HTTP Basic auth Fuseki (shiro.ini) + CORS restriction

Version

4.7.0-SNAPSHOT

Question

When securing a data set with authentication, it is in theory possible to query this from another domain using XMLHttpRequest.

This could be useful to use e.g. the commercial YASGUI with Geo plug-in to visualise data from a log-in protected Fuseki.

To protect our installation, we changed the shiro.ini to:

# Everything else
/**=authcBasic,user[secretuser]

However, it is somewhat more complicated to enable CORS with authentication: ^1

The OPTIONS “pre-flight” request must be answered without the need to log in. Currently, Fuseki fails at this step:

curl -vv 'http://localhost:3030/ds/' -X OPTIONS -H 'Access-Control-Request-Headers: authorization' -H 'Origin: http://yasgui.triply.cc'
< HTTP/1.1 401 Unauthorized

It would need to respond with:

< HTTP/1.1 200 OK
< Access-Control-Allow-Origin: http://yasgui.triply.cc
< Access-Control-Allow-Credentials: true

Has anyone faced this issue before? Can it be fixed in Fuseki?

I know it is possible to work around with a reverse proxy that “hacks in” the proper response… but that is rather cumbersome.

Issue Analytics

  • State: closed
  • Created a year ago
  • Comments: 5 (5 by maintainers)

Top GitHub Comments

afs commented, Sep 8, 2022 (1 reaction)

FYI: building fuseki with https://github.com/apache/jena/pull/1520 does not seem to be related to this issue

There was a discussion on Jetty lists about CORS+auth but I couldn’t find a raised issue. https://www.eclipse.org/lists/jetty-users/msg08899.html

It was good to do it anyway. It’s unfortunate Fuseki needs its own copy at the moment.

My long term plan is to consolidate on Fuseki Main and not have a webapp except keeping the WAR file around. i.e. change the standalone JAR. Fuseki modules will add the admin and UI functionality - this has been prototyped but still some way from being ready.

We don’t get any benefit from being a webapp - the war file has always seemed to be little used compared to the standalone jar.

What with containers and cloud, FusekiMain with a choice of modules makes more sense - c.f. Apache Httpd.

afs commented, Sep 12, 2022 (0 reactions)

Hi @SimonBin,

That’ll do - if I understand CORS and the code (big if), the filter only shortcuts preflight OPTIONS, not all OPTIONS. That’s good.

Fuseki/Main will need a similar change and also reverse the auth and CORS filters which I’ll do.
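
The filter ordering discussed in this thread (answer the CORS preflight before authentication, and send every other request, plain OPTIONS included, through auth), as an added example that is not Fuseki, Shiro or Jetty code. It uses the JDK's built-in com.sun.net.httpserver; the class names, port 3031, the allowed methods and the demo-password credential are assumptions made for the illustration.

```java
import com.sun.net.httpserver.*;
import java.io.IOException;
import java.net.InetSocketAddress;
import java.nio.charset.StandardCharsets;
import java.util.*;

public class PreflightBeforeAuth {
    // With Allow-Credentials the origin must be echoed from an allow-list, never "*".
    static final Set<String> ALLOWED_ORIGINS = Set.of("http://yasgui.triply.cc");
    // Constructed demo credential (assumption), standing in for the Shiro realm.
    static final String EXPECTED = "Basic " + Base64.getEncoder()
            .encodeToString("secretuser:demo-password".getBytes(StandardCharsets.UTF_8));
    // Length -1 means "no response body".
    static void reply(HttpExchange ex, int status) throws IOException { ex.sendResponseHeaders(status, -1); ex.close(); }

    static class Cors extends Filter {
        @Override public String description() { return "CORS, registered before auth"; }
        @Override public void doFilter(HttpExchange ex, Chain chain) throws IOException {
            Headers req = ex.getRequestHeaders(), res = ex.getResponseHeaders();
            String origin = req.getFirst("Origin");
            if (origin != null && ALLOWED_ORIGINS.contains(origin)) {
                res.set("Access-Control-Allow-Origin", origin);
                res.set("Access-Control-Allow-Credentials", "true");
                res.set("Vary", "Origin");
                // Preflight = OPTIONS + Origin + Access-Control-Request-Method; any other OPTIONS goes on to auth.
                if ("OPTIONS".equals(ex.getRequestMethod())
                        && req.getFirst("Access-Control-Request-Method") != null) {
                    res.set("Access-Control-Allow-Methods", "GET, POST");
                    res.set("Access-Control-Allow-Headers", "authorization");
                    reply(ex, 200); return;
                }
            }
            chain.doFilter(ex);
        }
    }
    static class BasicAuth extends Filter {
        @Override public String description() { return "stand-in for authcBasic"; }
        @Override public void doFilter(HttpExchange ex, Chain chain) throws IOException {
            if (EXPECTED.equals(ex.getRequestHeaders().getFirst("Authorization"))) { chain.doFilter(ex); return; }
            ex.getResponseHeaders().set("WWW-Authenticate", "Basic realm=\"demo\"");
            reply(ex, 401);
        }
    }
    public static void main(String[] args) throws IOException {
        HttpServer server = HttpServer.create(new InetSocketAddress("127.0.0.1", 3031), 0);
        HttpContext ctx = server.createContext("/ds/", ex -> reply(ex, 204));
        ctx.getFilters().add(new Cors());      // order matters: CORS first
        ctx.getFilters().add(new BasicAuth()); // then authentication
        server.start();
    }
}
```

With this running, the question's curl command pointed at port 3031 with an extra -H 'Access-Control-Request-Method: GET' gets 200 with both CORS headers, while the same request without that header, or a GET without credentials, gets 401.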
