[foaf-dev] generating FOAF - dumb or smart?

Peter Williams pwilliams at rapattoni.com
Sun Mar 2 22:09:57 GMT 2008


Concerning Twinkle and access controls:

Setting the JRE/JDK system proxy allows control to be stripped from the application. In my case, my (scriptable) client-side proxy now responds to the SPARQL server's authentication challenge.

For fun, I went beyond having the proxy respond to the 401 basic authentication Challenge. I had the server issue an openid2 challenge. The (scriptable, extensible) proxy provides the responding openid2 assertion back - to authenticate and authorize the already delivered SPARQL request. (*)

It's probably important that the security model for SPARQL is standard and based on the communication layer rather than the information layer, ontologies or data model. It obviously should not be based on any proprietary (security) features specific to the SPARQL client, the RDF library, or the VM (.NET, JRE, etc).


(*) To be truthful it redirects to the openid assertion agent, which itself redirects through a chain of SAML agents which do std authentication and authorization processing. But no one knows this - it "looks like" openid.

If I summarize

1. I can generate FOAF files by template
2. I can generate FOAF streams by SPARQL CONSTRUCT
3. I can generate FOAF individuals from rdfs:subproperty, rdfs:subclass inferences (using OWL Full)
4. I can impose an agent-centric websso security model, with comsec semantics

With this, I think I have most of the infrastructure in place to now focus on Henry's problem: impose access controls on properties.

For that, I assume I'll need a "community-endorsed" ontology for expressing an overlay of access control "security" facets on top of the object/data types associated with particular RDFS properties.

Peter.


===============================================================================
.
  JAVA: java
.
  JAVA_OPTS: -Dprogram.name=run.bat -DproxySet=true -DproxyHost=localhost -DproxyPort=8888 -Xms128m -Xmx512m
.
  CLASSPATH:
.
===============================================================================


From: Leigh Dodds
Sent: Sat 2/23/2008 10:53 AM
To: Peter Williams
Cc: foaf-dev at lists.foaf-project.org
Subject: Re: [foaf-dev] generating FOAF - dumb or smart?


>  Meantime, I got tired of using http basic auth to the SPARQL server. (Never did get
> Twinkle2.0 to talk to my http endpoint accepting SPARQL protocol, which required at least
> basic auth - as there is no obvious way to configure the twinkle client agent for security).

That's because the 2.0 version doesn't support access control on SPARQL
endpoints. I've been waiting for the recent ARQ release, which
includes some changes I requested to the API. One of those was having
a bit more control over the construction of the endpoint URL
parameters than was previously available. I need that particular
change to support endpoints with access tokens.

So the 2.1 release which I'll hopefully have time for next week should
include the feature you need.

L.