...
Different derivatives of the PrincipalProvider class can be initialized differently, either through credential files, information sent via HTTP header, or by connecting to external information sources such as LDAP.
Configuration
Principal providers are configured in Fedora's Spring configuration by doing the following:
- Add a
<bean>
definition for the desired provider, including any necessary configuration parameters. See below for the configuration parameters for the providers that exist in Fedora's core codebase. - Add the name of the bean to the
filterChainDefinitions
line in the configuration of theorg.apache.shiro.spring.web.ShiroFilterFactoryBean
. The relevant line starts with/**
, which means "filter all requests". What follows is a comma-separated list of filter bean names. The request proceeds through the filters from left to right.
Here is the complete default Spring filter configuration used by the fcrepo-webapp:
Code Block | ||||
---|---|---|---|---|
| ||||
<!-- Authentication Filter -->
<bean id="servletContainerAuthFilter" class="org.fcrepo.auth.common.ServletContainerAuthFilter"/>
<!-- Principal Provider Filter: Delegate Header -->
<bean name="delegatedPrincipalProvider" class="org.fcrepo.auth.common.DelegateHeaderPrincipalProvider"/>
<!-- Authorization Filter -->
<bean id="webACFilter" class="org.fcrepo.auth.webac.WebACFilter"/>
<!-- connect the filters into a chain -->
<bean id="shiroFilter" class="org.apache.shiro.spring.web.ShiroFilterFactoryBean">
<property name="securityManager" ref="securityManager"/>
<property name="filterChainDefinitions">
<value>
<!-- The Auth filter should come first, followed by 0 or more of the principal provider filters, -->
<!-- and finally the webACFilter -->
/** = servletContainerAuthFilter,delegatedPrincipalProvider,webACFilter
</value>
</property>
</bean> |
Classes
Container Roles Principal Provider
ContainerRolesPrincipalProvider is a PrincpalProivder that obtains its set of principals from web.xml.
Code Block | ||||
---|---|---|---|---|
| ||||
<bean name="containerRolesProvider" class="org.fcrepo.auth.common.ContainerRolesPrincipalProvider">
<property name="roleNames">
<util:set set-class="java.util.HashSet">
<value>tomcat-role-1</value>
<value>tomcat-role-2</value>
</util:set>
</property>
</bean> |
New roles must be specified in web.xml as shown below.
Code Block | ||||
---|---|---|---|---|
| ||||
<auth-constraint>
<role-name>fedoraUser</role-name>
<role-name>fedoraAdmin</role-name>
<role-name>tomcat-role-1</role-name>
<role-name>tomcat-role-2</role-name>
</auth-constraint> |
...
Container Roles Principal Provider
ContainerRolesPrincipalProvider is a PrincpalProivder that obtains its set of principals from web.xml.
- Enable this provider by setting the configuration property
fcrepo.auth.principal.roles.enabled
totrue
. - Set the
fcrepo.auth.principal.roles.list
to a comma separated list of roles - Update your web.xml
auth-constraint
element to contain your custom roles
For example, your fcrepo.properties file might look like this:
Code Block |
---|
fcrepo.auth.principal.roles.enabled=true
fcrepo.auth.principal.roles.list=fedoraUser,fedoraAdmin,tomcat-role-1,tomcat-role-2 |
And your web.xml would be updated to look like this:
Code Block | ||||
---|---|---|---|---|
| ||||
<web-app> ... <security-constraint> ... <auth-constraint> <role-name>fedoraUser</role-name> <role-name>fedoraAdmin</role-name> <role-name>newRoleExample</role-name> </auth-constraint> </securty-constraint></web-app> |
HTTP Header Principal Provider
...