
Fedora Principal Provider Extensions

Providers allow a Fedora repository to pull in user security and role designations from other sources (e.g. LDAP). Providers are consulted after the initial container authentication but before finer-grained authentication (such as role resolution) is applied. There are several PrincipalProvider modules available; this wiki page documents just some of them.

Operation

The repository configuration file (repository.json) contains the class name of an authentication provider (under "providers") as well as the roles to be used when starting the provider module (the roles which a query is checked against). By default, org.fcrepo.auth.common.BypassSecurityServletAuthenticationProvider is used for this layer of security, as it doesn't rely on an external PrincipalProvider and offers the simplest authentication model (the module always authenticates and gives access privileges to the session).

Different derivatives of the PrincipalProvider class can be initialized differently, either through the repository.json file, other credential files, from information sent via HTTP header or by connecting to external information sources such as LDAP.

PrincipalProvider

The interface that custom providers must implement. Several providers exist in the codebase.

A principal provider must be configured in repo.xml. The following example shows the configuration for the PrincipalProvider class ContainerRolesPrincipalProvider.

repo.xml:

<bean name="containerRolesPrincipalProvider" class="org.fcrepo.auth.common.ContainerRolesPrincipalProvider"
          p:roleNames="my-new-tomcat-role"/>
<bean name="authenticationProvider" class="org.fcrepo.auth.common.ServletContainerAuthenticationProvider"
          p:fad-ref="fad" p:principalProviders-ref="containerRolesPrincipalProvider"/>

Container Roles Principal Provider

ContainerRolesPrincipalProvider is a PrincipalProvider that obtains its set of principals from web.xml.

New roles must be specified in web.xml as shown below. The default role is fedoraUser.

web.xml:

<auth-constraint>
  <role-name>fedoraUser</role-name>
  <role-name>fedoraAdmin</role-name>
  <role-name>my-new-tomcat-role</role-name>
</auth-constraint>

Please refer to the servlet container authentication document for further configuration details.

HTTP Header Principal Provider

HttpHeaderPrincipalProvider is a PrincipalProvider that obtains its initial set of principals from a configured HTTP request header.

repo.xml:

<!-- Optional PrincipalProvider that will inspect the request header, "some-header", for user role values -->
<bean name="headerProvider" class="org.fcrepo.auth.common.HttpHeaderPrincipalProvider">
    <property name="headerName" value="some-header"/>
    <property name="separator" value=","/>
</bean>
<bean name="authenticationProvider" class="org.fcrepo.auth.common.ServletContainerAuthenticationProvider"
      p:fad-ref="fad" p:principalProviders-ref="headerProvider"/>

Implementation Details

The Fedora class org.fcrepo.auth.common.ServletContainerAuthenticationProvider (configured from repository.json) contains a list of PrincipalProvider derivative instances that are called for every authentication query (ServletContainerAuthenticationProvider.authenticate()). The union of the principals returned by the PrincipalProvider instances is assigned to the FEDORA_ALL_PRINCIPALS session attribute. If the user has the fedoraAdmin role, a FedoraAdminSecurityContext is provided as the user's SecurityContext. If the user does not have the fedoraAdmin role, an ExecutionContext is provided as the user's SecurityContext.
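The following is an added, stand-alone model of the behaviour described in the HTTP Header Principal Provider section and in this Implementation Details section; it is not Fedora's Java code. The class and function names (Request, HeaderPrincipalProvider, ContainerRolesPrincipalProvider, authenticate, SecurityContext) and the sample request values are assumptions constructed for the example. The header and role names ("some-header", "my-new-tomcat-role", "fedoraAdmin") are the ones from the repo.xml and web.xml snippets on this page.

```python
"""Model of how configured PrincipalProviders are consulted and unioned.

Added example, not project code: class and function names are assumptions.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Protocol

FEDORA_ADMIN_ROLE = "fedoraAdmin"            # role name from the page's web.xml example
FEDORA_ALL_PRINCIPALS = "FEDORA_ALL_PRINCIPALS"  # session attribute named on the page


@dataclass
class Request:
    """Minimal stand-in for a servlet request: headers plus the roles the
    container already resolved for the authenticated user (assumed shape)."""
    headers: dict[str, str] = field(default_factory=dict)
    container_roles: frozenset[str] = frozenset()


class PrincipalProvider(Protocol):
    """The one method every provider in this model implements."""
    def get_principals(self, request: Request) -> set[str]: ...


@dataclass
class HeaderPrincipalProvider:
    """Mirrors the headerName/separator properties of HttpHeaderPrincipalProvider."""
    header_name: str
    separator: str = ","

    def get_principals(self, request: Request) -> set[str]:
        raw = request.headers.get(self.header_name)
        if raw is None:
            return set()  # header absent: this provider contributes nothing
        # Split on the configured separator, trim whitespace, drop empty items
        return {p.strip() for p in raw.split(self.separator) if p.strip()}


@dataclass
class ContainerRolesPrincipalProvider:
    """Mirrors p:roleNames: only the configured role names are taken over
    from the container's view of the user."""
    role_names: frozenset[str]

    def get_principals(self, request: Request) -> set[str]:
        return set(request.container_roles) & set(self.role_names)


@dataclass(frozen=True)
class SecurityContext:
    kind: str                   # "FedoraAdminSecurityContext" or "ExecutionContext"
    principals: frozenset[str]  # value stored under FEDORA_ALL_PRINCIPALS


def authenticate(providers: list[PrincipalProvider], request: Request) -> SecurityContext:
    """Union every provider's principals, store them on the session, then pick
    the admin or the ordinary execution context as the page describes."""
    session: dict[str, set[str]] = {FEDORA_ALL_PRINCIPALS: set()}
    for provider in providers:
        session[FEDORA_ALL_PRINCIPALS] |= provider.get_principals(request)
    principals = frozenset(session[FEDORA_ALL_PRINCIPALS])
    kind = "FedoraAdminSecurityContext" if FEDORA_ADMIN_ROLE in principals else "ExecutionContext"
    return SecurityContext(kind, principals)


if __name__ == "__main__":
    # Constructed sample requests, not captured traffic
    providers = [
        HeaderPrincipalProvider("some-header"),
        ContainerRolesPrincipalProvider(frozenset({"my-new-tomcat-role"})),
    ]
    admin_req = Request(headers={"some-header": "fedoraAdmin, editor,,"},
                        container_roles=frozenset({"my-new-tomcat-role", "other"}))
    plain_req = Request(headers={}, container_roles=frozenset({"other"}))
    print(authenticate(providers, admin_req))
    print(authenticate(providers, plain_req))
```

In this model the header provider accepts whatever the configured header carries, so in a real deployment that header has to be populated by the component that already authenticated the user (the servlet container or a proxy in front of it) rather than forwarded unchanged from the client.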
