<p>
<ac:structured-macro ac:macro-id="e917705b-73ae-4db1-8db9-3b84827a5213" ac:name="tocFedora " ac:schema-version="1"/>
</p>
<p>Fedora Principal Providers allow a Fedora repository to pull in user security and role designations from other sources (e.g. LDAP). Providers are consulted after the initial container authentication but before finer-grained authentication (such as role resolution) is applied.</p>
<p>The repository configuration file (repository.json) contains the class name of an authentication provider (under "providers") as well as the roles to be used when starting the provider module. By default, the <a href="https://github.com/fcrepo4/fcrepo4/blob/master/fcrepo-auth-common/src/main/java/org/fcrepo/auth/common/BypassSecurityServletAuthenticationProvider.java">org.fcrepo.auth.common.BypassSecurityServletAuthenticationProvider</a> is the one present in the configuration file, as it doesn't rely on an external PrincipalProvider and offers the simplest authentication model (the module always grants access privileges to the session).</p>
<p>Different derivatives of the PrincipalProvider class can be initialized in different ways: through the repository.json file, through other credential files, from information sent via HTTP header, or by connecting to external information sources such as LDAP.</p>
<h2>PrincipalProvider</h2>
<p>The interface that custom providers must implement. Several providers exist in the codebase.</p>
<p>A principal provider must be configured in repo.xml. The following example shows the configuration for the PrincipalProvider class ContainerRolesPrincipalProvider.</p>
<ac:structured-macro ac:macro-id="3dd45200-3f05-459d-967d-6d4d1cc00167" ac:name="code" ac:schema-version="1">
<ac:parameter ac:name="language">text</ac:parameter>
<ac:parameter ac:name="title">repo.xml</ac:parameter>
<ac:plain-text-body><![CDATA[<bean name="containerRolesPrincipalProvider" class="org.fcrepo.auth.common.ContainerRolesPrincipalProvider"
p:roleNames="my-new-tomcat-role"/>
<bean name="authenticationProvider" class="org.fcrepo.auth.common.ServletContainerAuthenticationProvider"
p:fad-ref="fad" p:principalProviders-ref="containerRolesPrincipalProvider"/>]]></ac:plain-text-body>
</ac:structured-macro>
<h3>Container Roles Principal Provider</h3>
<p>ContainerRolesPrincipalProvider is a PrincipalProvider that obtains its set of principals from the roles declared in web.xml.</p>
<p>New roles must be specified in web.xml as shown below. The default role is fedoraUser.</p>
<ac:structured-macro ac:macro-id="6ea9754c-c162-4155-9a0f-c95a2f1ff320" ac:name="code" ac:schema-version="1">
<ac:parameter ac:name="language">text</ac:parameter>
<ac:parameter ac:name="title">web.xml</ac:parameter>
<ac:plain-text-body><![CDATA[<auth-constraint>
<role-name>fedoraUser</role-name>
<role-name>fedoraAdmin</role-name>
<role-name>my-new-tomcat-role</role-name>
</auth-constraint>]]></ac:plain-text-body>
</ac:structured-macro>
<p>Please refer to the <ac:link>
<ri:page ri:content-title="How to Configure Servlet Container Authentication"/>
<ac:plain-text-link-body><![CDATA[servlet container authentication document]]></ac:plain-text-link-body>
</ac:link> for further configuration details.</p>

<h3>HTTP Header Principal Provider</h3>
<p>HttpHeaderPrincipalProvider is a PrincipalProvider that obtains its initial set of principals from a configured HTTP request header.</p>
<ac:structured-macro ac:macro-id="aeedc1df-425b-49f2-902f-e46bd0f9462b" ac:name="code" ac:schema-version="1">
<ac:parameter ac:name="title">repo.xml</ac:parameter>
<ac:plain-text-body><![CDATA[ <!-- Optional PrincipalProvider that will inspect the request header, "some-header", for user role values -->
<bean name="headerProvider" class="org.fcrepo.auth.common.HttpHeaderPrincipalProvider">
<property name="headerName" value="some-header"/>
<property name="separator" value=","/>
</bean>
<bean name="authenticationProvider" class="org.fcrepo.auth.common.ServletContainerAuthenticationProvider"
p:fad-ref="fad" p:principalProviders-ref="headerProvider"/>]]></ac:plain-text-body>
</ac:structured-macro>
<h3>
<span style="color: rgb(0,0,0);">Delegate Header Principal Provider</span>
</h3>
<p>
<span style="color: rgb(0,0,0);">DelegateHeaderPrincipalProvider is a PrincipalProvider that uses the <code>On-Behalf-Of</code> HTTP header to switch the user principal to the principal given in the header. This switch is only performed if the authenticated user has the fedoraAdmin container role.</span>
</p>
<ac:structured-macro ac:macro-id="519b3d8e-0dd2-46bd-8473-65b38966a022" ac:name="code" ac:schema-version="1">
<ac:parameter ac:name="title">repo.xml</ac:parameter>
<ac:plain-text-body><![CDATA[<bean name="delegatedPrincipalProvider" class="org.fcrepo.auth.common.DelegateHeaderPrincipalProvider"/>
<bean name="authenticationProvider" class="org.fcrepo.auth.common.ServletContainerAuthenticationProvider"
p:fad-ref="fad" p:principalProviders-ref="delegatedPrincipalProvider"/>]]></ac:plain-text-body>
</ac:structured-macro>
<h2>
<span style="color: rgb(0,0,0);">Implementation Details</span>
</h2>
<p>The Fedora class <a href="https://github.com/fcrepo4/fcrepo4/blob/master/fcrepo-auth-common/src/main/java/org/fcrepo/auth/common/ServletContainerAuthenticationProvider.java">org.fcrepo.auth.common.ServletContainerAuthenticationProvider</a> contains a list of PrincipalProvider derivative instances that are called for every authentication query. The union of the principals returned by the PrincipalProvider instances is assigned to the FEDORA_ALL_PRINCIPALS session attribute. If the user has the fedoraAdmin role, a FedoraAdminSecurityContext is provided as the user's SecurityContext; if the user does not have the fedoraAdmin role, an ExecutionContext is provided as the user's SecurityContext.</p>
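<p>The resolution steps described on this page, as an added stand-alone example that is not fcrepo's own code: it models ContainerRolesPrincipalProvider, HttpHeaderPrincipalProvider, the On-Behalf-Of rule of DelegateHeaderPrincipalProvider and the union step of ServletContainerAuthenticationProvider with plain Java collections in place of the servlet API. The method names are illustrative and not the real PrincipalProvider interface; the role and header names are taken from the repo.xml and web.xml snippets above, and the request values are constructed.</p>

```java
import java.util.*;
import java.util.regex.Pattern;

// Added, self-contained model of the provider behaviour this page describes; not fcrepo code.
// A request is reduced to the roles the servlet container authenticated plus raw header values.
public class PrincipalResolutionExample {
    // ContainerRolesPrincipalProvider: keep only the roleNames configured in repo.xml.
    static Set<String> containerRolePrincipals(Set<String> configuredRoleNames, Set<String> containerRoles) {
        Set<String> out = new TreeSet<>(containerRoles);
        out.retainAll(configuredRoleNames);
        return out;
    }

    // HttpHeaderPrincipalProvider: split the configured header on the separator. The value is
    // trusted as-is, so a front end must set it and drop any client-supplied copy.
    static Set<String> httpHeaderPrincipals(String headerName, String separator, Map<String, String> headers) {
        Set<String> out = new TreeSet<>();
        for (String part : headers.getOrDefault(headerName, "").split(Pattern.quote(separator))) {
            if (!part.trim().isEmpty()) out.add(part.trim());
        }
        return out;
    }

    // DelegateHeaderPrincipalProvider: switch to the On-Behalf-Of user only when the
    // authenticated user holds the fedoraAdmin container role; otherwise ignore the header.
    static String effectiveUser(String authenticatedUser, Set<String> containerRoles, Map<String, String> headers) {
        String target = headers.getOrDefault("On-Behalf-Of", "").trim();
        return (target.isEmpty() || !containerRoles.contains("fedoraAdmin")) ? authenticatedUser : target;
    }

    // ServletContainerAuthenticationProvider: union of the provider results (FEDORA_ALL_PRINCIPALS)
    // and the SecurityContext choice, both driven by the container roles and headers.
    static Set<String> allPrincipals(Set<String> containerRoles, Map<String, String> headers) {
        Set<String> all = new TreeSet<>(containerRolePrincipals(Set.of("my-new-tomcat-role"), containerRoles));
        all.addAll(httpHeaderPrincipals("some-header", ",", headers));
        return all;
    }
    static String securityContextFor(Set<String> containerRoles) {
        return containerRoles.contains("fedoraAdmin") ? "FedoraAdminSecurityContext" : "ExecutionContext";
    }
    public static void main(String[] args) {
        // Constructed request: an ordinary fedoraUser who also sends an On-Behalf-Of header.
        Set<String> roles = Set.of("fedoraUser", "my-new-tomcat-role");
        Map<String, String> headers = Map.of("some-header", "curator, reviewer", "On-Behalf-Of", "alice");
        System.out.println("principals: " + allPrincipals(roles, headers));
        System.out.println("user (not admin): " + effectiveUser("bob", roles, headers));
        System.out.println("user (admin): " + effectiveUser("bob", Set.of("fedoraAdmin"), headers));
        System.out.println("context: " + securityContextFor(roles));
    }
}
```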