
Re: Safe manipulation of RDF data

From: Holger Knublauch <holger@topquadrant.com>
Date: Wed, 11 Sep 2019 09:48:02 +1000
To: semantic-web@w3.org
Message-ID: <20f5204b-6d95-b877-8b8e-aa30c1626b88@topquadrant.com>
On 10/09/2019 20:24, Mikael Pesonen wrote:

>
> Very much agree on this, there are some standards but they are a bit 
> scattered and not working optimally together.
>
> We are just designing the framework for building various kinds of 
> apps. It has the components
> js/REACT web app -- middleware / proxy -- Apache Jena
> First app will have input forms and we are doing data validation using 
> SHACL. Now that you mentioned, SHACL rules could be used also as a 
> proxy, so that's an option too. There are just not too many examples 
> of that.

At TopQuadrant we are probably doing exactly that, and use SHACL as a 
schema definition language to describe which properties/paths are 
relevant for a given "view". A view here is represented by a node shape, 
and typically maps to an input or display form for users. Different 
users can see different forms, or users can switch between forms, if 
multiple node shapes target the currently focused resource. Shapes may 
or may not align with class definitions. One user's ex:Person may be 
another user's ex:Customer, yet the underlying triples may be the same.

We use SHACL to automatically generate GraphQL schemas to produce a 
"natural" API for "mainstream" developers. The SHACL-GraphQL mapping is 
described at https://www.topquadrant.com/technology/graphql/

The form generation is described at http://datashapes.org/forms.html

Holger


>
>
> On 10/09/2019 13:11, Dave Raggett wrote:
>> Hi Mikael,
>>
>> I guess it depends on exactly what your requirements are. For 
>> instance, you might want to limit access to particular parts of the 
>> dataset, offering different views depending upon the security 
>> clearance of a given client. Another concern might be in respect to 
>> denial of service attacks through malicious choices of queries.
>>
>> Another way of thinking about this relates to contracts between the 
>> supplier and consumer of information services. The contract could 
>> specify the precise interfaces to be exposed to the consumer, along 
>> with terms and conditions for the use of this information. The Web of 
>> Things could be helpful as it allows the supplier to use JSON-LD to 
>> describe the interfaces in terms of objects with properties, actions 
>> and events, which are exposed locally to the client code running in 
>> the consumer’s machine.
>>
>> Graph shapes could be a useful component for specifying contracts, 
>> e.g. SHACL or ShEx, as they allow you to define validity constraints 
>> for data exchanged between the supplier and consumer.
>>
>> I would like to encourage more work on open standards for open 
>> markets for information services, including standards relating to 
>> smart contracts, service discovery, service management and automatic 
>> security updates for application software.
>>
>> Best regards,
>> Dave
>>
>>> On 6 Sep 2019, at 14:17, Mikael Pesonen <mikael.pesonen@lingsoft.fi> 
>>> wrote:
>>> we are developing a public javascript / React application which 
>>> manipulates RDF data on a triplestore (Jena).
>>> For security reasons it is not feasible to allow the application to 
>>> make direct queries to the triplestore.
>>>
>>> What kind of strategies and implementations there are to tackle 
>>> this? Some kind of middleware should be needed and Linked data 
>>> Fragments is one standard that comes to mind.
>> Dave Raggett <dsr@w3.org> http://www.w3.org/People/Raggett
>> W3C Data Activity Lead & W3C champion for the Web of things
>>
>>
>>
>
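As an added illustration of the "shapes as views" idea in Holger's reply (example shapes written for this archive page, not TopQuadrant's or datashapes.org's own code): two node shapes target the same resource, each declaring only the property paths its view is allowed to see, so a form or GraphQL type derived from ex:CustomerShape never exposes ex:dateOfBirth, while the Person view never exposes ex:accountNumber. Everything under the ex: prefix is an assumed example vocabulary.

```turtle
@prefix sh:  <http://www.w3.org/ns/shacl#> .
@prefix xsd: <http://www.w3.org/2001/XMLSchema#> .
@prefix ex:  <http://example.org/ns#> .

# Underlying data (constructed): one node that is both a Person and a Customer.
ex:alice
    a ex:Person, ex:Customer ;
    ex:name "Alice" ;
    ex:dateOfBirth "1980-01-01"^^xsd:date ;
    ex:accountNumber "ACME-00042" .

# View 1 (HR form): a person's personal details. Only the paths declared
# here are part of this view, so a form generated from it has no
# account-number field.
ex:PersonShape
    a sh:NodeShape ;
    sh:targetClass ex:Person ;
    sh:property [
        sh:path ex:name ;
        sh:datatype xsd:string ;
        sh:minCount 1 ; sh:maxCount 1 ;
    ] ;
    sh:property [
        sh:path ex:dateOfBirth ;
        sh:datatype xsd:date ;
        sh:maxCount 1 ;
    ] .

# View 2 (sales form): the same node seen as a customer. The date of birth
# is not a declared path, so it is invisible to this view; input through
# this form is validated against the account-number format before it is
# written back to the store.
ex:CustomerShape
    a sh:NodeShape ;
    sh:targetClass ex:Customer ;
    sh:property [
        sh:path ex:name ;
        sh:datatype xsd:string ;
        sh:minCount 1 ; sh:maxCount 1 ;
    ] ;
    sh:property [
        sh:path ex:accountNumber ;
        sh:datatype xsd:string ;
        sh:pattern "^ACME-[0-9]{5}$" ;     # assumed account-number format
        sh:minCount 1 ; sh:maxCount 1 ;
    ] .
```

Validating ex:alice against either shape conforms, because each shape only constrains the paths it declares; the two views differ in what they expose, not in the triples underneath.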
Received on Tuesday, 10 September 2019 23:48:29 UTC
