Page tree

Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

While the WebAC spec requires that the objects of acl:agent statements be URIs, the current (4.7.5) Modeshape implementation of Fedora allows string literals as the objects of acl:agent statements. In addition, internally, the implementation does all of its agent comparisons assuming the agent is a simple string username, and not a full URI. This was done to facilitate easier integration with existing authentication systems (e.g., LDAP) that only provide a username and not a URI.

...

Note

Despite the name, fcrepo.auth.webac.groupAgent.baseUri actually has nothing to do with, and should not be confused with, WebAC agent groups. In Instead, in this context "group" is referring to an externally defined group (again, from a system like LDAP). From Fedora's perspective, that sort of group is treated as a single agent, and the URI is not dereferenced.

...