Current Release

This documentation covers the current version of Fedora. Looking for another version? See all documentation.

Fedora has authentication and authorization enabled by default. If this does not fit your use case, this page describes how you can disable either authorization, so that authenticated access is still required, or authorization and authentication, so that access to Fedora is entirely unrestricted.

Bypass Authorization

Running Fedora without authorization means that the REST API is available to any request coming from the container and lacks any finer-grained security. This is useful when Fedora is running behind another application that connects to Fedora and implements its own security checks. This configuration is also useful for temporary demonstrations and for running software tests that do not require security.

Disabling authorization in Fedora does not preclude the use of container authentication to secure Fedora. However, container roles are not used for any further authorization within Fedora. All requests are treated as superusers.

To disable authorization simple set the fcrepo.auth.enabled configuration property to false, using either a configuration file or -D argument.

Disable Authentication and Authorization

Disabling authentication and authorization means that anyone can make unauthenticated requests to Fedora and they will be allowed. For instructions on only disabling only authorization, see Bypass Authorization.

Authentication is baked into the web.xml. In order disable it, you must either edit the web.xml to look like this example, or instruct your container to load an alternate web.xml. The following describes how to load an alternate web.xml in Tomcat and Jetty.

Tomcat

Add an entry to your $CATALINA_HOME/conf/server.xml that instructs the webapp to load a different web.xml. Assuming Fedora is deployed as the fcrepo webapp, the entry should look like this:

server.xml
<Server>
  ...
  <Service>
    ...
    <Engine>
      ...
      <Host>
        <Context docBase="fcrepo" altDDName="webapps/fcrepo/WEB-INF/no-auth-web.xml" />
        ...
      </Host>
    </Engine>
  </Service>
</Server>

Alternatively, you can add a context file to the $CATALINA_HOME/conf/Catalina/localhost  directory. The name of the file should be the webapp name plus .xml. Assuming Fedora is deploy as the fcrepo webapp, then file would be called $CATALINA_HOME/conf/Catalina/localhost/fcrepo.xml  and contain

fcrepo.xml
<Context altDDName="webapps/fcrepo/WEB-INF/no-auth-web.xml" />

Jetty

  1. Save a copy of the no-auth-web.xml to $JETTY_BASE/etc/fcrepo-no-auth-web.xml.
  2. Add an entry to your $JETTY_BASE/webapp/fcrepo.xml, instructing Jetty to load a different web.xml:
jetty.xml
<!DOCTYPE Configure PUBLIC "-//Jetty//Configure//EN" "http://www.eclipse.org/jetty/configure_9_0.dtd">
<Configure class="org.eclipse.jetty.webapp.WebAppContext">
  ...
  <Set name="descriptor"><SystemProperty name="jetty.base" default="."/>/etc/fcrepo-no-auth-web.xml</Set>
</Configure>

Unauthenticated Access

Unauthenticated access differs from disabling authentication entirely in that it allows some resources to require authentication, while not requiring authentication for others. Fedora will accept unauthenticated requests and apply authorizations with the acl:agentClass of foaf:Agent (per the "Public Access (All Agents)" section of the SOLID WebAC spec). However, since authentication is presumed to be external to Fedora, the exact way you configure your repository to allow these requests will be dependent on the other features of your deployment (e.g., your application server, reverse proxy, etc.).

Future Plans

That being said, the Shiro architecture brings the possibility of bringing Shiro's authentication realms into Fedora's configuration. Long-term, this opens the door to allowing Fedora to control the presence or absence of authentication for individual resources.


  • No labels

All content on the LYRASIS Wiki is licensed under the CC BY (Attribution) license, unless otherwise noted.