Page tree
Skip to end of metadata
Go to start of metadata

Use Case 1:  External Authentication and Authorization

Title (goal)
 External Authentication and Authorization
Primary Actor developer, consuming applications
Scope Organizational, black box
Level 
Story

1.  User on a browser clicks on a link to see information about a digital object in Fedora.  The request will pass through a few layers of front-end applications before it reaches Fedora.

    • No user information is submitted with the request;  it's an anonymous request from an unauthenticated user.

2.  Fedora receives the anonymous request for the resource (object, datastream, datastream metadata, etc.).  It asks the external PDP if this resource is accessible;  no role attributes are delivered to the PDP (an anonymous, public request).

    • Is the source IP for the request is passed along, for access control?
    • PDP needs access to the object;  policy may be evaluated based on a properties of the object.
    1. Resource is available:  PDP responds with "yes".  Fedora sends back the requested resource, with a HTTP 200 response code.  Work is done.
    2. Resource has restricted access.  PDP responds with "no".  Fedora sends back a HTTP 401:  Unauthorized.

At this point, the front-end application decides what to do with that 401:  in our case, it will redirect the user to an authenticating web service, protected by Shibboleth;  the authentication web service will do the Shibboleth dance, then redirect the user back to the front end web application, with user attributes included.

3.  The front-end web web application will re-request the resource from Fedora, this time with user attribute information.

4.  Fedora receives the authenticated request for the resource.  It asks the PDP again if the resource is accessible, this time passing along user attributes.

    1. Resource is available to the user:  PDP responds with "yes". Fedora sends back the requested resource, with a HTTP 200 response code.  Work is done.
    2. Resource is not available to the user:  PDP responds with "no".  Fedora sends back a HTTP 403:  Forbidden (final, request should not be re-submitted).

At this point, the front-end application decides what to do with the 403:  show an error page, mask with a 404, etc.

Use Case 2:  Resource Index/Triplestore queries

Title (goal)
 Obtain filtered list of objects
Primary Actor administrator, consuming applications
Scope component
Level 
Story

An administrator or piece of software needs to get a list of all the top-level objects in a particular collection, or created under the auspices of a given project.

They run the following ITQL query against the Resource Index:

select $fco from <#ri>
where $fco <info:fedora/fedora-system:def/model#hasModel> <info:fedora/1711.dl:CModelFirstClassObject>
and $fco <http://digital.library.wisc.edu/1711.dl/rdf/1.0/relations#isMemberOfProject> <hdl:1711.dl/AfricaFocus>

where the project ID is "AfricaFocus".

Alternatively:

select $fco from <#ri>
where $fco <info:fedora/fedora-system:def/model#hasModel> <info:fedora/1711.dl:CModelFirstClassObject>
and $fco <info:fedora/fedora-system:def/relations-external#isMemberOfCollection> <info:fedora/1711.dl:CollectionHLATextile>

where the collection ID is "CollectionHLATextile".

As a variation, the actor may just retrieve count of objects that match the criteria.

Use Case 3:  Resource Index/Triplestore queries

Title (goal)
 Obtain list of objects that contain a given datastream
Primary Actor administrator, consuming applications
Scope component
Level 
Story

An administrator or piece of software needs to get a list of all the objects that contain a given datastream.

They run the following iTQL query against the Resource Index to find all objects that contain a MASTER datastream:

select $obj $ds from <#ri>
where $obj <info:fedora/fedora-system:def/view#disseminates> $ds
and $ds <info:fedora/fedora-system:def/view#disseminationType> <info:fedora/*/MASTER> in <#ri>

Other Use Cases of Interest

  1. University of North Carolina at Chapel Hill
  2. Yale University
  3. Use Case: Distributed authentication and authorization
  • No labels

2 Comments

  1. Is iTQL actually a requirement here, or simply a powerful query language?

    1. Not a requirement, just a powerful query language.  Any way to get the same info will work (the easier and more flexible, the better).