
...


Fedora Principal Providers allow a Fedora repository to pull in user security and role designations from other sources (e.g. LDAP). Providers are consulted after the initial container authentication but before finer-grained authentication (such as role resolution) is applied.

...

HttpHeaderPrincipalProvider is a Principal Provider that obtains its initial set of principals from an HTTP request header instead of the repo.xml file.

repo.xml:
    <!-- Optional PrincipalProvider that will inspect the request header, "some-header", for user role values -->
    <bean name="headerProvider" class="org.fcrepo.auth.common.HttpHeaderPrincipalProvider">
        <property name="headerName" value="some-header"/>
        <property name="separator" value=","/>
    </bean>
    <bean name="authenticationProvider" class="org.fcrepo.auth.common.ServletContainerAuthenticationProvider"
          p:fad-ref="fad" p:principalProviders-ref="headerProvider"/>

Implementation Details

The Fedora class org.fcrepo.auth.common.ServletContainerAuthenticationProvider contains a list of PrincipalProvider derivative instances that are called for every authentication query. The union of the authentication traits of the PrincipalProvider instances is assigned to the FEDORA_ALL_PRINCIPALS session attribute. If the user has the fedoraAdmin role, a FedoraAdminSecurityContext is provided as the user's SecurityContext. If the user does not have the fedoraAdmin role, an ExecutionContext is provided as the user's SecurityContext.
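
A self-contained Java sketch of the header parsing and principal union described above, added here as an example and not Fedora's own code. HeaderPrincipalSketch, Provider, headerProvider and allPrincipals are hypothetical names, and the literal-separator matching, trimming and empty-token handling are assumptions.

```java
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.function.Function;
import java.util.regex.Pattern;

// Illustrative model only: these are not the org.fcrepo.auth.common classes.
public class HeaderPrincipalSketch {
    // Hypothetical stand-in for a provider: request headers in, principal names out.
    interface Provider extends Function<Map<String, String>, Set<String>> { }
    // Takes the two repo.xml properties shown above: headerName and separator.
    static Provider headerProvider(String headerName, String separator) {
        return headers -> {
            Set<String> principals = new LinkedHashSet<>();
            String value = headers.get(headerName);
            if (value == null) {
                return principals; // header absent: this provider contributes nothing
            }
            // Assumption: separator matched literally, tokens trimmed, empties dropped.
            for (String token : value.split(Pattern.quote(separator))) {
                String name = token.trim();
                if (!name.isEmpty()) {
                    principals.add(name);
                }
            }
            return principals;
        };
    }

    // Union of every provider's result, as described for FEDORA_ALL_PRINCIPALS.
    static Set<String> allPrincipals(List<Provider> providers, Map<String, String> headers) {
        Set<String> union = new LinkedHashSet<>();
        for (Provider provider : providers) {
            union.addAll(provider.apply(headers));
        }
        return union;
    }

    public static void main(String[] args) {
        // Constructed sample request headers (not captured traffic).
        Map<String, String> headers =
            Map.of("some-header", "staff, curators,,staff", "other-header", "auditors");
        List<Provider> providers = List.of(headerProvider("some-header", ","),
            headerProvider("other-header", ","),
            headerProvider("missing-header", ","));
        System.out.println(allPrincipals(providers, headers));
    }
}
```

Every token in the configured header becomes a principal, so the header should only ever be set by a trusted front end that discards any client-supplied copy.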

...