Access Control for HTTP Operations on Linked Data

Shi3ld is an access control module for enforcing authorization on triple stores. Shi3ld protects SPARQL queries and HTTP operations on Linked Data and relies on attribute-based access policies.

http://wimmics.inria.fr/projects/shi3ld-ldp/

Shi3ld comes in two flavours: Shi3ld-SPARQL, designed for SPARQL endpoints, and Shi3ld-HTTP, designed for HTTP operations on triples.

Shi3ld for HTTP offers authorization for read/write HTTP operations on Linked Data. It supports the SPARQL 1.1 Graph Store Protocol and the Linked Data Platform specifications.

Transcript

  • 1. Access Control for HTTP Operations on Linked Data. Luca Costabello, Serena Villata, Oscar Rodriguez Rocha, Fabien Gandon.
  • 2. Outline
    ● Introduction
    ● Shi3ld Authorization Procedure
    ● Shi3ld for HTTP: Scenarios
    ● Response Time Evaluation
    ● Future Work
  • 3. Outline (repeated; next section: Introduction).
  • 4. Accessing Linked Data
    ● HTTP URI dereferencing
    ● SPARQL queries
    ● RDFa, search engine APIs
  • 5. Accessing Linked Data (HTTP URI dereferencing highlighted)
    ● HTTP URI dereferencing
    ● SPARQL queries
    ● RDFa, search engine APIs
    Example request:
        GET /data/resource HTTP/1.1
        Host: example.org
        ...
  • 6. Our Problem: how to design an authorization framework for HTTP interaction with Linked Data?
        GET /data/resource HTTP/1.1
        Host: example.org
        Authorization: ...
  • 7. Access Control for Triple Stores. Table comparing existing approaches (rows) against five criteria (columns). Criteria: HTTP Interaction, Attribute-Based AC Model, Policies in RDF/SPARQL, Resource-level Granularity, Context Awareness. Approaches: Shi3ld-SPARQL [2012], WAC [2007], Proteus [2006], Abel et al. [2007], Finin et al. [2008], Flouris et al. [2010], PPO [2011]. The cell marks of the table do not appear in the transcript.
  • 8. Our Proposal: Adapting Shi3ld-SPARQL to HTTP. Starting point: a SPARQL query (SELECT … WHERE {…}).
  • 9. Our Proposal: Adapting Shi3ld-SPARQL to HTTP. Target: an HTTP request carrying authorization data:
        GET /data/resource HTTP/1.1
        Host: example.org
        Authorization: ...
  • 10. Outline (repeated; next section: Adapting Shi3ld-SPARQL to HTTP)
    ● Background
    ● Shi3ld Authorization Procedure
    ● Adapting Shi3ld-SPARQL to HTTP
    ● Response Time Evaluation
    ● Future Work
  • 11. Shi3ld Access Policy (class diagram). An AccessPolicy appliesTo a resource, hasAccessPrivilege an AccessPrivilege and hasAccessConditionSet an AccessConditionSet; the set hasAccessCondition one or more AccessConditions; each AccessCondition hasContext a Context, which has a user (User), a device (Device) and an environment (Environment). Two "styles" for Access Conditions:
    ● SPARQL-based
    ● SPARQL-less
  • 12. Sample Access Policy (SPARQL-based). The protected resource is :resource; the access condition to be verified is «User must be John and request must come from a specific location»:
        :policy1 a s4ac:AccessPolicy;
            s4ac:appliesTo :resource;
            s4ac:hasAccessPrivilege s4ac:Read;
            s4ac:hasAccessConditionSet :acs1.
        :acs1 a s4ac:AccessConditionSet;
            s4ac:hasAccessCondition :ac1.
        :ac1 a s4ac:AccessCondition;
            s4ac:hasQueryAsk
                """ASK
                   { ?ctx a prissma:Context;
                          prissma:environment ?env;
                          prissma:user <http://example.org/john.rdf#me>.
                     ?env prissma:currentPOI ?poi.
                     ?poi prissma:based_near ?p.
                     ?p geo:lat ?lat; geo:lon ?lon.
                     FILTER(((?lat-45.8483) > 0 && (?lat-45.8483) < 0.5
                          || (?lat-45.8483) < 0 && (?lat-45.8483) > -0.5)
                         && ((?lon-7.3263) > 0 && (?lon-7.3263) < 0.5
                          || (?lon-7.3263) < 0 && (?lon-7.3263) > -0.5)) }""".
  • 13. Sample Access Policy (SPARQL-less). The protected resource is :resource; the access condition to be verified is «User must be John and Alice must be nearby»:
        :policy1 a s4ac:AccessPolicy;
            s4ac:appliesTo :resource;
            s4ac:hasAccessPrivilege s4ac:Read;
            s4ac:hasAccessConditionSet :acs1.
        :acs1 a s4ac:AccessConditionSet;
            s4ac:hasAccessCondition :ac1.
        :ac1 a s4ac:AccessCondition;
            s4ac:hasContext :ctx1.
        :ctx1 a prissma:Context;
            prissma:user <http://example.org/john.rdf#me>;
            prissma:environment :env1.
        :env1 a prissma:Environment;
            prissma:nearbyEntity <http://alice.org#me>.
  • 14. Authorization Procedure
    1. Adding Client Attributes to HTTP operation
    2. Access Conditions Execution
    3. HTTP Response Construction
  • 15. Authorization Procedure, step 1: Adding Client Attributes to HTTP operation. The client sends its attributes in the Authorization header:
        GET /data/resource HTTP/1.1
        Host: example.org
        Authorization: Shi3ld <...>
    The attributes form a context graph (User, Device, Environment): :ctx_AC1 p:user <http://carl-johnson.org#me>; :ctx_AC1 p:environment :env_AC1; :env_AC1 p:nearbyEntity <http://alice.org#me>; <http://carl-johnson.org#me> foaf:gender "male".
  • 16. Authorization Procedure (SPARQL-based), step 2: Access Conditions Execution. The access condition's ASK query is evaluated against the client attributes graph:
        ASK { ?context a prissma:Context;
                       prissma:user ex:john. }
        VALUES (?context) {(:client_attributes)}
    Result: "false".
  • 17. Authorization Procedure (SPARQL-less), step 2: Access Conditions Execution. The access condition's context graph is matched as a subgraph of the client attributes:
        :context a prissma:Context;
                 prissma:user ex:john.
    Client attributes: :ctx_AC1 p:user <http://carl-johnson.org#me>; :ctx_AC1 p:environment :env_AC1; :env_AC1 p:nearbyEntity <http://alice.org#me>; <http://carl-johnson.org#me> foaf:gender "male".
    Result: "no match".
  • 18. Authorization Procedure, step 3: HTTP Response Construction. Access to :resource is denied: 401 Unauthorized.
  • 19. Outline (repeated; next section: Shi3ld for HTTP: Scenarios).
  • 20. HTTP Operations on Linked Data: Our Scenarios
    ● SPARQL 1.1 Graph Store Protocol (GSP). Example request, equivalent to CONSTRUCT { ?s ?p ?o } WHERE { GRAPH <...> { ?s ?p ?o } }:
        GET /rdf-graph-store?graph=... HTTP/1.1
        Host: example.com
        Accept: text/turtle; charset=utf-8
    ● W3C Linked Data Platform (LDP) 1.0: best practices for a read-write HTTP-based Linked Data architecture.
  • 21. HTTP Operations on Linked Data: Our Scenarios
    ● SPARQL 1.1 Graph Store Protocol (GSP): Shi3ld-GSP
    ● W3C Linked Data Platform (LDP) 1.0: Shi3ld-LDP, in a SPARQL-based and a SPARQL-less variant
  • 22. HTTP Operations on Linked Data: Our Scenarios (repeat of slide 21).
  • 23. Shi3ld-GSP (sequence diagram). Client → Shi3ld-GSP (HTTP):
        GET /data/resource HTTP/1.1
        Host: example.org
        Authorization: Shi3ld:base64(attributes)
    Shi3ld-GSP → SPARQL 1.1 GSP / Triple Store (HTTP/SPARQL): INSERT DATA (attributes) [1. Adding Client Attributes]; SELECT (Access Policies), ASK (AC1) … ASK (ACn) [2. AC Execution]; then the original request (GET /data/resource HTTP/1.1, Host: example.org) is forwarded to the store and 200 OK is returned to the client [3. HTTP Response Construction].
  • 24. HTTP Operations on Linked Data: Our Scenarios (repeat of slide 21).
  • 25. Shi3ld-LDP (SPARQL-based) (sequence diagram). Client → Shi3ld Frontend (HTTP):
        GET /data/resource HTTP/1.1
        Host: example.org
        Authorization: Shi3ld:base64(attributes)
    Shi3ld internal: the Frontend runs INSERT DATA (attributes) [1. Adding Client Attributes], then SELECT (Access Policies) and ASK (AC1) … ASK (ACn) [2. AC Execution] on an internal triple store with an internal SPARQL engine; on success the LDP Server calls getData() on its file system or triple store and 200 OK is returned to the client [3. HTTP Response Construction].
  • 26. Shi3ld-LDP (SPARQL-less) (sequence diagram). Client → Shi3ld Frontend (HTTP):
        GET /data/resource HTTP/1.1
        Host: example.org
        Authorization: Shi3ld:base64(attributes)
    Shi3ld internal: the Frontend saves the attributes [1. Adding Client Attributes], gets the Access Policies and asks the Subgraph matcher attributes.contains(AC1) … attributes.contains(ACn) [2. AC Execution]; on success the LDP Server calls getData() on its file system or triple store and 200 OK is returned to the client [3. HTTP Response Construction].
  • 27. Outline (repeated; next section: Response Time Evaluation).
  • 28. Response Time Evaluation
    ● Response time is linear in the number of access conditions
    ● SPARQL-less: 25% faster
    ● Empty RDF store: only 14% faster
  • 29. Response Time Evaluation
    ● AC complexity does not affect response time
    ● Response time is independent of the HTTP method
  • 30. Outline (repeated; next section: Future Work).
  • 31. Future Work
    ● Client Attributes Trustworthiness
    ● Client Attributes Caching
    ● Admin UI
    bit.ly/shi3ld-http. Luca Costabello @lukostaz, Serena Villata @serena_villata, Oscar Rodriguez-Rocha @orocha, Fabien Gandon @fabien_gandon.
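The SPARQL-less authorization procedure of slides 14 to 18 and 26 (attributes from the Authorization header, subgraph matching of each access condition, 200 or 401), written out as an added example; this is not Shi3ld's own code. It assumes a simplified payload, `Authorization: Shi3ld <base64(attributes)>` with one whitespace-separated triple per line, since the slides do not spell out the encoding; the attributes are taken at face value, which is the trust question the Future Work slide lists.

```python
import base64, binascii
# Added example, not Shi3ld's code: the slides' SPARQL-less authorization as a subgraph check
# over (subject, predicate, object) triples. The base64 payload, one whitespace-separated
# triple per line, is a constructed stand-in: the slides do not spell out its format.

def shi3ld_header(attributes_text):
    """What the client sends as 'Authorization: Shi3ld <base64(attributes)>'."""
    return "Shi3ld " + base64.b64encode(attributes_text.encode()).decode()
def parse_attributes(header):
    """Step 1: extract the client attributes from the Authorization header (None if malformed)."""
    scheme, _, payload = header.partition(" ")
    if scheme != "Shi3ld" or not payload:
        return None
    try:
        raw = base64.b64decode(payload, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    return {tuple(t) for t in (line.split() for line in raw.splitlines()) if len(t) == 3}
def matches(condition, attributes, binding=None):
    """Step 2: is the access-condition graph a subgraph of the client attributes? Policy-local
    nodes (":ctx1", ":env1") bind to any node, like blank nodes; IRIs and literals match exactly."""
    binding = binding or {}
    if not condition:
        return True
    (s, p, o), rest = condition[0], condition[1:]
    for cs, cp, co in attributes:
        if cp != p:
            continue
        new, ok = dict(binding), True
        for pat, val in ((s, cs), (o, co)):
            ok = ok and (new.setdefault(pat, val) == val if pat.startswith(":") else pat == val)
        if ok and matches(rest, attributes, new):
            return True
    return False
def authorize(header, conditions):
    """Step 3: every access condition must match, otherwise the response is 401."""
    attributes = parse_attributes(header)
    return 200 if attributes is not None and all(
        matches(sorted(c), attributes) for c in conditions) else 401

# Access condition from slide 13 ("User must be John and Alice must be nearby") and the client
# attributes from slide 15 (Carl, with Alice nearby): authorize() returns 401 for Carl.
AC_ALICE_NEARBY = {(":ctx1", "a", "prissma:Context"),
                   (":ctx1", "prissma:user", "<http://example.org/john.rdf#me>"),
                   (":ctx1", "prissma:environment", ":env1"), (":env1", "a", "prissma:Environment"),
                   (":env1", "prissma:nearbyEntity", "<http://alice.org#me>")}
CARL = (":ctx_AC1 a prissma:Context\n:ctx_AC1 prissma:user <http://carl-johnson.org#me>\n"
        ":ctx_AC1 prissma:environment :env_AC1\n:env_AC1 a prissma:Environment\n"
        ":env_AC1 prissma:nearbyEntity <http://alice.org#me>")
```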