...
Web Access Control (WebAC or WAC) is Fedora's system for authorizing requests for resources in the repository.
Table of Contents |
---|
...
Definitions
From the SOLID Web Access Control specification:
...
Continuing with this example, if a user comes in as user "dra2"
, the user's identity will be converted to the URI http://example.org/agent/dra2 before applying ACLs.
Examples of Authorizations
The user userA can Read document foo
Code Block language text @prefix acl: <http://www.w3.org/ns/auth/acl#> <#auth1> a acl:Authorization ; acl:accessTo </fcrepo/rest/foo> ; acl:mode acl:Read; acl:agent "userA" .
Users in NewsEditor group can Write to any resource of type ex:News
Code Block language text @prefix acl: <http://www.w3.org/ns/auth/acl#> . @prefix ex: <http://example.org/ns#> . <#auth2> a acl:Authorization ; acl:accessToClass ex:News ; acl:mode acl:Read, acl:Write; acl:agentClass </fcrepo/rest/agents/NewsEditors> .
Code Block language text title /agents/NewsEditors @prefix vcard: <http://www.w3.org/2006/vcard/ns#> . <> a vcard:Group; vcard:hasMember "editor1", "editor2".
The user userB can Read document foo (This involves setting a system property for the servlet container, e.g.
-Dfcrepo.auth.webac.userAgent.baseUri=http://example.org/agents/)
Code Block language text @prefix acl: <http://www.w3.org/ns/auth/acl#> <#auth3> a acl:Authorization ; acl:accessTo </fcrepo/rest/foo> ; acl:mode acl:Read; acl:agent <http://example.org/agents/userB> .
Protecting Resources
Any resource in the repository may have its own ACL. The location of that (potential) ACL is given in a Link
HTTP header with rel="acl"
. If a resource itself does not specify its own ACL, its parent containers are inspected, and the first specified ACL found is used as the ACL for the requested resource. If no ACLs are found, a filesystem-based ACL will be checked, the default policy of which is to deny access to the requested resource.
...