...
Code Block | ||
---|---|---|
| ||
<!-- Optional PrincipalProvider that will inspect the request header, "some-header", for user role values --> <bean name="headerProvider" class="org.fcrepo.auth.common.HttpHeaderPrincipalProvider"> <property name="headerName" value="some-header"/> <property name="separator" value=","/> </bean> <bean name="authenticationProvider" class="org.fcrepo.auth.common.ServletContainerAuthenticationProvider" p:fad-ref="fad" p:principalProviders-ref="headerProvider"/> |
Delegate Header Principal Provider
DelegateHeaderPrincipalProvider is a Principal Provider that uses the On-Behalf-Of
HTTP header to switch the user principal to the principal given in the header. This switch is only performed if the authenticated user has the fedoraAdmin container role.
Code Block | ||
---|---|---|
| ||
<bean name="delegatedPrincipalProvider" class="org.fcrepo.auth.common.DelegateHeaderPrincipalProvider"/>
<bean name="authenticationProvider" class="org.fcrepo.auth.common.ServletContainerAuthenticationProvider"
p:fad-ref="fad" p:principalProviders-ref="delegatedPrincipalProvider"/> |
Implementation Details
The Fedora class org.fcrepo.auth.common.ServletContainerAuthenticationProvider contains a list of PrincipalProvider derivative instances that are called for every authentication query. The union of the authentication traits of the PrincipalProvider instances will be assigned to the FEDORA_ALL_PRINCIPALS session attribute. In the case that the user is has the fedoraAdmin role, a FedoraAdminSecurityContext is provided as the users SecurityContext. If the user does not have the fedoraAdmin role, an ExecutionContext is provided as the users SecurityContext.
...