On 17/05/16 14:07, Bischof, Stefan wrote:
> Hi all,
> I want to expose a SPARQL endpoint but only encrypted and authenticated.
> Encryption is currently handled by Apache httpd as a reverse proxy.
The normal way to use a reverse proxy is to force all traffic to go via
the proxy, and stop direct access.
Block port 3030 to the outside world so that only the local machine can
talk to it.
(I was going to say "use AJP13" but apparently that is no longer
recommended for jetty).
You can start Fuseki to only respond to the local host network as well.
> Authentication works only partly: I adapted shiro.ini as indicated by the
> comments (see below - username and pw changed of course).
The comments are about exposing the UI to user/password ...
> 1. Authentication works perfectly when I run SPARQL queries from the Fuseki
> web frontend:
> https://host:port/dataset.html?tab=query&ds=%2Fds&query=%0A%0ASELECT+%3Fsubject+%3Fpredicate+%3Fobject%0AWHERE+%7B%0A++%3Fsubject+%3Fpredicate+%3Fobject%0A%7D%0ALIMIT+25
> 2. Authentication is bypassed when I run SPARQL queries directly against
> the SPARQL endpoint exposed by fuseki:
> https://host:port/ds/query?query=%0A%0ASELECT+%3Fsubject+%3Fpredicate+%3Fobject%0AWHERE+%7B%0A++%3Fsubject+%3Fpredicate+%3Fobject%0A%7D%0ALIMIT+25
Put a rule for "/ds/query" in the [urls] section.
As you have it, it falls to "/**=anon"
> This leaves the triple store totally open if someone knows the URL of the
> SPARQL endpoint. Is this the intended behaviour?
> Is there any other documentation apart from the config file and
> https://jena.apache.org/documentation/fuseki2/fuseki-security.html?
The Apache Shiro documentation.
> How can I enable authentication via shiro.ini for the SPARQL endpoint?
> Or is Apache httpd authentication the best way to go?
If you are putting a reverse proxy in anyway, then it certainly is a
good option to consider. httpd has more choices.
Andy
> Thanks!
> Stefan
> [main]
> # Development
> ssl.enabled = false
> plainMatcher=org.apache.shiro.authc.credential.SimpleCredentialsMatcher
> #iniRealm=org.apache.shiro.realm.text.IniRealm
> iniRealm.credentialsMatcher = $plainMatcher
> localhostFilter=org.apache.jena.fuseki.authz.LocalhostFilter
> [users]
> # Implicitly adds "iniRealm = org.apache.shiro.realm.text.IniRealm"
> #admin=pw
> secretuser=secretpassword
> [roles]
> [urls]
> ## Control functions open to anyone
> /$/status = anon
> /$/ping = anon
> ## and the rest are restricted to localhost.
> #/$/** = localhostFilter
> ## If you want simple, basic authentication user/password
> ## on the operations,
> ## 1 - set a better password in [users] above.
> ## 2 - comment out the "/$/** = localhost" line and use:
> /$/** = authcBasic,user[admin]
> ## or to allow any access.
> ##/$/** = anon
> # Everything else
> /**=anon
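To make Andy's answer concrete, here is the shiro.ini from the mail above with the missing [urls] rule added. This is an added example written for this thread, not configuration shipped by Fuseki or posted by either author. It keeps the page's placeholder credentials (`secretuser`/`secretpassword`) and the dataset name `/ds`; the only substantive change is the block of `/ds` rules placed before the `/**=anon` catch-all. Shiro evaluates [urls] entries top-down and applies the first pattern that matches the request path, so the original file protected only the admin paths under `/$/` and every request to `/ds/query`, `/ds/update` and the other dataset operations fell through to `anon`.

```ini
[main]
# Development: TLS is terminated by the httpd reverse proxy in front of Fuseki
ssl.enabled = false
plainMatcher = org.apache.shiro.authc.credential.SimpleCredentialsMatcher
iniRealm.credentialsMatcher = $plainMatcher
localhostFilter = org.apache.jena.fuseki.authz.LocalhostFilter

[users]
# Placeholder credentials taken from the mail above; replace before deployment.
# Format is "username = password, role1, role2 ..."; no roles are assigned here.
secretuser = secretpassword

[roles]

[urls]
## Control functions open to anyone (health checks through the proxy)
/$/status = anon
/$/ping = anon

## Administrative operations: HTTP Basic auth, any authenticated user
/$/** = authcBasic,user[admin]

## Dataset endpoints: this is the rule that was missing. Both the bare
## dataset path (/ds?query=...) and its sub-paths (/ds/query, /ds/update,
## /ds/data, ...) must be listed here, ABOVE the catch-all, or they are
## served anonymously.
/ds = authcBasic,user[admin]
/ds/** = authcBasic,user[admin]

## Everything else (UI pages, static assets)
/** = anon
```

Two things worth checking after restarting Fuseki: a request to `https://host:port/ds/query?query=...` through the proxy should now return 401 without credentials, and Fuseki itself should not be reachable on port 3030 from outside the host, which is the other half of Andy's advice (firewall the port, or start Fuseki with its `--localhost` option so it binds only to the loopback interface). Because Shiro stops at the first matching pattern, adding a second dataset later means adding its own `/name` and `/name/**` lines above `/** = anon`; forgetting that reproduces exactly the bypass described in the mail.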