...

The superuser role is fedoraAdmin.  This is comparable to the fedoraAdmin superuser role in Fedora 3, used for Fedora 3 API-M operations.

If you are starting from the pre-packaged authorization war file (fcrepo-webapp-<version>-auth.war), you should skip to step #4 below.

 

  1. Configure your repo.xml file

    Add the beans authenticationProvider and fad to your repo.xml file, and make the modeshapeRepofactory bean dependent on authenticationProvider.  Use the class org.fcrepo.auth.common.ServletContainerAuthenticationProvider as your authentication provider.  Here is an example repo.xml that configures authentication and authorization using the Basic Roles authorization delegate:

    Code Block
    languagexml
    titlerepo.xml with authentication configured
    <?xml version="1.0" encoding="UTF-8"?>
    <beans xmlns="http://www.springframework.org/schema/beans"
        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
        xmlns:context="http://www.springframework.org/schema/context"
        xmlns:p="http://www.springframework.org/schema/p"
        xmlns:util="http://www.springframework.org/schema/util"
        xsi:schemaLocation="
        http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
        http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context-3.0.xsd
        http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util.xsd">

        <!-- Context that supports the actual ModeShape JCR itself -->

        <context:annotation-config/>

        <bean name="modeshapeRepofactory"
            class="org.fcrepo.kernel.impl.spring.ModeShapeRepositoryFactoryBean"
            p:repositoryConfiguration="${fcrepo.modeshape.configuration:classpath:/config/servlet-auth/repository.json}"
            depends-on="authenticationProvider"/>

        <bean class="org.modeshape.jcr.JcrRepositoryFactory"/>

        <!-- Optional PrincipalProvider that will inspect the request header, "some-header", for user role values -->
        <bean name="headerProvider" class="org.fcrepo.auth.common.HttpHeaderPrincipalProvider">
            <property name="headerName" value="some-header"/>
            <property name="separator" value=","/>
        </bean>

        <util:set id="principalProviderSet">
            <ref bean="headerProvider"/>
        </util:set>

        <!-- Authorization delegate: decides what an authenticated fedoraUser may do -->
        <bean name="fad" class="org.fcrepo.auth.roles.basic.BasicRolesAuthorizationDelegate"/>

        <bean name="authenticationProvider"
            class="org.fcrepo.auth.common.ServletContainerAuthenticationProvider">
            <property name="fad" ref="fad"/>
            <property name="principalProviders" ref="principalProviderSet"/>
        </bean>

        <bean class="org.fcrepo.metrics.MetricsConfig"/>
    </beans>
  2. Configure your repository.json file

    Modify the security section to enable both authenticated (via authentication provider) and internal sessions between Fedora and ModeShape.  It should match this block:

    Code Block
    languageruby
    titlerepository.json security
    "security" : {
        "anonymous" : {
            "roles" : ["readonly","readwrite","admin"],
            "useOnFailedLogin" : false
        },
        "providers" : [
            { "classname" : "org.fcrepo.auth.common.ServletContainerAuthenticationProvider" }
        ]
    },
  3. Configure your web.xml

    Modify fcrepo-webapp/src/main/webapp/WEB-INF/web.xml by uncommenting the security configuration:

    Code Block
      <!--Uncomment section below to enable Basic-Authentication-->
      <security-constraint>
        <web-resource-collection>
          <web-resource-name>Fedora4</web-resource-name>
          <url-pattern>/*</url-pattern>
          <http-method>DELETE</http-method>
          <http-method>PUT</http-method>
          <http-method>HEAD</http-method>
          <http-method>OPTIONS</http-method>
          <http-method>PATCH</http-method>
          <http-method>GET</http-method>
          <http-method>POST</http-method>
        </web-resource-collection>
        <auth-constraint>
          <role-name>fedoraUser</role-name>
          <role-name>fedoraAdmin</role-name>
        </auth-constraint>
        <user-data-constraint>
          <transport-guarantee>NONE</transport-guarantee>
        </user-data-constraint>
      </security-constraint>
      <login-config>
        <auth-method>BASIC</auth-method>
        <realm-name>fcrepo</realm-name>
      </login-config>
    Note
    The "auth-constraint" element must contain the roles defined for your users in the container (see below for Jetty and Tomcat).
  4. Configure your web application container

...

  • Tomcat

    • Create or edit your $CATALINA_HOME/conf/tomcat-users.xml file.  It has entries of the form
       <user name="principal" password="password" roles="role1, role2, ..." />

      where:

      • name is the user's login id (the principal)
      • password is the user's password
      • roles are the servlet roles they are assigned upon login; Tomcat allows you to specify any number of roles (or no role at all).  Fedora currently supports two roles: fedoraAdmin, which is the superuser role and has rights to do everything; and fedoraUser, which is a user role and must be granted permissions by the authorization delegate to perform actions.

      Sample tomcat-users.xml file that contains three users, two of whom are regular users, and the third of whom (fedoraAdmin) is a Fedora superuser:

      Code Block
      languagexml
      titletomcat-users.xml
      <tomcat-users>
        <role rolename="fedoraUser" />
        <role rolename="fedoraAdmin" />
        <user name="testuser" password="password1" roles="fedoraUser" />
        <user name="adminuser" password="password2" roles="fedoraUser" />
        <user name="fedoraAdmin" password="secret3" roles="fedoraAdmin" />
      </tomcat-users>
    • Configure your Tomcat login realm.
      Modify $CATALINA_HOME/conf/server.xml to configure the login realm within the Fedora 4 webapp context:

      Code Block
      languagexml
      titleTomcat server.xml Realm
      <Context>
      ...
        <Realm className="org.apache.catalina.realm.UserDatabaseRealm"
               resourceName="UserDatabase" />
      </Context>

      See the Tomcat Realms documentation for more details.
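The configuration above is spread over three files that have to agree with each other: the role names in the web.xml auth-constraint, the roles declared and assigned in tomcat-users.xml, and the security section of repository.json. As an added example (not part of this page or of the Fedora project), the following Python script parses all three and reports mismatches. The sample inputs are constructed inline from the snippets on this page; the finding texts, the helper names and the FEDORA_ROLES set are this example's own assumptions.

```python
"""Cross-check the Fedora 4 auth configuration files against each other."""
import json
import xml.etree.ElementTree as ET

# Constructed sample inputs: the snippets shown on this page, trimmed.
WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Fedora4</web-resource-name>
      <url-pattern>/*</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint>
      <role-name>fedoraUser</role-name>
      <role-name>fedoraAdmin</role-name>
    </auth-constraint>
    <user-data-constraint>
      <transport-guarantee>NONE</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
  <login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>fcrepo</realm-name>
  </login-config>
</web-app>"""

TOMCAT_USERS_XML = """<tomcat-users>
  <role rolename="fedoraUser" />
  <role rolename="fedoraAdmin" />
  <user name="testuser" password="password1" roles="fedoraUser" />
  <user name="adminuser" password="password2" roles="fedoraUser" />
  <user name="fedoraAdmin" password="secret3" roles="fedoraAdmin" />
</tomcat-users>"""

REPOSITORY_JSON = """{
  "security" : {
    "anonymous" : {
      "roles" : ["readonly","readwrite","admin"],
      "useOnFailedLogin" : false
    },
    "providers" : [
      { "classname" : "org.fcrepo.auth.common.ServletContainerAuthenticationProvider" }
    ]
  }
}"""

FEDORA_ROLES = {"fedoraUser", "fedoraAdmin"}  # the only roles Fedora 4 itself understands
PROVIDER = "org.fcrepo.auth.common.ServletContainerAuthenticationProvider"


def elements(root, name):
    """Yield elements by local name, ignoring the default namespace web.xml usually carries."""
    for el in root.iter():
        if el.tag.rsplit("}", 1)[-1] == name:
            yield el


def texts(root, name):
    """Set of the text contents of all elements with the given local name."""
    return {el.text.strip() for el in elements(root, name) if el.text}


def user_roles(user_el):
    """Roles of one <user> entry; Tomcat accepts a comma-separated list."""
    return {s.strip() for s in user_el.get("roles", "").split(",") if s.strip()}


def check_auth_config(web_xml, tomcat_users_xml, repository_json):
    """Return a list of findings; an empty list means the three files agree."""
    findings = []
    web = ET.fromstring(web_xml)
    users = ET.fromstring(tomcat_users_xml)

    constrained = texts(web, "role-name")
    declared = {r.get("rolename") for r in elements(users, "role")}

    # Every role named in auth-constraint must exist in the container's realm.
    for role in sorted(constrained - declared):
        findings.append(f"role {role!r} in web.xml auth-constraint is not declared in tomcat-users.xml")
    # A user with no accepted role can authenticate but is always rejected by the constraint.
    for u in elements(users, "user"):
        if not user_roles(u) & constrained:
            findings.append(f"user {u.get('name')!r} has no role accepted by the web.xml auth-constraint")
    # Roles outside fedoraUser/fedoraAdmin pass the container but mean nothing to Fedora.
    for role in sorted(constrained - FEDORA_ROLES):
        findings.append(f"role {role!r} is not a Fedora role (expected fedoraUser or fedoraAdmin)")
    # BASIC sends the password base64-encoded on every request; only CONFIDENTIAL forces TLS.
    if "BASIC" in texts(web, "auth-method") and "CONFIDENTIAL" not in texts(web, "transport-guarantee"):
        findings.append("BASIC auth with transport-guarantee NONE: credentials travel in cleartext "
                        "unless TLS is terminated in front of the container")

    # repository.json: a failed login must not fall back to the anonymous roles.
    security = json.loads(repository_json)["security"]
    if security.get("anonymous", {}).get("useOnFailedLogin") is not False:
        findings.append("repository.json: anonymous.useOnFailedLogin must be false")
    providers = {p.get("classname") for p in security.get("providers", [])}
    if PROVIDER not in providers:
        findings.append(f"repository.json: provider {PROVIDER} is not configured")
    return findings


if __name__ == "__main__":
    for line in check_auth_config(WEB_XML, TOMCAT_USERS_XML, REPOSITORY_JSON):
        print("FINDING:", line)
```

Run against the page's own snippets the script reports a single finding, the BASIC-over-NONE transport guarantee; dropping the fedoraAdmin role declaration from tomcat-users.xml or setting useOnFailedLogin to true each add one more.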

...