The first part of the authorization describes who can access a resource. There are two ways to do this. The first is simply to name particular users with the acl:agent property, as either strings or URIs. When using URIs, the string-based username used for container-based authentication (i.e. Tomcat/Jetty authentication) must be translated into a URI. This is done by prefixing the string with a base URI that is set in the container configuration: -Dfcrepo.auth.webac.userAgent.baseUri=http://example.org/user/ and/or -Dfcrepo.auth.webac.groupAgent.baseUri=http://example.org/group/

# as strings
<> acl:agent "obiwan", "yoda" .
 
# as URI references
<> acl:agent ex:obiwan, ex:yoda .

...

(Fedora Implementation Note: This is a slight departure from the W3C's description of WebAC, where the object of the acl:agent property must be a URI. We chose instead to have the WebAC authorization module support both string literals and URIs, in order to ease its integration with existing authentication or single-sign-on systems that identify users with string usernames.)
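
The sketch below models how a container username lines up with the two acl:agent forms and with the base-URI prefixing described above. It is an added example, not Fedora's own code: the Agent class, the function names, the ex: namespace binding and the comparison rule (literals against the raw username, URIs against the prefixed form) are assumptions.

```python
from dataclasses import dataclass

# Base URI taken from the page's -D example; EX is an assumed binding of the
# ex: prefix to the same namespace, so that ex:obiwan expands underneath it.
USER_BASE_URI = "http://example.org/user/"
EX = "http://example.org/user/"


@dataclass(frozen=True)
class Agent:
    """One object of acl:agent: a string literal or a URI reference."""
    value: str
    is_uri: bool


def principal_to_uri(username: str, base_uri: str) -> str:
    """Plain prefixing, as the page describes: no separator is inserted."""
    return base_uri + username


def agent_matches(agents, username: str, base_uri: str = USER_BASE_URI) -> bool:
    """True if the container-authenticated username is named by any agent.

    Assumed rule: a literal is compared with the raw username, a URI with
    the prefixed form. A literal is never treated as a URI or vice versa.
    """
    as_uri = principal_to_uri(username, base_uri)
    for agent in agents:
        if agent.is_uri and agent.value == as_uri:
            return True
        if not agent.is_uri and agent.value == username:
            return True
    return False


# Constructed authorizations mirroring the page's two forms.
BY_STRING = [Agent("obiwan", False), Agent("yoda", False)]
BY_URI = [Agent(EX + "obiwan", True), Agent(EX + "yoda", True)]

if __name__ == "__main__":
    print(agent_matches(BY_STRING, "obiwan"))  # named as a string
    print(agent_matches(BY_URI, "obiwan"))     # named as a URI
    # Base URI configured without its trailing slash: the prefixed form
    # becomes http://example.org/userobiwan and no longer matches ex:obiwan.
    print(agent_matches(BY_URI, "obiwan", "http://example.org/user"))
```

Because the translation is pure concatenation, the configured base URI has to agree character for character with the namespace used in the ACL, trailing slash included.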

...