Versions Compared

Old Version 19

changes.mady.by.user Osman Din

Saved on

compared with

New Version Current

changes.mady.by.user Andrew Woods

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

Table of Contents

Fedora Principal Providers allow a Fedora repository to pull in user security and role designations from other sources (e.g. LDAP). Providers are consulted after the initial container authentication but before finer-grained authentication (such as role resolution) is applied.

...

Different derivatives of the Principal Provider PrincipalProvider class can initialize in different waysbe initialized differently, either through the repository.json file, other credential files, from information sent via HTTP header or by connecting to external information sources such as LDAP.

...

The interface that custom providers must implement. Several principal providers are available.providers exist in the codebase.

A principal provider must be configured in repo.xml. The following examples shows configuration for a PrincipalProvider class ContainerRolesPrincipalProvider.

Code Block
languagetext
titlerepo.xml
<bean name="containerRolesPrincipalProvider" class="org.fcrepo.auth.common.ContainerRolesPrincipalProvider"
          p:roleNames="my-new-tomcat-role"/>
<bean name="authenticationProvider" class="org.fcrepo.auth.common.ServletContainerAuthenticationProvider"
          p:fad-ref="fad" p:principalProviders-ref="containerRolesPrincipalProvider"/>

Container Roles Principal Provider

ContainerRolesPrincipalProvider is a PrincpalProivder that obtains its set of principals from repoweb.xml. 

New roles must be specified in web.xml as shown below. The default role is fedoraUser.

...

Please refer to the servlet container authentication document for further configuration details.

HTTP Header Principal Provider

HttpHeaderPrincipalProvider is an example a Principal Provider that obtains its initial set of principals from HTTP header requests instead of the repo.xml file..

Code Block
titlerepo.xml
    <!-- Optional PrincipalProvider that will inspect the request header, "some-header", for user role values -->
    <bean name="headerProvider" class="org.fcrepo.auth.common.HttpHeaderPrincipalProvider">
        <property name="headerName" value="some-header"/>
        <property name="separator" value=","/>
    </bean>
	<bean name="authenticationProvider" class="org.fcrepo.auth.common.ServletContainerAuthenticationProvider"
          p:fad-ref="fad" p:principalProviders-ref="headerProvider"/>

Implementation Details

The Fedora class org.fcrepo.auth.common.ServletContainerAuthenticationProvider contains a list of PrincipalProvider derivative instances that are called for every authentication query. The union of the authentication traits of the PrincipalProvider instances will be assigned to the FEDORA_ALL_PRINCIPALS session attribute. In the case that the user is has the fedoraAdmin role, a FedoraAdminSecurityContext is provided as the users SecurityContext. If the user does not have the fedoraAdmin role, an ExecutionContext is provided as the users SecurityContext.

...