Authentication for Virtuoso HTTP POST/PUT - security

I tried to execute an INSERT statement for an RDF triple in Virtuoso using its web-based SPARQL endpoint (http://localhost:8890/sparql/):
INSERT DATA
{
GRAPH <http://my.graph>
{
<http://test.com/someid> <http://namespace.ref#someVar> 123
}
}
but I got
Virtuoso 42000 Error SR186:SECURITY: No permission to execute procedure DB.DBA.SPARQL_INSERT_DICT_CONTENT with user ID 107, group ID 107
I was able to run the same statement through my DB editor that uses a JDBC driver on port 1111, using the DBA login.
The web interface/service insert was successful after I ran the following as a DBA through port 1111:
grant execute on DB.DBA.SPARQL_INSERT_DICT_CONTENT to "SPARQL";
grant execute on DB.DBA.SPARQL_INSERT_DICT_CONTENT to SPARQL_UPDATE;
However, I would like to revoke those privileges from user SPARQL, which I understand is associated with the web interface, and send HTTP POST/PUT/DELETE requests with supplied user credentials using digest authentication. Is that possible and how? I went to this page of the manual but it was empty.

The OP's goal is discussed in the new location of the manual page they originally tried to visit. (More details are on the product site, than are reproduced below.)
Virtuoso reserves the path /sparql-auth/ for a SPARQL service supporting authenticated SPARUL (a/k/a SPARQL-Update). This endpoint allows specific SQL accounts to perform SPARUL over the SPARQL protocol. To be allowed to log in via SQL or ODBC and update physical triples, a user must be granted SPARQL_UPDATE privileges. To grant this role:
Go to the Virtuoso administration UI, i.e., http://host:port/conductor
Log in as user dba
Go to System Admin → User Accounts → Users
Click the Edit link
Set User type to SQL/ODBC Logins and WebDAV.
From the list of available Account Roles, select SPARQL_UPDATE and click the >> button to add it to the right-hand list.
Click the Save button.

This procedure, which I picked up here, worked for me:
Logged in as dba, under System Admin > User Accounts,
grant SPARQL_UPDATE to "SPARQL"

Related

IBM Lotus java XPage rest service - does it require signing for each user?

I have made a Java ExtLib XPage custom REST service (CustomServiceBean) database basing on this solution: https://setza-projects.atlassian.net/wiki/spaces/RS/pages/363593730/IBM+Domino
I modified it though to use NotesCalendar class to create, update and delete events & resource reservations (so everything in fact is processed by the calendar, I'm only using raw documents for reading $Rooms in names.nsf and $Reservations in the reservations database). Everything works fine so far, it uses current session to open the calendar. I have some concerns regarding the permissions though.
What I want (and need):
Ability to create calendar events & reservations as SPECIFIC users, I don't want just one "main" user that will create everything. I want each IBM Lotus user to be able to login with their credentials and create or update their calendar events.
This database with XPage will be deployed on our client's servers, so I don't want to require some special configuring for each user in order to be able to access my REST service.
I set up a new local installation of Lotus Server and created a new application using my XPage database as template, and I couldn't access the API neither with admin account or other accounts:
HTTP JVM: CLFAD0229E: Security exception occurred servicing request for: /db.nsf/services.xsp/api - HTTP Code: 403. For more detailed information, please consult error-log-0.xml
As soon as I added my admin account to Server configuration -> Security -> Sign or run unrestricted methods and operations, it started working again. Not only for the admin account, but also for other accounts that were just created with an internet password and weren't assigned any specific roles or permissions. I didn't even sign the database.
So my question is, is this enough in order to get it working on client's production server? It kind of makes no sense to me, but it worked on my local server so I'm not sure, I'm new to IBM Lotus and I'm just doing an integration REST service.
If not, how could I do it, so I wouldn't really need to put the end client (Lotus server owner) into the hassle of configuring each user, while still being able to access the API as any Lotus user (providing the username and password)? I can either log-in as each indepentend user, or perform some impersonation with a "main" privileged account (create entries in someone else's calendar as him), although I think there is no way to do it in Java, because .getCalendar is a method of the Session class, I tried using createSession(), but I wasn't able to.
Every notes application needs to be signed by an administrator with an ID known to the customers environment. The Id which is used to sign the db must have the appropriate rights, through the security tab in the server document. If the app is not signed properly, the app won't run. Once the app is signed, it runs in the authorized users session with the users rights.

Sitecore website: show/hide menu items based on logged in user role

I'm building a sitecore 7.2 using asp.net MVC 5.0. The site will have login and each user will be roles.
We need to show/hide the site menu items based on logged in user Roles. The user detail and roles are stored in SAP backend.
Could someone please advise what's the best way to achieve above?
Essentially you will want to map the roles stored in your backend system to Sitecore Roles. Potentially look into creating a custom Role Provider (see in document below)
Once logged in, requests are made to Sitecore are made in context of that logged in user. Therefore if the user, or their role, does not have permission to view an Item, it will not be returned in the request. This effect means that your Menu will not display items they do not have permission to access.
You and Content Editors can control what users and roles can access via the Security Editor and view their access rights via the Access Viewer in the Content Editor.
This documents will have everything you need - http://sdn.sitecore.net/upload/sitecore6/sc61keywords/security_api_cookbook_usletter.pdf
http://sdn.sitecore.net/upload/sitecore6/securityadministratorscookbook-usletter.pdf
Its also worth noting that Sitecore's seucirty manages roles as Ors. So if one of the user's role has permission to see an Item, then the user can see it.
If you require the roles to be Ands; every role must have permission before its displayed to the user, check this post out - http://www.sitecore.net/learn/blogs/technical-blogs/john-west-sitecore-blog/posts/2015/03/require-membership-in-multiple-roles-in-the-sitecore-aspnet-cms.aspx
You need the roles for the current user from SAP? There is an Odata API for that: http://help.sap.com/saphelp_nw73ehp1/helpdata/en/4c/5bde6197817511e10000000a42189b/content.htm
You could query the API in real-time, but it would of course require a login to SAP for the current user.
Or - you could use another API and connect via a service user.

Oracle - Granting privileges to user for session

I have an application using Oracle 9i as the database and I would like to grant update/delete/insert etc.. rights to only the session/connection used by this application.
I would like all other connections through excel, access, etc.. to be in a read-only state so it prevents the users from "accidentally" changing the data through these applications.
If I have all users start out with read-only rights then when they connect to this application, I would like to either call a specific stored procedure that would grant the user the proper rights only for that session though. Once they disconnect, the user would be back to read-only rights.
I have seen in other posts that you can add a trigger to the login so you can check if the connection is from application1.exe then you can do things or if they connect from 'excel.exe' you can stop them.
This is close to what I need to do but not quite.
My long worded question is "Can I grant rights to only a session/connection which would then allow that user the ability to update data based on a specific application running?"
Thank you for your patience in reading through this question.
Karl
create user A and grant him permissions to execute DML operations
create user B and grant only read permissions
Use user A inside your application
Use user B in Excel, access, etc

Connectons API: Posting on behalf of others / Impersonation

I'm currently implementing a solution, where an external tool is making posts to the Connections API. These calls are made via basic authentication with a service account configured in the external tool.
However, I need the posted content in Connections to appear as posted by another user than the service account (users ids/emails are known to the external tool). Is there any way, the service account can post on behalf of others/impersonate users when posting to the API?
You need to add support for your the external user account to the right websphere roles
These Application / Roles are:
WidgetContainer trustedExternalApplication, admin
You can follow this article to set it up on your system.
In order to give a user administrative access to widgets, we can assign some privileges to one of the users - fadams.
You need to start the deployment manager on the quickstart.
Connect to the system via SSH
sudo /etc/init.d/ConServer_DM_was.init start
Navigate to https://${HOSTNAME}:9044/ibm/console/login.do?action=secure
Enter User ID : wasadmin
Enter Password : lcsecret
Click Login
Expand Applications > Application Types
Click on WebSphere Enterprise Applications
Select one of the Applications (from the table)
Application Role
Homepage admin
WidgetContainer trustedExternalApplication admin
Communities widget-admin admin
Profiles admin
Click on Homepage
Click on "Security role to user/group mapping"
Select One of the Roles (Admin)
Click Map Users
Enter Search String - fadams
Click Search
Click the Right Arrow
Click Ok
Click Ok
Click Save
Repeat for Each Application and Each Role in the Table Above
....
Click System Administration on the Left
Click on Nodes
Check localhostNode01
Click Synchronize
The Servers are now synchronized with your updates to the roles.
Click Servers > Server Types > WebSphere application servers
Check conServer
Click Restart
Once you see the Green arrow again, the connections server is fully restarted
Navigate to https://${HOSTNAME}:444/homepage
Login as fadams with your password
You should see administration on the left side of your connections instance
http://www-10.lotus.com/ldd/appdevwiki.nsf/dx/How_to_update_the_quickstart_to_support_Widgets

Limit access to Jenkins web dashboard

At the moment I'm running Jenkins on my Mac Mini and everybody in my local network can access the web dashboard at the address http://<JenkisIP>:8080. How can I setup username and password credentials to limit the access to it?
You want to check the enable security feature in the configure menu, select "Jenkins's own user database" as the security realm and then alter the security matrix to suit your requirements.
For the first run, give everyone full access. Allow users to sign up, create your own account (if you don't have one) and then give full privileges to that account and remove all privileges to anonymous.
All the information you need should be found here:
https://wiki.jenkins-ci.org/display/JENKINS/Standard+Security+Setup

Resources