Fedora has authentication and authorization enabled by default. If this does not fit your use case, this page describes how you can disable either authorization, so that authenticated access is still required, or authorization and authentication, so that access to Fedora is entirely unrestricted.
Bypass Authorization
Disabling authorization in Fedora does not preclude the use of container authentication to secure Fedora. However, container roles are not used for any further authorization within Fedora. All requests are treated as superusers.
To disable authorization, simply set the fcrepo.auth.enabled configuration property to false, using either a configuration file or a -D argument.
Disable Authentication and Authorization
Authentication is baked into the web.xml. In order to disable it, you must either edit the web.xml to look like this example, or instruct your container to load an alternate web.xml. The following describes how to load an alternate web.xml in Tomcat and Jetty.
Tomcat
Add an entry to your $CATALINA_HOME/conf/server.xml that instructs the webapp to load a different web.xml. Assuming Fedora is deployed as the fcrepo webapp, the entry should look like this:
<Server>
  ...
  <Service>
    ...
    <Engine>
      ...
      <Host>
        <Context docBase="fcrepo" altDDName="webapps/fcrepo/WEB-INF/no-auth-web.xml" />
        ...
      </Host>
    </Engine>
  </Service>
</Server>
Alternatively, you can add a context file to the $CATALINA_HOME/conf/Catalina/localhost directory. The name of the file should be the webapp name plus .xml. Assuming Fedora is deployed as the fcrepo webapp, the file would be called $CATALINA_HOME/conf/Catalina/localhost/fcrepo.xml and contain
<Context altDDName="webapps/fcrepo/WEB-INF/no-auth-web.xml" />
Jetty
- Save a copy of the no-auth-web.xml to $JETTY_BASE/etc/fcrepo-no-auth-web.xml.
- Add an entry to your $JETTY_BASE/webapp/fcrepo.xml, instructing Jetty to load a different web.xml:
<!DOCTYPE Configure PUBLIC "-//Jetty//Configure//EN" "http://www.eclipse.org/jetty/configure_9_0.dtd">
<Configure class="org.eclipse.jetty.webapp.WebAppContext">
  ...
  <Set name="descriptor"><SystemProperty name="jetty.base" default="."/>/etc/fcrepo-no-auth-web.xml</Set>
</Configure>
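Because both switches above remove access control quietly, it is worth checking a deployment for them. The following audit script is an added example, not part of Fedora or its documentation; it flags fcrepo.auth.enabled set to false and any Tomcat altDDName or Jetty descriptor override. It assumes the configuration file uses key=value properties syntax, and the file names and sample inputs are constructed.

```python
import re
import xml.etree.ElementTree as ET

# Matches the property in key=value form or as a -D JVM argument.
AUTH_PROP = re.compile(r"(?:-D)?fcrepo\.auth\.enabled\s*[=:]\s*\"?(\w+)")

def alt_descriptors(xml_text):
    """Alternate web.xml paths from Tomcat altDDName or Jetty's descriptor
    (the Jetty path is text after the <SystemProperty/> child, so join all text)."""
    found = []
    for el in ET.fromstring(xml_text).iter():
        if el.tag == "Context" and el.get("altDDName"):
            found.append(el.get("altDDName"))
        elif el.tag == "Set" and el.get("name") == "descriptor":
            found.append("".join(el.itertext()).strip())
    return found

def authorization_disabled(text):
    """True if any non-comment line sets fcrepo.auth.enabled to false."""
    for line in text.splitlines():
        if line.lstrip().startswith(("#", "!")):
            continue  # commented-out setting
        if any(v.lower() == "false" for v in AUTH_PROP.findall(line)):
            return True
    return False

def audit(container_xml=(), settings=()):
    """Return one finding per place that weakens access control."""
    findings = []
    for name, xml_text in container_xml:
        for path in alt_descriptors(xml_text):
            findings.append(f"{name}: alternate web.xml {path} (review its security constraints)")
    for name, text in settings:
        if authorization_disabled(text):
            findings.append(f"{name}: fcrepo.auth.enabled=false (all requests act as superuser)")
    return findings

# Constructed sample inputs, modelled on the snippets on this page.
TOMCAT = '<Context altDDName="webapps/fcrepo/WEB-INF/no-auth-web.xml" />'
JETTY = ('<!DOCTYPE Configure PUBLIC "-//Jetty//Configure//EN" '
         '"http://www.eclipse.org/jetty/configure_9_0.dtd">'
         '<Configure class="org.eclipse.jetty.webapp.WebAppContext">'
         '<Set name="descriptor"><SystemProperty name="jetty.base" default="."/>'
         '/etc/fcrepo-no-auth-web.xml</Set></Configure>')
JAVA_OPTS = 'JAVA_OPTS="-Xmx2g -Dfcrepo.auth.enabled=false"'
PROPS = "# fcrepo.auth.enabled=false\nfcrepo.auth.enabled=true\n"

if __name__ == "__main__":
    print("\n".join(audit([("fcrepo.xml", TOMCAT), ("jetty-fcrepo.xml", JETTY)],
                          [("setenv.sh", JAVA_OPTS), ("fcrepo.properties", PROPS)])))
```

Any alternate descriptor is reported, not only one named no-auth-web.xml, since the file name says nothing about which security constraints the replacement web.xml keeps.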
Unauthenticated Access
acl:agentClass of foaf:Agent (per the "Public Access (All Agents)" section of the SOLID WebAC spec). However, since authentication is presumed to be external to Fedora, the exact way you configure your repository to allow these requests will be dependent on the other features of your deployment (e.g., your application server, reverse proxy, etc.).
Future Plans
That being said, the Shiro architecture makes it possible to bring Shiro's authentication realms into Fedora's configuration. Long-term, this opens the door to allowing Fedora to control the presence or absence of authentication for individual resources.