Fedora Authorization Delegates allow you to implement one interface to enforce access control over your Fedora repository. This interface, FedoraAuthorizationDelegate, has callbacks that allow you to restrict ModeShape operations and filter search results. After following these configuration steps, Fedora's REST endpoints will respond with 403 response codes when the requested action is unauthorized by the authorization delegate.
Use of an authorization delegate and Fedora-specific authorization is optional. You can also configure Fedora to run without API security. You may want to only enforce container authentication or leave the service running completely unsecured, behind a firewall for instance. For details, see How to configure Fedora without authorization.
The authorization delegate is not consulted when servlet credentials identify a client with the fedoraAdmin role. When the container has authenticated the connected client as a fedoraAdmin, all actions are permitted and PEP is bypassed.
There are two reference implementations available:
You can also create an authorization delegate implementation and perform security checks differently, possibly including calls to remote services.
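The order of checks described above, as an added Java example that is not Fedora's code: the container role is tested first, then the delegate, and a delegate that depends on a remote service fails closed. `AccessDelegate` is a hypothetical stand-in, since this page does not show the FedoraAuthorizationDelegate method signatures; the `fedoraUser` role, user names, paths and policy are constructed sample values.

```java
import java.io.IOException;
import java.util.Set;

/** Hypothetical stand-in for the delegate callback; not the real FedoraAuthorizationDelegate signature. */
interface AccessDelegate {
    boolean hasPermission(String user, Set<String> roles, String path, String action) throws IOException;
}

/** Models the order of checks: container role first, then the delegate. */
final class DelegateGate {
    static final String ADMIN_ROLE = "fedoraAdmin"; // role name taken from the page
    private final AccessDelegate delegate;

    DelegateGate(AccessDelegate delegate) {
        this.delegate = delegate;
    }

    /** Returns 403 when the action is refused; 200 stands for "the request proceeds". */
    int authorize(String user, Set<String> roles, String path, String action) {
        if (roles.contains(ADMIN_ROLE)) {
            return 200; // delegate is bypassed, so it cannot deny or log admin actions
        }
        try {
            return delegate.hasPermission(user, roles, path, action) ? 200 : 403;
        } catch (IOException e) {
            return 403; // fail closed when a remote policy lookup cannot be completed
        }
    }
}

public class DelegateDemo {
    public static void main(String[] args) {
        // Constructed policy: anyone may read below /public/, nothing else is allowed.
        AccessDelegate publicReadOnly = (user, roles, path, action) ->
                action.equals("read") && path.startsWith("/public/");
        // Constructed failure: a delegate whose remote policy service is unreachable.
        AccessDelegate unreachable = (user, roles, path, action) -> {
            throw new IOException("policy service unreachable");
        };
        Set<String> userRole = Set.of("fedoraUser"); // constructed sample role
        Set<String> adminRole = Set.of(DelegateGate.ADMIN_ROLE);
        DelegateGate gate = new DelegateGate(publicReadOnly);
        System.out.println(gate.authorize("alice", userRole, "/public/obj1", "read"));
        System.out.println(gate.authorize("alice", userRole, "/public/obj1", "write"));
        System.out.println(gate.authorize("root", adminRole, "/private/obj2", "write"));
        DelegateGate broken = new DelegateGate(unreachable);
        System.out.println(broken.authorize("alice", userRole, "/public/obj1", "read"));
        System.out.println(broken.authorize("root", adminRole, "/public/obj1", "read"));
    }
}
```

Because fedoraAdmin requests never reach the delegate, any restriction or audit trail for those accounts has to be enforced at the container level.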
Two files contain the configuration options for authorization delegates:
<bean name="modeshapeRepofactory" class="org.fcrepo.kernel.spring.ModeShapeRepositoryFactoryBean"
<bean name="fad" class="your.own.implementation"/>
<bean name="authenticationProvider" class="org.fcrepo.auth.ServletContainerAuthenticationProvider">

"security" : {