URI resolution fix in AuthorizationFilter

Test fixes

Author: namedgraph

…ment-hierarchy/PATCH-non-existing-403.sh …tp-tests/document-hierarchy/PATCH-404.shhttp-tests/document-hierarchy/PATCH-non-existing-403.sh renamed to http-tests/document-hierarchy/PATCH-404.sh http-tests/document-hierarchy/PATCH-non-existing-403.sh renamed to http-tests/document-hierarchy/PATCH-404.sh

@@ -37,4 +37,4 @@ curl -k -w "%{http_code}\n" -o /dev/null -s \
   "${END_USER_BASE_URL}non-existing/" \
    --data-binary "$update"
 ) \
-| grep -q "$STATUS_FORBIDDEN"
+| grep -q "$STATUS_NOT_FOUND"

http-tests/document-hierarchy/PATCH-empty-item.sh

@@ -55,4 +55,4 @@ curl -k -w "%{http_code}\n" -o /dev/null -s \
   -E "$AGENT_CERT_FILE":"$AGENT_CERT_PWD" \
   -H "Accept: application/n-triples" \
   "$item" \
-| grep -q "$STATUS_FORBIDDEN"
+| grep -q "$STATUS_NOT_FOUND"

http-tests/document-hierarchy/POST-404.sh

@@ -27,4 +27,4 @@ curl -k -w "%{http_code}\n" -o /dev/null -s \
 <http://s> <http://p> <http://o> .
 EOF
 ) \
-| grep -q "$STATUS_NOT_FOUND"
+| grep -q "$STATUS_NOT_FOUND"

http-tests/document-hierarchy/PUT-no-slash-308.sh

@@ -7,6 +7,24 @@ purge_cache "$END_USER_VARNISH_SERVICE"
 purge_cache "$ADMIN_VARNISH_SERVICE"
 purge_cache "$FRONTEND_VARNISH_SERVICE"
 
+# add agent to the writers group
+
+add-agent-to-group.sh \
+  -f "$OWNER_CERT_FILE" \
+  -p "$OWNER_CERT_PWD" \
+  --agent "$AGENT_URI" \
+  "${ADMIN_BASE_URL}acl/groups/writers/"
+
+# create test container
+
+container=$(create-container.sh \
+  -f "$AGENT_CERT_FILE" \
+  -p "$AGENT_CERT_PWD" \
+  -b "$END_USER_BASE_URL" \
+  --title "Test Container" \
+  --slug "test-container" \
+  --parent "$END_USER_BASE_URL")
+
 # add an explicit read/write authorization for the parent since the child document will inherit it
 
 create-authorization.sh \
@@ -15,14 +33,14 @@ create-authorization.sh \
   -p "$OWNER_CERT_PWD" \
   --label "Write base" \
   --agent "$AGENT_URI" \
-  --to "$END_USER_BASE_URL" \
+  --to "$container" \
   --read \
   --write
 
-invalid_item="${END_USER_BASE_URL}no-slash"
-
 # check URI without trailing slash gets redirected
 
+invalid_item="${container}no-slash"
+
 (
 curl -k -w "%{http_code}\n" -o /dev/null -s \
   -E "$AGENT_CERT_FILE":"$AGENT_CERT_PWD" \

src/main/java/com/atomgraph/linkeddatahub/server/filter/request/AuthorizationFilter.java

@@ -43,7 +43,7 @@
 import jakarta.ws.rs.container.ContainerRequestFilter;
 import jakarta.ws.rs.container.PreMatching;
 import jakarta.ws.rs.core.Response;
-import java.net.URI;
+import org.apache.jena.irix.IRIx;
 import java.util.HashSet;
 import java.util.Set;
 import org.apache.jena.query.ParameterizedSparqlString;
@@ -170,7 +170,9 @@ public Model authorize(ContainerRequestContext request, Resource agent, Resource
         // special case for PUT requests to non-existing document: allow if the agent has acl:Write acess to the *parent* URI
         if (request.getMethod().equals(HttpMethod.PUT) && accessMode.equals(ACL.Write))
         {
-            URI parentURI = URI.create(accessTo.getURI()).resolve("..");
+            // Use Jena's IRIx for RFC 3986-compliant resolution - java.net.URI.resolve("..") is non-compliant
+            // (RFC 3986 section 5.2.4 step 2D requires ".." to be removed, but java.net.URI leaves it literal)
+            IRIx parentURI = IRIx.create(accessTo.getURI()).resolve("..");
             Resource parent = ResourceFactory.createResource(parentURI.toString());
             log.debug("Requested document <{}> not found, falling back to parent URI <{}>", parent, parentURI);