
Overview

Fedora Principal Providers allow a Fedora repository to pull in user security and role designations from other sources (e.g. LDAP). They are usually executed after the initial container authentication but before finer-grained authentication (such as role resolution) is applied.

Implementation Details

The repository configuration file (repository.json) contains the class name of an authentication provider (under "providers") as well as the roles to be used when starting the provider module. By default, the org.fcrepo.auth.common.BypassSecurityServletAuthenticationProvider exists in the configuration file, as it doesn't rely on an external PrincipalProvider and offers the simplest authentication model (the module always gives access privileges to the session).

New roles must be specified in web.xml as shown below. The default role is fedoraUser.

web.xml
<auth-constraint>
  <role-name>fedoraUser</role-name>
  <role-name>fedoraAdmin</role-name>
  <role-name>my-new-tomcat-role</role-name>
</auth-constraint>

The Fedora class org.fcrepo.auth.common.ServletContainerAuthenticationProvider contains a list of PrincipalProvider derivative instances that are called for every authentication query. The union of the principals returned by the PrincipalProvider instances is assigned to the FEDORA_ALL_PRINCIPALS session attribute. If the user has the fedoraAdmin role, a FedoraAdminSecurityContext is provided as the user's SecurityContext. If the user does not have the fedoraAdmin role, an ExecutionContext is provided as the user's SecurityContext.

Different derivatives of the Principal Provider class can initialize in different ways, either through the repository.json file, other credential files, from information sent via HTTP header or by connecting to external information sources such as LDAP.

PrincipalProvider

The interface that custom providers must implement. Several principal providers are available.

Container Roles Principal Provider

ContainerRolesPrincipalProvider is a PrincipalProvider that obtains its set of principals from repo.xml.

HTTP Header Principal Provider

HttpHeaderPrincipalProvider is an example Principal Provider that obtains its initial set of principals from HTTP request headers instead of from the repo.xml file.
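The following is an added example (not fcrepo's own code) that models the flow described above: a container-roles provider and a header provider each contribute principals, the union is what would be stored under FEDORA_ALL_PRINCIPALS, and the admin/non-admin SecurityContext decision is made on the container's fedoraAdmin role. The PrincipalProvider interface shape, the header name X-Fedora-Principals and the comma separator are assumptions made for this example, and it assumes Java 16 or later.

```java
import java.security.Principal;
import java.util.*;

public class PrincipalProviderDemo {
    // Stand-in for fcrepo's PrincipalProvider interface (assumed shape, not the real signature).
    interface PrincipalProvider { Set<Principal> getPrincipals(Map<String, String> headers, Set<String> roles); }
    // Minimal Principal: records compare by name, so the union below deduplicates correctly.
    record NamedPrincipal(String name) implements Principal {
        @Override public String getName() { return name; }
    }
    // Stand-in for ContainerRolesPrincipalProvider: one principal per container role.
    static class ContainerRolesProvider implements PrincipalProvider {
        public Set<Principal> getPrincipals(Map<String, String> headers, Set<String> roles) {
            Set<Principal> out = new HashSet<>();
            for (String r : roles) out.add(new NamedPrincipal(r));
            return out;
        }
    }
    // Stand-in for HttpHeaderPrincipalProvider: principals parsed from one request header.
    // The header name and the comma separator are assumptions for this example.
    static class HeaderProvider implements PrincipalProvider {
        static final String HEADER = "X-Fedora-Principals";
        public Set<Principal> getPrincipals(Map<String, String> headers, Set<String> roles) {
            Set<Principal> out = new HashSet<>();
            String raw = headers.getOrDefault(HEADER, "");
            for (String p : raw.split(",")) if (!p.isBlank()) out.add(new NamedPrincipal(p.trim()));
            return out;
        }
    }
    // Union of every provider's principals: what FEDORA_ALL_PRINCIPALS would hold.
    static Set<Principal> allPrincipals(List<PrincipalProvider> providers, Map<String, String> headers, Set<String> roles) {
        Set<Principal> union = new HashSet<>();
        for (PrincipalProvider p : providers) union.addAll(p.getPrincipals(headers, roles));
        return union;
    }
    // The admin/non-admin split keys off the container role, not any header-supplied principal,
    // so a header that merely names "fedoraAdmin" does not yield a FedoraAdminSecurityContext.
    static String securityContextFor(Set<String> containerRoles) {
        return containerRoles.contains("fedoraAdmin") ? "FedoraAdminSecurityContext" : "ExecutionContext";
    }
    public static void main(String[] args) {
        // Constructed request: the container granted only fedoraUser; the header claims more.
        Map<String, String> headers = Map.of(HeaderProvider.HEADER, "group:staff, fedoraAdmin");
        Set<String> roles = Set.of("fedoraUser");
        List<PrincipalProvider> providers = List.of(new ContainerRolesProvider(), new HeaderProvider());
        System.out.println("FEDORA_ALL_PRINCIPALS = " + allPrincipals(providers, headers, roles));
        System.out.println("SecurityContext = " + securityContextFor(roles));
    }
}
```

Because header-derived principals are only as trustworthy as whatever sets the header, a deployment using a header provider should ensure that header can only be supplied by a trusted front end and is stripped from client requests.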
