How to design tomcats security constraints to restrict manipulation in any form?

[blank-supportgis]

I'm trying to limit access to the rdf4j server based on credentials according to section 3 on this page.

If I now execute the following code with a non authorized user, I'm getting a "302 Forbidden" in return, as it should be.

Statement stmt = ...
HTTPRepository repo = new HTTPRepository("...");
repo.setUsernameAndPassword("b, "b");
try (RepositoryConnection con = repo.getConnection()) {
	con.begin();
	con.remove(stmt);
	con.commit();
}

However, the following code that uses a SPARQL query works. I guess, all SPARQL code simply always results in a POST.

	public void delete(Namespace ns, String id) {
		HTTPRepositoryrepo = new HTTPRepository("...");
		repo.setUsernameAndPassword("b", "b");
		String qry = "DELETE { \r\n"
				+ "  ?sub ?p ?o .\r\n"
				+ "  ?s1 ?p1 ?obj .\r\n"
				+ "} \r\n"
				+ "WHERE { \r\n"
				+ "   ?sub ?p ?o .\r\n"
				+ "   OPTIONAL {\r\n"
				+ "      ?s1 ?p1 ?obj .\r\n"
				+ "   }\r\n"
				+ "}";
		try (RepositoryConnection con = repo.getConnection()) {
			if (!id.startsWith(ns.getName())) {
				id = ns.getName() + id;
			}
			String idStr = '<' + id + '>';
			qry = qry.replaceAll("\\?sub", idStr).replaceAll("\\?obj", idStr);
			Update tq = con.prepareUpdate(QueryLanguage.SPARQL, qry);
			tq.execute();
		}
	}

How could I design the security constraints to properly disallow manipulation or deletion, no matter it's appearance.

Security constraints in the web.xml of rdf4j-server:

	<login-config>
        	<auth-method>BASIC</auth-method>
        	<realm-name>rdf4j</realm-name>
   	</login-config>
   	<!--
   	<security-constraint>
	  <web-resource-collection>
	    <web-resource-name>Local admin for Sesame Workbench</web-resource-name>
	    <url-pattern>/*</url-pattern>
	  </web-resource-collection>
	  <auth-constraint>
	    <role-name>administrators</role-name>
	  </auth-constraint>
	</security-constraint>   
   	-->
   	<security-constraint>
	    <web-resource-collection>
		<web-resource-name>SPARQL query access to the repository. The last part is the repository name. It must be adjusted if the repository's name changes.</web-resource-name>
		<url-pattern>/repositories/foo</url-pattern>
		<http-method>GET</http-method>
		<http-method>POST</http-method>
	    </web-resource-collection>
	    <auth-constraint>
		<role-name>instanceApprovers</role-name>
		<role-name>instanceDeletors</role-name>
		<role-name>instanceEditors</role-name>
		<role-name>instanceViewers</role-name>
		<role-name>templateViewers</role-name>
		<role-name>templateEditors</role-name>
		<role-name>templateDeletors</role-name>
		<role-name>userAdministrators</role-name>
	    </auth-constraint>
	</security-constraint>
	
	<security-constraint>
	    <web-resource-collection>
		<web-resource-name>Read access to the repository. The last part is the repository name. It must be adjusted if the repository's name changes.</web-resource-name>
		<url-pattern>/repositories/foo/*</url-pattern>
		<http-method>GET</http-method>
		<http-method>POST</http-method>
	    </web-resource-collection>
	    <auth-constraint>
		<role-name>instanceApprovers</role-name>
		<role-name>instanceDeletors</role-name>
		<role-name>instanceEditors</role-name>
		<role-name>instanceViewers</role-name>
		<role-name>templateViewers</role-name>
		<role-name>templateEditors</role-name>
		<role-name>templateDeletors</role-name>
		<role-name>userAdministrators</role-name>
	    </auth-constraint>
	</security-constraint>
	
	<security-constraint>
	    <web-resource-collection>
		<web-resource-name>Read access to the repository. The last part is the repository name. It must be adjusted if the repository's name changes.</web-resource-name>
		<url-pattern>/repositories/foo/*</url-pattern>
		<http-method>POST</http-method>
		<http-method>PUT</http-method>
		<http-method>DELETE</http-method>
	    </web-resource-collection>
	    <auth-constraint>
		<role-name>instanceApprovers</role-name>
		<role-name>instanceDeletors</role-name>
		<role-name>instanceEditors</role-name>
		<role-name>templateEditors</role-name>
		<role-name>templateDeletors</role-name>
	    </auth-constraint>
	</security-constraint>
	   	

	<security-role>
	    <description>
		Read access to repository data
	    </description>
	    <role-name>instanceApprovers</role-name>
	</security-role>
   	<security-role>
	    <description>
		Read access to repository data
	    </description>
	    <role-name>instanceViewers</role-name>
	</security-role>
	<security-role>
	    <description>
		Write access to repository data
	    </description>
	    <role-name>instanceEditors</role-name>
	</security-role>
	<security-role>
	    <description>
		Deleting repository data
	    </description>
	    <role-name>instanceDeletors</role-name>
	</security-role>
	<security-role>
	    <description>
		Read access to repository data
	    </description>
	    <role-name>templateViewers</role-name>
	</security-role>
   	<security-role>
	    <description>
		Read access to repository data
	    </description>
	    <role-name>templateEditors</role-name>
	</security-role>
	<security-role>
	    <description>
		Write access to repository data
	    </description>
	    <role-name>templateDeletors</role-name>
	</security-role>
	<security-role>
	    <description>
		Write access to repository data
	    </description>
	    <role-name>userAdministrators</role-name>
	</security-role>

[abrokenjester]

If you want to allow queries (including queries sent using POST) but not SPARQL updates, you should make sure that both GET and POST access is granted on /repositories/foo (this is the query endpoint) but only GET access on /repositories/foo/statements (the POST on this url is what's used for SPARQL updates).

As an aside I've just noticed that that section 3 you mentioned is a partly out of date: it still mentions the use of the SYSTEM repository for creation and deletion of repositories. This is now obsolete. Instead, repositories are created and deleted by means of a PUT or DELETE, respectively, on /repositories/foo. Modification of a repo configuration happens via the /reposories/foo/config endpoint.

See https://rdf4j.org/documentation/reference/rest-api/ for an overview of all endpoints and what they do.

[blank-supportgis]

Thanks!

This means, if I want instanceViewers and templateViewers to perform SPARQL queries but not -updates, I would add the following constraint?

	<security-constraint>
	    <web-resource-collection>
		<web-resource-name>Read access to the repository. The last part is the repository name. It must be adjusted if the repository's name changes.</web-resource-name>
		<url-pattern>/repositories/mdb/statements</url-pattern>
		<http-method>GET</http-method>
	    </web-resource-collection>
	    <auth-constraint>
		<role-name>instanceViewers</role-name>
		<role-name>templateViewers</role-name>
		<role-name>userAdministrators</role-name>
	    </auth-constraint>
	</security-constraint>

[abrokenjester]

I'm a bit rusty on using this myself to be honest, but yes that looks correct.