...
Different derivatives of the PrincipalProvider class can be initialized differently, either through credential files, information sent via HTTP header, or by connecting to external information sources such as LDAP.
Warning: The container roles provider and the header provider should not be used at the same time; doing so will lead to undefined results.
Configuration
Principal providers are configured in Fedora's Spring configuration by doing the following:
- Add a <bean> definition for the desired provider, including any necessary configuration parameters. See below for the configuration parameters for the providers that exist in Fedora's core codebase.
- Add the name of the bean to the filterChainDefinitions line in the configuration of the org.apache.shiro.spring.web.ShiroFilterFactoryBean. The relevant line starts with /**, which means "filter all requests". What follows is a comma-separated list of filter bean names. The request proceeds through the filters from left to right, so the authentication filter must come first and the authorization (WebAC) filter last.
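The ordering rules above can be checked mechanically before a deployment goes live. The following script is an added example, not fcrepo's own code: it parses a Spring XML configuration and reports a /** chain that does not start with the authentication filter, does not end with the WebAC filter, references a filter bean that is never defined, or combines the container roles provider with the HTTP header provider (the combination the warning above forbids). The class names are the ones this page uses; the two XML documents inside the script are constructed for the example.

```python
"""Sanity-check a Shiro filterChainDefinitions entry against the rules this page states.

Added example, not part of fcrepo: it parses a Spring XML configuration and
verifies that the /** chain starts with the authentication filter, ends with the
WebAC filter, references only beans that are actually defined, and does not
combine the container roles provider with the HTTP header provider.
The two XML documents at the bottom are constructed for this example.
"""
import xml.etree.ElementTree as ET

AUTH_FILTER = "org.fcrepo.auth.common.ServletContainerAuthFilter"
WEBAC_FILTER = "org.fcrepo.auth.webac.WebACFilter"
SHIRO_FACTORY = "org.apache.shiro.spring.web.ShiroFilterFactoryBean"
# Per the warning on this page, these two providers must not share a chain.
CONFLICTING = {
    "org.fcrepo.auth.common.ContainerRolesPrincipalProvider",
    "org.fcrepo.auth.common.HttpHeaderPrincipalProvider",
}


def _local(tag):
    """Strip the namespace from an element tag (real Spring files declare xmlns)."""
    return tag.rsplit("}", 1)[-1]


def parse_spring_config(xml_text):
    """Return (beans, chains): bean id/name -> class, and URL pattern -> filter names."""
    beans, chains = {}, {}
    for bean in ET.fromstring(xml_text).iter():
        if _local(bean.tag) != "bean":
            continue
        name = bean.get("id") or bean.get("name")
        if name:
            beans[name] = bean.get("class", "")
        if bean.get("class") != SHIRO_FACTORY:
            continue
        for prop in bean:
            if _local(prop.tag) == "property" and prop.get("name") == "filterChainDefinitions":
                # XML comments are dropped by the parser, so only the chain lines remain.
                for line in "".join(prop.itertext()).splitlines():
                    pattern, sep, filters = line.partition("=")
                    if sep:
                        chains[pattern.strip()] = [f.strip() for f in filters.split(",") if f.strip()]
    return beans, chains


def check_filter_chain(xml_text, pattern="/**"):
    """Return a list of problems; an empty list means the chain follows the page's rules."""
    beans, chains = parse_spring_config(xml_text)
    chain = chains.get(pattern, [])
    if not chain:
        return [f"no filter chain defined for {pattern}"]
    problems = [f"filter '{n}' has no bean definition" for n in chain if n not in beans]
    classes = [beans.get(n, "") for n in chain]
    if classes[0] != AUTH_FILTER:
        problems.append("chain must start with ServletContainerAuthFilter")
    if classes[-1] != WEBAC_FILTER:
        problems.append("chain must end with WebACFilter (authorization runs last)")
    if CONFLICTING <= set(classes):
        problems.append("container roles provider and HTTP header provider must not be used together")
    return problems


# Constructed sample 1: the default fcrepo-webapp chain, which should pass.
DEFAULT_CONFIG = """<beans>
  <bean id="servletContainerAuthFilter" class="org.fcrepo.auth.common.ServletContainerAuthFilter"/>
  <bean name="delegatedPrincipalProvider" class="org.fcrepo.auth.common.DelegateHeaderPrincipalProvider"/>
  <bean id="webACFilter" class="org.fcrepo.auth.webac.WebACFilter"/>
  <bean id="shiroFilter" class="org.apache.shiro.spring.web.ShiroFilterFactoryBean">
    <property name="securityManager" ref="securityManager"/>
    <property name="filterChainDefinitions">
      <value>
        <!-- auth first, providers in the middle, webAC last -->
        /** = servletContainerAuthFilter,delegatedPrincipalProvider,webACFilter
      </value>
    </property>
  </bean>
</beans>"""

# Constructed sample 2: both providers in one chain, WebAC not last, one undefined filter.
BAD_CONFIG = """<beans>
  <bean id="servletContainerAuthFilter" class="org.fcrepo.auth.common.ServletContainerAuthFilter"/>
  <bean name="containerRolesProvider" class="org.fcrepo.auth.common.ContainerRolesPrincipalProvider"/>
  <bean name="headerProvider" class="org.fcrepo.auth.common.HttpHeaderPrincipalProvider"/>
  <bean id="webACFilter" class="org.fcrepo.auth.webac.WebACFilter"/>
  <bean id="shiroFilter" class="org.apache.shiro.spring.web.ShiroFilterFactoryBean">
    <property name="filterChainDefinitions">
      <value>
        /** = servletContainerAuthFilter,webACFilter,containerRolesProvider,headerProvider,auditFilter
      </value>
    </property>
  </bean>
</beans>"""

if __name__ == "__main__":
    for label, cfg in (("default", DEFAULT_CONFIG), ("bad", BAD_CONFIG)):
        print(label, check_filter_chain(cfg) or ["ok"])
```

Run it against the real fcrepo Spring file by reading the file contents into check_filter_chain; the namespace declared on a real <beans> root is stripped before tags are compared, so the same code works on both.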
Here is the complete default Spring filter configuration used by the fcrepo-webapp:

```xml
<!-- Authentication Filter -->
<bean id="servletContainerAuthFilter" class="org.fcrepo.auth.common.ServletContainerAuthFilter"/>

<!-- Principal Provider Filter: Delegate Header -->
<bean name="delegatedPrincipalProvider" class="org.fcrepo.auth.common.DelegateHeaderPrincipalProvider"/>

<!-- Authorization Filter -->
<bean id="webACFilter" class="org.fcrepo.auth.webac.WebACFilter"/>

<!-- connect the filters into a chain -->
<bean id="shiroFilter" class="org.apache.shiro.spring.web.ShiroFilterFactoryBean">
    <property name="securityManager" ref="securityManager"/>
    <property name="filterChainDefinitions">
        <value>
            <!-- The Auth filter should come first, followed by 0 or more of the principal provider filters, -->
            <!-- and finally the webACFilter -->
            /** = servletContainerAuthFilter,delegatedPrincipalProvider,webACFilter
        </value>
    </property>
</bean>
```

Container Roles Principal Provider
ContainerRolesPrincipalProvider is a PrincipalProvider that obtains its set of principals from the container roles declared in web.xml.
- Enable this provider by setting the configuration property fcrepo.auth.principal.roles.enabled to true.
- Set fcrepo.auth.principal.roles.list to a comma-separated list of roles.
- Update the auth-constraint element of your web.xml to contain your custom roles.
For example, your fcrepo.properties file might look like this:

```properties
fcrepo.auth.principal.roles.enabled=true
fcrepo.auth.principal.roles.list=fedoraUser,fedoraAdmin,tomcat-role-1,tomcat-role-2
```

Classes
Container Roles Principal Provider
The Spring bean definition for the ContainerRolesPrincipalProvider lists, in its roleNames property, the web.xml roles that should be treated as principals:
```xml
<bean name="containerRolesProvider" class="org.fcrepo.auth.common.ContainerRolesPrincipalProvider">
    <property name="roleNames">
        <util:set set-class="java.util.HashSet">
            <value>tomcat-role-1</value>
            <value>tomcat-role-2</value>
        </util:set>
    </property>
</bean>
```
New roles must be specified in web.xml as shown below.
```xml
<web-app>
    ...
    <security-constraint>
        ...
        <auth-constraint>
            <role-name>fedoraUser</role-name>
            <role-name>fedoraAdmin</role-name>
            <role-name>tomcat-role-1</role-name>
            <role-name>tomcat-role-2</role-name>
        </auth-constraint>
        ...
    </security-constraint>
</web-app>
```
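A role that is listed for the provider but left out of the web.xml auth-constraint is an easy mismatch to miss, since both files are edited by hand. The following script is an added example, not fcrepo's own code: it reads the role list from either configuration form shown on this page (the fcrepo.auth.principal.roles.list property or the roleNames bean property) and compares it with the role-name entries inside the auth-constraint elements of web.xml. All three inputs in the script are constructed for the example, with one role deliberately missing from web.xml.

```python
"""Check that every role the container roles provider is configured with is also
granted by an auth-constraint in web.xml.

Added example, not fcrepo code.  Both configuration forms shown on this page
are read: the fcrepo.auth.principal.roles.list property and the roleNames bean
property.  All three inputs at the bottom are constructed for this example.
"""
import xml.etree.ElementTree as ET


def _local(tag):
    """Strip any XML namespace (the util: prefix on the bean, for instance)."""
    return tag.rsplit("}", 1)[-1]


def roles_from_properties(text):
    """Roles listed in fcrepo.auth.principal.roles.list (comma separated)."""
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if sep and key.strip() == "fcrepo.auth.principal.roles.list":
            return {r.strip() for r in value.split(",") if r.strip()}
    return set()


def roles_from_bean(xml_text):
    """Roles in the roleNames property of a ContainerRolesPrincipalProvider bean."""
    roles = set()
    for bean in ET.fromstring(xml_text).iter():
        if _local(bean.tag) != "bean" or not bean.get("class", "").endswith("ContainerRolesPrincipalProvider"):
            continue
        for prop in bean:
            if _local(prop.tag) == "property" and prop.get("name") == "roleNames":
                roles.update(v.text.strip() for v in prop.iter() if _local(v.tag) == "value" and v.text)
    return roles


def roles_granted_by_web_xml(xml_text):
    """role-name values inside every auth-constraint of a web.xml."""
    granted = set()
    for el in ET.fromstring(xml_text).iter():
        if _local(el.tag) == "auth-constraint":
            granted.update(rn.text.strip() for rn in el if _local(rn.tag) == "role-name" and rn.text)
    return granted


def missing_roles(configured, granted):
    """Configured roles that no auth-constraint grants.

    A bare '*' in an auth-constraint stands for every role declared in the
    descriptor (servlet spec), so nothing is reported as missing in that case;
    a stricter check would also read the <security-role> declarations.
    """
    if "*" in granted:
        return set()
    return set(configured) - set(granted)


# Constructed inputs: the fourth role is configured but never granted by web.xml.
PROPERTIES = """fcrepo.auth.principal.roles.enabled=true
fcrepo.auth.principal.roles.list=fedoraUser,fedoraAdmin,tomcat-role-1,tomcat-role-2
"""

BEAN_XML = """<beans xmlns:util="http://www.springframework.org/schema/util">
  <bean name="containerRolesProvider" class="org.fcrepo.auth.common.ContainerRolesPrincipalProvider">
    <property name="roleNames">
      <util:set set-class="java.util.HashSet">
        <value>tomcat-role-1</value>
        <value>tomcat-role-2</value>
      </util:set>
    </property>
  </bean>
</beans>"""

WEB_XML = """<web-app>
  <security-constraint>
    <auth-constraint>
      <role-name>fedoraUser</role-name>
      <role-name>fedoraAdmin</role-name>
      <role-name>tomcat-role-1</role-name>
    </auth-constraint>
  </security-constraint>
</web-app>"""

if __name__ == "__main__":
    granted = roles_granted_by_web_xml(WEB_XML)
    print("from properties:", missing_roles(roles_from_properties(PROPERTIES), granted))
    print("from bean:", missing_roles(roles_from_bean(BEAN_XML), granted))
```

The check only covers the auth-constraint, which is what this page asks you to edit; if your container also needs the roles declared under security-role, extend roles_granted_by_web_xml accordingly.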
HTTP Header Principal Provider
HttpHeaderPrincipalProvider is a PrincipalProvider that obtains its initial set of principals from an HTTP request header.
- Enable this provider by setting the configuration property fcrepo.auth.principal.header.enabled to true.
- Set fcrepo.auth.principal.header.name to the name of the header that contains the principals.
- Set fcrepo.auth.principal.header.separator to the character that is used to separate multiple principals in the header.
The provider takes the header value at face value, so it should only be enabled behind a front end (a reverse proxy or SSO gateway) that sets the header from its own authentication decision and strips any copy of it arriving from the client; otherwise any client could claim arbitrary principals.
For example, your fcrepo.properties file might look like this:

```properties
fcrepo.auth.principal.header.enabled=true
fcrepo.auth.principal.header.name=x-principal-header
fcrepo.auth.principal.header.separator=,
```

The equivalent Spring bean definition:

```xml
<!-- Optional PrincipalProvider that will inspect the request header, "some-header", for user role values -->
<bean name="headerProvider" class="org.fcrepo.auth.common.HttpHeaderPrincipalProvider">
    <property name="headerName" value="some-header"/>
    <property name="separator" value=","/>
</bean>
```
Delegate Header Principal Provider
DelegateHeaderPrincipalProvider is a Principal Provider that uses the On-Behalf-Of
HTTP header to switch the user principal to the principal given in the header. This switch is only performed if the authenticated user has the fedoraAdmin container role.
Spring bean configuration (the same bean that appears in the default filter chain above):

```xml
<bean name="delegatedPrincipalProvider" class="org.fcrepo.auth.common.DelegateHeaderPrincipalProvider"/>
```

This provider is enabled by default. To disable it, set fcrepo.auth.principal.delegate.enabled to false.