...
Additional principal provider filters can also be added to this filter chain to do additional authorization processing. For instance, the in the case where there is an external authentication system like Shibboleth that adds the user's security principals as an HTTP header to the request, you can configure the HTTP Header Principal Provider to extract the relevant principals and add them to the current user.
...
This filter does the main work of allowing or prohibiting requests. Based on the HTTP method (and possibly other details in the headers or body of the request) of the incoming request, and the set of WebACPermission objects that the WebACAuthorizingRealm has determined for the current user, this filter with will either reject the request with a "403 Forbidden" HTTP response, or allow the request to continue on to the Fedora servlet.
...