...

More principal provider filters can be added to this filter chain to perform additional authorization processing. For instance, when an external authentication system such as Shibboleth adds the user's security principals to the request as an HTTP header, you can configure the HTTP Header Principal Provider to extract those principals and add them to the current user.

These Shiro components connect with ModeShape's authentication/authorization system through the ShiroAuthenticationProvider and ShiroSecurityContext, which implement the ModeShape AuthenticationProvider and SecurityContext interfaces, respectively. These classes do little more than delegate the questions of user identity and authentication status to Shiro and the configured realms.

Security Manager

Fedora uses an instance of the DefaultWebSecurityManager as its security manager. This manager is configured with two realms: ServletContainerAuthenticatingRealm and WebACAuthorizingRealm.

...

This filter does the main work of allowing or prohibiting requests. It decides based on the HTTP method of the incoming request (and possibly other details in the request's headers or body) and the set of WebACPermission objects that the WebACAuthorizingRealm has determined for the current user. The filter either rejects the request with a "403 Forbidden" HTTP response or allows it to continue on to the Fedora servlet.
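The decision described above can be modelled in a few lines. This is an added example, not Fedora's filter code: the `Perm` record is a hypothetical stand-in for WebACPermission, and the method-to-mode mapping, the body check for PATCH, and the sample URI are assumptions made for the illustration (Java 16+ for records).

```java
import java.net.URI;
import java.util.Set;

// Simplified model of the allow/deny decision; not Fedora's own filter class.
public class WebAcDecisionExample {

    // Access modes from the WebAC vocabulary (http://www.w3.org/ns/auth/acl#).
    enum Mode { READ, APPEND, WRITE }

    // Hypothetical stand-in for a WebACPermission: one mode granted on one resource.
    record Perm(Mode mode, URI resource) {}

    // Assumed mapping from HTTP method (and, for PATCH, the body) to the required mode.
    static Mode requiredMode(String method, String body) {
        switch (method) {
            case "GET": case "HEAD": case "OPTIONS":
                return Mode.READ;
            case "POST":
                return Mode.APPEND;
            case "PATCH":
                // Crude body check: an update mentioning DELETE needs Write,
                // an insert-only update needs Append. A false match fails closed.
                boolean deletes = body == null || body.toUpperCase().contains("DELETE");
                return deletes ? Mode.WRITE : Mode.APPEND;
            default:
                // PUT, DELETE and unrecognised methods require the strongest mode.
                return Mode.WRITE;
        }
    }

    // true: pass the request on to the servlet; false: answer "403 Forbidden".
    static boolean isAllowed(String method, URI resource, String body, Set<Perm> granted) {
        Mode needed = requiredMode(method, body);
        if (granted.contains(new Perm(needed, resource))) {
            return true;
        }
        // In the ACL vocabulary Append is a kind of Write, so Write covers Append.
        return needed == Mode.APPEND && granted.contains(new Perm(Mode.WRITE, resource));
    }

    public static void main(String[] args) {
        URI res = URI.create("http://localhost:8080/rest/example"); // constructed sample
        Set<Perm> granted = Set.of(new Perm(Mode.READ, res), new Perm(Mode.APPEND, res));
        String insert = "INSERT DATA { <> <urn:example:p> \"v\" }";  // constructed sample
        String remove = "DELETE WHERE { <> <urn:example:p> ?o }";   // constructed sample
        System.out.println("GET             -> " + isAllowed("GET", res, null, granted));
        System.out.println("PATCH (insert)  -> " + isAllowed("PATCH", res, insert, granted));
        System.out.println("PATCH (delete)  -> " + isAllowed("PATCH", res, remove, granted));
        System.out.println("DELETE          -> " + isAllowed("DELETE", res, null, granted));
    }
}
```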

Configuration

...

Spring configuration (XML)

...

TODO