Fuseki2 provides security by using Apache Shiro. This is controlled by a shiro.ini file located at
If not found, the server initializes this with a preset initial configuration. This can then be replaced or edited as required. This file is never overwritten by the server.
The default is that the SPARQL protocols are open but the administrative
actions are limited to the localhost. "localhost" is determined by
connecting using the
http://localhost:.../.... It must be "localhost", or
127.0.0.1 (IPv4), or
[::1] (IPv6), not the external IP address of the
Once Shiro has been configured to perform user authentication, it provides a good foundation on which to implement the Jena Permissions layer. There is an example implementation documented in the Jena Permissions section. The Jena Permissions layer can be used to restrict access to specific graphs or to triples within graphs.
An example that enables simple user/password security, which is only suitable where the connection is secure, is shown
shiro.ini file with default user 'admin' and password 'pw'. These should be changed before
This has some use where the server is in a secure network environment with additional restrictions on external requests also applied, for example behind a reverse proxy, where the connection can be given additional security (e.g. no access to URLs starting '/$/').
The Apache Shiro website has documentation for creating more sophisticated setups.
The security provided in Fuseki is not intended to replace existing mechanisms. Security can also be applied to a Fuseki server from outside the server by using Apache Httpd or Nginx as a reverse proxy, then limiting the Fuseki server to processing only requests from the local machine by controlling the ports it listens on.
Changing the security setup requires a server restart.
Contributions of more examples are very welcome.
The shiro.ini file has additional comments.
This is a minimal version of the default configuration.

```ini
[main]
localhost=org.apache.jena.fuseki.authz.LocalhostFilter

[urls]
## Control functions open to anyone
/$/status = anon
/$/ping = anon
## and the rest are restricted to localhost.
## See above for 'localhost'
/$/** = localhost
/**=anon
```
This extract shows the simple user/password setup.
It adds a [users] section and changes the /$/** line in the [urls] section:

```ini
[users]
admin=pw

[urls]
## Control functions open to anyone
/$/status = anon
/$/ping = anon
/$/** = authcBasic,user[admin]
# Everything else
/**=anon
```
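Both extracts rely on the way Shiro evaluates the [urls] section: entries are tried top to bottom with Ant-style path patterns, and the first match decides the filter chain, so the catch-all /**=anon must stay last or it silently opens the /$/ administrative paths. The script below is an added example (not part of Fuseki or Shiro) that parses a shiro.ini, resolves the chain for a given request path under those rules, and flags the two weaknesses this page warns about: the unchanged admin/pw default and admin paths that resolve to anon. The sample ini is constructed from the two extracts above; the admin paths it probes (/$/datasets, /$/server, /$/stats) are assumed to be the standard Fuseki2 administration endpoints.

```python
"""Resolve Shiro [urls] filter chains (first match wins, Ant-style patterns)
and lint a Fuseki shiro.ini for weak defaults.
Added example for this page; not Fuseki or Shiro code."""
import re

# Constructed sample: the user/password extract from the page with the
# [main] localhost filter from the minimal configuration retained.
SAMPLE_INI = """
[main]
localhost=org.apache.jena.fuseki.authz.LocalhostFilter

[users]
admin=pw

[urls]
## Control functions open to anyone
/$/status = anon
/$/ping = anon
/$/** = authcBasic,user[admin]
# Everything else
/**=anon
"""

# Constructed sample of the ordering mistake: the catch-all listed first
# shadows every later rule, so the administrative API ends up anonymous.
MISORDERED_INI = SAMPLE_INI.replace("/**=anon\n", "").replace(
    "[urls]\n", "[urls]\n/**=anon\n")


def parse_ini(text):
    """Parse a shiro.ini into {section: [(key, value), ...]}.
    Entry order is kept because Shiro evaluates [urls] top to bottom."""
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, [])
            continue
        if current is None or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        sections[current].append((key, value))
    return sections


def ant_to_regex(pattern):
    """Translate an Ant-style pattern to a regex (simplified): '**' spans any
    number of path segments, '*' matches within one segment, '?' matches one
    character; everything else, including '$', is literal."""
    out = []
    i = 0
    while i < len(pattern):
        if pattern.startswith("**", i):
            out.append(".*")
            i += 2
        elif pattern[i] == "*":
            out.append("[^/]*")
            i += 1
        elif pattern[i] == "?":
            out.append("[^/]")
            i += 1
        else:
            out.append(re.escape(pattern[i]))
            i += 1
    return re.compile("^" + "".join(out) + "$")


def filter_chain_for(sections, path):
    """Return the filter chain Shiro would apply to `path`: the value of the
    first [urls] entry whose pattern matches, or None if nothing matches."""
    for pattern, chain in sections.get("urls", []):
        if ant_to_regex(pattern).match(path):
            return [f.strip() for f in chain.split(",")]
    return None


# Assumed Fuseki2 administration endpoints used to probe the [urls] rules.
ADMIN_PATHS = ("/$/datasets", "/$/server", "/$/stats")


def lint(sections):
    """Flag the weak defaults discussed on the page."""
    findings = []
    for name, password in sections.get("users", []):
        if name == "admin" and password == "pw":
            findings.append("default admin/pw credentials still present")
    for admin_path in ADMIN_PATHS:
        chain = filter_chain_for(sections, admin_path)
        if chain is None or chain == ["anon"]:
            findings.append(f"{admin_path} is reachable anonymously")
    return findings


if __name__ == "__main__":
    for label, text in (("sample", SAMPLE_INI), ("misordered", MISORDERED_INI)):
        sections = parse_ini(text)
        print(label, "/$/datasets ->", filter_chain_for(sections, "/$/datasets"))
        for finding in lint(sections):
            print("  ", finding)
```

Running it against the well-ordered sample reports only the default credentials; against the misordered copy it also reports every administrative path as anonymous, which is the failure mode a quick glance at the file can miss.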