...

This is a very simple, servlet-based authorization system. Its authentication provider will only create sessions for servlet requests that carry the fedoraAdmin container role. It authorizes admin users to perform all actions.

XACML Fedora User Authorization Module

This module creates sessions only for requests bearing a fedoraUser container role. It is useful in cases where Fedora is responding directly to container-authenticated end users. This module compiles request information (subject, resource, action) into an authorization request that is passed to a policy decision point (PDP) according to the XACML standard.

  • This authorization provider will delegate authorization decisions to a XACML PDP.
  • Policies might be stored in the repository tree (see JCR 2.0 16.3 and JBossLDAPPolicyLocator as an example)
  • ?? Standard and customized XACML attribute mappings could be stored in the repository. (JCR query, data type, attribute ID)
    • Write an "attribute finder" based on relative JCR XPath.
  • ModeShape Question: How best to store policies within the repository? (normal nodes/properties or possibly behind the AccessManager API)
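The two modules described above, sketched as an added example (this is not Fedora's or ModeShape's code, and Fedora itself is Java; Python is used here only to make the flow concrete). The container-role names fedoraAdmin and fedoraUser come from the notes; the `ServletRequest` stand-in, the session dictionaries, the `pdp` callable and the toy `deny_writes_pdp` are assumptions for illustration. The XACML 3.0 namespace, attribute categories, attribute IDs and data type are the standard identifiers.

```python
"""Two authorization modules: admin-only (container role decides) and
user (container role gates the session, a XACML PDP decides the action).
Constructed example; the request model and PDP interface are assumed."""
import xml.etree.ElementTree as ET
from dataclasses import dataclass

# Standard XACML 3.0 identifiers (not page-specific values).
XACML_NS = "urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
CAT_SUBJECT = "urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
CAT_RESOURCE = "urn:oasis:names:tc:xacml:3.0:attribute-category:resource"
CAT_ACTION = "urn:oasis:names:tc:xacml:3.0:attribute-category:action"
ATTR_SUBJECT_ID = "urn:oasis:names:tc:xacml:1.0:subject:subject-id"
ATTR_RESOURCE_ID = "urn:oasis:names:tc:xacml:1.0:resource:resource-id"
ATTR_ACTION_ID = "urn:oasis:names:tc:xacml:1.0:action:action-id"
XS_STRING = "http://www.w3.org/2001/XMLSchema#string"

ET.register_namespace("", XACML_NS)  # serialize with a default namespace


@dataclass(frozen=True)
class ServletRequest:
    """Minimal stand-in for a container-authenticated servlet request (assumed)."""
    principal: str
    roles: frozenset
    path: str
    method: str

    def is_user_in_role(self, role):
        # Mirrors HttpServletRequest.isUserInRole: the container has already
        # authenticated the caller and mapped it to roles.
        return role in self.roles


def admin_module(req):
    """Simple module: a session exists only for fedoraAdmin, and admins may do anything."""
    if not req.is_user_in_role("fedoraAdmin"):
        return None  # no session is created for anyone else
    return {"principal": req.principal, "permit": True}


def _add_attribute(request_el, category, attribute_id, value):
    attrs = ET.SubElement(request_el, f"{{{XACML_NS}}}Attributes", Category=category)
    attr = ET.SubElement(attrs, f"{{{XACML_NS}}}Attribute",
                         AttributeId=attribute_id, IncludeInResult="false")
    val = ET.SubElement(attr, f"{{{XACML_NS}}}AttributeValue", DataType=XS_STRING)
    val.text = value


def build_xacml_request(req):
    """Compile the servlet request into a XACML 3.0 <Request> document."""
    root = ET.Element(f"{{{XACML_NS}}}Request",
                      ReturnPolicyIdList="false", CombinedDecision="false")
    _add_attribute(root, CAT_SUBJECT, ATTR_SUBJECT_ID, req.principal)
    _add_attribute(root, CAT_RESOURCE, ATTR_RESOURCE_ID, req.path)
    _add_attribute(root, CAT_ACTION, ATTR_ACTION_ID, req.method)
    return ET.tostring(root, encoding="unicode")


def user_module(req, pdp):
    """XACML user module: fedoraUser gates the session, the PDP decides the action.

    `pdp` is any callable taking the XACML request XML and returning the
    decision string ("Permit", "Deny", ...); in a deployment it would wrap a
    real PDP. Anything other than an explicit Permit is treated as denial.
    """
    if not req.is_user_in_role("fedoraUser"):
        return None
    decision = pdp(build_xacml_request(req))
    return {"principal": req.principal, "permit": decision == "Permit"}


def deny_writes_pdp(xacml_request):
    """Toy PDP standing in for a policy engine: permits reads, denies everything else."""
    root = ET.fromstring(xacml_request)
    ns = {"x": XACML_NS}
    action = root.find(
        f"x:Attributes[@Category='{CAT_ACTION}']/x:Attribute/x:AttributeValue", ns).text
    return "Permit" if action in ("GET", "HEAD") else "Deny"


if __name__ == "__main__":
    # Constructed requests: an admin deleting, and a plain user reading and deleting.
    admin_del = ServletRequest("alice", frozenset({"fedoraAdmin"}), "/rest/obj1", "DELETE")
    user_get = ServletRequest("bob", frozenset({"fedoraUser"}), "/rest/obj1", "GET")
    user_del = ServletRequest("bob", frozenset({"fedoraUser"}), "/rest/obj1", "DELETE")
    print(admin_module(admin_del), admin_module(user_get))
    print(user_module(user_get, deny_writes_pdp), user_module(user_del, deny_writes_pdp))
    print(build_xacml_request(user_get))
```

The point of the split is visible in the two entry points: the admin module never consults a policy, so the container role is the whole decision, while the user module uses the role only to decide whether a session exists at all and pushes every per-action decision out to the PDP. Keeping the PDP behind a plain callable is what lets the policy storage question in the notes (repository nodes vs. AccessManager) be settled independently of the servlet layer.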

...