Hi Ryan,

Are you using the "fuseki:service*" style for defining the operations?

The newer

    fuseki:endpoint [
        # SPARQL Graph Store Protocol (read and write)
        fuseki:operation fuseki:gsp_rw ;
        fuseki:name "data"
    ] ;

style allows more precise definition of endpoints.

https://jena.apache.org/documentation/fuseki2/fuseki-configuration.html

:serviceReadWriteGraphStore implicitly adds PUT to the dataset (quads mode) and "/**=anon" applies.

If you use "fuseki:operation fuseki:gsp_rw" there isn't this side effect.

You can go further with fuseki:allowedUsers on individual endpoint/operation. shiro.ini does not support that but you'll need shiro to do user login.

A server without UI and without admin (currently :-), Fuseki/main, can use the Jetty security handling - no shiro.ini - but that's a completely separate setup.

    Andy
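The endpoint-style configuration described above, written out for the split Ryan asks for (anonymous query, admin-only loads and updates). This is an added example, not configuration from the thread or from the Jena project; the dataset name "ds", the TDB2 location "DB2" and the user name "admin" are assumed, and fuseki:allowedUsers only checks an identity that shiro.ini (or the Jetty setup) has already established by login.

```turtle
PREFIX :       <#>
PREFIX fuseki: <http://jena.apache.org/fuseki#>
PREFIX rdf:    <http://www.w3.org/1999/02/22-rdf-syntax-ns#>
PREFIX ja:     <http://jena.hpl.hp.com/2005/11/Assembler#>
PREFIX tdb2:   <http://jena.apache.org/2016/tdb#>

[] rdf:type fuseki:Server ;
   fuseki:services ( :service ) .

# Assumed dataset name "ds": the dataset URL is /ds
:service rdf:type fuseki:Service ;
    fuseki:name "ds" ;

    # Unnamed endpoint = the dataset URL itself (/ds).
    # Only SPARQL query is offered there, so an anonymous PUT to /ds
    # has no gsp_rw operation to reach (unlike :serviceReadWriteGraphStore).
    fuseki:endpoint [ fuseki:operation fuseki:query ] ;

    # Anonymous read access on named endpoints
    fuseki:endpoint [ fuseki:operation fuseki:query ; fuseki:name "query" ] ;
    fuseki:endpoint [ fuseki:operation fuseki:gsp_r ; fuseki:name "get" ] ;

    # Write operations restricted to the logged-in user "admin" (assumed name).
    # A request without that identity is refused by Fuseki itself.
    fuseki:endpoint [
        fuseki:operation    fuseki:update ;
        fuseki:name         "update" ;
        fuseki:allowedUsers ( "admin" )
    ] ;
    fuseki:endpoint [
        # SPARQL Graph Store Protocol (read and write)
        fuseki:operation    fuseki:gsp_rw ;
        fuseki:name         "data" ;
        fuseki:allowedUsers ( "admin" )
    ] ;

    fuseki:dataset :dataset .

:dataset rdf:type tdb2:DatasetTDB2 ;
    tdb2:location "DB2" .   # assumed on-disk location
```

Because "data" and "update" are the only endpoints carrying write operations, the shiro.ini rules for /ds/data/** and /ds/update/** and the fuseki:allowedUsers lists now guard the same two paths, and nothing writable remains on the bare dataset URL.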

On 31/10/2022 22:36, Shaw, Ryan wrote:
I am trying to configure fuseki-server so that

* an admin logging in via basic auth can create and update datasets
* anonymous users can only query datasets


My shiro.ini:

[main]
ssl.enabled = false
plainMatcher = org.apache.shiro.authc.credential.SimpleCredentialsMatcher
iniRealm.credentialsMatcher = $plainMatcher

[users]
admin=${ADMIN_PASSWORD}

[roles]

[urls]
# admin functions open to anyone
/$/ping     = anon
/$/server   = anon
/$/stats    = anon
/$/stats/*  = anon

# and the rest of the admin functions are restricted
/$/** = authcBasic,user[admin]

# dataset loads and updates are restricted
/*/data/**   = authcBasic,user[admin]
/*/update/** = authcBasic,user[admin]

# everything else is open to anyone
/**=anon


With this shiro.ini configuration, anonymous users can still PUT to a dataset
URL to update it. I want to disallow that. How?
