For any resource that does not have its own ACL, the WebAC authorization module will look in the parent container until it reaches the root resource. If there is no user-defined ACL for the root resource, then the repository will use a "backstop" ACL defined outside of the repository. A default "backstop" ACL is included in the fcrepo webapp.

...

Setting a custom "Backstop" ACL:

```bash
export JAVA_OPTS="${JAVA_OPTS} -Dfcrepo.auth.webac.authorization=/path/to/authorizationacl.ttl"
```

When overriding the default ACL, be aware that the WebAC module expects that file to be in Turtle format.

...

Please note that any use of acl:accessTo will use a different URI scheme to refer to Fedora locations, since this file is not aware of the HTTP location of the repository. This way, the default policy is portable across hostname or port changes. The URIs are created by taking info:fedora and appending the repository path. The root thus becomes info:fedora/ and a container at /pcdm would be info:fedora/pcdm.
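A pre-deployment check for a custom backstop ACL, as an added example that is not part of the Fedora code base: it flags acl:accessTo targets written as HTTP URLs and suggests the info:fedora form. The function names, the sample ACL and the base URL `http://localhost:8080/rest` are assumptions made for illustration, and the scan is a regex over the Turtle text rather than a full Turtle parser.

```python
import re

# Matches acl:accessTo followed by one or more comma-separated <IRI> objects.
ACCESS_TO = re.compile(r'acl:accessTo\s+((?:<[^>]*>\s*,?\s*)+)')
IRI = re.compile(r'<([^>]*)>')

# Constructed sample: the second authorization uses an HTTP URL by mistake.
SAMPLE_ACL = """\
@prefix acl: <http://www.w3.org/ns/auth/acl#> .

<#readers> a acl:Authorization ;
    acl:agentClass acl:AuthenticatedAgent ;
    acl:mode acl:Read ;
    acl:accessTo <info:fedora/> .

<#curators> a acl:Authorization ;
    acl:agent "curator" ;
    acl:mode acl:Read, acl:Write ;
    acl:accessTo <http://localhost:8080/rest/pcdm> .
"""

def to_internal_uri(http_url, base_url):
    """Map an HTTP resource URL to info:fedora plus the repository path."""
    base = base_url.rstrip('/')
    if http_url.rstrip('/') == base:
        return 'info:fedora/'          # repository root
    if not http_url.startswith(base + '/'):
        raise ValueError(f'{http_url} is not under {base_url}')
    return 'info:fedora' + http_url[len(base):]

def check_backstop_acl(turtle_text, base_url):
    """Return (line, found_uri, suggested_uri) per non-portable acl:accessTo."""
    findings = []
    for m in ACCESS_TO.finditer(turtle_text):
        for iri in IRI.finditer(m.group(1)):
            uri = iri.group(1)
            if uri == 'info:fedora' or uri.startswith('info:fedora/'):
                continue               # already in the portable scheme
            offset = m.start(1) + iri.start()
            line_no = turtle_text.count('\n', 0, offset) + 1
            try:
                suggestion = to_internal_uri(uri, base_url)
            except ValueError:
                suggestion = None      # target is outside this repository
            findings.append((line_no, uri, suggestion))
    return findings

if __name__ == '__main__':
    for line_no, uri, fix in check_backstop_acl(SAMPLE_ACL, 'http://localhost:8080/rest'):
        print(f'line {line_no}: <{uri}> should be <{fix}>')
```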

...