Fedora Principal Providers allow a Fedora repository to pull in user security and role designations from other sources (e.g. LDAP).
Principal Providers are implemented as servlet filters that are added to the Shiro filter chain between the initial authentication filter (ServletContainerAuthFilter) and the final authorization filter (WebACFilter).
Different implementations of PrincipalProvider draw their principals from different sources: credential files, a value sent in an HTTP request header, or an external directory such as LDAP.
The container roles provider and the header provider should not be enabled at the same time; doing so leads to undefined results.
ContainerRolesPrincipalProvider is a PrincipalProvider that obtains its set of principals from the roles the servlet container has assigned to the authenticated user, as declared in web.xml. Only roles that the container actually reports for the user become principals; listing a role in fcrepo.properties does not by itself grant it. To enable it:

1. Set fcrepo.auth.principal.roles.enabled to true.
2. Set fcrepo.auth.principal.roles.list to a comma-separated list of roles.
3. Update the auth-constraint element of web.xml to contain your custom roles.

For example, your fcrepo.properties file might look like this:

fcrepo.auth.principal.roles.enabled=true
fcrepo.auth.principal.roles.list=fedoraUser,fedoraAdmin,tomcat-role-1,tomcat-role-2

And your web.xml would be updated to look like this:

<web-app>
  ...
  <security-constraint>
    ...
    <auth-constraint>
      <role-name>fedoraUser</role-name>
      <role-name>fedoraAdmin</role-name>
      <role-name>tomcat-role-1</role-name>
      <role-name>tomcat-role-2</role-name>
    </auth-constraint>
  </security-constraint>
</web-app>
HttpHeaderPrincipalProvider is a PrincipalProvider that obtains its initial set of principals from a configured HTTP request header. The header value is trusted as-is, so the repository must only be reachable through a trusted front-end (for example, an authenticating reverse proxy) that sets the header itself and discards any copy supplied by the client; otherwise any client could grant itself arbitrary principals. To enable it:

1. Set fcrepo.auth.principal.header.enabled to true.
2. Set fcrepo.auth.principal.header.name to the name of the header that contains the principals.
3. Set fcrepo.auth.principal.header.separator to the character that separates multiple principals in the header.

For example, your fcrepo.properties file might look like this:

fcrepo.auth.principal.header.enabled=true
fcrepo.auth.principal.header.name=x-principal-header
fcrepo.auth.principal.header.separator=,
DelegateHeaderPrincipalProvider is a PrincipalProvider that uses the On-Behalf-Of HTTP header to switch the user principal to the principal named in the header. The switch is only performed if the authenticated user has the fedoraAdmin container role; for any other user the header is ignored and the request proceeds under the authenticated user's own principal.
This provider is enabled by default. To disable it, set fcrepo.auth.principal.delegate.enabled to false.
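The following is an added illustration of how the three providers described above combine within the filter chain; it is a model written for this page, not Fedora's own code. It assumes principals are plain strings, stands in a small Request class for the servlet request (its container_roles set models the container's role check), and reads the same fcrepo.properties keys shown above. The sample configurations and requests are constructed for the example.

```python
"""Model of the Fedora principal-provider chain (illustration, not fcrepo code)."""
from dataclasses import dataclass, field
from typing import Optional

FEDORA_ADMIN_ROLE = "fedoraAdmin"   # container role that permits delegation
DELEGATE_HEADER = "On-Behalf-Of"    # header read by the delegate provider


@dataclass
class Request:
    """Stand-in for the request after ServletContainerAuthFilter has run (assumption)."""
    user: Optional[str]                        # authenticated user, None if anonymous
    container_roles: set = field(default_factory=set)   # models request.isUserInRole()
    headers: dict = field(default_factory=dict)

    def header(self, name: str) -> Optional[str]:
        # HTTP header names are case-insensitive
        for key, value in self.headers.items():
            if key.lower() == name.lower():
                return value
        return None

    def is_user_in_role(self, role: str) -> bool:
        return role in self.container_roles


def container_roles_principals(request: Request, configured_roles) -> set:
    """ContainerRolesPrincipalProvider: a configured role becomes a principal only
    when the container confirms the user actually holds it."""
    return {r for r in configured_roles if request.is_user_in_role(r)}


def header_principals(request: Request, header_name: str, separator: str) -> set:
    """HttpHeaderPrincipalProvider: split the trusted header on the configured
    separator, trimming whitespace and dropping empty entries."""
    raw = request.header(header_name)
    if raw is None:
        return set()
    return {p.strip() for p in raw.split(separator) if p.strip()}


def delegated_user(request: Request) -> Optional[str]:
    """DelegateHeaderPrincipalProvider: switch the user principal to On-Behalf-Of
    only for users holding the fedoraAdmin container role; otherwise ignore it."""
    target = request.header(DELEGATE_HEADER)
    if target and request.is_user_in_role(FEDORA_ADMIN_ROLE):
        return target.strip()
    return request.user


def providers_conflict(config: dict) -> bool:
    """The page warns that roles and header providers must not be enabled together."""
    return (config.get("fcrepo.auth.principal.roles.enabled") == "true"
            and config.get("fcrepo.auth.principal.header.enabled") == "true")


def resolve_principals(request: Request, config: dict):
    """Run the enabled providers in chain order; return (effective user, principals)."""
    if providers_conflict(config):
        raise ValueError("container roles and header providers must not both be enabled")
    principals = set()
    if config.get("fcrepo.auth.principal.roles.enabled") == "true":
        roles = [r.strip() for r in config["fcrepo.auth.principal.roles.list"].split(",")]
        principals |= container_roles_principals(request, roles)
    if config.get("fcrepo.auth.principal.header.enabled") == "true":
        principals |= header_principals(request,
                                        config["fcrepo.auth.principal.header.name"],
                                        config["fcrepo.auth.principal.header.separator"])
    user = request.user
    if config.get("fcrepo.auth.principal.delegate.enabled", "true") == "true":  # on by default
        user = delegated_user(request)
    return user, principals


# Constructed sample configurations mirroring the fcrepo.properties fragments above.
ROLES_CONFIG = {
    "fcrepo.auth.principal.roles.enabled": "true",
    "fcrepo.auth.principal.roles.list": "fedoraUser,fedoraAdmin,tomcat-role-1,tomcat-role-2",
}
HEADER_CONFIG = {
    "fcrepo.auth.principal.header.enabled": "true",
    "fcrepo.auth.principal.header.name": "x-principal-header",
    "fcrepo.auth.principal.header.separator": ",",
}

if __name__ == "__main__":
    admin = Request("alice", {"fedoraAdmin", "tomcat-role-1"}, {"On-Behalf-Of": "bob"})
    print(resolve_principals(admin, ROLES_CONFIG))    # delegation honoured: acts as bob
    plain = Request("carol", {"fedoraUser"}, {"On-Behalf-Of": "bob"})
    print(resolve_principals(plain, ROLES_CONFIG))    # not an admin: header ignored
    proxied = Request("dave", set(), {"X-Principal-Header": "staff, editors,"})
    print(resolve_principals(proxied, HEADER_CONFIG))  # principals from the proxy-set header
```

The second sample request is the case worth checking in any deployment: a non-admin who sends On-Behalf-Of must remain themselves. The third shows why the header provider is only safe behind a front-end that controls that header, since whatever arrives in it becomes a principal.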