<!DOCTYPE html>
<html lang="en">
<head>
<title>Apache Jena - Security in Fuseki2</title>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<link href="/css/bootstrap.min.css" rel="stylesheet" media="screen">
<link href="/css/bootstrap-extension.css" rel="stylesheet" type="text/css">
<link href="/css/jena.css" rel="stylesheet" type="text/css">
<link rel="shortcut icon" href="/images/favicon.ico" />
<script src="https://code.jquery.com/jquery-2.2.4.min.js"
integrity="sha256-BbhdlvQf/xTY9gja0Dq3HiwQF8LaCRTXxZKRutelT44="
crossorigin="anonymous"></script>
<script src="/js/jena-navigation.js" type="text/javascript"></script>
<script src="/js/bootstrap.min.js" type="text/javascript"></script>
<script src="/js/improve.js" type="text/javascript"></script>
</head>
<body>
<div class="container">
<div class="row">
<div class="col-md-12">
<h1 class="title">Security in Fuseki2</h1>
<p>The Fuseki2 webapp provides security by using <a href="http://shiro.apache.org/">Apache Shiro</a>.
This is controlled by the configuration file <code>shiro.ini</code> located at
<code>$FUSEKI_BASE/shiro.ini</code>. If the file is not found, the server initializes with a default
configuration, which can then be replaced or edited as required. An existing file
is never overwritten by the server.</p>
<p>In its default configuration, SPARQL endpoints are open to the public but
administrative functions are limited to <code>localhost</code>. They can be accessed via
<code>http://localhost:.../...</code>, or via the corresponding IPv4 or IPv6 address, for example
<code>127.0.0.1</code> (IPv4) or <code>[::1]</code> (IPv6). Access from an external machine is not
treated as localhost and is therefore restricted.</p>
<p>Once Shiro has been configured to perform user authentication it provides a
good foundation on which the <a href="../permissions/">Jena Permissions</a> layer can be
configured. There is an <a href="../permissions/example.html">example implementation</a>
documented in the Jena Permissions section. The Jena Permissions layer can be
used to restrict access to specific graphs or triples within graphs.</p>
<p>A simple example that enables basic user/password authentication is shown in the
default <code>shiro.ini</code> configuration. The default admin user is <code>admin</code> and the
password is <code>pw</code>. This can be changed directly in the INI file. Note that this
setup is not recommended for production for various reasons (no TLS, passwords
in plain text etc.); consult the <a href="https://shiro.apache.org/configuration.html#Configuration-INISections">Shiro
INI</a>
documentation for best practices.</p>
<p>As mentioned above, the default setup only restricts access to the admin pages
of Fuseki. To avoid clashes with dataset names, the namespace of the admin
interface starts with <code>/$/</code>; consult the <a href="../fuseki2/fuseki-server-protocol.html">Fuseki HTTP Administration Protocol</a>
documentation for more details.</p>
<p>If access to SPARQL endpoints should be restricted, additional <a href="https://shiro.apache.org/web.html#Web-WebINIconfiguration">Shiro
ACLs</a> are necessary.
This is done in the <code>[urls]</code> section of the configuration. As an example,
restricting access to the <code>../query</code> SPARQL endpoint for all datasets on Fuseki
could be done with this wildcard pattern:</p>
<p><code>/**/query = authcBasic,user[admin]</code></p>
<p>Anonymous SPARQL queries would no longer be possible in this example.</p>
<p>Again, please consult the <a href="https://shiro.apache.org/">Apache Shiro</a> website for
details and more sophisticated setups. The default configuration of Fuseki is
kept simple but is <em>not</em> recommended for setups where sensitive data is
provided.</p>
<p>Changing the security setup requires a server restart.</p>
<p>Contributions of more examples are very welcome.</p>
<h2 id="examples">Examples</h2>
<p>The shipped <code>shiro.ini</code> has additional comments.</p>
<h3 id="the-default-configuration">The default configuration</h3>
<p>This is a minimal version of the default configuration.</p>
<pre><code>[main]
localhost=org.apache.jena.fuseki.authz.LocalhostFilter
[urls]
## Control functions open to anyone
/$/server = anon
/$/ping = anon
## and the rest are restricted to localhost.
## See above for 'localhost'
/$/** = localhost
/**=anon
</code></pre>
<h3 id="simple-userpassword">Simple user/password</h3>
<p>This extract shows the simple user/password setup.</p>
<p>It adds a <code>[users]</code> section and changes the <code>/$/**</code> line in <code>[urls]</code>.</p>
<pre><code>[users]
admin=pw
[urls]
## Control functions open to anyone
/$/status = anon
/$/ping = anon
/$/** = authcBasic,user[admin]
# Everything else
/**=anon
</code></pre>
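<p>An added example, not part of the Fuseki documentation or the shipped <code>shiro.ini</code>: Shiro evaluates <code>[urls]</code> entries in order and the first matching pattern wins, so a restriction such as <code>/**/query</code> only takes effect when it appears above the <code>/**=anon</code> catch-all. The Python below audits a configuration for this; its Ant-style matcher is a simplified approximation of Shiro's, and the dataset name <code>ds</code> and the <code>/ds/update</code> path are assumptions.</p>

```python
import re

# Constructed sample: the page's user/password extract plus its /**/query rule,
# placed before the catch-all (GOOD) and, ineffectively, after it (BAD).
GOOD = """[users]
admin=pw
[urls]
/$/status = anon
/$/ping = anon
/$/** = authcBasic,user[admin]
/**/query = authcBasic,user[admin]
/**=anon
"""
BAD = GOOD.replace("/**/query = authcBasic,user[admin]\n/**=anon\n",
                   "/**=anon\n/**/query = authcBasic,user[admin]\n")

def parse_urls(ini_text):
    """Return the [urls] section as an ordered list of (pattern, chain)."""
    rules, section = [], None
    for line in ini_text.splitlines():
        line = line.strip()
        if not line or line[0] in "#;":          # blank line or INI comment
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip()
        elif section == "urls" and "=" in line:
            pattern, chain = line.split("=", 1)
            rules.append((pattern.strip(), chain.strip()))
    return rules

def ant_match(pattern, path):
    """Simplified Ant match: '?' one char, '*' within a segment, '**' any segments."""
    def seg(p, s):
        rx = "".join("[^/]*" if c == "*" else "[^/]" if c == "?" else re.escape(c) for c in p)
        return re.fullmatch(rx, s) is not None
    def rec(ps, ss):
        if not ps:
            return not ss
        if ps[0] == "**":                        # try consuming 0..n path segments
            return any(rec(ps[1:], ss[i:]) for i in range(len(ss) + 1))
        return bool(ss) and seg(ps[0], ss[0]) and rec(ps[1:], ss[1:])
    return rec([p for p in pattern.split("/") if p], [s for s in path.split("/") if s])

def effective_chain(ini_text, path):
    """Filter chain of the first matching rule, or None if nothing matches."""
    return next((c for p, c in parse_urls(ini_text) if ant_match(p, path)), None)

def anonymous_paths(ini_text, paths):
    """Paths from `paths` that the configuration serves without authentication."""
    return [p for p in paths if effective_chain(ini_text, p) == "anon"]
```

<p>Running <code>anonymous_paths</code> over the paths you expect to be protected gives a quick pre-restart check; in the sample, <code>/ds/update</code> stays anonymous because only <code>query</code> was restricted.</p>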
</div>
</div>
</div>
<footer class="footer">
<div class="container" style="font-size:80%" >
<p>
Copyright &copy; 2011&ndash;2022 The Apache Software Foundation, Licensed under the
<a href="http://www.apache.org/licenses/LICENSE-2.0">Apache License, Version 2.0</a>.
</p>
<p>
Apache Jena, Jena, the Apache Jena project logo, Apache and the Apache feather logos are trademarks of
The Apache Software Foundation.
<br/>
<a href="https://privacy.apache.org/policies/privacy-policy-public.html"
>Apache Software Foundation Privacy Policy</a>.
</p>
</div>
</footer>
<script type="text/javascript">
var link = $('a[href="' + this.location.pathname + '"]');
if (link != undefined)
link.parents('li,ul').addClass('active');
</script>
</body>
</html>