Author: buildbot
Date: Tue Sep 10 20:10:44 2013
New Revision: 877957
Log:
Staging update by buildbot for jena
Modified:
websites/staging/jena/trunk/content/ (props changed)
websites/staging/jena/trunk/content/documentation/security/index.html
Propchange: websites/staging/jena/trunk/content/
------------------------------------------------------------------------------
--- cms:source-revision (original)
+++ cms:source-revision Tue Sep 10 20:10:44 2013
@@ -1 +1 @@
-1521598
+1521622
Modified: websites/staging/jena/trunk/content/documentation/security/index.html
==============================================================================
--- websites/staging/jena/trunk/content/documentation/security/index.html
(original)
+++ websites/staging/jena/trunk/content/documentation/security/index.html Tue
Sep 10 20:10:44 2013
@@ -177,17 +177,26 @@ to the Evaluator before allowing the cal
this is done correctly. The required permissions are specified in the javadoc
for object classes
(e.g. SecuredGraph, SecuredModel).</p>
<p>Conceptually the framework implements 2 levels of security: graph and
triple.</p>
-<p>The graph restrictions are applied before triple restrictions. So the
system will call
- evaluate( Action action, SecNode graphIRI );
-to ask can the current user "Read" (Action) graph X (graphIRI) as
<code>evaluate( Action.READ, X )</code>.</p>
-<p>if the answer is yes then the system will call
- evaluate( Action action, SecNode graphIRI, SecTriple triple );
-to ask if the current user can "Read" (Action) from graph X (graphIRI) all
triples (SecTriple) as
+<p>The graph restrictions are applied before triple restrictions. So the
system will call </p>
+<div class="codehilite"><pre><span class="n">evaluate</span><span
class="p">(</span> <span class="n">Action</span> <span
class="n">action</span><span class="p">,</span> <span class="n">SecNode</span>
<span class="n">graphIRI</span> <span class="p">);</span>
+</pre></div>
+
+
+<p>to ask can the current user "Read" (Action) graph X (graphIRI) as
<code>evaluate( Action.READ, X )</code>.</p>
+<p>if the answer is yes then the system will call</p>
+<div class="codehilite"><pre><span class="n">evaluate</span><span
class="p">(</span> <span class="n">Action</span> <span
class="n">action</span><span class="p">,</span> <span class="n">SecNode</span>
<span class="n">graphIRI</span><span class="p">,</span> <span
class="n">SecTriple</span> <span class="n">triple</span> <span
class="p">);</span>
+</pre></div>
+
+
+<p>to ask if the current user can "Read" (Action) from graph X (graphIRI) all
triples (SecTriple) as
<code>evaluate( Action.READ, X, SecTriple.ALL )</code>.</p>
<p>if the answer is yes then the system will execute the call, if the answer
is no then for each
-potential triple the user might read the system will call
- evaluate( Action action, SecNode graphIRI, SecTriple triple );
-to ask if the current user can "Read" (Action) from graph X (graphIRI) the
triple in question
+potential triple the user might read the system will call</p>
+<div class="codehilite"><pre><span class="n">evaluate</span><span
class="p">(</span> <span class="n">Action</span> <span
class="n">action</span><span class="p">,</span> <span class="n">SecNode</span>
<span class="n">graphIRI</span><span class="p">,</span> <span
class="n">SecTriple</span> <span class="n">triple</span> <span
class="p">);</span>
+</pre></div>
+
+
+<p>to ask if the current user can "Read" (Action) from graph X (graphIRI) the
triple in question
(<triple>) as <code>evaluate( Action.READ, X, <triple> )</code>.</p>
<p>Jena-security performs similar checks for all creates, reads, updates and
deletes. (CRUD). It also does this
for all classes that can be returned from the secured classes. For example an
RDFList returned
@@ -197,11 +206,17 @@ list.</p>
<p>Jena-security provides three special nodes to facilitate evaluation of
security policy constraints.</p>
<h4 id="secnodeany">SecNode.ANY</h4>
<p>This is similar to the Jena <code>Node.ANY</code> node. It matches any
node. In general the system will ask if
-the user can access a graph by executing
- evaluate( Action, GraphIRI )
-if the user can access the graph then the system will execute
- evaluate( Action, GraphIRI, <SecNode.ANY, SecNode.ANY, SecNode.ANY )
-to determine if the user can perform the action on all triples. If not then
the system will attempt to
+the user can access a graph by executing </p>
+<div class="codehilite"><pre><span class="n">evaluate</span><span
class="p">(</span> <span class="n">Action</span><span class="p">,</span> <span
class="n">GraphIRI</span> <span class="p">)</span>
+</pre></div>
+
+
+<p>if the user can access the graph then the system will execute</p>
+<div class="codehilite"><pre><span class="n">evaluate</span><span
class="p">(</span> <span class="n">Action</span><span class="p">,</span> <span
class="n">GraphIRI</span><span class="p">,</span> <span
class="o"><</span><span class="n">SecNode</span><span
class="p">.</span><span class="n">ANY</span><span class="p">,</span> <span
class="n">SecNode</span><span class="p">.</span><span class="n">ANY</span><span
class="p">,</span> <span class="n">SecNode</span><span class="p">.</span><span
class="n">ANY</span> <span class="p">)</span>
+</pre></div>
+
+
+<p>to determine if the user can perform the action on all triples. If not
then the system will attempt to
determine if the user perform the action on each specific triple. In some
cases the system can determine that
the range of nodes involved in the action a sub set of all nodes and will call
<code>evaluate</code> with some constant
nodes.</p>
@@ -267,13 +282,19 @@ that have subject X and predicate Y.</p>
<p>Insertions pose a different set of problems in that in some cases the
system does not know what value will be
inserted. For example when concatenating one RDFList with another
(<code>rdfList.concatenate( rdfList2 )</code>) the system
will create a series of anonymous nodes. To check for these the
<code>SecNode.FUTURE</code> is used. Initially the system will
-call
- evaluate( Action.CREATE, X, <SecNode.FUTURE, RDF.first, SecNode.ANY )
-to ascertain if the user can create a triple in graph X that has an anonymous
node (SecNode.FUTURE) as the subject,
+call </p>
+<div class="codehilite"><pre><span class="n">evaluate</span><span
class="p">(</span> <span class="n">Action</span><span class="p">.</span><span
class="n">CREATE</span><span class="p">,</span> <span class="n">X</span><span
class="p">,</span> <span class="o"><</span><span
class="n">SecNode</span><span class="p">.</span><span
class="n">FUTURE</span><span class="p">,</span> <span class="n">RDF</span><span
class="p">.</span><span class="n">first</span><span class="p">,</span> <span
class="n">SecNode</span><span class="p">.</span><span class="n">ANY</span>
<span class="p">)</span>
+</pre></div>
+
+
+<p>to ascertain if the user can create a triple in graph X that has an
anonymous node (SecNode.FUTURE) as the subject,
RDF.first as the predicate and any node as the object. If this is not allowed
then for every node in <code>rdfList2</code>
-the system will call
- evaluate( Action.CREATE, X, <SecNode.FUTURE, RDF.first, node )
-where <code>node</code> is the node from <code>rdfList2</code> to be added.</p>
+the system will call</p>
+<div class="codehilite"><pre><span class="n">evaluate</span><span
class="p">(</span> <span class="n">Action</span><span class="p">.</span><span
class="n">CREATE</span><span class="p">,</span> <span class="n">X</span><span
class="p">,</span> <span class="o"><</span><span
class="n">SecNode</span><span class="p">.</span><span
class="n">FUTURE</span><span class="p">,</span> <span class="n">RDF</span><span
class="p">.</span><span class="n">first</span><span class="p">,</span> <span
class="n">node</span> <span class="p">)</span>
+</pre></div>
+
+
+<p>where <code>node</code> is the node from <code>rdfList2</code> to be
added.</p>
</div>
</div>
