WebAC authorization Fedora module is an implementation of the still evolving draft by the W3C that proposes a decentralized authorization mechanism. See WebAccessControl specifications at the W3C website.
W3C's definition of WebAccessControl:
WebAccessControl is a decentralized system for allowing different users and groups various forms of access to resources where users and groups are identified by HTTP URIs.
The WebAC module will enforce access control based on the Access Control List (ACL) RDF resource associated with the requested resource. The ACL resource should specify the types of access, allowed users or groups, and applicable resources.
User -> Read/Write/Append/Control -> Resource/ResourceType
Example:
1. userA can Read document foo
@prefix acl: <http://www.w3.org/ns/auth/acl#>
</acls/read> acl:accessTo </foo> ;
acl:mode acl:Read;
acl:agent </agents/userA> .
2. users in NewsEditor group can Write to any resource of type News
@prefix acl: <http://www.w3.org/ns/auth/acl#>
</acls/write> acl:accessToClass </objecttype/news> ;
acl:mode acl:Read, acl:Write;
acl:agentClass </agents/newsEditor> .
Example Request Authorization Flow:
Example Scenarios
I want to allow a user with username "smith123" to have read, write access to resource http://localhost:8080/rest/webacl_box1.
Using these two "files" to create our Authorization and ACL resources.
Acl.ttl@prefix rdf: <http://www.w3.org/1999/02/22-rdf-syntax-ns#> . @prefix ldp: <http://www.w3.org/ns/ldp#> . <> a ldp:BasicContainer ; rdf:type ???:WebAcl .
Authorization.ttl@prefix acl: <http://www.w3.org/ns/auth/acl#> . @prefix rdf: <http://www.w3.org/1999/02/22-rdf-syntax-ns#> . @prefix ldp: <http://www.w3.org/ns/ldp#> . <> a ldp:RDFSource ; rdf:type acl:Authorization ; acl:agent "smith123" ; acl:mode acl:Read, acl:Write ; acl:accessTo <http://localhost:8080/rest/webacl_box1> .
We would execute the following commands.
> curl -X POST -H "Content-type: text/turtle" --data-binary "@Acl.ttl" "http://localhost:8080/rest" http://localhost:8080/rest/acl > curl -X PUT -H "Content-type: text/turtle" --data-binary "@Authorization.ttl" "http://localhost:8080/rest/acl/auth1" http://localhost:8080/rest/acl/auth1 > echo "PREFIX acl: <http://www.w3.org/ns/auth/acl#> INSERT INTO { <> acl:accessControl <http://localhost:8080/rest/acl> . }" | curl -X PATCH -H "Content-type: application/sparql-update" --upload-file - "http://localhost:8080/rest/webacl_box1"I want to let the group "Editors" have read, write access on all the items in the collection "http://localhost:8080/rest/box/bag/collection"
Using the below two "files",Acl.ttl@prefix rdf: <http://www.w3.org/1999/02/22-rdf-syntax-ns#> . @prefix ldp: <http://www.w3.org/ns/ldp#> . <> a ldp:BasicContainer ; rdf:type ???:WebAcl .
Authorization.ttl@prefix acl: <http://www.w3.org/ns/auth/acl#> . @prefix rdf: <http://www.w3.org/1999/02/22-rdf-syntax-ns#> . @prefix ldp: <http://www.w3.org/ns/ldp#> . <> a ldp:RDFSource ; rdf:type acl:Authorization ; acl:agent "Editors" ; acl:mode acl:Read, acl:Write ; acl:accessTo <http://localhost:8080/rest/box/bag/collection> .
We would execute the following commands.
> curl -X POST -H "Content-type: text/turtle" --data-binary "@Acl.ttl" "http://localhost:8080/rest" http://localhost:8080/rest/acl > curl -X PUT -H "Content-type: text/turtle" --data-binary "@Authorization.ttl" "http://localhost:8080/rest/acl/auth1" http://localhost:8080/rest/acl/auth1 > echo "PREFIX acl: <http://www.w3.org/ns/auth/acl#> INSERT INTO { <> acl:accessControl <http://localhost:8080/rest/acl> . }" | curl -X PATCH -H "Content-type: application/sparql-update" --upload-file - "http://localhost:8080/rest/box/bag/collection"I would like the collection http://localhost:8080/rest/dark/archive to be viewable only by the groupId "Restricted", but I would like to allow anyone to view the resource http://localhost:8080/rest/dark/archive/sunshine.
Using the below three files to setup the Acl and Authorization resources.Acl.ttl@prefix rdf: <http://www.w3.org/1999/02/22-rdf-syntax-ns#> . @prefix ldp: <http://www.w3.org/ns/ldp#> . <> a ldp:BasicContainer ; rdf:type ???:WebAcl .
Auth_restricted.ttl@prefix acl: <http://www.w3.org/ns/auth/acl#> . @prefix rdf: <http://www.w3.org/1999/02/22-rdf-syntax-ns#> . @prefix ldp: <http://www.w3.org/ns/ldp#> . @prefix foaf: <http://xmlns.com/foaf/0.1/> . <> a ldp:RDFSource ; rdf:type acl:Authorization ; acl:agent "Restricted" ; acl:mode acl:Read ; acl:accessTo <http://localhost:8080/rest/dark/archive> .
Auth_open.ttl@prefix acl: <http://www.w3.org/ns/auth/acl#> . @prefix rdf: <http://www.w3.org/1999/02/22-rdf-syntax-ns#> . @prefix ldp: <http://www.w3.org/ns/ldp#> . @prefix foaf: <http://xmlns.com/foaf/0.1/> . <> a ldp:RDFSource ; rdf:type acl:Authorization ; acl:agent foaf:Agent ; acl:mode acl:Read ; acl:accessTo <http://localhost:8080/rest/dark/archive/sunshine> .
The I would execute the following commands.
> curl -X POST -H "Content-type: text/turtle" --data-binary "@Acl.ttl" "http://localhost:8080/rest" http://localhost:8080/rest/acl_lock > curl -X PUT -H "Content-type: text/turtle" --data-binary "@Auth_restricted.ttl" "http://localhost:8080/rest/acl_lock/auth1" http://localhost:8080/rest/acl_lock/auth1 > echo "PREFIX acl: <http://www.w3.org/ns/auth/acl#> INSERT INTO { <> acl:accessControl <http://localhost:8080/rest/acl_lock> . }" | curl -X PATCH -H "Content-type: application/sparql-update" --upload-file - "http://localhost:8080/rest/dark/archive" > curl -X POST -H "Content-type: text/turtle" --data-binary "@Acl.ttl" "http://localhost:8080/rest" http://localhost:8080/rest/acl_open > curl -X PUT -H "Content-type: text/turtle" --data-binary "@Auth_open.ttl" "http://localhost:8080/rest/acl_open/auth2" http://localhost:8080/rest/acl_open/auth2 > echo "PREFIX acl: <http://www.w3.org/ns/auth/acl#> INSERT INTO { <> acl:accessControl <http://localhost:8080/rest/acl_open> . }" | curl -X PATCH -H "Content-type: application/sparql-update" --upload-file - "http://localhost:8080/rest/dark/archive/sunshine"The collection http://localhost:8080/rest/public_collection should be readable by anyone but only editable by users in the group Editors.
Using the following three files to setup the Acl and Authorizations. We would:Acl.ttl@prefix rdf: <http://www.w3.org/1999/02/22-rdf-syntax-ns#> . @prefix ldp: <http://www.w3.org/ns/ldp#> . <> a ldp:BasicContainer ; rdf:type ???:WebAcl .
Auth1.ttl@prefix acl: <http://www.w3.org/ns/auth/acl#> . @prefix rdf: <http://www.w3.org/1999/02/22-rdf-syntax-ns#> . @prefix ldp: <http://www.w3.org/ns/ldp#> . @prefix foaf: <http://xmlns.com/foaf/0.1/> . <> a ldp:RDFSource ; rdf:type acl:Authorization ; acl:agent foaf:Agent ; acl:mode acl:Read ; acl:accessTo <http://localhost:8080/rest/public_collection> .
Auth2.ttl@prefix acl: <http://www.w3.org/ns/auth/acl#> . @prefix rdf: <http://www.w3.org/1999/02/22-rdf-syntax-ns#> . @prefix ldp: <http://www.w3.org/ns/ldp#> . @prefix foaf: <http://xmlns.com/foaf/0.1/> . <> a ldp:RDFSource ; rdf:type acl:Authorization ; acl:agent "Editors" ; acl:mode acl:Read, acl:Write ; acl:accessTo <http://localhost:8080/rest/public_collection> .
I would execute the following code:
> curl -X POST -H "Content-type: text/turtle" --data-binary "@Acl.ttl" "http://localhost:8080/rest" http://localhost:8080/rest/acl > curl -X PUT -H "Content-type: text/turtle" --data-binary "@Auth1.ttl" "http://localhost:8080/rest/acl/auth1" http://localhost:8080/rest/acl/auth1 > curl -X PUT -H "Content-type: text/turtle" --data-binary "@Auth2.ttl" "http://localhost:8080/rest/acl/auth2" http://localhost:8080/rest/acl/auth2 > echo "PREFIX acl: <http://www.w3.org/ns/auth/acl#> INSERT INTO { <> acl:accessControl <http://localhost:8080/rest/acl> . }" | curl -X PATCH -H "Content-type: application/sparql-update" --upload-file - "http://localhost:8080/rest/public_collection"
