Fedora Principal Provider Extensions allow a Fedora repository to pull in user security and role designations from other sources, LDAP being a common source. They are usually executed after the inital container authentication but before finer-grained authentication such as role resolution. There are several PrincipalProvider modules available, this wiki page documents just two of them.

Container Roles Principal Provider

ContainerRolesPrincipalProvider is the default module used by Fedora Commons to provide added authentication/roles to a repository.The roles are read by the ContainerRolesPrincipalProvider module from the repo.xml file located at (not sure?) and are stored internally to the instance using the getPrincipals() member function. Calls to the module to test the existence of a given username/role are through the equals() member function that returns true if the given username/role is in the list of principal roles read from the configuration file or false if it was not present, or true if a username/role has authentication and false if they fail authentication..

HTTP Header Principal Provider

HttpHeaderPrinciaplProvider is an example Principal Provider that obtains its initial set of principals from HTTP header requests instead of from the repo.xml file. As with the other PrincipalProvider classes, it processes a given username/role against the list of principals using the equals() member function and returns a boolean value to signify if the given username/role was present in the principals (true is present, false if otherwise).