...
The superuser role is fedoraAdmin. This is comparable to the fedoraAdmin superuser role in Fedora 3, used for Fedora 3 API-M operations.
Table of Contents |
---|
Info |
---|
If you are starting from the pre-packaged authorization war file (fcrepo-webapp-<version>-auth.war), you should skip to step #4 below. |
The Fedora authorization modules reside in separate source code modules from the core Fedora web-application.
- WebAC : https://github.com/fcrepo4/fcrepo-module-auth-webac
- RBACL : https://github.com/fcrepo4/fcrepo-module-auth-rbacl
- XACML : https://github.com/fcrepo4/fcrepo-module-auth-xacml
Warning |
---|
As of Fedora 4.7.4, the RBACL and XACML authorization modules are officially deprecated, and will not be included in future releases of Fedora. Subsequent Fedora releases will only include the WebAC authorization module. |
As a result, each release includes pre-built Fedora "webapp-plus" war files that have the authorization modules included. You are recommended to use one of these "webapp-plus" war files as a starting point for having an authorization-enabled deployment.
- Webapp-plus releases: https://github.com/fcrepo4-exts/fcrepo-webapp-plus/releases
You can then follow the guidelines in the Best Practices - Fedora Configuration document to specify site-specific "repo.xml" and "repository.json" configurations, as further described below.
Configure your repo.xml file
Add the beans authenticationProvider and fad to your repo.xml file, and make the modeshapeRepofactory bean dependent on authenticationProvider. Use the class org.fcrepo.auth.ServletContainerAuthenticationProvider as your authentication provider. Here is an example repo.xml that configures authentication and authorization using the Basic Roles authorization delegate.
To specify a local repo.xml configuration, provide the system property as follows:
Code Block JAVA_OPTS="... -Dfcrepo.spring.repo.configuration=file:/local/repo.xml"
Code Block language xml title repo.xml with authentication configured <?xml version="1.0" encoding="UTF-8"?> <beans xmlns="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:context="http://www.springframework.org/schema/context" xmlns:p="http://www.springframework.org/schema/p" xmlns:util="http://www.springframework.org/schema/util" xsi:schemaLocation=" http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.0.xsd http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context-3.0.xsd http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util.xsd"> <!-- Context that supports the actual ModeShape JCR itself --> <context:annotation-config/> <bean name="modeshapeRepofactory" class="org.fcrepo.kernel.implmodeshape.spring.ModeShapeRepositoryFactoryBean" p:repositoryConfiguration="${fcrepo.modeshape.configuration:classpath:/config/servlet-auth/repository.json}" depends-on="authenticationProvider"/> <bean class="org.modeshape.jcr.JcrRepositoryFactory"ModeShapeEngine" init-method="start"/> <bean id="connectionManager" class="org.apache.http.impl.conn.PoolingHttpClientConnectionManager" /> <!-- Optional PrincipalProvider that will inspect the request header, "some-header", for user role values --> <bean name="headerProvider" class="org.fcrepo.auth.common.HttpHeaderPrincipalProvider"> <property name="headerName" value="some-header"/> <property name="separator" value=","/> </bean> <util:set id="principalProviderSet"> <ref bean="headerProvider"/> </util:set> <bean name="fad" class="org.fcrepo.auth.roles.basic.BasicRolesAuthorizationDelegate"/> <bean name="authenticationProvider" class="org.fcrepo.auth.common.ServletContainerAuthenticationProvider"> <property name="fad" ref="fad"/> <property name="principalProviders" ref="principalProviderSet"/> </bean> <!-- For the time being, load annotation config here too --> <bean class="org.fcrepo.metrics.MetricsConfig"/> </beans>
Configure your repository.json file
Modify the security section to enable both authenticated (via authentication provider) and internal sessions between Fedora and ModeShape. It should match
To specify a local repository.json configuration, provide the system property as follows:
Code Block JAVA_OPTS="... -Dfcrepo.modeshape.configuration=file:/local/repository.json"
It should contain a "security" element that matches this block:
Code Block language ruby title repository.json security "security" : { "anonymous" : { "roles" : ["readonly","readwrite","admin"], "useOnFailedLogin" : false }, "providers" : [ { "classname" : "org.fcrepo.auth.common.ServletContainerAuthenticationProvider" } ] },
Configure your web.xml
Configure your web.xml.Modify fcrepo-webapp/src/main/webapp/WEB-INF/web.xml by uncommenting the security configuration
Code Block <!--Uncomment section below to enable Basic-Authentication--> <security-constraint> <web-resource-collection> <web-resource-name>Fedora4</web-resource-name> <url-pattern>/*</url-pattern> <http-method>DELETE</http-method> <http-method>PUT</http-method> <http-method>HEAD</http-method> <http-method>OPTIONS</http-method> <http-method>PATCH</http-method> <http-method>GET</http-method> <http-method>POST</http-method> </web-resource-collection> <auth-constraint> <role-name>fedoraUser</role-name> <role-name>fedoraAdmin</role-name> </auth-constraint> <user-data-constraint> <transport-guarantee>NONE</transport-guarantee> </user-data-constraint> </security-constraint> <login-config> <auth-method>BASIC</auth-method> <realm-name>fcrepo</realm-name> </login-config>
Note The "auth-constraint" element must contain the roles defined as your users (see below for jetty and tomcat). Configure your web application container
...