Versions Compared

Old Version 1

changes.mady.by.user Peter Eichman

Saved on

compared with

New Version 2

changes.mady.by.user Peter Eichman

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

Note

Despite the name, fcrepo.auth.webac.groupAgent.baseUri actually has nothing to do with agent groups. In this context "group" is referring to an externally defined group (again, from a system like LDAP). From Fedora's perspective, that sort of group is treated as a single agent, and the URI is not dereferenced.

If the object of an acl:agent statement looks like a URI, these properties are used to strip off the base part of that URI, leaving a simple string username.

Example

Fedora is started with -Dfcrepo.auth.webac.userAgent.baseUri=http://example.com/users/

There is an ACL authorization with the following triple:

No Format
<> acl:agent <http://example.com/users/jdoe>

When determining the list of agents for that authorization, the WebAC authorization delegate will strip off the base URI and return the string username jdoe. That is what will be compared with the security principles from whatever authentication system is configured.