Trevor,

Let me answer your questions in a slightly different order.

First: the difference between a graph and model. Graph is actually the SPI interface; Model is the API interface and is probably the one you are using. Basically, the Model interface uses Resources (and derived classes) in Statements. Graphs use Nodes (and derived classes) in Triples. There are other differences but for purposes of the security framework they are negligible.

I suspect that your code uses the Model API. Inside the Security framework, we work with Nodes in Triples. So where your code probably handles Statements the Security API will talk about the corresponding SecTriple. Your code probably talks about Resources and the Security API will talk about corresponding SecNode.

Model        Graph     Security API
Resource     Node      SecNode
Statement    Triple    SecTriple

To retrieve the reified statements you will have to construct your SecurityEvaluator with access to that graph/model that contains the reified statements. This will be part of how you construct / configure your SecurityEvaluator. As for looking the items up, you could construct a SPARQL query and use ARQ to execute it.

When SecurityEvaluator.evaluate( Action.Read, "urn:graph-name:data-graph", <dbr:Ireland, dbo:capital, dbo:Dublin> ) is called, <dbr:Ireland, dbo:capital, dbo:Dublin> will be a SecTriple instance. You can retrieve the subject, predicate and objects as SecNodes. You can convert those to standard Jena Nodes by reverse engineering the SecuredItemImpl.convert() method. Or you can probably just use the text value as you are using URLs. In either case you can construct the SPARQL query to retrieve the roles that have access to the triple.

The logic behind the access restrictions.

The system has to make 2 assessments and has to handle multiple configuration options.

The first call is evaluate( READ, graphIRI ). At this point we are checking that the user can read the graph identified by the IRI. If not then we are done and the access exception is thrown.

If the user can read the graph then we need to know if the system has any restrictions on the user reading the triples, so the system makes the evaluate( READ, graphIRI, SecTriple.ALL ) call. If the evaluator returns true then the user can read all the data and we are done. If the evaluator returns false then we need to determine if the user can read the specific triple. At this point the final check is performed for the actual triple in question.

Graph Access    ALL triples    Specific Triple
N                                                 (done no access)
Y               Y                                 (done all access)
Y               N              N                  (done no access to triple)
Y               N              Y                  (done access to triple)

In some cases (e.g. when returning a list/iterator of matching items) the list/iterator is filtered as per above. In other cases (e.g. when attempting to read a specific triple) an access exception is thrown.

The above table covers reading triples. Writing, deleting and updating have some other options dealing with nodes that will be created and such.

Claude

On Fri, Jan 2, 2015 at 2:22 AM, Trevor Donaldson <[email protected]> wrote:

> Claude,
>
> First off, thanks for your response. I truly appreciate it. I would give an
> example but the code that I am working with is on my work machine. Your
> assumption about having a mechanism to retrieve users roles is valid. Your
> assumption about having a way to attach roles to triples as they go into
> the triple store is also true. Essentially what happens is I have
> datasourceA and datasourceB. When data is inserted into the triple store we
> attach the roles as a reified statement (Apologies for my semantic web
> vocab but I am still a newbie).
> So for example we get user address from one datasourceA so we create a
> triple
>
> subject : http://myApp/username/JoeBlow
> predicate : pr:userName
> object : "Joe Blow"
>
> Then we take that triple and create a reified statement with roles (ROLEA,
> ROLEB, ROLEC).
> I tried what you said which is set "Second the method
> SecurityEvaluator.evaluate( Action.Read, "urn:graph-name:data-graph",
> SecTriple.ANY ) will be called. The SecurityEvaluator should return "false"
> to indicate that there are restrictions on some triples in the data
> graph."
>
> The part I am struggling with is this portion of your comment. "Finally the
> method SecurityEvaluator.evaluate( Action.Read,
> "urn:graph-name:data-graph", <dbr:Ireland, dbo:capital, dbo:Dublin> ) will
> be called. The evaluator should then look up the rdf:Statement that covers
> the <dbr:Ireland, dbo:capital, dbo:Dublin> triple, retrieve the roles that
> have access, compare those with the roles that the user has and if there is
> an intersection return "true" otherwise return "false"."
>
> Inside of the SecurityEvaluator, how do I get to the reifiedstatements
> role? Question two, if I return false from evaluate(Resource r)
> <https://github.com/apache/jena/blob/master/jena-security/src/example/org/apache/jena/security/example/ExampleEvaluator.java#L64>,
> that was returning false for the entire model. So essentially what was
> happening for me is, if user can't see one triple they can't see any
> triples. Plus my other question is what is difference between Graph and
> Model. Ok, thanks so much for your help.
>
> On Thu, Jan 1, 2015 at 7:49 PM, Claude Warren <[email protected]> wrote:
>
> > Trevor,
> >
> > I saw your question on stackoverflow
> > http://stackoverflow.com/questions/27706124/jena-security-with-reification
> > and answered it there. I would have answered here first had I seen this
> > first.
> >
> > But it is possible and I provided what I hope is a detailed explanation of
> > how to do what you want to do.
> >
> > Claude
> >
> > On Wed, Dec 31, 2014 at 9:56 PM, Trevor Donaldson <[email protected]>
> > wrote:
> >
> > > Hi,
> > >
> > > I am currently in the process of upgrading a Semantic Web application from
> > > RDB to TDB.
> > > Yes it is 2014 and yes I agree that the owners of said app
> > > should have upgraded a long time ago. With that out of the way I am asking
> > > for some help. Currently the original developers of this application wrote
> > > a custom assembler to create Adjudicating Graphs which would perform
> > > statement-level security adjudication. That is all well and good but there
> > > are multiple references to Reifier which has been removed in version
> > > 2.11.2, not to mention to follow some of the code you would have to be a
> > > semantic guru yourself.
> > >
> > > I researched and found that Jena Security now exists. It probably didn't
> > > when these guys first started writing this application. So now my question,
> > > hopefully a simple one, how do I use jena security with reification? I
> > > haven't been able to figure it out and the examples on github aren't quite
> > > exactly what I need. So given the following RDF (reified statement)
> > >
> > > _:statement rdf:type rdf:Statement .
> > > _:statement rdf:subject dbr:Ireland .
> > > _:statement rdf:predicate dbo:capital .
> > > _:statement rdf:object dbo:Dublin .
> > > _:statement ex:role "ROLEA", "ROLEB", "ROLEC" .
> > >
> > > _:statement rdf:type rdf:Statement .
> > > _:statement rdf:subject dbr:Canada.
> > > _:statement rdf:predicate dbo:capital .
> > > _:statement rdf:object dbo:Ottawa.
> > > _:statement ex:role "ROLEA" .
> > >
> > >
> > > Case I am trying to solve :
> > > 1. User A logs in and runs query with ROLEA
> > > 2. User queries for capitals
> > > 3. Jena Security filters out the Ireland statement and only returns Ottawa
> > > statement because the user is only in ROLEA. The roles are "ands"
> > >
> > > I hope this helps. I am a semantic web newbie and I am stuck. Thanks in
> > > advance.
> > >
> >
> > --
> > I like: Like Like - The likeliest place on the web
> > <http://like-like.xenei.com>
> > LinkedIn: http://www.linkedin.com/in/claudewarren
>

--
I like: Like Like - The likeliest place on the web
<http://like-like.xenei.com>
LinkedIn: http://www.linkedin.com/in/claudewarren
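
Added example, not part of the thread and not Jena code: a plain-Java model of the three read checks described in the reply at the top of this message, using the role data from the reified statements in the original question. The names `Triple`, `ALL`, `ROLES`, `evaluate` and `canRead` are hypothetical stand-ins (no Jena classes are used), the `requireAll` flag contrasts the "intersection" rule with the "ands" rule from the original question, and denying a triple that has no reified statement is an assumption.

```java
import java.util.*;

// Added illustration: plain-Java model of the read checks, no Jena types.
// Triple, ALL, ROLES, evaluate and canRead are hypothetical names.
public class ReifiedRoleCheck {
    record Triple(String s, String p, String o) {}
    static final Triple ALL = new Triple("*", "*", "*"); // stands in for SecTriple.ALL

    // Constructed sample: roles copied from the reified statements in the thread.
    // A real evaluator would look these up in the graph holding the reifications.
    static final Map<Triple, Set<String>> ROLES = Map.of(
        new Triple("dbr:Ireland", "dbo:capital", "dbo:Dublin"), Set.of("ROLEA", "ROLEB", "ROLEC"),
        new Triple("dbr:Canada", "dbo:capital", "dbo:Ottawa"), Set.of("ROLEA"));

    // Check 1: graph-level read. Assumption: any user holding a role may read the graph.
    static boolean evaluate(Set<String> userRoles, String graphIRI) {
        return !userRoles.isEmpty();
    }

    // Checks 2 and 3: ALL returns false because some triples are restricted;
    // a specific triple is decided from the roles on its reified statement.
    static boolean evaluate(Set<String> userRoles, String graphIRI, Triple t, boolean requireAll) {
        if (t.equals(ALL)) return false;
        Set<String> required = ROLES.get(t);
        if (required == null) return false; // assumption: no reified statement, no access
        return requireAll ? userRoles.containsAll(required)          // roles are "ands"
                          : !Collections.disjoint(userRoles, required); // any shared role
    }

    // The sequence of calls made for one triple, following the decision table.
    static boolean canRead(Set<String> userRoles, String g, Triple t, boolean requireAll) {
        if (!evaluate(userRoles, g)) return false;             // no graph access: done
        if (evaluate(userRoles, g, ALL, requireAll)) return true; // unrestricted: done
        return evaluate(userRoles, g, t, requireAll);          // per-triple decision
    }

    public static void main(String[] args) {
        Set<String> userA = Set.of("ROLEA");
        String g = "urn:graph-name:data-graph";
        for (Triple t : ROLES.keySet()) {
            System.out.println(t + " any-role=" + canRead(userA, g, t, false)
                + " all-roles=" + canRead(userA, g, t, true));
        }
    }
}
```

For user A (ROLEA only), the intersection rule admits both triples, while the all-roles rule admits only the Ottawa triple, which is the outcome the original question asks for.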
