> On 9 Oct 2018, at 08:01, Rob Atkinson <robatkinson...@gmail.com> wrote:
> 
> AFAICT if I want to invoke an EDG service without pasting into a browser I 
> need to provide authentication - possibly however that's via a session cookie?

If EDG is installed on Tomcat with “Form authentication”, then authentication 
is via session cookie and the login form.

If EDG is installed on Tomcat with “Basic authentication”, then it’s via HTTP 
basic auth.

If EDG is running from TBCME, authentication is via a username cookie.

> I have tried using the SPARQLmotion "import text from URL" as the only 
> obvious way I can see to invoke a URL inside SPARQLmotion - but it's not 
> obvious how access control to web services is handled.
> 
> The most comprehensive overview I can find is 
> https://www.topquadrant.com/2015/07/24/web-services-and-topquadrant-products/ 
> but this is completely silent on access control.
> 
> If I use a browser not logged into EDG I get the same result I get from TBC - 
> another Null pointer exception.
> 
> 1) Is there a better way of invoking an EDG service within TBC?

Besides sml:ImportTextFromURL, there is also sml:PostRequest which is found 
under “Export to Remote” and can be used to do a wide range of HTTP POST 
requests. Both modules have a username and password field, and should 
automatically use form authentication or basic authentication as needed by the 
destination server.

If the script is SWP instead of SPARQLMotion, and the target service is 
implemented in SWP and running on the same machine, then one could just call 
the target service directly as an SWP element, and bypass the HTTP request (and 
authentication headaches). That works because an SWP-implemented service is 
just an SWP element that can be called from HTTP.

> 2) what are the EDG user/permissions/roles etc needed to provide password 
> controlled access to services?

Checking of credentials is handled in a uniform way by the servlet container. 
The client needs to submit the credentials in the appropriate fashion, see 
above. The container then checks the credentials and, if they are valid, tells 
EDG the name and groups of the authenticated user.

Any attempt to read from a graph is automatically permission-checked. If the 
currently authenticated user does not have read permission on the graph, an 
exception will be thrown. For services where these automatic read-access checks 
are insufficient, the service (if implemented in SWP) will use functions such 
as smf:currentUserName, smf:canRead, smf:canWrite, 
teamwork:currentUserHasPrivilege and uix:isAdmin to check that the current user 
is allowed to do whatever the service does.

The most important resources under access control are the EDG asset 
collections. They have viewer, editor and manager permissions that can be set 
directly in the UI or indirectly through governance roles.

> 3) Is there a way to avoid putting passwords into SparqlMotion scripts 
> (perhaps a SPIN template to retrieve them from EDG configuration somehow?)

Normal EDG configuration and SparqlMotion scripts are both stored as Turtle 
files in the workspace, so there doesn’t seem to be a security advantage to 
storing passwords in the configuration.

EDG stores passwords in the encrypted “Secure Storage” facility (accessible 
under Server Administration > Password Management). Some SPARQLMotion modules 
have a securePasswordURL argument that, I think, instructs the module to use a 
password from the secure storage. I don’t think I ever tried this, and the 
argument seems to be available only on some of the modules that perform 
authentication, but that seems to be the proper way.

Richard
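The two Tomcat cases Richard describes (form authentication via the login form and session cookie, HTTP basic auth via the Authorization header) as a runnable exchange. This is an added example, not code from the thread or from TopQuadrant: a small stand-in for the servlet container runs in a thread so the client side can be exercised offline, and for brevity the stub accepts both methods, whereas a real Tomcat is configured for one. The context path /edg, the service URL /edg/service and the account alice/s3cret are constructed; j_security_check with j_username/j_password is the servlet-spec form-login action. One caveat worth knowing: Tomcat answers a direct POST to j_security_check with 400 ("Invalid direct reference to form login page") unless a session with a pending request already exists, so a script has to request the protected URL first, keep the JSESSIONID, post the credentials under it, and then request the URL again. The TBCME username-cookie case is not covered.

```python
import base64
import http.client
import os
import threading
import urllib.parse
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed for this example; real context path, URLs and accounts vary.
USERS = {"alice": "s3cret"}
SERVICE = "/edg/service"
LOGIN = "/edg/j_security_check"   # servlet-spec form-login action
SESSIONS = {}                     # JSESSIONID -> user name (None until login)

def session_from_cookie(header):
    # Works for both a Cookie and a Set-Cookie header value.
    for part in (header or "").split(";"):
        name, _, value = part.strip().partition("=")
        if name == "JSESSIONID":
            return value
    return None

class StubContainer(BaseHTTPRequestHandler):
    """Stand-in for Tomcat in front of EDG (not TopQuadrant code)."""

    def log_message(self, *args):
        pass

    def _authenticated_user(self):
        auth = self.headers.get("Authorization", "")
        if auth.startswith("Basic "):
            user, _, pw = base64.b64decode(auth[6:]).decode().partition(":")
            return user if USERS.get(user) == pw else None
        return SESSIONS.get(session_from_cookie(self.headers.get("Cookie")))

    def _reply(self, status, body, extra=()):
        data = body.encode()
        self.send_response(status)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(data)))
        for name, value in extra:
            self.send_header(name, value)
        self.end_headers()
        self.wfile.write(data)

    def do_GET(self):
        user = self._authenticated_user()
        if user:
            return self._reply(200, f"service result for {user}")
        if "Authorization" in self.headers:
            return self._reply(401, "bad credentials",
                               [("WWW-Authenticate", 'Basic realm="EDG"')])
        # Form auth: serve the login page and open the session the login binds to.
        sid = base64.b16encode(os.urandom(8)).decode()
        SESSIONS[sid] = None
        self._reply(200, "login form",
                    [("Set-Cookie", f"JSESSIONID={sid}; Path=/edg; HttpOnly")])

    def do_POST(self):
        sid = session_from_cookie(self.headers.get("Cookie"))
        if self.path != LOGIN or sid not in SESSIONS:
            # Tomcat likewise answers 400 to a POST with no pending session.
            return self._reply(400, "invalid direct reference to form login page")
        length = int(self.headers.get("Content-Length", 0))
        form = urllib.parse.parse_qs(self.rfile.read(length).decode())
        user = form.get("j_username", [""])[0]
        if USERS.get(user) != form.get("j_password", [""])[0]:
            return self._reply(403, "access denied")
        SESSIONS[sid] = user
        self._reply(302, "", [("Location", SERVICE)])

def start_stub():
    server = HTTPServer(("127.0.0.1", 0), StubContainer)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server.server_address

def request(host, port, method, path, headers=None, body=None):
    """One round trip: (status, body text, JSESSIONID from Set-Cookie or None)."""
    conn = http.client.HTTPConnection(host, port, timeout=5)
    conn.request(method, path, body=body, headers=headers or {})
    resp = conn.getresponse()
    text = resp.read().decode()
    conn.close()
    return resp.status, text, session_from_cookie(resp.getheader("Set-Cookie"))

def call_with_basic_auth(host, port, username, password):
    """Basic auth: a single request carrying the base64 credentials."""
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    return request(host, port, "GET", SERVICE, {"Authorization": "Basic " + token})[:2]

def call_with_form_login(host, port, username, password):
    """Form auth: GET the protected URL for a session, POST the credentials to
    j_security_check under that session, then repeat the GET with the cookie."""
    _, _, sid = request(host, port, "GET", SERVICE)
    headers = {"Cookie": f"JSESSIONID={sid}",
               "Content-Type": "application/x-www-form-urlencoded"}
    form = urllib.parse.urlencode({"j_username": username, "j_password": password})
    status, body, _ = request(host, port, "POST", LOGIN, headers, form)
    if status not in (200, 302):
        return status, body
    return request(host, port, "GET", SERVICE, {"Cookie": headers["Cookie"]})[:2]
```

Call start_stub() and pass the returned host and port to call_with_basic_auth or call_with_form_login; against a real EDG the stub goes away and host/port point at the Tomcat instance. The point the exchange makes is the one in the reply above: the container, not EDG, validates the credentials, and after that only the session cookie (or the Authorization header on each request) identifies the caller, so an unauthenticated request never reaches the service.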
