...

The repository configuration file (repository.json) contains the class name of an authentication provider (under "providers") as well as the roles to be used when starting the provider module. By default, org.fcrepo.auth.common.BypassSecurityServletAuthenticationProvider is present in the configuration file, as it doesn't rely on an external PrincipalProvider and offers the simplest authentication model (the module always gives access privileges to the session).

New roles must be specified in web.xml. The default role is fedoraUser.

web.xml:
<auth-constraint>
  <role-name>fedoraUser</role-name>
  <role-name>fedoraAdmin</role-name>
  <role-name>my-new-tomcat-role</role-name>
</auth-constraint>

 

The Fedora class org.fcrepo.auth.common.ServletContainerAuthenticationProvider (configured from repository.json) contains a list of PrincipalProvider derivative instances that are called for every authentication query. The union of the authentication traits of the PrincipalProvider instances will be assigned to the FEDORA_ALL_PRINCIPALS session attribute. If the user has the fedoraAdmin role, a FedoraAdminSecurityContext is provided as the user's SecurityContext. If the user does not have the fedoraAdmin role, an ExecutionContext is provided as the user's SecurityContext.
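A deployment check for the two files described above, as an added example that is not part of the original page or of Fedora's code: it reports which provider classes repository.json names, flags the bypass provider, and lists the roles in the web.xml auth-constraint. The sample inputs are constructed, the function names are hypothetical, and the "classname" field of a provider entry is an assumption about the file layout.

```python
import json
import xml.etree.ElementTree as ET

BYPASS = "org.fcrepo.auth.common.BypassSecurityServletAuthenticationProvider"

# Constructed sample inputs. Assumption: each provider entry has a "classname".
SAMPLE_REPOSITORY_JSON = """{"security": {"providers": [
  {"classname": "org.fcrepo.auth.common.BypassSecurityServletAuthenticationProvider"}
]}}"""
SAMPLE_WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee">
  <security-constraint>
    <auth-constraint>
      <role-name>fedoraUser</role-name>
      <role-name>fedoraAdmin</role-name>
      <role-name>my-new-tomcat-role</role-name>
    </auth-constraint>
  </security-constraint>
</web-app>"""

def provider_classes(node):
    """Collect class names under any "providers" key, at any nesting depth."""
    found = []
    if isinstance(node, dict):
        for key, value in node.items():
            if key == "providers" and isinstance(value, list):
                found += [p.get("classname") for p in value if isinstance(p, dict)]
            else:
                found += provider_classes(value)
    elif isinstance(node, list):
        for item in node:
            found += provider_classes(item)
    return [c for c in found if c]

def local(tag):
    """Strip an XML namespace prefix such as {http://...}role-name."""
    return tag.rsplit("}", 1)[-1]

def constraint_roles(web_xml):
    """Role names listed inside every <auth-constraint> element."""
    roles = []
    for el in ET.fromstring(web_xml).iter():
        if local(el.tag) == "auth-constraint":
            roles += [(r.text or "").strip() for r in el if local(r.tag) == "role-name"]
    return roles

def audit(repository_json, web_xml):
    providers = provider_classes(json.loads(repository_json))
    roles = constraint_roles(web_xml)
    findings = []
    if BYPASS in providers:
        findings.append("bypass provider: every session is given access privileges")
    if not roles:
        findings.append("auth-constraint lists no roles")
    return {"providers": providers, "roles": roles, "findings": findings}
```

Comparing the returned roles against the container's user database shows whether a role such as my-new-tomcat-role is actually assigned to anyone.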

...