The Fedora Policy Enforcement Point Extension (PEP extension) allows you to implement one interface to enforce access control over your Fedora repository. This interface, the FedoraPolicyEnforcementPoint, has callbacks that allow you to restrict ModeShape operations and filter search results. After following these configuration steps, Fedora's REST endpoints will respond with a 403 response code when the requested action is not authorized by the PEP.

Note: Use of a PEP and Fedora-specific authorization is optional. You can also configure Fedora to run without API security. You may want to enforce only container authentication, or leave the service running completely unsecured, behind a firewall for instance. For details, see How to configure Fedora without authorization.

...

  1. Open the repo.xml file in your Fedora web application.
  2. Add your PEP implementation as a bean in this file and give it the id of "pep". Your PEP bean may include more specific configuration details than the example.
  3. Now add the Fedora ModeShape Authentication Provider bean (see repo.xml example).
  4. Make sure that your modeshapeRepofactory bean has the depends-on attribute pointing at the authenticationProvider (see repo.xml example).
  5. Open your repository.json file.
  6. Add org.fcrepo.auth.ServletContainerAuthenticationProvider as a provider in the security section. (see repository.json example)
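
A check for steps 2 to 6, as an added example that is not part of the original page or the Fedora project: it parses a repo.xml and a repository.json and reports which wiring step is missing. The `security.providers[].classname` layout of repository.json, the bean classes under `example.*`, and the sample files are assumptions constructed for illustration.

```python
import json
import xml.etree.ElementTree as ET

PROVIDER = "org.fcrepo.auth.ServletContainerAuthenticationProvider"  # from step 6

def check_pep_config(repo_xml: str, repository_json: str) -> list[str]:
    """Return a list of findings; an empty list means steps 2-6 are satisfied."""
    findings = []
    beans = {}
    for el in ET.fromstring(repo_xml).iter():
        if el.tag.rsplit("}", 1)[-1] == "bean":  # ignore the Spring XML namespace
            key = el.get("id") or el.get("name")
            if key:
                beans[key] = el
    if "pep" not in beans:
        findings.append('repo.xml: no bean with id "pep"')
    if "authenticationProvider" not in beans:
        findings.append("repo.xml: no authenticationProvider bean")
    factory = beans.get("modeshapeRepofactory")
    if factory is None:
        findings.append("repo.xml: no modeshapeRepofactory bean")
    else:
        # depends-on may list several bean names separated by commas
        deps = [d.strip() for d in (factory.get("depends-on") or "").split(",")]
        if "authenticationProvider" not in deps:
            findings.append("repo.xml: modeshapeRepofactory lacks depends-on authenticationProvider")
    # Assumed layout: {"security": {"providers": [{"classname": "..."}]}}
    providers = json.loads(repository_json).get("security", {}).get("providers", [])
    if not any(p.get("classname") == PROVIDER for p in providers):
        findings.append("repository.json: " + PROVIDER + " is not a security provider")
    return findings

# Constructed sample inputs; the example.* class names are placeholders.
GOOD_XML = """<beans xmlns="http://www.springframework.org/schema/beans">
  <bean id="pep" class="example.MyPEP"/>
  <bean id="authenticationProvider" class="example.AuthProvider"/>
  <bean id="modeshapeRepofactory" class="example.RepoFactory" depends-on="authenticationProvider"/>
</beans>"""
BAD_XML = GOOD_XML.replace(' depends-on="authenticationProvider"', "").replace('id="pep"', 'id="policy"')
GOOD_JSON = '{"security": {"providers": [{"classname": "%s"}]}}' % PROVIDER
BAD_JSON = '{"security": {"anonymous": {"roles": ["readonly"]}}}'

if __name__ == "__main__":
    for finding in check_pep_config(BAD_XML, BAD_JSON):
        print("FAIL", finding)
```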

...