Archived

If you are looking for the last documentation in the 4.x series, see 4.7.5. Looking for another version? See all documentation.

You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 9 Next »

WebAC authorization Fedora module is an implementation of the still evolving draft by the W3C that proposes a decentralized authorization mechanism. See WebAccessControl specifications at the W3C website. 

W3C's definition of WebAccessControl:

WebAccessControl is a decentralized system for allowing different users and groups various forms of access to resources where users and groups are identified by HTTP URIs. 

The WebAC module will enforce access control based on the Access Control List (ACL) RDF resource associated with the requested resource. The ACL resource should specify the types of access, allowed users or groups, and applicable resources.

User -> Read/Write/Append/Control -> Resource/ResourceType

Example:

1. userA can Read document foo
@prefix acl: <http://www.w3.org/ns/auth/acl#>

</acls/read> acl:accessTo </foo> ;
acl:mode acl:Read;
acl:agent </agents/userA> .


2. users in NewsEditor group can Write to any resource of type News
@prefix acl: <http://www.w3.org/ns/auth/acl#>

</acls/write> acl:accessToClass </objecttype/news> ;
acl:mode acl:Read, acl:Write;
acl:agentClass </agents/newsEditor> .

Example Request Authorization Flow:

Gliffy Macro Error

An error occurred while rendering this diagram. Please contact your administrator.

  • Name: Fedora WebAC Request Authorization Flow

 

Example Scenarios

  1. I want to allow a user with username "smith123" to have read, write access to resource http://localhost:8080/rest/webacl_box1.

    Using these two "files" to create our Authorization and ACL resources.

    Acl.ttl
    @prefix rdf: <http://www.w3.org/1999/02/22-rdf-syntax-ns#> .
@prefix ldp: <http://www.w3.org/ns/ldp#> .
<> a ldp:BasicContainer ;
   rdf:type ???:WebAcl .
    Authorization.ttl
    @prefix acl: <http://www.w3.org/ns/auth/acl#> .
@prefix rdf: <http://www.w3.org/1999/02/22-rdf-syntax-ns#> .
@prefix ldp: <http://www.w3.org/ns/ldp#> .
<> a ldp:RDFSource ;
   rdf:type acl:Authorization ;
   acl:agent "smith123" ;
   acl:mode acl:Read, acl:Write ;
   acl:accessTo <http://localhost:8080/rest/webacl_box1> .

    We would execute the following commands.

    > curl -X POST -H "Content-type: text/turtle" --data-binary "@Acl.ttl" "http://localhost:8080/rest"

http://localhost:8080/rest/new/node/acl

> curl -X PUT -H "Content-type: text/turtle" --data-binary "@Authorization.ttl" "http://localhost:8080/rest/new/node/acl/auth1"

http://localhost:8080/rest/new/node/acl/auth1

> echo "PREFIX acl: <http://www.w3.org/ns/auth/acl#>
INSERT INTO {
<> acl:accessControl <http://localhost:8080/rest/new/node/acl> .
}" | curl -X PATCH -H "Content-type: application/sparql-update" --upload-file - "http://localhost:8080/rest/webacl_box1"
  2. I wants this group to have write access on this collection
    ....
  • No labels

All content on the LYRASIS Wiki is licensed under the CC BY (Attribution) license, unless otherwise noted.