...
The repository.json file contains the class name of authentication provider (under "providers") as well as the roles to be used when starting the provider module (the roles which a query is checked against). By default the org.fcrepo.auth.common.BypassSecurityServletAuthenticationProvider is used for this layer of security, as it doesn't rely on an external PrincipalProviders and provides the simplest authentication model (The module always authenticates and gives access privileges to the session).
...