
The Fedora Policy Enforcement Extension Point (PEP extension) lets you implement a single interface to enforce access control over your Fedora repository. This interface, FedoraPolicyEnforcementPoint, has callbacks that let you restrict ModeShape operations and filter search results. After you complete the configuration steps below, Fedora's REST endpoints respond with a 403 response code whenever the PEP denies the requested action.

Notes for Implementers

ModeShape Login

All ModeShape operations are enforced by the PEP, with the exception of the login action. Since Fedora's ModeShape login is routine, often anonymous and container-driven, its particulars are handled for you. When you employ a PEP, login is always permitted to REST clients.

Caching


Step-by-step:

  1. Open the repo.xml file in your Fedora web application.
  2. Add your PEP implementation as a bean in this file and give it the id "pep".
  3. Add the Fedora ModeShape Authorization Provider bean, the authenticationProvider bean in the repo.xml example below, and point its pep property at your PEP bean.
  4. Make sure that your modeshapeRepofactory bean has a depends-on attribute pointing at the authenticationProvider bean (see the repo.xml example).
  5. Open your repository.json file.
  6. Add org.fcrepo.auth.ServletContainerAuthenticationProvider as a provider in the security section (see the repository.json example).

Example repo.xml (repository and security beans)

<bean name="modeshapeRepofactory" class="org.fcrepo.kernel.spring.ModeShapeRepositoryFactoryBean"
      depends-on="authenticationProvider">
  <property name="repositoryConfiguration" value="${fcrepo.modeshape.configuration:repository.json}" />
</bean>
<bean name="pep" class="your.own.implementation.PEP"/>
<bean name="authenticationProvider" class="org.fcrepo.auth.ServletContainerAuthenticationProvider">
  <property name="pep" ref="pep"/>
</bean>

Example repository.json (security section)

"security" : {
  "anonymous" : {
    "roles" : ["readonly", "readwrite", "admin"],
    "useOnFailedLogin" : false
  },
  "providers" : [
    { "classname" : "org.fcrepo.auth.ServletContainerAuthenticationProvider" }
  ]
},
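The following script checks that a deployment's repo.xml and repository.json satisfy steps 2, 3, 4 and 6 above, and additionally flags the case where the anonymous security context (which here carries the admin role) would be used after a failed login. It is an added example, not part of the Fedora project; the two inputs are constructed from this page's own fragments, and the useOnFailedLogin check relies on ModeShape's documented fallback-on-failure semantics for that setting.

```python
"""Check that repo.xml and repository.json are wired as the six steps above require."""
import json
import xml.etree.ElementTree as ET

PROVIDER = "org.fcrepo.auth.ServletContainerAuthenticationProvider"

# Constructed sample input: the repo.xml fragment from this page, wrapped in a root element.
REPO_XML = """<beans>
<bean name="modeshapeRepofactory" class="org.fcrepo.kernel.spring.ModeShapeRepositoryFactoryBean"
      depends-on="authenticationProvider">
  <property name="repositoryConfiguration" value="${fcrepo.modeshape.configuration:repository.json}"/>
</bean>
<bean name="pep" class="your.own.implementation.PEP"/>
<bean name="authenticationProvider" class="org.fcrepo.auth.ServletContainerAuthenticationProvider">
  <property name="pep" ref="pep"/>
</bean>
</beans>"""

# Constructed sample input: the repository.json security section from this page.
REPOSITORY_JSON = """{"security": {
  "anonymous": {"roles": ["readonly", "readwrite", "admin"], "useOnFailedLogin": false},
  "providers": [{"classname": "org.fcrepo.auth.ServletContainerAuthenticationProvider"}]}}"""


def check_pep_wiring(repo_xml: str, repository_json: str) -> list:
    """Return the wiring problems found; an empty list means every step is satisfied."""
    problems = []
    # Spring beans may carry either id or name; the page's example uses name.
    beans = {b.get("id") or b.get("name"): b for b in ET.fromstring(repo_xml).iter("bean")}
    if "pep" not in beans:                                             # step 2
        problems.append("no bean with id 'pep'")
    auth = beans.get("authenticationProvider")                         # step 3
    if auth is None or auth.get("class") != PROVIDER:
        problems.append("authenticationProvider bean missing or not " + PROVIDER)
    elif [p.get("ref") for p in auth.findall("property") if p.get("name") == "pep"] != ["pep"]:
        problems.append("authenticationProvider does not reference the 'pep' bean")
    factory = beans.get("modeshapeRepofactory")                        # step 4
    deps = (factory.get("depends-on") or "").replace(",", " ").split() if factory is not None else []
    if "authenticationProvider" not in deps:
        problems.append('modeshapeRepofactory lacks depends-on="authenticationProvider"')
    security = json.loads(repository_json).get("security", {})         # step 6
    if PROVIDER not in [p.get("classname") for p in security.get("providers", [])]:
        problems.append("repository.json security.providers lacks " + PROVIDER)
    # ModeShape falls back to the anonymous context after a failed login only when
    # useOnFailedLogin is true; with admin in anonymous.roles that would hand failed logins admin.
    anon = security.get("anonymous", {})
    if anon.get("useOnFailedLogin") and "admin" in anon.get("roles", []):
        problems.append("anonymous admin role would be used on failed login")
    return problems
```

Run it against the real files by reading them into the two arguments; any non-empty list names the step that is not yet wired.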
