Running Fedora without authorization means that the REST API is available to any request coming from the container and lacks any finer-grained security. This is useful when Fedora is running behind another application that connects to Fedora and implements its own security checks. This configuration is also useful for temporary demonstrations and for running software tests that do not require security.
Disabling auth in Fedora does not preclude the use of container authentication to secure Fedora. However, container roles are not used for any further authorization within Fedora. All requests are treated as coming from a superuser.
The security bypass for the REST endpoint is accomplished by supplying an alternate ModeShape authentication provider. This provider permits all actions at the ModeShape level. Auth is disabled by default in the Jetty one-click version of Fedora.
Step-by-Step Configuration
- Open your Spring configuration file.
  - Remove any beans that are instances of org.fcrepo.auth.common.ShiroAuthenticationProvider.
  - Remove the depends-on attribute from the modeshapeRepofactory bean, if there is one.
- Open your web.xml file.
  - Remove all occurrences of "shiroFilter" (<filter> and <filter-mapping>)
  - Comment out <security-constraint> and <login-config> sections
- Open your Modeshape repository configuration file (repository.json).
  - Under security, configure the BypassSecurityServletAuthenticationProvider, as shown in the example below.

Example repository.json (security section)
...

- Set the fcrepo.auth.enabled property to false. This can be done in a properties file or with a -D argument.
- Edit Fedora's web.xml so that all of the auth related configuration is removed or commented out. Here is an example of what the modified web.xml should look like. The web.xml is located in the WEB-INF directory within the Fedora webapp when it is deployed in Tomcat.
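
To confirm which state a deployment is actually in after the steps above, this added example (not code from the Fedora project) reports the auth-related entries still active in a web.xml and reads an explicit fcrepo.auth.enabled value from properties text. The function names and both sample documents are constructed for illustration, and only the `=` separator of the properties format is handled.

```python
import xml.etree.ElementTree as ET

def local_name(tag):
    """Strip an XML namespace: '{ns}filter' -> 'filter'."""
    return tag.rsplit("}", 1)[-1]

def active_auth_config(web_xml_text):
    """List auth-related web.xml entries that are still active.
    ElementTree discards comments, so commented-out sections count as absent."""
    found = []
    for el in ET.fromstring(web_xml_text):
        name = local_name(el.tag)
        if name in ("security-constraint", "login-config"):
            found.append(name)
        elif name in ("filter", "filter-mapping"):
            names = [(c.text or "").strip() for c in el
                     if local_name(c.tag) == "filter-name"]
            if "shiroFilter" in names:
                found.append(name + ":shiroFilter")
    return found

def auth_enabled_setting(properties_text):
    """Return the explicit fcrepo.auth.enabled value, or None if unset."""
    for line in properties_text.splitlines():
        line = line.strip()
        if line.startswith(("#", "!")) or "=" not in line:
            continue
        key, value = line.split("=", 1)
        if key.strip() == "fcrepo.auth.enabled":
            return value.strip().lower() == "true"
    return None

# Constructed sample inputs, not taken from a real deployment.
SECURED_WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee">
  <filter><filter-name>shiroFilter</filter-name></filter>
  <filter-mapping><filter-name>shiroFilter</filter-name>
    <url-pattern>/*</url-pattern></filter-mapping>
  <security-constraint><auth-constraint/></security-constraint>
  <login-config><auth-method>BASIC</auth-method></login-config>
</web-app>"""

OPEN_WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee">
  <!-- <security-constraint><auth-constraint/></security-constraint>
       <login-config><auth-method>BASIC</auth-method></login-config> -->
  <servlet><servlet-name>rest</servlet-name></servlet>
</web-app>"""

if __name__ == "__main__":
    print(active_auth_config(SECURED_WEB_XML), active_auth_config(OPEN_WEB_XML))
```

An empty list together with an explicit `False` from `auth_enabled_setting` means every request reaching the REST API is unauthenticated, so access control has to come from the container or the fronting application.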