...

The interface that custom providers must implement. Several providers exist in the codebase.

A principal provider must be configured in repo.xml. The following example shows the configuration for the PrincipalProvider class ContainerRolesPrincipalProvider.

...

repo.xml:

...

Principal providers are configured in Fedora's Spring configuration by doing the following:

  1. Add a <bean> definition for the desired provider, including any necessary configuration parameters. See below for the configuration parameters for the providers that exist in Fedora's core codebase.
  2. Add the name of the bean to the filterChainDefinitions line in the configuration of the org.apache.shiro.spring.web.ShiroFilterFactoryBean. The relevant line starts with /**, which means "filter all requests". What follows is a comma-separated list of filter bean names. The request proceeds through the filters from left to right.
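The two steps above combined in one fragment. This is an added example, not Fedora's shipped configuration: the bean names shiroFilter, securityManager, servletContainerAuthFilter and webACFilter are assumptions, while headerProvider, delegatedPrincipalProvider and their classes are the ones used on this page.

```xml
<!-- Step 1: define the provider beans (names, classes and values as used on this page). -->
<!-- Each separator-delimited value of "some-header" becomes a principal, so only a
     trusted front end should be able to set that header on incoming requests. -->
<bean name="headerProvider" class="org.fcrepo.auth.common.HttpHeaderPrincipalProvider">
    <property name="headerName" value="some-header"/>
    <property name="separator" value=","/>
</bean>

<!-- Switches to the On-Behalf-Of principal only when the authenticated user
     has the fedoraAdmin container role. -->
<bean name="delegatedPrincipalProvider"
      class="org.fcrepo.auth.common.DelegateHeaderPrincipalProvider"/>

<!-- Step 2: add the provider bean names to the /** line. Requests pass through the
     filters left to right, so the providers sit after the (assumed) authentication
     filter and before the (assumed) authorization filter. -->
<bean id="shiroFilter" class="org.apache.shiro.spring.web.ShiroFilterFactoryBean">
    <property name="securityManager" ref="securityManager"/>
    <property name="filterChainDefinitions">
        <value>
            /** = servletContainerAuthFilter,headerProvider,delegatedPrincipalProvider,webACFilter
        </value>
    </property>
</bean>
```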

Container Roles Principal Provider

...

HttpHeaderPrincipalProvider is a Principal Provider that obtains its initial set of principals from an HTTP request header.

Spring bean configuration (repo.xml):

    <!-- Optional PrincipalProvider that will inspect the request header, "some-header", for user role values -->
    <bean name="headerProvider" class="org.fcrepo.auth.common.HttpHeaderPrincipalProvider">
        <property name="headerName" value="some-header"/>
        <property name="separator" value=","/>
    </bean>
    <bean name="authenticationProvider" class="org.fcrepo.auth.common.ServletContainerAuthenticationProvider"
          p:fad-ref="fad" p:principalProviders-ref="headerProvider"/>

Delegate Header Principal Provider

DelegateHeaderPrincipalProvider is a Principal Provider that uses the On-Behalf-Of HTTP header to switch the user principal to the principal given in the header. This switch is only performed if the authenticated user has the fedoraAdmin container role.

Spring bean configuration (repo.xml):

    <bean name="delegatedPrincipalProvider" class="org.fcrepo.auth.common.DelegateHeaderPrincipalProvider"/>
    <bean name="authenticationProvider" class="org.fcrepo.auth.common.ServletContainerAuthenticationProvider"
          p:fad-ref="fad" p:principalProviders-ref="delegatedPrincipalProvider"/>

Implementation Details

The Fedora class org.fcrepo.auth.common.ServletContainerAuthenticationProvider contains a list of PrincipalProvider derivative instances that are called for every authentication query. The union of the authentication traits of the PrincipalProvider instances will be assigned to the FEDORA_ALL_PRINCIPALS session attribute. If the user has the fedoraAdmin role, a FedoraAdminSecurityContext is provided as the user's SecurityContext. If the user does not have the fedoraAdmin role, an ExecutionContext is provided as the user's SecurityContext.

...