...
Principal Providers are implemented as servlet filters that are added to the Shiro filter chain between the initial authentication filter (ServletContainerAuthFilter) and the final authorization filter (WebACFilter).
Different derivatives of the PrincipalProvider class can be initialized differently, either through the repository.json file, other credential files, from information sent via HTTP header or by connecting to external information sources such as LDAP.
Configuration
Principal providers are configured in Fedora's Spring configuration by doing the following:
- Add a
<bean>definition for the desired provider, including any necessary configuration parameters. See below for the configuration parameters for the providers that exist in Fedora's core codebase. - Add the name of the bean to the
filterChainDefinitionsline in the configuration of theorg.apache.shiro.spring.web.ShiroFilterFactoryBean. The relevant line starts with/**, which means "filter all requests". What follows is a comma-separated list of filter bean names. The request proceeds through the filters from left to right.
Here is the complete default Spring filter configuration used by the fcrepo-webapp:
| Code Block | ||||
|---|---|---|---|---|
| ||||
<!-- Authentication Filter -->
<bean id="servletContainerAuthFilter" class="org.fcrepo.auth.common.ServletContainerAuthFilter"/>
<!-- Principal Provider Filter: Delegate Header -->
<bean name="delegatedPrincipalProvider" class="org.fcrepo.auth.common.DelegateHeaderPrincipalProvider"/>
<!-- Authorization Filter -->
<bean id="webACFilter" class="org.fcrepo.auth.webac.WebACFilter"/>
<!-- connect the filters into a chain -->
<bean id="shiroFilter" class="org.apache.shiro.spring.web.ShiroFilterFactoryBean">
<property name="securityManager" ref="securityManager"/>
<property name="filterChainDefinitions">
<value>
<!-- The Auth filter should come first, followed by 0 or more of the principal provider filters, -->
<!-- and finally the webACFilter -->
/** = servletContainerAuthFilter,delegatedPrincipalProvider,webACFilter
</value>
</property>
</bean> |
The repository configuration file (repository.json) contains the class name of an authentication provider (under "providers") as well as the roles to be used when starting the provider module. By default, the org.fcrepo.auth.common.BypassSecurityServletAuthenticationProvider exists in the configuration file, as it doesn't rely on an external PrincipalProvider and offers the simplest authentication model (the module always gives access privileges to the session).
Different derivatives of the PrincipalProvider class can be initialized differently, either through the repository.json file, other credential files, from information sent via HTTP header or by connecting to external information sources such as LDAP.
Configuration
Principal providers are configured in Fedora's Spring configuration by doing the following:
- Add a
<bean>definition for the desired provider, including any necessary configuration parameters. See below for the configuration parameters for the providers that exist in Fedora's core codebase. - Add the name of the bean to the
filterChainDefinitionsline in the configuration of theorg.apache.shiro.spring.web.ShiroFilterFactoryBean. The relevant line starts with/**, which means "filter all requests". What follows is a comma-separated list of filter bean names. The request proceeds through the filters from left to right.
The default filter chain in the fcrepo-webapp web.xml is as follows:
| No Format |
|---|
/** = servletContainerAuthFilter,delegatedPrincipalProvider,webACFilter |
Classes
Container Roles Principal Provider
...