...
Different PrincipalProvider implementations obtain their principals in different ways: from credential files, from values sent in an HTTP request header, or from an external source such as LDAP.
Warning: the container roles provider and the header provider must not be enabled at the same time; doing so leads to undefined results.
Configuration
Container Roles Principal Provider
...
- Enable this provider by setting the configuration property fcrepo.auth.principal.roles.enabled to true.
- Set fcrepo.auth.principal.roles.list to a comma-separated list of roles.
- Update the auth-constraint element of your web.xml to contain your custom roles.
For example, your fcrepo.properties file might look like this:
    fcrepo.auth.principal.roles.enabled=true
    fcrepo.auth.principal.roles.list=fedoraUser,fedoraAdmin,tomcat-role-1,tomcat-role-2
And your web.xml would be updated to look like this:
    <web-app>
      ...
      <security-constraint>
        ...
        <auth-constraint>
          <role-name>fedoraUser</role-name>
          <role-name>fedoraAdmin</role-name>
          <role-name>tomcat-role-1</role-name>
          <role-name>tomcat-role-2</role-name>
        </auth-constraint>
      </security-constraint>
    </web-app>
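The two files above have to agree: a role that is in fcrepo.auth.principal.roles.list but missing from the auth-constraint is refused by the servlet container before Fedora ever sees the request, and a role that is in the auth-constraint but not in the list is admitted by the container but never surfaced to Fedora as a principal. The following script is an added example (not part of the Fedora project) that checks the two files for exactly those mismatches; the two sample documents are constructed inline and mirror the page's examples, with tomcat-role-2 deliberately left out of web.xml, and the property names are the ones documented above.

```python
"""Check that fcrepo.properties roles and web.xml auth-constraint roles agree.

Added example, not fcrepo project code. Property names are the documented
fcrepo.auth.principal.roles.* keys; the sample inputs below are constructed.
"""
import xml.etree.ElementTree as ET

# Constructed sample fcrepo.properties (same values as the page's example).
SAMPLE_PROPERTIES = """\
fcrepo.auth.principal.roles.enabled=true
fcrepo.auth.principal.roles.list=fedoraUser,fedoraAdmin,tomcat-role-1,tomcat-role-2
"""

# Constructed sample web.xml: tomcat-role-2 is intentionally missing.
SAMPLE_WEB_XML = """\
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Fedora</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>fedoraUser</role-name>
      <role-name>fedoraAdmin</role-name>
      <role-name>tomcat-role-1</role-name>
    </auth-constraint>
  </security-constraint>
  <security-role><role-name>fedoraUser</role-name></security-role>
  <security-role><role-name>fedoraAdmin</role-name></security-role>
  <security-role><role-name>tomcat-role-1</role-name></security-role>
</web-app>
"""


def parse_properties(text):
    """Minimal key=value parser for a Java-style properties file."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "!")):
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def configured_roles(props):
    """Roles the container roles provider will map to principals (empty if disabled)."""
    if props.get("fcrepo.auth.principal.roles.enabled", "false").lower() != "true":
        return set()
    raw = props.get("fcrepo.auth.principal.roles.list", "")
    return {r.strip() for r in raw.split(",") if r.strip()}


def _local(tag):
    """Strip the XML namespace so the check works with or without a default xmlns."""
    return tag.rsplit("}", 1)[-1]


def web_xml_roles(text):
    """Return (roles named in auth-constraint, roles declared via security-role)."""
    root = ET.fromstring(text)
    constrained, declared = set(), set()
    for el in root.iter():
        names = {rn.text.strip() for rn in el if _local(rn.tag) == "role-name" and rn.text}
        if _local(el.tag) == "auth-constraint":
            constrained |= names
        elif _local(el.tag) == "security-role":
            declared |= names
    return constrained, declared


def check(properties_text, web_xml_text):
    """Report every role that is configured on one side but not the other."""
    roles = configured_roles(parse_properties(properties_text))
    constrained, declared = web_xml_roles(web_xml_text)
    return {
        # listed for Fedora, but the container will reject users holding only this role
        "not_in_auth_constraint": sorted(roles - constrained),
        # listed for Fedora, but never declared with <security-role>
        "not_declared": sorted(roles - declared),
        # admitted by the container, but Fedora will not turn it into a principal
        "unmapped_in_web_xml": sorted(constrained - roles),
    }


if __name__ == "__main__":
    for finding, names in check(SAMPLE_PROPERTIES, SAMPLE_WEB_XML).items():
        print(f"{finding}: {names or 'ok'}")
```

Run it against your real files by reading them into the two arguments of check(); an empty list for every finding means the roles list and the auth-constraint are consistent.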
HTTP Header Principal Provider
HttpHeaderPrincipalProvider is a Principal Provider that obtains its initial set of principals from an HTTP request header. The header value is trusted as-is, so this provider should only be used behind a gateway that authenticates the client and sets the header itself (and discards any value the client supplied).
- Enable this provider by setting the configuration property fcrepo.auth.principal.header.enabled to true.
- Set fcrepo.auth.principal.header.name to the name of the header that contains the principals.
- Set fcrepo.auth.principal.header.separator to the character that separates multiple principals in the header.
For example, your fcrepo.properties file might look like this:
    fcrepo.auth.principal.header.enabled=true
    fcrepo.auth.principal.header.name=x-principal-header
    fcrepo.auth.principal.header.separator=,
The same provider expressed as a Spring bean configuration (here inspecting a header named "some-header"):
    <!-- Optional PrincipalProvider that will inspect the request header, "some-header", for user role values -->
    <bean name="headerProvider" class="org.fcrepo.auth.common.HttpHeaderPrincipalProvider">
      <property name="headerName" value="some-header"/>
      <property name="separator" value=","/>
    </bean>
Delegate Header Principal Provider
DelegateHeaderPrincipalProvider is a Principal Provider that uses the On-Behalf-Of
HTTP header to switch the user principal to the principal given in the header. This switch is only performed if the authenticated user has the fedoraAdmin container role.
...
Code block: Spring bean configuration (xml)
...
This provider is enabled by default. To disable it, set fcrepo.auth.principal.delegate.enabled to false.
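The two header-driven providers above behave differently on untrusted input: the header provider turns whatever is in the configured header into principals, while the delegate provider honours On-Behalf-Of only when the caller already holds the fedoraAdmin container role. The following model is an added example, not fcrepo's code: it reproduces that behaviour as the page describes it (split the configured header on the configured separator; switch the user principal only for a fedoraAdmin caller) and adds the gateway step a deployment needs so that a client cannot inject its own principal header. The function names, the shape of the role set, the proxy_forward step and the sample requests are assumptions made for illustration.

```python
"""Model of header-derived principals and On-Behalf-Of delegation.

Added example, not fcrepo code. Parsing and gating follow the documented
behaviour; names, data shapes and the proxy step are illustrative assumptions.
"""

HEADER_NAME = "x-principal-header"   # fcrepo.auth.principal.header.name
SEPARATOR = ","                      # fcrepo.auth.principal.header.separator
DELEGATE_HEADER = "On-Behalf-Of"     # header read by DelegateHeaderPrincipalProvider
ADMIN_ROLE = "fedoraAdmin"           # container role required for delegation


def _get_header(headers, name):
    """Case-insensitive header lookup, as HTTP header names are case-insensitive."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def header_principals(headers, name=HEADER_NAME, separator=SEPARATOR):
    """Principals the header provider would derive: split on the separator,
    trim whitespace, drop empty entries."""
    value = _get_header(headers, name)
    if value is None:
        return []
    return [p.strip() for p in value.split(separator) if p.strip()]


def effective_user(authenticated_user, container_roles, headers):
    """Delegate provider: the user principal is switched to the On-Behalf-Of
    value only if the authenticated caller holds the fedoraAdmin container role;
    any other caller keeps its own identity and the header is ignored."""
    delegate = (_get_header(headers, DELEGATE_HEADER) or "").strip()
    if delegate and ADMIN_ROLE in container_roles:
        return delegate
    return authenticated_user


def proxy_forward(client_headers, idp_roles):
    """What a trusted gateway in front of Fedora must do before forwarding:
    drop any client-supplied principal header, then set it from the roles the
    gateway itself established for the authenticated client (assumed IdP output)."""
    forwarded = {k: v for k, v in client_headers.items()
                 if k.lower() != HEADER_NAME.lower()}
    forwarded[HEADER_NAME] = SEPARATOR.join(idp_roles)
    return forwarded


if __name__ == "__main__":
    # Constructed request: an anonymous client claims admin via the raw header.
    direct = {"x-principal-header": "fedoraAdmin,curators", "Accept": "text/turtle"}
    print("exposed directly  :", header_principals(direct))
    print("behind the gateway:", header_principals(proxy_forward(direct, ["staff"])))
    print("admin delegating  :", effective_user("alice", {ADMIN_ROLE}, {"On-Behalf-Of": "bob"}))
    print("user delegating   :", effective_user("carol", {"fedoraUser"}, {"On-Behalf-Of": "bob"}))
```

The first two lines of output make the deployment point concrete: with Fedora reachable directly, the client-chosen header yields fedoraAdmin and curators as principals; once the gateway strips and rewrites the header, only the roles it asserted survive. The last two lines show the delegate gating, which does not depend on the gateway because it keys off the container role.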