Overview (Apache Jena - Security Permissions 3.14.0)

Packages
Package	Description
org.apache.jena.permissions	JenaSecurity is a SecurityEvaluator interface and a set of dynamic proxies that apply that interface to Jena Graphs, Models, and associated methods and classes.
org.apache.jena.permissions.example
org.apache.jena.permissions.example.readonly	Example code for creating a read only model/graph
org.apache.jena.permissions.graph	Secured implementation of the Graph interface and associated classes.
org.apache.jena.permissions.graph.impl
org.apache.jena.permissions.impl
org.apache.jena.permissions.model
org.apache.jena.permissions.model.impl
org.apache.jena.permissions.query
org.apache.jena.permissions.query.rewriter
org.apache.jena.permissions.utils

JenaSecurity is a SecurityEvaluator interface and a set of dynamic proxies that apply that interface to Jena Graphs, Models, and associated methods and classes.

The SecurityEvaluator class must be implemented. This class provides the interface to the authentication results (e.g. getPrincipal() ) and the authorization system.

Create a SecuredGraph by calling Factory.getInstance( SecurityEvaluator, String, Graph );
Create a SecuredModel by calling Factory.getInstance( SecurityEvaluator, String, Model )
It is not recommended that you use the Jena ModelFactory.createModelForGraph( SecuredGraph ) See Differences Between Graph and Model below for reasons.

See SecurityEvaluator documentation for description of cascading security checks
Secured methods are annotated with: @sec.graph for permissions required on the graph to execute the method. @sec.triple for permissions required on the associated triples (if any) to execute the method.
It is possible to implement a SecurityEvaluator that does not enforce security at the triple level. See SecurityEvaluator documentation for details

Differences Between `Graph` and `Model`

The Graph interface does not have the concept of "update". Thus all updates are implemented as a delete and an insert. The Model interface does have the concept of update as evidenced by the replace() method in the RDFList class. This difference means that a Model created by calling ModelFactory.createModelForGraph( SecuredGraph ) will yield a model that evaluates Update actions differently from one created with Factory.getInstance( SecurityEvaluator, modelIRI, model) .

Models created by the Jena ModelFactory will require that the user have both delete and create permissions on the underlying graph to perform the update. And will delete the existing triple before attempting to create the new one. Since the graph interface does not have visibility to the model's request for update these are, to the graph, separate events. It is possible that the delete may succeed while the create fails.
Models created by the JenaSecurity Factory will require that the user have update permissions on the underlying model to perform the update. As long as the user has the update permission on the graph, and the triple where required, the update is performed as a single event.

This is the well documented case of differences between the two secured model creation methods. For this reason it is recommended that the model be created with the Factory.getInsance() method.

Apache Jena - Security Permissions 3.14.0

Differences Between Graph and Model

Differences Between `Graph` and `Model`