...

Different derivatives of the PrincipalProvider class can be initialized differently, either through credential files, information sent via HTTP header, or by connecting to external information sources such as LDAP.

Warning

Do not use the container roles provider and the header provider at the same time; doing so leads to undefined results.

Configuration

Container Roles Principal Provider

...

  1. Enable this provider by setting the configuration property fcrepo.auth.principal.roles.enabled to true.
  2. Set fcrepo.auth.principal.roles.list to a comma-separated list of roles.
  3. Update the auth-constraint element in your web.xml to contain your custom roles.

...

HttpHeaderPrincipalProvider is a Principal Provider that obtains its initial set of principals from an HTTP request header.

  1. Enable this provider by setting the configuration property fcrepo.auth.principal.header.enabled to true.
  2. Set fcrepo.auth.principal.header.name to the name of the header that contains the principals.
  3. Set fcrepo.auth.principal.header.separator to the character that is used to separate multiple principals in the header.

For example, your fcrepo.properties file might look like this:

Code Block: fcrepo.properties (text)

fcrepo.auth.principal.header.enabled=true
fcrepo.auth.principal.header.name=x-principal-header
fcrepo.auth.principal.header.separator=,

Code Block: Spring bean configuration (xml)

<!-- Optional PrincipalProvider that will inspect the request header, "some-header", for user role values -->
<bean name="headerProvider" class="org.fcrepo.auth.common.HttpHeaderPrincipalProvider">
  <property name="headerName" value="some-header"/>
  <property name="separator" value=","/>
</bean>

Delegate Header Principal Provider

DelegateHeaderPrincipalProvider is a Principal Provider that uses the On-Behalf-Of HTTP header to switch the user principal to the principal given in the header. This switch is only performed if the authenticated user has the fedoraAdmin container role.

...

Code Block: Spring bean configuration (xml)

...

This provider is enabled by default. To disable it, set fcrepo.auth.principal.delegate.enabled to false.
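
The warning and the configuration steps above can be checked mechanically before deployment. The following Python lint is an added example, not part of the Fedora code base or of the original page; it assumes the roles and header providers are off unless set to true, reads only simple key=value lines, and runs on constructed sample values (the role names curator and reviewer are made up).

```python
# Added example (not Fedora code): lint fcrepo.properties text against the
# principal-provider steps and warning described on this page.
P = "fcrepo.auth.principal."


def parse_properties(text):
    """Parse simple key=value lines; '#' and '!' start comment lines."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and line[0] not in "#!":
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    return props


def lint(text):
    """Return a list of findings for the provider settings."""
    props = parse_properties(text)

    def enabled(name, default):
        return props.get(P + name + ".enabled", default).lower() == "true"
    # Assumption: roles/header providers are off unless set to true.
    # The page states the delegate provider is enabled by default.
    roles, header = enabled("roles", "false"), enabled("header", "false")
    findings = []
    if roles and header:
        findings.append("roles and header providers both enabled: undefined results")
    if roles and not props.get(P + "roles.list"):
        findings.append(P + "roles.list is empty")
    for key in ("header.name", "header.separator"):
        if header and not props.get(P + key):
            findings.append(P + key + " is not set")
    if enabled("delegate", "true"):
        findings.append("delegate provider enabled: fedoraAdmin may use On-Behalf-Of")
    return findings


# Constructed sample input, not taken from a real deployment.
SAMPLE = (
    "fcrepo.auth.principal.roles.enabled=true\n"
    "fcrepo.auth.principal.roles.list=curator,reviewer\n"
    "fcrepo.auth.principal.header.enabled=true\n"
    "fcrepo.auth.principal.header.name=x-principal-header\n"
    "fcrepo.auth.principal.header.separator=,\n"
)

if __name__ == "__main__":
    for finding in lint(SAMPLE):
        print("WARN:", finding)
```

The delegate finding is informational: it reports that On-Behalf-Of switching is active for users with the fedoraAdmin role unless the property is set to false.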