This documentation refers to an earlier version of Islandora. https://wiki.duraspace.org/display/ISLANDORA/Start is current.

Skip to end of metadata
Go to start of metadata

1. Download the Latest Version of the Islandora Drupal Filter

Download the Drupal Filter files from the Release Notes and Downloads page. Extract the contents of the archive and make sure you choose the correct JAR file for your version of Fedora.

Place the file in:

cp fcrepo-drupalauthfilter-3.x.x.jar $FEDORA_HOME/tomcat/webapps/fedora/WEB-INF/lib

2. Make the Fedora Repository Aware of the New Filter

Navigate to $FEDORA_HOME/server/config and open the file jaas.conf in a text editor.
 
To allow the Drupal Servlet Filter to authenticate against Drupal’s database, insert the following reference to the DrupalServlet filters class files: 

fedora-auth
{
org.fcrepo.server.security.jaas.auth.module.XmlUsersFileModule required
debug=true;
ca.upei.roblib.fedora.servletfilter.DrupalAuthModule required
debug=true;
};

3. Configure the Drupal Servlet Filter

Create the file filter-drupal.xml in $FEDORA_HOME/server/config using the following text as a template (or download a sample file from https://raw.github.com/Islandora/islandora_drupal_filter/master/filter-drupal.xml), then modify the attributes of the <connection>  tag to match the server, port, database name, username and password of your site's Drupal database.

Fedora requires a separate <connection> entry for each connecting Drupal site.


<?xml version="1.0" encoding="UTF-8"?>
<!--File to hold drupal connection info for the FilterDrupal servlet filter. For multisite drupal installs you can include multiple
connection elements.  We will query all the databases and assume any user in any drupal db with the same username and password are the same
user.  We will gather all roles for that user from all databases.  This is a potential security risk if a user in one drupal db has the same
username and password as another user in a separate drupaldb.  We are also assuming all drupal dbs to be mysql.  This file should be located
in the same directory as the fedora.cfcg file-->

<FilterDrupal_Connection>
  <connection server="localhost" dbname="[drupal_database]" user="[drupal_db_user]" password="[drupla_db_password]" port="3306">
    <sql>
                  <!--Different sql statement for each connection.  This is for drupal multisites that are setup using one database with
                  table prefixes.  We don't do this but some people might.-->
                  SELECT DISTINCT u.uid AS userid, u.name AS Name, u.pass AS Pass, r.name AS Role FROM (users u LEFT JOIN users_roles ON
                  u.uid=users_roles.uid) LEFT JOIN role r ON r.rid=users_roles.rid WHERE u.name=? AND u.pass=?;
    </sql>
  </connection>
</FilterDrupal_Connection>


If you use the Drupal servlet filter to connect to multiple Drupal databases there is potential for users with the same username in each database to access each others private objects. To avoid this, use the Drupal LDAP module. A Drupal multi-site environment utilizing the LDAP module for all sites ensures a unique username/site configuration.

4. Stop and Restart Fedora

This will enable the Drupal Servlet Filter.

$FEDORA_HOME/tomcat/bin/shutdown.sh

$FEDORA_HOME/tomcat/bin/startup.sh

5. Test the Drupal Servlet Filter

Unlike Islandora 6, Islandora 7 will test your Fedora connection for you. To verify that the servlet filter is working properly, go to the Islandora configuration page (admin/islandora/configure) and look for the green checkmark. A successful installation will look like this:

An unsuccessful installation will look like this:

If you see this error, there are two possible sources for the failure:

  • You do not have the correct fcrepo-drupalauthfilter-xxxx.jar
  • Your filter-drupal.xml is incorrect or missing
The islandora_drupal_filter passes the username of 'anonymous' through to Fedora for unauthenticated Drupal Users. A user with the name of 'anonymous' may have XACML policies applied to them that are meant to be applied to Drupal users that are not logged in or vice-versa. This is a potential security issue that can be plugged by creating a user named 'anonymous' and restricting access to the account.
  • No labels

4 Comments

  1. When I log into my Fedora 3.5 repository using the 8080/fedora/admin client,  I am presented with a "Connect to a Repository" screen with a drop-down menu "http/https", and fields labeled "Host" "Port" "Context".  I am able to login using http localhost 8080 fedora and manage the repository, but cannot login using any combination of my Islandora Drupal password, whether, MD5 hashed or unhashed.  I have made the various modifications to the Fedora server as outlined above.  Am I missing something terribly obvious here?

  2. Steven - those instructions applied to Islandora 6, but are not necessary for Islandora 7. Step 5 is updated now. Apologies for the confusion.

  3. (lightbulb) Testing the Drupal servlet filter in step 5 requires the Islandora module to be installed, which only happens in the next section of this chapter! (grey lightbulb)

  4. Perhaps I'm missing something on this documentation, but I encountered an issue related to the following detail documented in Islandora 6.x, but not 7.x:

     

    If you specify an IP address other than localhost in your Islandora configuration you will need to delete the following Fedora policies:

    • deny-apim-if-not-localhost.xml 
    • deny-reloadPolicies-if-not-localhost.xml

    These policies can usually be found in /usr/local/fedora/data/fedora-xacml-policies/repository-policies/default

     

    Please note that this can be found on the following Page for Islandora 6.x: Installing & Configuring the Islandora Module and Servlet Filter

    My apologies if this was intended to be deprecated, and can be found elsewhere in the documentation for 7.x.  However, it did help me resolve an issue.