When the WebAC module is in effect, resource access is based on the presence of a triple with the acl:accessControl predicate. For any resource that has an RDF graph that does not contain a triple with that property, the WebAC authorization module will look in the parent container until it reaches the root resource. If there is still no acl:accessControl property, then the Authorization Delegate will inspect a filesystem-based policy.
The default policy is defined to block all access:
In most cases, this default is appropriate, but it is also possible to override this acl:Authorization definition with a custom policy.
In order to override this policy, it is recommended to add a configuration value to JAVA_OPTS, pointing to the custom authorization policy:
When overriding the filesystem-based authorization, be aware that the WebAC module expects that file to be in Turtle format.
For instance, in order to grant read access to the entire repository:
Please note that any use of acl:accessTo will use a different syntax to refer to Fedora locations. Here, the root Fedora resource is written <info:fedora/>, since this file is not aware of the HTTP location of the repository. If, for instance, a default policy is to apply to all locations under /fcrepo/rest/acls, then the acl:accessTo triple would refer to <info:fedora/acls>. This way, the default policy is portable across hostname or port changes.
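The lookup order and the info:fedora/ scoping described above can be checked with a small model. This is an added example, not Fedora's own code: the function names, the /fcrepo/rest base path, the dictionary layout and the sample repository and policy are assumptions constructed for illustration.

```python
from posixpath import dirname

REST_BASE = "/fcrepo/rest"      # assumed HTTP base path, as in the page's example
ACL_PROP = "acl:accessControl"

def to_internal(http_path):
    """Map an HTTP path to the host-independent info:fedora/ form."""
    if http_path != REST_BASE and not http_path.startswith(REST_BASE + "/"):
        raise ValueError("not a repository path: " + http_path)
    return "info:fedora/" + http_path[len(REST_BASE):].strip("/")

def find_acl(repo, http_path):
    """Walk from the resource up to the root; return the first ACL link found."""
    path = http_path.rstrip("/")
    to_internal(path)           # rejects paths outside the repository
    while True:
        acl = repo.get(path, {}).get(ACL_PROP)
        if acl is not None:
            return acl
        if path == REST_BASE:   # root reached without an acl:accessControl triple
            return None
        path = dirname(path)

def fallback_modes(policy, http_path):
    """Modes granted by the filesystem policy; an empty set blocks all access."""
    target = to_internal(http_path.rstrip("/"))
    modes = set()
    for auth in policy:
        scope = auth["accessTo"]
        if target == scope or target.startswith(scope.rstrip("/") + "/"):
            modes |= set(auth["modes"])
    return modes

def effective(repo, policy, http_path):
    """Return which source decides access for a resource, and what it yields."""
    acl = find_acl(repo, http_path)
    if acl is not None:
        return ("acl", acl)
    return ("fallback", fallback_modes(policy, http_path))

# Constructed sample data: one container carries an acl:accessControl triple.
REPO = {
    "/fcrepo/rest": {},
    "/fcrepo/rest/collection": {ACL_PROP: "/fcrepo/rest/acls/collection-acl"},
    "/fcrepo/rest/collection/item": {},
    "/fcrepo/rest/other": {},
}
# Constructed custom policy: read access limited to everything under /fcrepo/rest/acls.
POLICY = [{"accessTo": "info:fedora/acls", "modes": ["acl:Read"]}]
```

With this sample, a resource outside the policy's acl:accessTo scope that inherits no ACL gets an empty mode set, so a narrowly scoped custom policy still denies the rest of the repository.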