...
Fedora can authorize actions on the basis of a user name. Access may also hinge on additional security principals that are specific to an organization. These principals are often based on attributes coming with the request from Shibboleth, LDAP, CAS, etc.. Additional principals can be supported in Fedora authorization by implementing the PrincipalFactory interface. A PrincipalFactory examines Servlet requests and returns a set of additional principals for authorization. Example principals might include a named IP range, an affiliation or group from a Shibboleth SP header, principals extracted from a SAML payloads, etc.. Fedora provides a configurable HeaderPrincipalFactory that extracts principals from headers.
...
Reference Implementation: HeaderPrincipalFactory Fedora ships with this simply simple principal factory that creates string-based security principals from request headers. This is useful in cases, like the Apache HTTP Shibboleth module, where additional attributes are supplied as request headers. |
|---|
...
All requests to the JCR repository that underlies Fedora come through a JCR Session. The JCR Session results from JCR authentication and contain security context that allows the repository to make the most granular Fedora authorization decisions downstream. JCR sessions are tied to every Fedora REST request by means of an InjectedSession annotation on resources. This annotation will bring in a JCR Session from a SessionProvider that in turns get turn gets the Session from a SessionFactory. During Fedora transactions a JCR Session is saved with the transaction. Sessions in transactions will remain open until the transaction is closed or the maximum time between requests is reached.
JCR authentication is based on ServletCredentials that are passed through from the REST endpoint. The place to start looking at this is the SessionFactory, which retrieves the transaction session or formulates a repository login attempt from the servlet request. Repository logins are based on a an extensible credentials object. In ModeShape logins may be implemented by many implementations of an AuthenticationProvider interface. Fedora includes an ServletAuthenticationProvider that checks requests for a Fedora user role of either fedoraUser or fedoraAdmin before permitting Session creation.
...
Reference Implementation: ServletAuthenticationProvider Fedora ships with a AuthenticationProvider that checks for proper Fedora user roles before session creation. It creates a security context the that implements the Fedora user-based authorization endpoint. |
|---|
...