Work In Progress

 

Fedora Principal Provider Extensions allow a Fedora repository to pull in user security and role designations from other sources, LDAP being a common source. They are usually executed after the initial container authentication but before finer-grained authentication such as role resolution. There are several PrincipalProvider modules available; this wiki page documents some of them.

 

Operation

The Principal Provider Extensions are configured from the repository.json file located at <WEBAPP>/WEB-INF/classes/config/minimal-default when using the "one click" solution and (possibly) the same path when used in a robust repository solution. The repository.json file contains the class name of the authentication provider (under "providers") as well as the roles to be used when starting the provider module (the roles which a query is checked against). By default, org.fcrepo.auth.common.BypassSecurityServletAuthenticationProvider is used for this layer of security, as it doesn't rely on external PrincipalProviders and provides the simplest authentication model (the module always authenticates and gives access privileges to the session).

The Fedora class org.fcrepo.auth.common.ServletContainerAuthenticationProvider (configured from repository.json) contains a list of PrincipalProvider derivative instances that are called for every authentication query (ServletContainerAuthenticationProvider.authenticate()). The union of the authentication traits of the PrincipalProvider instances is assigned to the FEDORA_ALL_PRINCIPALS session attribute. If the user has the fedoraAdmin role, a FedoraAdminSecurityContext is provided as the user's SecurityContext. If the user does not have the fedoraAdmin role, an ExecutionContext is provided as the user's SecurityContext.

Different derivatives of the Principal Provider class can initialize in different ways: through the repository.json file, through other credential files, from information sent via HTTP header, or by connecting to external information sources such as LDAP.
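
The flow described in the two paragraphs above, as an added example that is not Fedora's own code: a simplified, self-contained model of the provider list, the union into FEDORA_ALL_PRINCIPALS, and the choice of SecurityContext. The Provider interface, the factory methods, the X-Groups header, and the sample roles and users are assumptions made for illustration.

```java
import java.util.*;

// Added illustration: a simplified model, not Fedora's actual classes or signatures.
public class PrincipalUnionDemo {
    // Hypothetical stand-in for a PrincipalProvider derivative.
    interface Provider {
        Set<String> getPrincipals(Set<String> containerRoles, Map<String, String> headers);
    }

    // Models a provider configured with role names: emits only configured roles the user holds.
    static Provider containerRoles(Set<String> roleNames) {
        return (roles, headers) -> {
            Set<String> out = new HashSet<>(roleNames);
            out.retainAll(roles);
            return out;
        };
    }

    // Models a provider fed from an HTTP header; header name and separator are assumptions.
    static Provider header(String name, String sep) {
        return (roles, headers) -> {
            Set<String> out = new HashSet<>();
            String value = headers.get(name);
            if (value != null) {
                for (String v : value.split(sep)) {
                    if (!v.isBlank()) out.add(v.trim());
                }
            }
            return out;
        };
    }

    // Mirrors the described authenticate() flow: union every provider's principals into
    // the session attribute, then choose the SecurityContext type by the fedoraAdmin role.
    static String authenticate(Set<String> roles, Map<String, String> headers,
                               List<Provider> providers, Map<String, Object> session) {
        Set<String> all = new TreeSet<>();
        for (Provider p : providers) all.addAll(p.getPrincipals(roles, headers));
        session.put("FEDORA_ALL_PRINCIPALS", all);
        return roles.contains("fedoraAdmin") ? "FedoraAdminSecurityContext" : "ExecutionContext";
    }

    public static void main(String[] args) {
        // Constructed sample configuration and requests.
        List<Provider> chain = List.of(containerRoles(Set.of("staff", "curator")), header("X-Groups", ","));
        Map<String, Object> session = new HashMap<>();
        String ctx = authenticate(Set.of("staff"), Map.of("X-Groups", "lab-a, lab-b"), chain, session);
        System.out.println(ctx + " " + session.get("FEDORA_ALL_PRINCIPALS"));
        ctx = authenticate(Set.of("fedoraAdmin"), Map.of(), chain, session);
        System.out.println(ctx + " " + session.get("FEDORA_ALL_PRINCIPALS"));
    }
}
```

Because the result is a union, each provider in the list can only add principals to the session, so every configured source needs to be reviewed as a grant of access.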

 

PrincipalProvider

The parent class of all the Principal Provider instances; it does no credential initialization or authentication.

Container Roles Principal Provider

ContainerRolesPrincipalProvider is a module used by Fedora Commons to provide added authentication/roles to a repository. The roles are read by the ContainerRolesPrincipalProvider module from the repo.xml file located at (not sure?) by ContainerRolesPrincipalProvider.setRoleNames() and are stored internally to the instance using the getPrincipals() member function. Calls to the module to test the existence of a given username/role go through the equals() member function, which returns true if the given username/role is in the list of principal roles read from the configuration file or false if it was not present, or true if a username/role has authentication and false if they fail authentication.

...