1. Download the Latest Version of the Islandora Drupal Filter
Download the Drupal Filter files from the Release Notes and Downloads page. Extract the contents of the archive and make sure you choose the correct JAR file for your version of Fedora.
Place the file in:
cp fcrepo-drupalauthfilter-3.x.x.jar $FEDORA_HOME/tomcat/webapps/fedora/WEB-INF/lib
2. Make the Fedora Repository Aware of the New Filter
Navigate to $FEDORA_HOME/server/config and open the file jaas.conf in a text editor.
To allow the Drupal Servlet Filter to authenticate against Drupal’s database, insert the following reference to the DrupalServlet filters class files:
3. Configure the Drupal Servlet Filter
Create the file filter-drupal.xml in $FEDORA_HOME/server/config using the following text as a template (or download a sample file from https://raw.github.com/Islandora/islandora_drupal_filter/master/filter-drupal.xml), then modify the attributes of the <connection> tag to match the server, port, database name, username and password of your site's Drupal database.
Fedora requires a separate <connection> entry for each connecting Drupal site.
<?xml version="1.0" encoding="UTF-8"?>
<!--File to hold drupal connection info for the FilterDrupal servlet filter. For multisite drupal installs you can include multiple
connection elements. We will query all the databases and assume any user in any drupal db with the same username and password are the same
user. We will gather all roles for that user from all databases. This is a potential security risk if a user in one drupal db has the same
username and password as another user in a separate drupaldb. We are also assuming all drupal dbs to be mysql. This file should be located
in the same directory as the fedora.cfcg file-->
<connection server="localhost" dbname="[drupal_database]" user="[drupal_db_user]" password="[drupla_db_password]" port="3306">
<!--Different sql statement for each connection. This is for drupal multisites that are setup using one database with
table prefixes. We don't do this but some people might.-->
SELECT DISTINCT u.uid AS userid, u.name AS Name, u.pass AS Pass, r.name AS Role FROM (users u LEFT JOIN users_roles ON
u.uid=users_roles.uid) LEFT JOIN role r ON r.rid=users_roles.rid WHERE u.name=? AND u.pass=?;
If you use the Drupal servlet filter to connect to multiple Drupal databases there is potential for users with the same username in each database to access each others private objects. To avoid this, use the Drupal LDAP module. A Drupal multi-site environment utilizing the LDAP module for all sites ensures a unique username/site configuration.
4. Stop and Restart Fedora
This will enable the Drupal Servlet Filter.
5. Test the Drupal Servlet Filter
Unlike Islandora 6, Islandora 7 will test your Fedora connection for you. To verify that the servlet filter is working properly, go to the Islandora configuration page (admin/islandora/configure) and look for the green checkmark. A successful installation will look like this:
An unsuccessful installation will look like this:
If you see this error, there are two possible sources for the failure:
- You do not have the correct fcrepo-
- Your filter-drupal.xml is incorrect or missing
The islandora_drupal_filter passes the username of 'anonymous' through to Fedora for unauthenticated Drupal Users. A user with the name of 'anonymous' may have XACML policies applied to them that are meant to be applied to Drupal users that are not logged in or vice-versa. This is a potential security issue that can be plugged by creating a user named 'anonymous' and restricting access to the account.