...

Incoming requests to Fedora first pass through a series of authentication and authorization servlet filters. These filters consult the current Shiro security manager to check whether the current user is authenticated, and then to determine which WebAC permissions that user has on the requested resource. Once those permissions have been determined, the WebAC filter either rejects the request with a "403 Forbidden" response or allows it to pass through to be processed by Fedora.

These Shiro components connect with Modeshape's authentication/authorization system through the ShiroAuthenticationProvider and ShiroSecurityContext, which implement the Modeshape AuthenticationProvider and SecurityContext interfaces, respectively. These classes do little more than delegate the questions of user identity and authentication status to Shiro and the configured realms.

Security Manager

Fedora uses an instance of the DefaultWebSecurityManager as its security manager. This manager is configured with two realms: ServletContainerAuthenticatingRealm and WebACAuthorizingRealm.
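The sketch below is an added example, not Fedora's own code: it wires a DefaultWebSecurityManager with two realms and shows a filter that fails closed with a 403 when the Shiro subject lacks the permission. ExampleAccessFilter, ModePermission, buildManager and the read/write mapping are hypothetical names and assumptions; the authorizing realm is assumed to grant ModePermission objects.

```java
import java.io.IOException;
import java.util.Arrays;
import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authz.Permission;
import org.apache.shiro.realm.Realm;
import org.apache.shiro.subject.Subject;
import org.apache.shiro.web.mgt.DefaultWebSecurityManager;

/** Added illustration of the flow described above; not Fedora's own filter. */
public class ExampleAccessFilter implements Filter {
    /** Hypothetical permission type: an access mode on one resource path. */
    static final class ModePermission implements Permission {
        final String mode, path;
        ModePermission(String mode, String path) { this.mode = mode; this.path = path; }
        @Override
        public boolean implies(Permission p) {
            return p instanceof ModePermission
                && mode.equals(((ModePermission) p).mode)
                && path.equals(((ModePermission) p).path);
        }
    }

    /** One manager, two realms: the first authenticates, the second authorizes. */
    static DefaultWebSecurityManager buildManager(Realm authenticating, Realm authorizing) {
        return new DefaultWebSecurityManager(Arrays.asList(authenticating, authorizing));
    }

    @Override public void init(FilterConfig config) { }
    @Override public void destroy() { }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        // Subject bound to this request by Shiro's filter earlier in the chain.
        Subject user = SecurityUtils.getSubject();
        // Assumed mapping for this example: safe methods need "read", all others "write".
        String method = request.getMethod();
        String mode = ("GET".equals(method) || "HEAD".equals(method)) ? "read" : "write";
        if (!user.isPermitted(new ModePermission(mode, request.getRequestURI()))) {
            // Fail closed: anything the realms did not grant is refused.
            ((HttpServletResponse) res).sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        chain.doFilter(req, res);
    }
}
```

A typed Permission object is used instead of a permission string because Shiro's default string resolver splits on ":" and ",", which can misparse resource paths containing those characters.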

...