This feature is disabled by default, and requires configuration in order to enable it. See the allowed list configuration section below.
When referencing content hosted outside of the repository, you can create an empty binary to act as a placeholder for the external content, specifying the URL of the external content.
Instead of supplying the binary in the body of the request, you provide a Link header which uses the rel="http://fedora.info/definitions/fcrepo#ExternalContent" and specifies where to get the resource and how to handle it.
Link: <http://example.org/some/content>; rel="http://fedora.info/definitions/fcrepo#ExternalContent"; handling="proxy"; type="image/tiff"
The Fedora API specifies 3 methods of handling external content, all of which are supported.
- copy - Copy the binary from the provided URI and then treat it as a normal internal LDP-NR.
- redirect - On requests for the LDP-NR provide a redirect (302 Found or 307 Temporary Redirect) to the external URI.
- proxy - On requests for the LDP-NR proxy the request through the Fedora server the client with the same interaction as an internally stored LDP-NR.
If you provide a type= parameter to the Link header this content type will be used, however if type= is omitted, then the server attempts to determine the Content-Type.
If the external URI has a file prefix (ie. local disk storage) then application/octet-stream is returned.
If the external URI has a http prefix then a HEAD request is made to the URI provided in the Link header to retrieve the Content-type header, if this header is not returned the resource cannot be added to the repository.
The URI of the external content must be absolute. Relative paths and paths using relative path modifiers ("../") will result in the operation failing with a 400 status code.
Examples:
Proxying a file on the local server.
Creating the proxy LDP-NR
> curl -i -H"Link: <file:///local/file/storage/wonderful.tiff>; rel=\"http://fedora.info/definitions/fcrepo#ExternalContent\"; handling=\"proxy\"; type=\"image/tiff\"" -XPUT -ufedoraAdmin:fedoraAdmin http://localhost:8080/rest/test_proxy_local_file HTTP/1.1 201 Created Date: Fri, 29 Jun 2018 14:15:54 GMT Set-Cookie: JSESSIONID=aedg7ilmx9zxugi8x9em7l8h;Path=/ Expires: Thu, 01 Jan 1970 00:00:00 GMT Set-Cookie: rememberMe=deleteMe; Path=/; Max-Age=0; Expires=Thu, 28-Jun-2018 14:15:54 GMT ETag: "0e409de61b53a864ad3a87f4faf884d88cf041ff" Last-Modified: Fri, 29 Jun 2018 14:15:55 GMT Link: <http://localhost:8080/rest/test_proxy_local_file/fcr:metadata>; rel="describedby"; anchor="http://localhost:8080/rest/test_proxy_local_file" Link: <http://localhost:8080/static/constraints/NonRDFSourceConstraints.rdf>; rel="http://www.w3.org/ns/ldp#constrainedBy" Content-Location: file:/local/file/storage/wonderful.tiff Link: <http://localhost:8080/rest/test_proxy_local_file/fcr:acl>; rel="acl" Location: http://localhost:8080/rest/test_proxy_local_file Content-Type: text/plain Content-Length: 48 Server: Jetty(9.3.1.v20150714) http://localhost:8080/rest/test_proxy_local_file
Results of a request
> curl -i http://localhost:8080/rest/test_proxy_local_file -ufedoraAdmin:fedoraAdmin HTTP/1.1 200 OK Date: Fri, 29 Jun 2018 16:40:48 GMT Set-Cookie: JSESSIONID=zhy7150ie8vo1bsc9ycb1ghu1;Path=/ Expires: Thu, 01 Jan 1970 00:00:00 GMT Set-Cookie: rememberMe=deleteMe; Path=/; Max-Age=0; Expires=Thu, 28-Jun-2018 16:40:48 GMT ETag: "0e409de61b53a864ad3a87f4faf884d88cf041ff" Last-Modified: Fri, 29 Jun 2018 14:15:55 GMT Content-Type: image/tiff Accept-Ranges: bytes Content-Disposition: attachment; filename=""; creation-date="Fri, 29 Jun 2018 14:15:55 GMT"; modification-date="Fri, 29 Jun 2018 14:15:55 GMT"; size=14761236 Link: <http://www.w3.org/ns/ldp#Resource>;rel="type" Link: <http://www.w3.org/ns/ldp#NonRDFSource>;rel="type" Link: <http://localhost:8080/rest/test_proxy_local_file/fcr:acl>; rel="acl" Content-Location: file:/Users/whikloj/Desktop/wonderful.tiff Link: <http://localhost:8080/rest/test_proxy_local_file/fcr:metadata>; rel="describedby" Link: <http://localhost:8080/static/constraints/NonRDFSourceConstraints.rdf>; rel="http://www.w3.org/ns/ldp#constrainedBy" Accept-External-Content-Handling: copy,redirect,proxy Allow: DELETE,HEAD,GET,PUT,OPTIONS Cache-Control: no-transform, must-revalidate, max-age=0 Content-Length: 14761236 Server: Jetty(9.3.1.v20150714) ...<BODY CONTENT>...
Redirect to an external URI
Creating the redirect LDP-NR
> curl -i -H"Link: <http://localhost:8111/wonderful.jp2>; rel=\"http://fedora.info/definitions/fcrepo#ExternalContent\"; handling=\"redirect\"; type=\"image/jp2\"" -XPUT -ufedoraAdmin:fedoraAdmin http://localhost:8080/rest/test_redirect_remote_file HTTP/1.1 201 Created Date: Fri, 29 Jun 2018 16:11:16 GMT Set-Cookie: JSESSIONID=1rv3ytcylpb093ra1mhznx9dp;Path=/ Expires: Thu, 01 Jan 1970 00:00:00 GMT Set-Cookie: rememberMe=deleteMe; Path=/; Max-Age=0; Expires=Thu, 28-Jun-2018 16:11:16 GMT ETag: "009b79832d68313dd45ca6aab0528b34f9054713" Last-Modified: Fri, 29 Jun 2018 16:11:16 GMT Link: <http://localhost:8080/rest/test_redirect_remote_file/fcr:metadata>; rel="describedby"; anchor="http://localhost:8080/rest/test_redirect_remote_file" Link: <http://localhost:8080/static/constraints/NonRDFSourceConstraints.rdf>; rel="http://www.w3.org/ns/ldp#constrainedBy" Content-Location: http://localhost:8111/wonderful.jp2 Link: <http://localhost:8080/rest/test_redirect_remote_file/fcr:acl>; rel="acl" Location: http://localhost:8080/rest/test_redirect_remote_file Content-Type: text/plain Content-Length: 52 Server: Jetty(9.3.1.v20150714) http://localhost:8080/rest/test_redirect_remote_file
Results of a request
> curl -i http://localhost:8080/rest/test_redirect_remote_file -ufedoraAdmin:fedoraAdmin -L HTTP/1.1 307 Temporary Redirect Date: Fri, 29 Jun 2018 16:11:59 GMT Set-Cookie: JSESSIONID=cg9yt3o4whnmmxe9vllwerdz;Path=/ Expires: Thu, 01 Jan 1970 00:00:00 GMT Set-Cookie: rememberMe=deleteMe; Path=/; Max-Age=0; Expires=Thu, 28-Jun-2018 16:11:59 GMT ETag: "009b79832d68313dd45ca6aab0528b34f9054713" Last-Modified: Fri, 29 Jun 2018 16:11:16 GMT Content-Type: image/jp2 Accept-Ranges: bytes Content-Disposition: attachment; filename=""; creation-date="Fri, 29 Jun 2018 16:11:16 GMT"; modification-date="Fri, 29 Jun 2018 16:11:16 GMT"; size=305517 Link: <http://www.w3.org/ns/ldp#Resource>;rel="type" Link: <http://www.w3.org/ns/ldp#NonRDFSource>;rel="type" Link: <http://localhost:8080/rest/test_redirect_remote_file/fcr:acl>; rel="acl" Content-Location: http://localhost:8111/wonderful.jp2 Link: <http://localhost:8080/rest/test_redirect_remote_file/fcr:metadata>; rel="describedby" Link: <http://localhost:8080/static/constraints/NonRDFSourceConstraints.rdf>; rel="http://www.w3.org/ns/ldp#constrainedBy" Accept-External-Content-Handling: copy,redirect,proxy Allow: DELETE,HEAD,GET,PUT,OPTIONS Location: http://localhost:8111/wonderful.jp2 Content-Length: 305517 Server: Jetty(9.3.1.v20150714) HTTP/1.1 200 OK Date: Fri, 29 Jun 2018 16:12:59 GMT Server: Apache/2.4.29 (Unix) PHP/7.2.4 Last-Modified: Fri, 29 Jun 2018 16:09:29 GMT ETag: "4a96d-56fca128f2040" Accept-Ranges: bytes Content-Length: 305517 ...<BODY CONTENT>...
Copy a remote resource
Create the LDP-NR using external content
> curl -i -H"Link: <http://localhost:8111/wonderful.jp2>; rel=\"http://fedora.info/definitions/fcrepo#ExternalContent\"; handling=\"copy\"; type=\"image/jp2\"" -XPUT -ufedoraAdmin:fedoraAdmin http://localhost:8080/rest/test_copy_remote_file HTTP/1.1 201 Created Date: Fri, 29 Jun 2018 16:19:45 GMT Set-Cookie: JSESSIONID=1hmga57f6q5hh1td785dghsjfh;Path=/ Expires: Thu, 01 Jan 1970 00:00:00 GMT Set-Cookie: rememberMe=deleteMe; Path=/; Max-Age=0; Expires=Thu, 28-Jun-2018 16:19:45 GMT ETag: "d9cc4f3b266a19f0c225356a5caabb9080d680b4" Last-Modified: Fri, 29 Jun 2018 16:19:45 GMT Link: <http://localhost:8080/rest/test_copy_remote_file/fcr:metadata>; rel="describedby"; anchor="http://localhost:8080/rest/test_copy_remote_file" Link: <http://localhost:8080/static/constraints/NonRDFSourceConstraints.rdf>; rel="http://www.w3.org/ns/ldp#constrainedBy" Link: <http://localhost:8080/rest/test_copy_remote_file/fcr:acl>; rel="acl" Location: http://localhost:8080/rest/test_copy_remote_file Content-Type: text/plain Content-Length: 48 Server: Jetty(9.3.1.v20150714) http://localhost:8080/rest/test_copy_remote_file
Results of a request
> curl -i http://localhost:8080/rest/test_copy_remote_file -ufedoraAdmin:fedoraAdmin HTTP/1.1 200 OK Date: Fri, 29 Jun 2018 16:39:56 GMT Set-Cookie: JSESSIONID=h0ywas10h63p1340ajakqp1vy;Path=/ Expires: Thu, 01 Jan 1970 00:00:00 GMT Set-Cookie: rememberMe=deleteMe; Path=/; Max-Age=0; Expires=Thu, 28-Jun-2018 16:39:56 GMT ETag: "d9cc4f3b266a19f0c225356a5caabb9080d680b4" Last-Modified: Fri, 29 Jun 2018 16:19:45 GMT Content-Type: image/jp2 Accept-Ranges: bytes Content-Disposition: attachment; filename=""; creation-date="Fri, 29 Jun 2018 16:19:45 GMT"; modification-date="Fri, 29 Jun 2018 16:19:45 GMT"; size=305517 Link: <http://www.w3.org/ns/ldp#Resource>;rel="type" Link: <http://www.w3.org/ns/ldp#NonRDFSource>;rel="type" Link: <http://localhost:8080/rest/test_copy_remote_file/fcr:acl>; rel="acl" Link: <http://localhost:8080/rest/test_copy_remote_file/fcr:metadata>; rel="describedby" Link: <http://localhost:8080/static/constraints/NonRDFSourceConstraints.rdf>; rel="http://www.w3.org/ns/ldp#constrainedBy" Accept-External-Content-Handling: copy,redirect,proxy Allow: DELETE,HEAD,GET,PUT,OPTIONS Cache-Control: no-transform, must-revalidate, max-age=0 Content-Length: 305517 Server: Jetty(9.3.1.v20150714) ...<BODY CONTENT>...
Allowed External Paths Configuration
In order to enable external content, administrators must provide a configuration file stating a set of allowed external paths from which Fedora may provide binary content. This list is provided to the application by using the fcrepo.external.content.allowed startup parameter as follows:
-Dfcrepo.external.content.allowed=/path/to/allow.txt
By default, if this configuration is present at startup time Fedora will reload the configuration file any time it is modified.
Configuration Format
Each line within the file defines a single path from which allowed resources will be allowed. The entries are subject to the following rules:
- Paths must start with their protocol.
- If a path ends with a '/' character, all sub-paths within that path are allowed.
- If a path does not end with a '/', then only the exact path listed is allowed.
- Relative paths are disallowed.
- File paths must resolve to existing locations.
Example allow list file
file:///allowed/path/ file:/another/allowed/path/ file:///exact/match/file.txt https://example.com/ http://example.com/
This example allows external content references to local files at any path within /allowed/path/ and /another/allowed/path/, as well as the specific file /exact/match/file.txt.
It also allows external content from any HTTP URIs within https://example.com/ and http://example.com/
For security reasons, it is recommended to configure the minimum set of trusted external content sources/protocols that meet your use cases. By allowing for external content, you are assuming the risks inherent to providing a proxy to open web or file system resources. These resources may change outside of the management by the repository with the potential to introduce vulnerabilities, provide access to unintended files, or place undesirable burdens of system resources.