The following sections explain the Fedora 4 AuthN/Z framework, and provide instructions for configuring some out-of-the-box access controls.

For clarity's sake, a distinction is made between Authentication and Authorization:

Fedora 4 uses servlet container authentication (Realms) to provide minimal protection for your repository, including the setup of "superuser" accounts. User credentials are configured in your web application container, usually in a properties file or XML file. By configuring superuser accounts you can require authentication for all management (write) operations. This document describes how to set up Fedora and either Tomcat or Jetty to enable HTTP Basic Authentication, using simple user files. Consult your web application server documentation for other ways to configure and manage users; Fedora can handle any user principal passed to it by the servlet container, as provisioned by any of the container's supported authentication mechanisms.

The superuser role is fedoraAdmin. This is comparable to the fedoraAdmin superuser role in Fedora 3, used for Fedora 3 API-M operations.
The Fedora authorization modules reside in separate source code modules from the core Fedora web-application.

As of Fedora 4.7.4, the RBACL and XACML authorization modules are officially deprecated, and will not be included in future releases of Fedora. Subsequent Fedora releases will only include the WebAC authorization module.

As a result, each release includes pre-built Fedora "webapp-plus" war files that have the authorization modules included. It is recommended that you use one of these "webapp-plus" war files as a starting point for an authorization-enabled deployment.

You can then follow the guidelines in the Best Practices - Fedora Configuration document to specify site-specific "repo.xml" and "repository.json" configurations, as further described below.
Add the beans authenticationProvider and fad to your repo.xml file, and make the modeshapeRepofactory bean dependent on authenticationProvider. Use the class org.fcrepo.auth.ServletContainerAuthenticationProvider as your authentication provider. Here is an example repo.xml that configures authentication and authorization using the Basic Roles authorization delegate.

To specify a local repo.xml configuration, provide the system property as follows:

    JAVA_OPTS="... -Dfcrepo.spring.repo.configuration=file:/local/repo.xml"

    <?xml version="1.0" encoding="UTF-8"?>
    <beans xmlns="http://www.springframework.org/schema/beans"
           xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
           xmlns:context="http://www.springframework.org/schema/context"
           xmlns:p="http://www.springframework.org/schema/p"
           xmlns:util="http://www.springframework.org/schema/util"
           xsi:schemaLocation="
             http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
             http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context-3.0.xsd
             http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util.xsd">

      <!-- Context that supports the actual ModeShape JCR itself -->
      <context:annotation-config/>

      <bean name="modeshapeRepofactory" class="org.fcrepo.kernel.modeshape.spring.ModeShapeRepositoryFactoryBean"
            p:repositoryConfiguration="${fcrepo.modeshape.configuration:classpath:/config/servlet-auth/repository.json}"
            depends-on="authenticationProvider"/>

      <bean class="org.modeshape.jcr.ModeShapeEngine" init-method="start"/>

      <bean id="connectionManager" class="org.apache.http.impl.conn.PoolingHttpClientConnectionManager" />

      <!-- Optional PrincipalProvider that will inspect the request header, "some-header", for user role values -->
      <bean name="headerProvider" class="org.fcrepo.auth.common.HttpHeaderPrincipalProvider">
        <property name="headerName" value="some-header"/>
        <property name="separator" value=","/>
      </bean>

      <util:set id="principalProviderSet">
        <ref bean="headerProvider"/>
      </util:set>

      <bean name="fad" class="org.fcrepo.auth.roles.basic.BasicRolesAuthorizationDelegate"/>

      <bean name="authenticationProvider" class="org.fcrepo.auth.common.ServletContainerAuthenticationProvider">
        <property name="fad" ref="fad"/>
        <property name="principalProviders" ref="principalProviderSet"/>
      </bean>

      <!-- For the time being, load annotation config here too -->
      <bean class="org.fcrepo.metrics.MetricsConfig"/>
    </beans>
Modify the security section to enable both authenticated (via authentication provider) and internal sessions between Fedora and ModeShape.

To specify a local repository.json configuration, provide the system property as follows:

    JAVA_OPTS="... -Dfcrepo.modeshape.configuration=file:/local/repository.json"

It should contain a "security" element that matches this block:

    "security" : {
        "anonymous" : {
            "roles" : ["readonly","readwrite","admin"],
            "useOnFailedLogin" : false
        },
        "providers" : [
            { "classname" : "org.fcrepo.auth.common.ServletContainerAuthenticationProvider" }
        ]
    },
Modify fcrepo-webapp/src/main/webapp/WEB-INF/web.xml by uncommenting the security configuration:

    <!--Uncomment section below to enable Basic-Authentication-->
    <security-constraint>
      <web-resource-collection>
        <web-resource-name>Fedora4</web-resource-name>
        <url-pattern>/*</url-pattern>
        <http-method>DELETE</http-method>
        <http-method>PUT</http-method>
        <http-method>HEAD</http-method>
        <http-method>OPTIONS</http-method>
        <http-method>PATCH</http-method>
        <http-method>GET</http-method>
        <http-method>POST</http-method>
      </web-resource-collection>
      <auth-constraint>
        <role-name>fedoraUser</role-name>
        <role-name>fedoraAdmin</role-name>
      </auth-constraint>
      <user-data-constraint>
        <transport-guarantee>NONE</transport-guarantee>
      </user-data-constraint>
    </security-constraint>
    <login-config>
      <auth-method>BASIC</auth-method>
      <realm-name>fcrepo</realm-name>
    </login-config>
Create your jetty-users.properties file. This file contains entries in the format username: password [, role, ...], where:

Sample jetty-users.properties file that contains three users, two of whom are regular users, and the third of whom (fedoraAdmin) is a Fedora superuser:

    testuser: password1,fedoraUser
    adminuser: password2,fedoraUser
    fedoraAdmin: secret3,fedoraAdmin
Standalone

Modify your jetty.xml file to configure the login realm and include the jetty-users.properties file:

    <Configure class="org.eclipse.jetty.webapp.WebAppContext">

      <!-- Set this to the webapp root of your Fedora 4 repository -->
      <Set name="contextPath">/</Set>
      <!-- Set this to the path of your fcrepo4 WAR file -->
      <Set name="war"><SystemProperty name="jetty.home" default="."/>/webapps/fcrepo4</Set>

      <Get name="securityHandler">
        <Set name="loginService">
          <New class="org.eclipse.jetty.security.HashLoginService">
            <Set name="name">fcrepo4</Set>
            <!-- Set this to the path to your jetty-users.properties file -->
            <Set name="config"><SystemProperty name="jetty.home" default="."/>/path/to/jetty-users.properties</Set>
          </New>
        </Set>
      </Get>

    </Configure>
Embedded in Maven

    -Djetty.users.file=/path/to/jetty-users.properties

See the Jetty Authentication documentation for more details.
Create your $CATALINA_HOME/conf/tomcat-users.xml file. It has entries of the form <user name="principal" password="password" roles="role1, role2, ..." />, where:

Sample tomcat-users.xml file that contains three users, two of whom are regular users, and the third of whom (fedoraAdmin) is a Fedora superuser:

    <tomcat-users>
      <role rolename="fedoraUser" />
      <role rolename="fedoraAdmin" />
      <user name="testuser" password="password1" roles="fedoraUser" />
      <user name="adminuser" password="password2" roles="fedoraUser" />
      <user name="fedoraAdmin" password="secret3" roles="fedoraAdmin" />
    </tomcat-users>
Configure your Tomcat login realm.
Modify your $CATALINA_HOME/conf/server.xml file to configure the login realm with the Fedora 4 webapp context:

    <Context>
      ...
      <Realm className="org.apache.catalina.realm.UserDatabaseRealm"
             resourceName="UserDatabase" />
    </Context>
See the Tomcat Realms documentation for more details.
Running Fedora without authorization means that the REST API is available to any request coming from the container and lacks any finer-grained security. This is useful when Fedora is running behind another application that connects to Fedora and implements its own security checks. In addition, this configuration is useful for temporary demonstrations and for running software tests that do not require security.

This configuration does not preclude the use of container authentication to secure Fedora. However, container roles are not used for any further authorization within Fedora. All requests are treated as superusers.

The security bypass for the REST endpoints is accomplished by supplying an alternate ModeShape authentication provider for servlet credentials. This servlet authentication provider permits all actions at the ModeShape level and does not use a PEP (Policy Enforcement Point).

    "security" : {
        "anonymous" : {
            "roles" : ["readonly","readwrite","admin"],
            "useOnFailedLogin" : false
        },
        "providers" : [
            { "classname" : "org.fcrepo.auth.commons.BypassSecurityServletAuthenticationProvider" }
        ]
    },
Fedora Authorization Delegates allow you to implement one interface to enforce access control over your Fedora repository. This interface, FedoraAuthorizationDelegate, has callbacks that allow you to restrict ModeShape operations and filter search results. After following these configuration steps, Fedora's REST endpoints will respond with 403 response codes when the requested action is unauthorized by the authorization delegate.

Use of an authorization delegate and Fedora-specific authorization is optional. You can also configure Fedora to run without API security. You may want to only enforce container authentication or leave the service running completely unsecured, behind a firewall for instance. For details, see How to configure Fedora without authorization.

The authorization delegate is not consulted when servlet credentials identify a client with the fedoraAdmin role. When the container has authenticated the connected client as a fedoraAdmin, all actions are permitted and the PEP is bypassed.
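The request path described on this page, from container login through the fedoraAdmin bypass to the delegate's 403, as an added Python model that is not Fedora code: it parses the jetty-users.properties format shown earlier, models the HttpHeaderPrincipalProvider bean from the repo.xml example (header name "some-header", separator ","), and uses a constructed stand-in delegate (writers_only) in place of a real FedoraAuthorizationDelegate. The sample users file is constructed from the three accounts on this page.

```python
import hmac

CONTAINER_ROLES = {"fedoraUser", "fedoraAdmin"}  # <auth-constraint> in web.xml

def parse_jetty_users(text):
    """Parse 'username: password [, role, ...]' lines -> {user: (pw, roles)}."""
    users = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, _, rest = line.partition(":")
        password, *roles = [part.strip() for part in rest.split(",")]
        users[name.strip()] = (password, frozenset(roles))
    return users

def authenticate(users, username, password):
    """Container login (HTTP Basic): the user's roles, or None on failure."""
    entry = users.get(username)
    if entry is None or not hmac.compare_digest(entry[0], password):
        return None
    return entry[1]

def header_principals(headers, header_name="some-header", separator=","):
    """Model of HttpHeaderPrincipalProvider: extra principals from one header.
    Only safe when a trusted front end sets the header and strips any
    client-supplied copy; otherwise callers could grant themselves roles."""
    raw = headers.get(header_name, "")
    return frozenset(p.strip() for p in raw.split(separator) if p.strip())

def handle(users, username, password, headers, action, delegate):
    """Status code for one request, following the rules this page states."""
    roles = authenticate(users, username, password)
    if roles is None:
        return 401                  # container login failed
    if not roles & CONTAINER_ROLES:
        return 403                  # authenticated, but no permitted role
    if "fedoraAdmin" in roles:
        return 200                  # superuser: delegate (PEP) not consulted
    return 200 if delegate(roles | header_principals(headers), action) else 403

# Constructed sample: the page's three accounts and a stand-in delegate that
# lets any container user read but requires the 'writers' principal to write.
SAMPLE_USERS = ("testuser: password1,fedoraUser\n"
                "adminuser: password2,fedoraUser\n"
                "fedoraAdmin: secret3,fedoraAdmin\n")

def writers_only(principals, action):
    return action == "read" or "writers" in principals
```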
There are three reference implementations available:
You can also create an authorization delegate implementation and perform security checks differently, possibly including calls to remote services.

Two files contain the configuration options for authorization delegates: repo.xml and repository.json.

repo.xml:

    <bean name="modeshapeRepofactory" class="org.fcrepo.kernel.spring.ModeShapeRepositoryFactoryBean"
          depends-on="authenticationProvider">
      <property name="repositoryConfiguration" value="${fcrepo.modeshape.configuration:repository.json}" />
    </bean>

    <bean name="fad" class="your.own.implementation"/>

    <bean name="authenticationProvider" class="org.fcrepo.auth.ServletContainerAuthenticationProvider">
      <property name="fad" ref="fad"/>
    </bean>

repository.json:

    "security" : {
        "anonymous" : {
            "roles" : ["readonly","readwrite","admin"],
            "useOnFailedLogin" : false
        },
        "providers" : [
            { "classname" : "org.fcrepo.auth.ServletContainerAuthenticationProvider" }
        ]
    },
WebAC Authorization Delegate

As of Fedora 4.7.4, the RBACL authorization module is officially deprecated, and will not be included in future releases of Fedora. Subsequent Fedora releases will only include the WebAC authorization module.

Basic Role-based Authorization Delegate (RBACL)

As of Fedora 4.7.4, the XACML authorization module is officially deprecated, and will not be included in future releases of Fedora. Subsequent Fedora releases will only include the WebAC authorization module.