
This filter does the main work of allowing or prohibiting requests. Based on the HTTP method of the incoming request (and possibly other details in its headers or body), and the set of WebACPermission objects that the WebACAuthorizingRealm has determined for the current user, this filter will either reject the request with a "403 Forbidden" HTTP response or allow the request to continue on to the Fedora servlet.

Configuration

Spring configuration
<!-- Excerpt of the Spring application context: the enclosing <beans> root element and the
     namespace declarations for the p: and util: prefixes used below are not shown here. -->

<!-- ModeShape repository factory. depends-on makes Spring initialise the authenticationProvider
     bean before this repository bean is created. -->
<bean name="modeshapeRepofactory"
    class="org.fcrepo.kernel.modeshape.spring.ModeShapeRepositoryFactoryBean"
    p:repositoryConfiguration="${fcrepo.modeshape.configuration}"
    depends-on="authenticationProvider"/>

<!-- Shiro-backed authentication provider that the repository factory above depends on -->
<bean name="authenticationProvider" class="org.fcrepo.auth.common.ShiroAuthenticationProvider"/>

<!-- **************************
          Authentication
     ************************** -->

<!-- Optional PrincipalProvider filter that will inspect the request header, "some-header", for user role values.
     SECURITY: the role values are taken directly from a request header. Enable this only when a trusted
     front end (e.g. a reverse proxy) sets the header and strips any copy supplied by the client; otherwise
     a client could assert arbitrary roles simply by sending the header itself.
     Once enabled, the bean name must also be listed in the filterChainDefinitions at the bottom of this
     file (between the auth filter and webACFilter); the chain as written does not include it. -->
<!--
<bean name="headerProvider" class="org.fcrepo.auth.common.HttpHeaderPrincipalProvider">
    <property name="headerName" value="some-header"/>
    <property name="separator" value=","/>
</bean>
-->

<!-- Optional PrincipalProvider filter that will use container configured roles as principals.
     Presumably only the role names listed in roleNames become principals. Once enabled, the bean
     name must also be listed in the filterChainDefinitions below; the chain as written does not include it. -->
<!--
<bean name="containerRolesProvider" class="org.fcrepo.auth.common.ContainerRolesPrincipalProvider">
  <property name="roleNames">
    <util:set set-class="java.util.HashSet">
      <value>tomcat-role-1</value>
      <value>tomcat-role-2</value>
    </util:set>
  </property>
</bean>
-->

<!-- delegatedPrincipalProvider filter allows a single user to be passed in the header "On-Behalf-Of",
       this is to be used as the actor making the request when authenticating.
       NOTE: Only users with the role fedoraAdmin can delegate to another user. Holding fedoraAdmin
             is therefore effectively the ability to act as any user; grant it sparingly.
       NOTE: Only supported in WebAC authentication.
       NOTE: Unlike the two optional providers above, this bean IS active in the filter chain below.
             It runs after servletContainerAuthFilter, so the caller's own identity is established
             before delegation is considered. Remove it from the chain if On-Behalf-Of delegation
             is not wanted. -->
<bean name="delegatedPrincipalProvider" class="org.fcrepo.auth.common.DelegateHeaderPrincipalProvider"/>

<!-- WebAC roles provider. Nothing in this excerpt references it by name, so it is presumably
     wired by type into the WebAC realm. -->
<bean name="accessRolesProvider" class="org.fcrepo.auth.webac.WebACRolesProvider"/>

<!-- Shiro Auth Configuration -->
<!-- Define the Shiro Realm implementation you want to use to connect to your back-end -->
<!-- WebAC Authorization Realm: determines the set of WebACPermission objects for the current user
     that webACFilter enforces -->
<bean id="webACAuthorizingRealm" class="org.fcrepo.auth.webac.WebACAuthorizingRealm" />

<!-- Servlet Container Authentication Realm: from the class name, authentication is delegated to
     whatever the servlet container has already established for the request -->
<bean id="servletContainerAuthenticatingRealm" class="org.fcrepo.auth.common.ServletContainerAuthenticatingRealm" />

<!-- Security Manager  -->
<!-- Registers both realms with Shiro: the container realm for authentication, the WebAC realm
     for authorization (inferred from the realm names above). -->
<bean id="securityManager" class="org.apache.shiro.web.mgt.DefaultWebSecurityManager">
  <property name="realms">
    <util:set set-class="java.util.HashSet">
      <ref bean="webACAuthorizingRealm"/>
      <ref bean="servletContainerAuthenticatingRealm"/>
    </util:set>
  </property>
  <!-- By default the servlet container sessions will be used.  Uncomment this line
      to use shiro's native sessions (see the JavaDoc for more): -->
  <!-- <property name="sessionMode" value="native"/> -->
</bean>

<!-- Post processor that automatically invokes init() and destroy() methods -->
<bean id="lifecycleBeanPostProcessor" class="org.apache.shiro.spring.LifecycleBeanPostProcessor"/>

<!-- Authentication Filter: establishes the Shiro subject for the request. It must be first in the
     chain so that the principal providers and webACFilter see an authenticated identity. -->
<bean id="servletContainerAuthFilter" class="org.fcrepo.auth.common.ServletContainerAuthFilter"/>

<!-- Authorization Filter: based on the HTTP method and the WebACPermission objects determined for the
     current user, either rejects the request with 403 Forbidden or lets it continue to the Fedora servlet -->
<bean id="webACFilter" class="org.fcrepo.auth.webac.WebACFilter"/>

<bean id="shiroFilter" class="org.apache.shiro.spring.web.ShiroFilterFactoryBean">
  <property name="securityManager" ref="securityManager"/>
  <property name="filterChainDefinitions">
    <value>
      <!-- The Auth filter should come first, followed by 0 or more of the principal provider filters, -->
      <!-- and finally the webACFilter -->
      <!-- "/**" applies this single chain to every request path. Filters are referenced by bean name;
           an optional provider enabled above (headerProvider, containerRolesProvider) only takes effect
           once it is listed here, between servletContainerAuthFilter and webACFilter. -->
      /** = servletContainerAuthFilter,delegatedPrincipalProvider,webACFilter
    </value>
  </property>
</bean>