...
The interface that custom providers must implement. Several providers exist in the codebase.
A principal provider must be configured in repo.xml. The following example shows the configuration for the PrincipalProvider class ContainerRolesPrincipalProvider.
...
...
Principal providers are configured in Fedora's Spring configuration by doing the following:
- Add a <bean> definition for the desired provider, including any necessary configuration parameters. See below for the configuration parameters for the providers that exist in Fedora's core codebase.
- Add the name of the bean to the filterChainDefinitions line in the configuration of the org.apache.shiro.spring.web.ShiroFilterFactoryBean. The relevant line starts with /**, which means "filter all requests". What follows is a comma-separated list of filter bean names. The request proceeds through the filters from left to right.
Container Roles Principal Provider
...
HttpHeaderPrincipalProvider is a Principal Provider that obtains its initial set of principals from HTTP request headers.
```xml
<!-- Optional PrincipalProvider that will inspect the request header, "some-header", for user role values -->
<bean name="headerProvider" class="org.fcrepo.auth.common.HttpHeaderPrincipalProvider">
  <property name="headerName" value="some-header"/>
  <property name="separator" value=","/>
</bean>

<bean name="authenticationProvider" class="org.fcrepo.auth.common.ServletContainerAuthenticationProvider"
      p:fad-ref="fad" p:principalProviders-ref="headerProvider"/>
```
Delegate Header Principal Provider
DelegateHeaderPrincipalProvider is a Principal Provider that uses the On-Behalf-Of HTTP header to switch the user principal to the principal given in the header. This switch is only performed if the authenticated user has the fedoraAdmin container role.
```xml
<bean name="delegatedPrincipalProvider" class="org.fcrepo.auth.common.DelegateHeaderPrincipalProvider"/>

<bean name="authenticationProvider" class="org.fcrepo.auth.common.ServletContainerAuthenticationProvider"
      p:fad-ref="fad" p:principalProviders-ref="delegatedPrincipalProvider"/>
```
Implementation Details
The Fedora class org.fcrepo.auth.common.ServletContainerAuthenticationProvider contains a list of PrincipalProvider derivative instances that are called for every authentication query. The union of the principals returned by the PrincipalProvider instances is assigned to the FEDORA_ALL_PRINCIPALS session attribute. If the user has the fedoraAdmin role, a FedoraAdminSecurityContext is provided as the user's SecurityContext. If the user does not have the fedoraAdmin role, an ExecutionContext is provided as the user's SecurityContext.
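The following is an added Python model of the rules described in the three sections above (header principals split on the configured separator, On-Behalf-Of delegation gated on fedoraAdmin, and the union of principals plus the choice of security context). It is not Fedora's Java code; the Request class is a constructed stand-in for the servlet request, and the model assumes that a delegated request is evaluated as the delegate and therefore receives an ExecutionContext.

```python
from dataclasses import dataclass, field
from typing import Optional

FEDORA_ADMIN_ROLE = "fedoraAdmin"   # container role named on the page
DELEGATE_HEADER = "On-Behalf-Of"    # header read by DelegateHeaderPrincipalProvider


@dataclass
class Request:
    """Stand-in for the servlet request (constructed for this example)."""
    user: Optional[str]                         # container-authenticated user, or None
    roles: set = field(default_factory=set)     # container roles of that user
    headers: dict = field(default_factory=dict)


def header_principals(req, header_name="some-header", separator=","):
    """Models HttpHeaderPrincipalProvider: one principal per non-blank,
    separator-delimited value of the configured header. Whatever the header
    carries is trusted, so it must be set by a trusted front end, not the client."""
    raw = req.headers.get(header_name, "")
    return {v.strip() for v in raw.split(separator) if v.strip()}


def delegate_principal(req):
    """Models DelegateHeaderPrincipalProvider: the On-Behalf-Of value is
    honoured only when the authenticated user holds fedoraAdmin."""
    target = req.headers.get(DELEGATE_HEADER, "").strip()
    if target and FEDORA_ADMIN_ROLE in req.roles:
        return target
    return None


def resolve(req, header_name="some-header", separator=","):
    """Models ServletContainerAuthenticationProvider wired with both providers:
    returns the effective user, the union of principals (the page's
    FEDORA_ALL_PRINCIPALS) and which security context would be issued."""
    if req.user is None:
        return None  # no container authentication, nothing to resolve
    delegate = delegate_principal(req)
    effective_user = delegate or req.user
    all_principals = {effective_user} | header_principals(req, header_name, separator)
    # Assumption of this model: a delegated request runs as the delegate, so it
    # gets the plain ExecutionContext even though the caller is an admin.
    is_admin = delegate is None and FEDORA_ADMIN_ROLE in req.roles
    context = "FedoraAdminSecurityContext" if is_admin else "ExecutionContext"
    return {"user": effective_user, "principals": all_principals, "context": context}
```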
...