
Note

This feature is disabled by default, and requires configuration in order to enable it. See the allowed list configuration section below.


When referencing content hosted outside of the repository, you can create an empty binary to act as a placeholder for the external content, specifying the URL of the external content.

...

If the external URI has an http prefix, a HEAD request is made to the URI provided in the Link header to retrieve the Content-Type header. If this header is not returned, the resource cannot be added to the repository.

Note

The URI of the external content must be absolute. Relative paths and paths using relative path modifiers ("../") will result in the operation failing with a 400 status code.

Examples:

Proxying a file on the local server.

Creating the proxy LDP-NR

Code Block
> curl -i -H"Link: <file:///local/file/storage/wonderful.tiff>; rel=\"http://fedora.info/definitions/fcrepo#ExternalContent\"; handling=\"proxy\"; type=\"image/tiff\"" -XPUT -ufedoraAdmin:fedoraAdmin http://localhost:8080/rest/test_proxy_local_file
HTTP/1.1 201 Created
Date: Fri, 29 Jun 2018 14:15:54 GMT
Set-Cookie: JSESSIONID=aedg7ilmx9zxugi8x9em7l8h;Path=/
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: rememberMe=deleteMe; Path=/; Max-Age=0; Expires=Thu, 28-Jun-2018 14:15:54 GMT
ETag: "0e409de61b53a864ad3a87f4faf884d88cf041ff"
Last-Modified: Fri, 29 Jun 2018 14:15:55 GMT
Link: <http://localhost:8080/rest/test_proxy_local_file/fcr:metadata>; rel="describedby"; anchor="http://localhost:8080/rest/test_proxy_local_file"
Link: <http://localhost:8080/static/constraints/NonRDFSourceConstraints.rdf>; rel="http://www.w3.org/ns/ldp#constrainedBy"
Content-Location: file:/local/file/storage/wonderful.tiff
Link: <http://localhost:8080/rest/test_proxy_local_file/fcr:acl>; rel="acl"
Location: http://localhost:8080/rest/test_proxy_local_file
Content-Type: text/plain
Content-Length: 48
Server: Jetty(9.3.1.v20150714)

http://localhost:8080/rest/test_proxy_local_file

...

Code Block
> curl -i http://localhost:8080/rest/test_copy_remote_file -ufedoraAdmin:fedoraAdmin 
HTTP/1.1 200 OK
Date: Fri, 29 Jun 2018 16:39:56 GMT
Set-Cookie: JSESSIONID=h0ywas10h63p1340ajakqp1vy;Path=/
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: rememberMe=deleteMe; Path=/; Max-Age=0; Expires=Thu, 28-Jun-2018 16:39:56 GMT
ETag: "d9cc4f3b266a19f0c225356a5caabb9080d680b4"
Last-Modified: Fri, 29 Jun 2018 16:19:45 GMT
Content-Type: image/jp2
Accept-Ranges: bytes
Content-Disposition: attachment; filename=""; creation-date="Fri, 29 Jun 2018 16:19:45 GMT"; modification-date="Fri, 29 Jun 2018 16:19:45 GMT"; size=305517
Link: <http://www.w3.org/ns/ldp#Resource>;rel="type"
Link: <http://www.w3.org/ns/ldp#NonRDFSource>;rel="type"
Link: <http://localhost:8080/rest/test_copy_remote_file/fcr:acl>; rel="acl"
Link: <http://localhost:8080/rest/test_copy_remote_file/fcr:metadata>; rel="describedby"
Link: <http://localhost:8080/static/constraints/NonRDFSourceConstraints.rdf>; rel="http://www.w3.org/ns/ldp#constrainedBy"
Accept-External-Content-Handling: copy,redirect,proxy
Allow: DELETE,HEAD,GET,PUT,OPTIONS
Cache-Control: no-transform, must-revalidate, max-age=0
Content-Length: 305517
Server: Jetty(9.3.1.v20150714)

...<BODY CONTENT>...

Allowed External Paths Configuration

In order to enable external content, administrators must provide a configuration file stating a set of allowed external paths from which Fedora may provide binary content. This list is provided to the application by using the fcrepo.external.content.allowed startup parameter as follows:

Code Block
-Dfcrepo.external.content.allowed=/path/to/allow.txt

By default, if this configuration is present at startup time Fedora will reload the configuration file any time it is modified.

Configuration Format

Each line within the file defines a single path from which external resources are allowed. The entries are subject to the following rules:

  • Paths must start with their protocol.
  • If a path ends with a '/' character, all sub-paths within that path are allowed.
  • If a path does not end with a '/', then only the exact path listed is allowed.
  • Relative paths are disallowed.
  • File paths must resolve to existing locations.

Example allow list file

Code Block
file:///allowed/path/
file:/another/allowed/path/
file:///exact/match/file.txt
https://example.com/
http://example.com/

This example allows external content references to local files at any path within /allowed/path/ and /another/allowed/path/, as well as the specific file /exact/match/file.txt.

It also allows external content from any HTTP or HTTPS URI under https://example.com/ and http://example.com/.
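The following Python sketch applies the rules above to the example allow list, so a list can be audited before deployment. It is an added example, not Fedora's own implementation; the function names, the rejection of percent-encoded "../" segments and of file URIs with a host part, and the extra relative line in the sample are assumptions.

```python
import os
from urllib.parse import urlsplit, unquote

SCHEMES = ("file", "http", "https")  # protocols appearing in the page's example list

def normalize(uri):
    """Canonical form of an absolute URI, or None if the rules reject it outright."""
    parts = urlsplit(uri.strip())
    scheme = parts.scheme.lower()
    if scheme not in SCHEMES:
        return None  # no protocol prefix (relative path) or unexpected protocol
    # Assumption: percent-encoded dot segments are rejected too (stricter than the page).
    if ".." in unquote(parts.path).split("/"):
        return None
    if scheme == "file":
        # Assumption: file URIs carrying a host part are rejected.
        if parts.netloc or not parts.path.startswith("/"):
            return None
        return "file://" + parts.path  # file:/x and file:///x become the same string
    if not parts.netloc:
        return None
    query = "?" + parts.query if parts.query else ""
    return f"{scheme}://{parts.netloc.lower()}{parts.path}{query}"

def load_allow_list(text, check_exists=False):
    """Return (entries, rejected_lines) for the contents of an allow-list file."""
    entries, rejected = [], []
    for line in filter(None, (l.strip() for l in text.splitlines())):
        entry = normalize(line)
        if entry and check_exists and entry.startswith("file://"):
            if not os.path.exists(entry[len("file://"):]):
                entry = None  # "File paths must resolve to existing locations"
        (entries if entry else rejected).append(entry or line)
    return entries, rejected

def is_allowed(uri, entries):
    """Trailing '/' entries match every sub-path; all other entries match exactly."""
    candidate = normalize(uri)
    if candidate is None:
        return False
    return any(candidate.startswith(e) if e.endswith("/") else candidate == e
               for e in entries)

# Constructed sample: the page's example list plus one relative line that must be rejected.
SAMPLE = """file:///allowed/path/
file:/another/allowed/path/
file:///exact/match/file.txt
https://example.com/
http://example.com/
relative/path/
"""
ENTRIES, REJECTED = load_allow_list(SAMPLE)
```

Because the prefix entries end in '/', a host such as example.com.other.invalid or a sibling file such as file.txt.bak does not match; an entry written without the trailing '/' would only ever match that one exact URI.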

Warning

For security reasons, it is recommended to configure the minimum set of trusted external content sources/protocols that meet your use cases. By allowing external content, you are assuming the risks inherent to providing a proxy to open web or file system resources. These resources may change outside of the management of the repository, with the potential to introduce vulnerabilities, provide access to unintended files, or place undesirable burdens on system resources.