This authorization delegate makes decisions based on the four basic roles of "metadata reader", "reader", "writer", and "admin". These roles are assigned to principals on Fedora resources. Assigned roles are inherited through the repository tree until blocked by another assignment.
...
This authorization delegate makes use of the Access Roles Module to assign and query roles in the repository.
Roles
- metadata reader - can retrieve information about Fedora Containers, but cannot retrieve content
- reader - can retrieve information about Fedora Containers, including content
- writer - all permissions of reader; can create, modify and delete Fedora Containers
- admin - all permissions of writer; can modify the roles assigned to Fedora Containers
Policy
The permissions granted to these roles are fixed. Rather than consulting any kind of declarative policy, this authorization delegate has hard-coded role-permission assignments in the source code.
Role/Permission Matrix
Permission | metadata reader | reader | writer | admin |
---|---|---|---|---|
read properties | X | X | X | X |
read content | | X | X | X |
write | | | X | X |
write roles | | | | X |
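The matrix above combined with the inheritance rule from the introduction, as an added Java model (not code from Fedora or from this page). The class and method names, the paths and the principals `alice` and `bob` are hypothetical; it assumes that the nearest assignment on the way to the root replaces inherited roles, and that no assignment anywhere means deny.

```java
import java.util.*;

public class BasicRolesModel {
    enum Permission { READ_PROPERTIES, READ_CONTENT, WRITE, WRITE_ROLES }
    // Fixed role -> permission matrix, mirroring the table on this page.
    static final Map<String, EnumSet<Permission>> MATRIX = new HashMap<>();
    // path -> (principal -> roles): constructed sample data, not a Fedora API.
    static final Map<String, Map<String, Set<String>>> ASSIGNMENTS = new HashMap<>();
    static {
        MATRIX.put("metadata reader", EnumSet.of(Permission.READ_PROPERTIES));
        MATRIX.put("reader", EnumSet.of(Permission.READ_PROPERTIES, Permission.READ_CONTENT));
        MATRIX.put("writer", EnumSet.of(Permission.READ_PROPERTIES, Permission.READ_CONTENT, Permission.WRITE));
        MATRIX.put("admin", EnumSet.allOf(Permission.class));
    }

    static void assign(String path, String principal, String role) {
        ASSIGNMENTS.computeIfAbsent(path, k -> new HashMap<>())
                   .computeIfAbsent(principal, k -> new TreeSet<>()).add(role);
    }
    // Walk from an absolute path towards "/". The nearest node carrying any assignment
    // decides and hides everything above it (assumed reading of "until blocked").
    static Set<String> effectiveRoles(String path, Set<String> principals) {
        while (true) {
            Map<String, Set<String>> acl = ASSIGNMENTS.get(path);
            if (acl != null) {
                Set<String> roles = new TreeSet<>();
                for (String who : principals) roles.addAll(acl.getOrDefault(who, Collections.emptySet()));
                return roles;
            }
            if (path.equals("/")) return Collections.emptySet(); // nothing assigned: deny (example's choice)
            int cut = path.lastIndexOf('/');
            path = cut == 0 ? "/" : path.substring(0, cut);
        }
    }
    // A request is allowed when any effective role grants the action in the fixed matrix.
    static boolean isPermitted(String path, Set<String> principals, Permission action) {
        for (String role : effectiveRoles(path, principals))
            if (MATRIX.getOrDefault(role, EnumSet.noneOf(Permission.class)).contains(action)) return true;
        return false;
    }
    public static void main(String[] args) {
        assign("/", "alice", "admin");
        assign("/", "bob", "writer");
        assign("/restricted", "bob", "metadata reader"); // blocks inheritance below /restricted
        Set<String> bob = Collections.singleton("bob"), alice = Collections.singleton("alice");
        System.out.println("bob WRITE /public/report: " + isPermitted("/public/report", bob, Permission.WRITE));
        System.out.println("bob READ_CONTENT /restricted/report: " + isPermitted("/restricted/report", bob, Permission.READ_CONTENT));
        System.out.println("alice WRITE_ROLES /restricted/report: " + isPermitted("/restricted/report", alice, Permission.WRITE_ROLES));
    }
}
```

In this model the assignment on `/restricted` names only `bob`, so `alice` no longer holds her inherited admin role beneath it. When reviewing role assignments, check that each blocking assignment still lists the principals who must administer that subtree.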
...
```xml
<bean name="modeshapeRepofactory" class="org.fcrepo.kernel.spring.ModeShapeRepositoryFactoryBean"
<bean name="fad" class="org.fcrepo.auth.roles.basic.BasicRolesAuthorizationDelegate"/>
<bean name="authenticationProvider" class="org.fcrepo.auth.common.ServletContainerAuthenticationProvider">
```
Edit your repository.json file to enable an authenticated internal session between Fedora and ModeShape, so that the security section matches the example shown:
```json
"security" : {
```