going to use the PoolParty server for stuff like that. but i'm going to provide
my own server just for this purpose where i install tomcatWebIDRealm and protect some
pages and also have a page outputting the EARL test results.

3. URL protection

there's only the index.html file @ http://pilot5.poolparty.biz/PoolParty/index.html which is viewable 
without providing a certificate. again, this is a special use-case since it is an application written
to be used in a browser and not a webpage for everyone to be used and viewed.
if you want to know more about poolparty, everything is available at a totally different url and
has nothing to do with the WebID protected PoolPartyServer.

4. SPARQL in auth

yes, i could as well do it with a SPARQL query and would also know how to do that. anyway i don't consider
it complicated to use Collections of statements.

5. for the JENA stuff

you (or whoever is interested) could write the exact same thing as the UserDatabase based on JENA of course.
the rest would work exactly the same. the WebIDUserdatabase is defined as a JNDI resource and simply looked up,
so it is very possible to do the whole thing with JENA.

for a future release i'm planning to have a generic sail implementation of the WebIDUserdatabase (the current
one is tailored to use one single rdf-file) with which it would be possible to have for example a whole virtuoso
server as a userdatabase for large amounts of users.

6. License Stuff

i added the apache-2 license to the sourceforge-project when creating it, i didn't realize that it is not displayed
anywhere, thanks for the pointer.
so basically it is the apache-2 license, more or less in the hope that it fits most use cases. please let me state that
i'm open for suggestions relating to this issue.

wkr http://www.turnguard.com/turnguard


----- Original Message -----
From: "Henry Story" <henry.story@bblfish.net>
To: "Jürgen Jakobitsch" <j.jakobitsch@semantic-web.at>, "bergi" <bergi@axolotlfarm.org>
Cc: "WebID Incubator Group WG" <public-xg-webid@w3.org>
Sent: Monday, November 7, 2011 11:28:30 PM
Subject: Re: WebID enabled PoolParty - was: ISSUE-40: A glossary of the preferred terms used for talking about the WebId architecture


On 7 Nov 2011, at 21:47, Jürgen Jakobitsch wrote:

> hi henry, thanks for your valuable input!
> 
> please find my answers below inline
> 
> wkr http://www.turnguard.com/turnguard
> 
> ----- Original Message -----
> From: "Henry Story" <henry.story@bblfish.net>
> To: "Jürgen Jakobitsch" <j.jakobitsch@semantic-web.at>
> Cc: "WebID Incubator Group WG" <public-xg-webid@w3.org>, "Andreas Blumauer" <a.blumauer@semantic-web.at>, "Helmut Nagy" <h.nagy@semantic-web.at>
> Sent: Monday, November 7, 2011 6:23:31 PM
> Subject: WebID enabled PoolParty - was: ISSUE-40: A glossary of the preferred terms used for talking about the WebId architecture
> 
> Ok,
> 
> So I just logged in (or I think I did) with WebID to your Pool Party
> 
>  https://pilot5.poolparty.biz:8443/PoolParty/index.jsp
> 
> I know you told me this, but it's important for others who want to try it out: Chrome does not work currently. One needs Firefox for this.
> 
> JJ : very true, it is mainly tested on firefox.
> 
> So really it is very difficult to use your service because I have no idea when or if I am logged in. You need:
> 
> - a test page where I can try out your login, and you can tell me if I fail to authenticate or not
> 
> JJ : 1. you are seeing the application, because it simply works in your case. you can try logging in with a dummy certificate (create yourself one
>     using fcns for a => non-existent <= webID and try to log in using this certificate). you'll see a page saying something along the lines of
>     "Cannot authenticate with the provided credentials".
>     2. you can also try to access the following page, which requires the role of a PoolPartyAdmin with your user
>        (https://pilot5.poolparty.biz:8443/PoolParty/templates/dialogs/admin/users/UserAdminAvailableUsers.jsp). you should see
>        a page along the lines of "403 - Access to the requested resource has been denied"

Ok, that helps. 

It would be even better if you had a structured page such as 
   https://foafssl.org/test/WebId
which returned some RDF as described on 
  http://www.w3.org/2005/Incubator/webid/wiki/Test_Suite
Bergi is working on simplifying the test suite, at least by highlighting the tests that are deprecated.

Then you can run all of Bergi's tests on your endpoint, which should help you catch a lot of problems.

> 
> 
> - at the minimum something that says "Hello bblfish" or "Hello Henry Story" or something of that nature. Many plus points for extracting the image from my foaf.
> 
> JJ : i added a "logged in as http://...." (logout) link in the right part of the menu (i'm going for the depiction-candy next time)

I get: 

   "logged in as http://www.turnguard.com/turnguard (logout)"

Should it be my name that appears there? Or did I just log in as you?

> 
>  Without that we cannot make any claim to have something that is easier to use than OpenId, OAuth or any of the other protocols.
> 
>  As far as the documentation goes the link you gave me seems to be password protected
>   https://grips.punkt.at/display/POOLDOKU/PoolParty+-+Quick+Start+Guide
> 
> JJ : i have to check with our confluence-admin (should be available for you soon)
> 
> 
>  One thing that I do think is *very_cool* is your technical discovery, pointed out today in the telconf that
> you can use the web.xml file to turn authentication on or off per resource. Web.xml is a standard way to set servlets.
> As you said during the telconf
> 
> [[
> the tomcat-webID realm is exactly analogous to tomcat-memory-userdatabase-realm,
> 
> see here http://tomcat.apache.org/tomcat-6.0-doc/config/realm.html
> tomcat webID realm source code : https://sourceforge.net/p/webidrealm/code/
> ]]
> 
> 
>    <security-constraint>
>        <web-resource-collection>
>            <web-resource-name>PoolParty</web-resource-name>
>            <description/>
>            <url-pattern>*.jsp</url-pattern>
>            <http-method>GET</http-method>
>            <http-method>POST</http-method>
>            <http-method>HEAD</http-method>
>            <http-method>PUT</http-method>
>            <http-method>OPTIONS</http-method>
>            <http-method>TRACE</http-method>
>            <http-method>DELETE</http-method>
>        </web-resource-collection>
>        <user-data-constraint>
>            <transport-guarantee>CONFIDENTIAL</transport-guarantee>
>        </user-data-constraint>
>        <auth-constraint>
>            <description/>
>            <role-name>http://turnguard.com/webid/poolparty/PoolPartyUser</role-name>
>        </auth-constraint>
>    </security-constraint>
>    <login-config>
>        <auth-method>CLIENT-CERT</auth-method>
>    </login-config>
>    <security-role>
>        <description/>
>        <role-name>http://turnguard.com/webid/poolparty/PoolPartyAdmin</role-name>
>    </security-role>
>    <security-role>
>        <description/>
>        <role-name>http://turnguard.com/webid/poolparty/PoolPartyUser</role-name>
>    </security-role>
> 
> 
> Is there a URL I can see that with? Like a URL where I can see something on PoolParty where I don't get my certificate requested, and one where I do?
> 
> JJ : 1. web.xml is locked away from external access, and can only be viewed by logging in via ssh.
>     2. currently only the index.html page is not protected. remember we are building an application and not a webpage, so there's not much
>        interaction without logging in - all other info about the application is on a totally different domain.


Which URL do you mean? I tried 

 - https://pilot5.poolparty.biz:8443/index.html
 - https://pilot5.poolparty.biz:8443/PoolParty/index.html ?

and each one asked me for my certificate.

> 
> I had a quick look at your code. Where is the WebID Authentication taking place?
> 
> JJ : authentication with tomcat-webID-realm works as follows :
>     1. when ssl is active, the SSLAuthenticationValve [1] is automatically invoked for every request
>     2. the sslAuthenticator retrieves the current Context's realm to do the authentication
>        (look for "context.getRealm().authenticate(certs)" in SSLAuthenticator.java)
>     3. now context.getRealm() returns my WebIDRealm [2], which extends RealmBase [3]
>     4. now context.getRealm().authenticate(certs) calls "authenticate(X509Certificate certs[])" (line 414) of RealmBase [3]
>     5. RealmBase in its authenticate(certs) method returns getPrincipal(certs[0]) and
>     6. i implemented getPrincipal(X509Certificate usercert) in my WebIDRealm [2] in line 50.

It seems that all the real verification is going on in WebIDUserDatabase.java [your 2]. Why not use SPARQL there? You would make your life a lot easier. For example right now we just moved to support cert:key which I don't think you support yet. You can copy the code then straight from 

 https://github.com/bblfish/foafssl-java/blob/master/foafssl-verifier-sesame/src/main/java/net/java/dev/sommer/foafssl/sesame/verifier/SesameFoafSslVerifier.java

If you want to see how it works with Jena then you can try 

 https://dvcs.w3.org/hg/read-write-web/file/3bb89aaaab51/src/main/scala/auth/WebIdClaim.scala

Or perhaps it would be cool to write a 

  foafssl-verifier-jena 

that would just work like foafssl-verifier-sesame

That we could add to the github repository, and so complete the pure Java implementation.

What licence are you publishing this under? It's not clear.


Henry

> 
>     [1] http://www.java2s.com/Open-Source/Java-Document/Sevlet-Container/tomcat-catalina/org/apache/catalina/authenticator/SSLAuthenticator.java.htm
>     [2] http://sourceforge.net/p/webidrealm/code/13/tree/trunk/src/main/java/com/turnguard/advanced/tomcat/webid/realm/WebIDUserDatabaseRealm.java
>     [3] http://www.docjar.com/html/api/org/apache/catalina/realm/RealmBase.java.html
> 
> thanks again, hope that helps, i'll let you know, when docu is available
> wkr www.turnguard.com/turnguard
> 
> 
>  Henry
> 
> On 2 Nov 2011, at 11:38, Jürgen Jakobitsch wrote:
>> 
>> Henry :
>> 
>> ACTION-48 todos : ...set some goals for what should be up there
>> 
>> JJ : my suggestion for the content of the thesaurus would be :
>> 
>> 1. the terms that are already in the spec [4]
>> 2. authentication terms in general. when starting with webID and authentication in general it would be (super)-great to have
>>  an authority which tells me what all these terms are (TLS, SSL, Authentication, Access Control, ACL, Handshake, PublicKey, PrivateKey, Modulus,
>>  Identity, OpenID, BrowserID)
>> 3. put all these terms in a context, so people know which broader concept a certain term belongs to.
>>  (an example from dbpedia : http://dbpedia.org/page/Category:Secure_Shell => broader => http://dbpedia.org/page/Category:Cryptographic_protocols => broader => http://dbpedia.org/page/Category:Cryptography)
>> 4. link to lod-resources on the web using our lookup-plugins. see an example of a resource (skos:Concept) which i linked to different
>>  lod (and non-lod) sources here [5]
>> 
>> the end effect would be that people can browse the thesaurus and have one single source of information on the area of authentication.
>> 
>> 
>> Other poolparty things to consider
>> 
>> JJ :
>> 
>> poolparty usage :
>> 
>> 1. i created a project here [5] with the name of "Playground" where you can try out things, create dummy concepts
>>  and edit labels as you like without destroying anything. to open the project : login using webID,
>>  choose from the menu : PROJECT => Load Project => Playground
>> 2. here you'll find documentation on how to use poolparty
>>  1. quick start : https://grips.punkt.at/display/POOLDOKU/PoolParty+-+Quick+Start+Guide
> 
> I need to login to a site here that asks me for a password.
> 
>>  2. create a ConceptScheme : https://grips.punkt.at/display/POOLDOKU/Create+the+Concept+Schemes+for+your+Project
>>  3. create a TopConcept : https://grips.punkt.at/display/POOLDOKU/Create+Top+Concepts+for+your+Project
>>  4. create a Concept : https://grips.punkt.at/display/POOLDOKU/Create+Concepts+for+your+Project
>> 3. please use PROJECT => Logout to actively log out
>> 4. If something goes wrong or doesn't react (nothing happens) please refresh the page.
>> 5. please note : export the project when you make changes (there's a sophisticated backup mechanism, but the devil
>>  doesn't sleep)
>> 6. when logged in, you find information about yourself by choosing : ABOUT POOLPARTY => Userinfo from the menu
>> 
>> poolparty project concept uri pattern :
>> 
>> 1. as mentioned previously we would need to agree on a uri pattern. the possible poolparty uri patterns look like this
>>  http://{subdomain.domain | domain}/{projectName}/{uuid | encoded(prefLabel) }. so i'm looking forward to another
>>  happy pattern-polling. i'd suggest as a starter
>> 
>>  - http://terms.webid.info/glossary (concept uri example : http://terms.webid.info/glossary/webid)
>>  - http://glossary.webid.info/webid (concept uri example : http://glossary.webid.info/webid/tls)
>>  - http://terms.webid.info/Authentication (concept uri example : http://terms.webid.info/Authentication/ssl)
>>  - http://vocab.webid.info/Authentication (concept uri example : http://vocab.webid.info/Authentication/Handshake)
>> 
>> workflow of creating the thesaurus :
>> 
>> we here also have a couple of opportunities :
>> 
>> 1. we can collaborate in doing so (please note that there's also a log which logs new concepts, deletions of concepts
>>  and concept merges [8]).
>> 2. i know that this is additional effort to come to terms with poolparty itself, so if you don't have time for this
>>  i offer to create concepts if someone asks me to.
>> 
>> Kingsley : Are you adding them to the user database or a group to which ACLs are applied?
>> 
>> JJ : There are no ACLs on a triple or graph basis or the like. I programmed an analogy of a tomcat-realm [7]
>>    for use with webIDs, so that it's possible to secure webapps or single jsp on an url-based pattern.
>>    you can try this url [6] which only PoolPartyAdmins are allowed to access.
>> 
>> if you :
>> 
>> 1. have a problem logging into PoolParty here [5]
>> 2. want to be granted access
>> 3. have a problem creating a resource
>> 4. have a problem linking a resource
>> 5. suggestions | questions concerning the thesaurus
>> 6. suggestions concerning improvements of the pp server
>> 7. any other thing concerning this topic
>> 
>> feel free to contact me via the mailing list, via skype (see below in my mail signature), or pm
>> 
>> next steps :
>> 
>> for group members :
>> 
>> 1. try to log in.
>> 2. try to add some concepts in Playground project
>> 3. important : decide on a concept uri pattern
>> 
>> please don't hesitate to bombard me with any question or suggestion.
>> 
>> p.s.: concerning the earl-tests : i'm currently still very busy and unfortunately couldn't do it until now, i'm on holiday
>>     from next week until the end of november, so realistically i'm able to implement the test suite by december.
>> 
>> wkr http://www.turnguard.com/turnguard
>> 
>> [1] http://poolparty.biz/
>> [2] http://www.w3.org/2005/Incubator/webid/team#we
>> [3] http://www.w3.org/RDF/Validator/
>> [4] http://www.w3.org/2005/Incubator/webid/spec/#terminology
>> [5] http://pilot5.poolparty.biz/WebID/OpenID.html
>> [6] https://pilot5.poolparty.biz:8443/PoolParty/templates/dialogs/admin/users/UserAdminAvailableUsers.jsp
>> [7] http://tomcat.apache.org/tomcat-6.0-doc/realm-howto.html
>> [8] https://grips.punkt.at/display/POOLDOKU/Logging+Information+for+a+Project
>> 
>> 
>> | Jürgen Jakobitsch,
>> | Software Developer
>> | Semantic Web Company GmbH
>> | Mariahilfer Straße 70 / Neubaugasse 1, Top 8
>> | A - 1070 Wien, Austria
>> | Mob +43 676 62 12 710 | Fax +43.1.402 12 35 - 22
>> 
>> COMPANY INFORMATION
>> | http://www.semantic-web.at/
>> 
>> PERSONAL INFORMATION
>> | web   : http://www.turnguard.com
>> | foaf  : http://www.turnguard.com/turnguard
>> | skype : jakobitsch-punkt
>> 
>> 
>> 
>> 
>> ----- Original Message -----
>> From: "Henry Story" <henry.story@bblfish.net>
>> To: "Jürgen Jakobitsch" <j.jakobitsch@semantic-web.at>
>> Cc: "WebID Incubator Group WG" <public-xg-webid@w3.org>
>> Sent: Thursday, October 20, 2011 10:37:05 AM
>> Subject: Re: close  ISSUE-40: A glossary of the preferred terms used for talking about the WebId architecture
>> 
>> Hi Jurgen.
>> 
>> thanks for your reply. Since you are very interested in the thesaurus project, we won't close the issue but just put you in charge of it. I like the idea of having it up as a wiki where members of this group can login with their webid and edit it. I think that would be a nice little use case too.
>> 
>> I can see the following todos then:
>> 
>>  -1 have a server which we can use and login and members of the team can update the ontology
>>  -2 set some goals for what should be up there (I am not a thesaurus specialist, so I don't really know what we should be trying to do here)
>> 
>>   I have added that here
>> 
>>    ACTION-48: Jürgen Jakobitsch to put up thesaurus wiki available to team
>> 
>> To report back in a couple of weeks. You don't seem to be an official member of the XG - if you want just ask for it - so I put it down as an action for me. But I can add you to the team for sure. Just send me your webid.
>> 
>> If possible it would be really nice if you could have your endpoint generate the EARL as described here
>> 
>>   http://www.w3.org/2005/Incubator/webid/wiki/Test_Suite
>> 
>>  so that we can help you debug your implementation, and so that we can write a report on what is supported in the community. This can then be very useful in helping us provide guidelines for what formats people should support when deploying webid profiles, and for adding elements to the spec in a way guided by deployments.
>> 
>>  Henry
>> 
>> 
>> On 20 Oct 2011, at 09:45, Jürgen Jakobitsch wrote:
>> 
>>> hi all,
>>> 
>>> ... --- ... (save our skos)
>>> 
>>> as you know, we have set up a poolparty demo server [1] to which one can log on using webID.
>>> this server can be used to easily create a skos thesaurus.
>>> i could add all members of webID#we [2] to the user database to grant them access and
>>> support every single one in creating concepts.
>>> 
>>> i'm convinced from the bottom of my heart that creating a thesaurus is always an extremely good idea.
>>> keep in mind : you all know the terms and conditions relating to the webID topic, but many who
>>> are in decision-position or simply interested do not, a thesaurus would certainly help.
>>> 
>>> besides that i would consider creating and publishing a thesaurus simply a matter of principle and good linked manners...
>>> 
>>> some words on the possible settings for a thesaurus created with poolparty :
>>> 1. every baseURL can be used to create linked data (i.e.: http://vocab.webid.info)
>>> 2. concept URIs are following this pattern : {baseURL}/{projectName}/{prefLabel}
>>> some samples of concept uris that are possible:
>>> vocab.webid.info/terms/conceptX
>>> glossary.webid.info/webid/conceptX
>>> ...
>>> the sub-domain should point to our server so the concepts are really linked.
>>> anyway the thesaurus could also be exported on a regular basis and hosted elsewhere.
>>> 
>>> 3. with poolparty there's the possibility to link the concept to other resources using lookups.
>>> (of interest would be, besides standard lookups like dbpedia, sindice, freebase and LCSH for example,
>>>  an experimental google-patent lookup or an epo (european patent office) [3] lookup.)
>>> 
>>> 
>>> there are then a couple of possibilities to fill the thesaurus :
>>> 
>>> 1. one of the members of [2] gets the task and gets an introduction to use poolparty from me
>>> 2. there's a community effort, we then could do a telco where everybody is informed how to use the thesaurus
>>> 3. i could also personally do it, in case others don't want or don't have the time to (i'd be happy to do so).
>>> 
>>> meanwhile you can find an example of a webID-thesaurus-sample i did, when setting up the server here [4]
>>> 
>>> please note that there are of course many other ways to create a thesaurus and this is only a suggestion.
>>> 
>>> wkr http://www.turnguard.com/turnguard
>>> 
>>> [1] pilot5.poolparty.biz/PoolParty
>>> [2] www.w3.org/2005/Incubator/webid/team#we
>>> [3] www.epo.org
>>> [4] http://pilot5.poolparty.biz/WebID/Authentication
>>> 
>>> ----- Original Message -----
>>> From: "Henry Story" <henry.story@bblfish.net>
>>> To: "WebID Incubator Group WG" <public-xg-webid@w3.org>
>>> Sent: Thursday, October 20, 2011 12:40:54 AM
>>> Subject: close  ISSUE-40: A glossary of the preferred terms used for talking about the WebId architecture
>>> 
>>> It turns out that not much has happened in this respect on the wiki here:
>>> 
>>> http://www.w3.org/2005/Incubator/webid/wiki/Terminology
>>> 
>>> There is a terminology section in the spec in any case
>>> 
>>> http://www.w3.org/2005/Incubator/webid/spec/#terminology
>>> 
>>> Are there terms that need to be added to the spec?
>>> 
>>>  Henry
>>> 
>>> 
>>> Social Web Architect
>>> http://bblfish.net/
>>> 
>>> 
>>> 
>> 
>> 
>> 
>> 
>> 
> 
> 
> 
> 




-- 
| Jürgen Jakobitsch, 
| Software Developer
| Semantic Web Company GmbH
| Mariahilfer Straße 70 / Neubaugasse 1, Top 8
| A - 1070 Wien, Austria
| Mob +43 676 62 12 710 | Fax +43.1.402 12 35 - 22

COMPANY INFORMATION
| http://www.semantic-web.at/

PERSONAL INFORMATION
| web   : http://www.turnguard.com
| foaf  : http://www.turnguard.com/turnguard
| skype : jakobitsch-punkt
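The authentication flow described in the thread (SSLAuthenticator hands the client certificate to the realm's getPrincipal, the realm picks the principal, and the <auth-constraint> in web.xml then grants or denies the *.jsp resources) leaves one step implicit: a SAN URI in the certificate is only a claim, and the realm must confirm that the dereferenced WebID profile actually lists the presented public key. The Python below is an added illustration of that step written for this archive page, not code from the WebIDRealm project or from PoolParty; the N-Triples profile, the role table and the in-memory stand-in for dereferencing a WebID are all constructed, and the cert:key / cert:modulus / cert:exponent vocabulary follows the WebID spec referenced in the thread.

```python
import re

CERT = "http://www.w3.org/ns/auth/cert#"
XSD = "http://www.w3.org/2001/XMLSchema#"
# Role URIs exactly as the quoted web.xml names them.
ROLE_USER = "http://turnguard.com/webid/poolparty/PoolPartyUser"
ROLE_ADMIN = "http://turnguard.com/webid/poolparty/PoolPartyAdmin"

# Constructed profile document (N-Triples) in the cert:key shape the thread mentions.
# Spacing/case in the first modulus is deliberate (profiles in the wild look like
# that); the second key is malformed on purpose and must never match anything.
PROFILE_NT = f"""
<http://www.turnguard.com/turnguard> <{CERT}key> _:k1 .
_:k1 <{CERT}modulus> "00 c9 AF 13 7e"^^<{XSD}hexBinary> .
_:k1 <{CERT}exponent> "65537"^^<{XSD}integer> .
<http://www.turnguard.com/turnguard> <{CERT}key> _:k2 .
_:k2 <{CERT}modulus> "not hex"^^<{XSD}hexBinary> .
_:k2 <{CERT}exponent> "3"^^<{XSD}integer> .
"""
# Constructed stand-in for dereferencing a WebID over HTTP: URI -> document.
PROFILES = {"http://www.turnguard.com/turnguard": PROFILE_NT}
# Constructed stand-in for the realm's user database: WebID -> roles.
USER_ROLES = {"http://www.turnguard.com/turnguard": [ROLE_USER, ROLE_ADMIN]}

# Minimal N-Triples grammar: IRIs, blank nodes and (optionally typed) literals.
TRIPLE = re.compile(r'^(<[^>]*>|_:\S+)\s+(<[^>]*>)\s+(<[^>]*>|_:\S+|"[^"]*"(?:\^\^<[^>]*>)?)\s*\.$')


def term(token):
    """IRI -> its string, blank node -> '_:x', literal -> its lexical form."""
    m = re.match(r'^"([^"]*)"', token)
    return m.group(1) if m else token.strip("<>")


def parse_ntriples(text):
    """(subject, predicate, object) tuples; lines outside the tiny grammar are skipped."""
    out = []
    for line in text.splitlines():
        m = TRIPLE.match(line.strip())
        if m:
            out.append(tuple(term(t) for t in m.groups()))
    return out


def modulus_int(hex_text):
    """xsd:hexBinary as found in profiles -> int; spaces, case and leading zeros ignored."""
    if not re.fullmatch(r"[0-9a-fA-F\s]+", hex_text):
        raise ValueError("modulus is not hexBinary")
    return int(re.sub(r"\s+", "", hex_text), 16)


def keys_claimed_by(webid, triples):
    """(modulus, exponent) pairs attached to webid via cert:key; broken keys are dropped."""
    keys = []
    for node in [o for s, p, o in triples if s == webid and p == CERT + "key"]:
        props = {p: o for s, p, o in triples if s == node}
        try:
            keys.append((modulus_int(props[CERT + "modulus"]), int(props[CERT + "exponent"])))
        except (KeyError, ValueError):
            continue  # missing or malformed modulus/exponent: never treat as a match
    return keys


def authenticate(san_uris, cert_modulus, cert_exponent, profiles=PROFILES):
    """Core of getPrincipal(X509Certificate): a SAN URI is the principal only if its profile lists the key."""
    for uri in san_uris:
        doc = profiles.get(uri)
        if doc is None:
            continue  # non-existent WebID, the dummy-certificate case from the thread
        if (cert_modulus, cert_exponent) in keys_claimed_by(uri, parse_ntriples(doc)):
            return uri
    return None  # realm answers "Cannot authenticate with the provided credentials"


def authorise(webid, required_role, user_roles=USER_ROLES):
    """The <auth-constraint> decision: authenticated but without the role means 403."""
    return webid is not None and required_role in user_roles.get(webid, [])
```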

Received on Monday, 7 November 2011 22:56:39 UTC