On 28/01/15 13:45, Stian Soiland-Reyes wrote:
Right - but ideally I should be allowed to stay anonymous until trying
to do sysadmin stuff (e.g. "Manage datasets")

Shiro only triggers for certain URLs.  See shiro.ini.

[urls]
## Control functions open to anyone
/$/status = anon
/$/ping   = anon

## and the rest are restricted to localhost.
/$/** = localhost
...
# Everything else
/**=anon

Looking at this closer, it seems to give the first 401 on a GET
http://localhost:8081/$/server

I can cancel the dialogue, and now I don't get any drop-down list
under http://localhost:8081/dataset.html

It is making an admin call to find out about datasets. Whether that is to be made admin-only or not depends on style. It's not SPARQL protocol.

And if you want high grade security - put it behind an Apache httpd or similar and use that.


The suggested shiro.ini does indeed protect almost everything under /$/:

https://github.com/apache/jena/blob/master/jena-fuseki2/jena-fuseki-core/src/main/resources/org/apache/jena/fuseki/server/shiro.ini#L25

I edited this to do basicauth exactly as it says in the comments there
  (but with a pwgen-generated password)



What does /$/server do?

The machine that goes 'ping'

See web.xml.

Calls ActionServerStatus to see if it is alive and run the green/red indicator.



On 28 January 2015 at 13:30, Andy Seaborne wrote:
On 26/01/15 16:53, Stian Soiland-Reyes wrote:

# Questions to dev@jena

Q: I don't know why Fuseki (here with basic auth) always asks for the
admin password - perhaps some Fuseki / shiro.ini experts can help? Is
it because of the server status icon?


Not an expert but with some digging ...

What seems to be happening is that if you turn off localhost authentication
and turn on basic authentication, then the user/password has to go in every
request.  There is no session state, cookies whatever in basic
authentication.

Usually the way to do that is to have the browser remember the details and
it will send them when asked.

I guess you have told your browser not to record user/password.

There is a two-hop exchange via a 401 - the web UI does not know the
user/password to add to each GET/POST - maybe it is easy to configure the
environment to do that, I don't know, not my area of expertise.

Having the Fuseki code add user/password seems rather heavy and with such a
common setup I wonder if there is a way to tell jQuery or whatever is doing
the HTTP bit to learn the details (not that basic auth is very safe unless
it's an SSL connection).

         Andy

https://issues.apache.org/jira/browse/SHIRO-20 for digest auth.
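The two things the thread turns on, the first-match ordering of the shiro.ini [urls] chains and the stateless basic-auth 401 round trip, as an added worked model (example code written for this page, not Jena or Shiro code). It assumes the "authcBasic" filter name used in the shiro.ini comments, a constructed user store in place of a [users] section, and a Python translation of Shiro's Ant-style path matching; it does not talk to a running Fuseki.

```python
import base64
import hmac
import re

# Constructed model of the [urls] section quoted in the thread.
# Shiro resolves a request against these in order; the first match wins.
LOCALHOST_RULES = [
    ("/$/status", "anon"),
    ("/$/ping", "anon"),
    ("/$/**", "localhost"),
    ("/**", "anon"),
]

# The basic-auth variant the thread switches to (assumed filter name
# "authcBasic", as in the shiro.ini comments).
BASICAUTH_RULES = [
    ("/$/status", "anon"),
    ("/$/ping", "anon"),
    ("/$/**", "authcBasic"),
    ("/**", "anon"),
]

# Constructed credential store standing in for a [users] section.
USERS = {"admin": "pwgen-style-secret"}
REALM = "Fuseki"


def ant_to_regex(pattern):
    """Translate an Ant-style pattern to an anchored regex: '**' spans path
    separators, '*' and '?' stay within one segment, everything else is
    literal (including the '$' in '/$/status')."""
    out, i = "", 0
    while i < len(pattern):
        if pattern.startswith("**", i):
            out += ".*"
            i += 2
        elif pattern[i] == "*":
            out += "[^/]*"
            i += 1
        elif pattern[i] == "?":
            out += "[^/]"
            i += 1
        else:
            out += re.escape(pattern[i])
            i += 1
    return re.compile("^" + out + "$")


def first_match(rules, path):
    """Name of the filter on the first pattern matching path, or None."""
    for pattern, filt in rules:
        if ant_to_regex(pattern).match(path):
            return filt
    return None


def basic_header(user, password):
    """The Authorization header a client has to attach to every request;
    base64 is an encoding, not encryption, hence the TLS caveat."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return "Basic " + token


def parse_basic(header):
    """(user, password) from an Authorization header, or None if absent,
    not Basic, not valid base64, or missing the ':' separator."""
    if not header:
        return None
    scheme, _, token = header.partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    user, sep, password = decoded.partition(":")
    return (user, password) if sep else None


def decide(rules, path, remote_addr, authorization=None):
    """Simulate one request through the chain. Returns (status, challenge)."""
    filt = first_match(rules, path)
    if filt in (None, "anon"):
        return 200, None
    if filt == "localhost":
        return (200, None) if remote_addr in ("127.0.0.1", "::1") else (403, None)
    if filt == "authcBasic":
        creds = parse_basic(authorization)
        if creds:
            user, password = creds
            expected = USERS.get(user, "").encode()
            if user in USERS and hmac.compare_digest(expected, password.encode()):
                return 200, None
        # No or bad credentials: challenge. Nothing is remembered server-side,
        # so the next request without a header gets this same 401 again.
        return 401, f'Basic realm="{REALM}"'
    raise ValueError(f"unknown filter {filt}")


if __name__ == "__main__":
    # The calls the web UI makes while loading dataset.html, per the thread.
    for rules, label in ((LOCALHOST_RULES, "localhost"), (BASICAUTH_RULES, "authcBasic")):
        print(f"--- /$/** = {label}, client on loopback")
        for path in ("/$/ping", "/$/server", "/dataset.html"):
            print(path, decide(rules, path, "127.0.0.1"))
    print("remote client, localhost rules:", decide(LOCALHOST_RULES, "/$/server", "10.0.0.5"))
    hdr = basic_header("admin", USERS["admin"])
    print("with header:", decide(BASICAUTH_RULES, "/$/server", "127.0.0.1", hdr))
    print("next request, no header:", decide(BASICAUTH_RULES, "/$/server", "127.0.0.1"))
```

Two points the model makes concrete: `/$/server` is reached only through the `/$/**` line, so it is the first UI call to be challenged once that line is no longer `localhost`, and the challenge repeats on every request because the filter keeps no state. Order also matters: putting `/$/**` above `/$/ping` would make the ping endpoint require credentials too, since the first matching line decides.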



