Versions Compared

Old Version 2

changes.mady.by.user Andrew Woods

Saved on

compared with

New Version Current

changes.mady.by.user Peter Winckles

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

Different derivatives of the PrincipalProvider class can be initialized differently, either through the repository.json file, other credential files, from information sent via HTTP header, or by connecting to external information sources such as LDAP.

Warning

The container roles provider and header provider should not be used at the same time, and doing so will lead to undefined results.

Configuration

Principal providers are configured in Fedora's Spring configuration by doing the following:

  1. Add a <bean> definition for the desired provider, including any necessary configuration parameters. See below for the configuration parameters for the providers that exist in Fedora's core codebase.
  2. Add the name of the bean to the filterChainDefinitions line in the configuration of the org.apache.shiro.spring.web.ShiroFilterFactoryBean. The relevant line starts with /**, which means "filter all requests". What follows is a comma-separated list of filter bean names. The request proceeds through the filters from left to right.

Container Roles Principal Provider

ContainerRolesPrincipalProvider is a PrincpalProivder that obtains its set of principals from web.xml.

  1. Enable this provider by setting the configuration property fcrepo.auth.principal.roles.enabled to true.
  2. Set fcrepo.auth.principal.roles.list to a comma separated list of roles
  3. Update your web.xml auth-constraint element to contain your custom roles

For example, your fcrepo.properties file might look like thisHere is the complete default Spring filter configuration used by the fcrepo-webapp:

Code Block
languagexmltext
titleSpring configuration of principal providers as filtersfcrepo.properties
<!-- Authentication Filter -->
<bean id="servletContainerAuthFilter" class="org.fcrepo.auth.principal.common.ServletContainerAuthFilter"/>

<!-- Principal Provider Filter: Delegate Header -->
<bean name="delegatedPrincipalProvider" class="org.fcrepo.auth.common.DelegateHeaderPrincipalProvider"/>

<!-- Authorization Filter -->
<bean id="webACFilter" class="org.roles.enabled=true
fcrepo.auth.webac.WebACFilter"/>

<!-- connect the filters into a chain -->
<bean id="shiroFilter" class="org.apache.shiro.spring.web.ShiroFilterFactoryBean">
  <property name="securityManager" ref="securityManager"/>
  <property name="filterChainDefinitions">
    <value>
      <!-- The Auth filter should come first, followed by 0 or more of the principal provider filters, -->
      <!-- and finally the webACFilter -->
      /** = servletContainerAuthFilter,delegatedPrincipalProvider,webACFilter
    </value>
  </property>
</bean>

Classes

Container Roles Principal Provider

principal.roles.list=fedoraUser,fedoraAdmin,tomcat-role-1,tomcat-role-2

And your web.xml would be updated to look like this:ContainerRolesPrincipalProvider is a PrincpalProivder that obtains its set of principals from web.xml.

Code Block
languagexml
titleSpring bean configuration
<bean name="containerRolesProvider" class="org.fcrepo.auth.common.ContainerRolesPrincipalProvider">
  <property name="roleNames">
    <util:set set-class="java.util.HashSet">
      <value>tomcat-role-1</value>
      <value>tomcat-role-2</value>
    </util:set>
  </property>
</bean>

New roles must be specified in web.xml as shown below.

web.xml
<web-app>
  ...
  <security-constraint>
    ...
    <auth-constraint>
      <role
Code Block
languagetext
titleweb.xml
<auth-constraint>
  <role-name>fedoraUser</role-name>
  <role      <role-name>fedoraAdmin</role-name>
  <role     <role-name>tomcat-role-1</role-name>
  <role     <role-name>tomcat-role-2</role-name>
<    </auth-constraint>

...


  </securty-constraint>
</web-app>

HTTP Header Principal Provider

HttpHeaderPrincipalProvider is a Principal Provider that obtains its initial set of principals from HTTP header requests.

  1. Enable this provider by setting the configuration property fcrepo.auth.principal.header.enabled to true.
  2. Set fcrepo.auth.principal.header.name to the name of the header that contains the principals
  3. Set fcrepo.auth.principal.header.separator to the character that is used to separate multiple principals in the header

For example, your fcrepo.properties file might look like this:

Code Block
languagexmltext
titleSpring bean configurationfcrepo.properties
fcrepo.auth.principal.header.enabled=true fcrepo.auth.principal.header.name=x-principal-header
fcrepo.auth.principal.header.separator=,<!-- Optional PrincipalProvider that will inspect the request header, "some-header", for user role values -->
<bean name="headerProvider" class="org.fcrepo.auth.common.HttpHeaderPrincipalProvider">
  <property name="headerName" value="some-header"/>
  <property name="separator" value=","/>
</bean>

Delegate Header Principal Provider

DelegateHeaderPrincipalProvider is a Principal Provider that uses the On-Behalf-Of HTTP header to switch the user principal to the principal given in the header. This switch is only performed if the authenticated user has the fedoraAdmin container role.

Code Block
languagexml
titleSpring bean configuration
<bean name="delegatedPrincipalProvider" class="org.fcrepo.auth.common.DelegateHeaderPrincipalProvider"/>

...

This provider is enabled by default. To disable it, set fcrepo.auth.principal.delegate.enabled to false.