Note |
---|
This feature is disabled by default, and requires configuration in order to enable it. See the allowed list configuration section below. |
Excerpt |
---|
When referencing content hosted outside of the repository, you can create an empty binary to act as a placeholder for the external content, specifying the URL of the external content. |
...
If the external URI has a http prefix then a HEAD request is made to the URI provided in the Link header to retrieve the Content-type header, if this header is not returned the resource cannot be added to the repository.
Examples:
Proxying a file on the local server.
Creating the proxy LDP-NR
Note |
---|
The URI of the external content must be absolute. Relative paths and paths using relative path modifiers ("../") will result in the operation failing with a 400 status code. |
Examples:
Proxying a file on the local server.
Creating the proxy LDP-NR
Code Block |
---|
> curl -i -H"Link: <file:///local/file/storage/wonderful.tiff>; rel=\"http://fedora.info/definitions/fcrepo#ExternalContent\"; handling=\"proxy\"; type=\"image/tiff\"" -XPUT -ufedoraAdmin:fedoraAdmin http://localhost:8080/rest/test_proxy_local_file HTTP/1.1 201 Created Date: Fri, 29 Jun 2018 14:15:54 GMT Set-Cookie: JSESSIONID=aedg7ilmx9zxugi8x9em7l8h;Path=/ Expires: Thu, 01 Jan 1970 00:00:00 GMT Set-Cookie: rememberMe=deleteMe; Path=/; Max-Age=0; Expires=Thu, 28-Jun-2018 14:15:54 GMT ETag: "0e409de61b53a864ad3a87f4faf884d88cf041ff" Last-Modified: Fri, 29 Jun 2018 14:15:55 GMT Link: <http://localhost:8080/rest/test_proxy_local_file/fcr:metadata>; rel="describedby"; anchor="http://localhost:8080/rest/test_proxy_local_file" Link: <http://localhost:8080/static/constraints/NonRDFSourceConstraints.rdf>; rel="http://www.w3.org/ns/ldp#constrainedBy" Content-Location: file:/local/file/storage/wonderful.tiff Link: <http://localhost:8080/rest/test_proxy_local_file/fcr:acl>; rel="acl" Location: http://localhost:8080/rest/test_proxy_local_file Content-Type: text/plain Content-Length: 48 Server: Jetty(9.3.1.v20150714) http://localhost:8080/rest/test_proxy_local_file |
...
Code Block |
---|
> curl -i http://localhost:8080/rest/test_copy_remote_file -ufedoraAdmin:fedoraAdmin HTTP/1.1 200 OK Date: Fri, 29 Jun 2018 16:39:56 GMT Set-Cookie: JSESSIONID=h0ywas10h63p1340ajakqp1vy;Path=/ Expires: Thu, 01 Jan 1970 00:00:00 GMT Set-Cookie: rememberMe=deleteMe; Path=/; Max-Age=0; Expires=Thu, 28-Jun-2018 16:39:56 GMT ETag: "d9cc4f3b266a19f0c225356a5caabb9080d680b4" Last-Modified: Fri, 29 Jun 2018 16:19:45 GMT Content-Type: image/jp2 Accept-Ranges: bytes Content-Disposition: attachment; filename=""; creation-date="Fri, 29 Jun 2018 16:19:45 GMT"; modification-date="Fri, 29 Jun 2018 16:19:45 GMT"; size=305517 Link: <http://www.w3.org/ns/ldp#Resource>;rel="type" Link: <http://www.w3.org/ns/ldp#NonRDFSource>;rel="type" Link: <http://localhost:8080/rest/test_copy_remote_file/fcr:acl>; rel="acl" Link: <http://localhost:8080/rest/test_copy_remote_file/fcr:metadata>; rel="describedby" Link: <http://localhost:8080/static/constraints/NonRDFSourceConstraints.rdf>; rel="http://www.w3.org/ns/ldp#constrainedBy" Accept-External-Content-Handling: copy,redirect,proxy Allow: DELETE,HEAD,GET,PUT,OPTIONS Cache-Control: no-transform, must-revalidate, max-age=0 Content-Length: 305517 Server: Jetty(9.3.1.v20150714) ...<BODY CONTENT>... |
Anchor | ||||
---|---|---|---|---|
|
In order to enable external content, administrators must provide a configuration file stating a set of allowed external paths from which Fedora may provide binary content. This list is provided to the application by using the fcrepo.external.content.allowed startup parameter as follows:
Code Block |
---|
-Dfcrepo.external.content.allowed=/path/to/allow.txt |
By default, if this configuration is present at startup time Fedora will reload the configuration file any time it is modified.
Configuration Format
Each line within the file defines a single path from which allowed resources will be allowed. The entries are subject to the following rules:
- Paths must start with their protocol.
- If a path ends with a '/' character, all sub-paths within that path are allowed.
- If a path does not end with a '/', then only the exact path listed is allowed.
- Relative paths are disallowed.
- File paths must resolve to existing locations.
Example allow list file
Code Block |
---|
file:///allowed/path/
file:/another/allowed/path/
file:///exact/match/file.txt
https://example.com/
http://example.com/ |
This example allows external content references to local files at any path within /allowed/path/ and /another/allowed/path/, as well as the specific file /exact/match/file.txt.
It also allows external content from any HTTP URIs within https://example.com/ and http://example.com/
Warning |
---|
For security reasons, it is recommended to configure the minimum set of trusted external content sources/protocols that meet your use cases. By allowing for external content, you are assuming the risks inherent to providing a proxy to open web or file system resources. These resources may change outside of the management by the repository with the potential to introduce vulnerabilities, provide access to unintended files, or place undesirable burdens of system resources. |