Versions Compared

Old Version 17

changes.mady.by.user Andrew Woods

Saved on

compared with

New Version Current

changes.mady.by.user David Wilcox

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

The superuser role is fedoraAdmin.  This is comparable to the fedoraAdmin superuser role in Fedora 3, used for Fedora 3 API-M operations.

Table of Contents

Info

If you are starting from the pre-packaged authorization war file (fcrepo-webapp-<version>-auth.war), you should skip to step #4 below.

 

  1. Configure your repo.xml file

    Add the beans authenticationProvider and pep fad to your repo.xml file, and make the modeshapeRepofactory bean dependent on authenticationProvider.  Use the class org.fcrepo.auth.ServletContainerAuthenticationProvider as your authentication provider.  Here is an example repo.xml that configures authentication and authorization using the Basic Roles PEPauthorization delegate:

    Code Block
    languagexml
    titlerepo.xml with authentication configured
    <?xml version="1.0"   <bean name="modeshapeRepofactoryencoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    classxmlns:context="org.fcrepo.kernel.spring.ModeShapeRepositoryFactoryBean"http://www.springframework.org/schema/context"
    xmlns:p="http://www.springframework.org/schema/p"
    xmlns:util="http://www.springframework.org/schema/util"
    xsi:schemaLocation="
    http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
    http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context-3.0.xsd
    http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util.xsd">

    <!-- Context that supports the actual ModeShape JCR itself -->

    <context:annotation-config/>

    <bean name="modeshapeRepofactory"
                                       class="org.fcrepo.kernel.impl.spring.ModeShapeRepositoryFactoryBean"
        p:repositoryConfiguration="${fcrepo.modeshape.configuration:classpath:/config/restservlet-sessionsauth/repository.json}"                                          
        depends-on="authenticationProvider"/>

    <bean class="org.modeshape.jcr.JcrRepositoryFactory"/>

    <!-- Optional PrincipalProvider that will inspect the request header, "some-header", for user role values -->
    <bean name="headerProvider" class="org.fcrepo.auth.common.HttpHeaderPrincipalProvider">
        <property name="headerName" value="some-header"/>
        <property name="separator" value=","/>
    </bean>

    <util:set id="principalProviderSet">
        <ref bean="headerProvider"/>
                                               
                                                                                                                                                               </util:set>

    <bean name="pepfad" class="org.fcrepo.auth.roles.basic.BasicRolesPEPBasicRolesAuthorizationDelegate"/>                                                                                       
                                                                                                                                                               
    <bean name="authenticationProvider" 
		class="org.fcrepo.auth.common.ServletContainerAuthenticationProvider">
        <property                                                name="fad" ref="fad"/>
        <property name="pepprincipalProviders" ref="pepprincipalProviderSet"/>
    </bean>

    <!-- For the time being, load annotation config here too -->
                                                                                                     
    </bean>

<bean class="org.fcrepo.metrics.MetricsConfig"/>
</beans>

  2. Configure your repository.json file

    Modify the security section to enable both authenticated (via authentication provider) and internal sessions between Fedora and ModeShape.  It should match this block:

    Code Block
    languageruby
    titlerepository.json security
    "security" : {        
        "anonymous" : {
            "roles" : ["readonly","readwrite","admin"],
            "useOnFailedLogin" : false
        },
        "providers" : [
            { "classname" : "org.fcrepo.auth.common.ServletContainerAuthenticationProvider" }
        ]
    },

  3. Configure your web.xml

    Configure your web.xml.

    Modify fcrepo-webapp/src/main/webapp/WEB-INF/web.xml by uncommenting the security configuration

    Code Block
      <!--Uncomment section below to enable Basic-Authentication-->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Fedora4</web-resource-name>
      <url-pattern>/*</url-pattern>
      <http-method>DELETE</http-method>
      <http-method>PUT</http-method>
      <http-method>HEAD</http-method>
      <http-method>OPTIONS</http-method>
      <http-method>PATCH</http-method>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint>
      <role-name>fedoraUser</role-name>
      <role-name>fedoraAdmin</role-name>
    </auth-constraint>
    <user-data-constraint>
      <transport-guarantee>NONE</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
  <login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>fcrepo</realm-name>
  </login-config>
    Note
    The "auth-constraint" element must contain the roles defined as your users (see below for jetty and tomcat).

  4. Configure your web application container

...

  • Tomcat

    • Create or edit your $CATALINA_HOME/conf/tomcat-users.xml file.  It has entries of the form
       <user name="principal" password="password" roles="role1, role2, ..." />

      where:

      • name is the user's login id (the principal)
      • password is the user's password
      • roles are the servlet roles they are assigned upon login;  tomcat allows you to specify any number of roles (or no role at all).  Fedora currently supports two roles:  fedoraAdmin, which is the superuser role, and has rights to do everything;  and fedoraUser, which is a user role, and must be granted permissions by the Policy Enforcement Point to perform actions.

      Sample tomcat-users.xml file that contains three users, two of whom are regular users, and the third of whom (fedoraAdmin) is a Fedora superuser:

      Code Block
      languagexml
      titletomcat-users.xml
      <tomcat-users>
  <role rolename="fedoraUser" />
  <role rolename="fedoraAdmin" />
  <user name="testuser" password="password1" roles="fedoraUser" />
  <user name="adminuser" password="password2" roles="fedoraUser" />
  <user name="fedoraAdmin" password="secret3" roles="fedoraAdmin" />
</tomcat-users>

    • Configure your Tomcat login realm.
      Modify your file $CATALINA_HOME/conf/server.xml file to configure the login realm with the Fedora 4 webapp context:

      Code Block
      languagexml
      titleTomcat server.xml Realm
      <Context>
...
  <Realm className="org.apache.catalina.realm.UserDatabaseRealm"
         resourceName="UserDatabase" />
</Context>

      See the Tomcat Realms documentation for more details.
       

    • Configure your web.xml

      Modify fcrepo-webapp/src/main/webapp/WEB-INF/web.xml by uncommenting the security configuration

      Code Block
        <!--Uncomment section below to enable Basic-Authentication-->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Fedora4</web-resource-name>
      <url-pattern>/*</url-pattern>
      <http-method>DELETE</http-method>
      <http-method>PUT</http-method>
      <http-method>HEAD</http-method>
      <http-method>OPTIONS</http-method>
      <http-method>PATCH</http-method>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint>
      <role-name>fedoraUser</role-name>
      <role-name>fedoraAdmin</role-name>
    </auth-constraint>
    <user-data-constraint>
      <transport-guarantee>NONE</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
  <login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>fcrepo</realm-name>
  </login-config>

      Note, the "auth-constraint" element must contain the roles previously defined in your server.xml file.

...