When the WebAC module is in effect, resource access is based on the presence of an ACL for the resource (a triple with the acl:accessControl predicate). For any resource that does not have its own ACL, the WebAC authorization module looks in the parent container, and keeps walking upward until it reaches the root resource. If there is still no user-defined ACL for the root resource, the repository uses a "backstop" ACL defined outside of the repository. The default "backstop" ACL is included in the fcrepo webapp. Because this backstop governs every resource that has not been given an ACL of its own, it is the effective policy for the whole repository until you start adding ACLs.

The default policy allows any user read access to the repository:

Default "Backstop" ACL (Turtle):

@prefix rdfs: <http://www.w3.org/2000/01/rdf-schema#> .
@prefix acl: <http://www.w3.org/ns/auth/acl#> .
@prefix foaf: <http://xmlns.com/foaf/0.1/> .
@prefix webac: <http://fedora.info/definitions/v4/webac#> .

<info:fedora/fcr:acl> a webac:Acl .

<info:fedora/fcr:acl#authz> a acl:Authorization ;
   rdfs:label "Root Authorization" ;
   rdfs:comment "By default, all non-Admin agents (foaf:Agent) have read access (acl:Read) to the repository" ;
   acl:agentClass foaf:Agent ;
   acl:mode acl:Read ;
   acl:accessTo <info:fedora/> ;
   acl:default <info:fedora/> .

In most cases, this default is appropriate, but it is also possible to override it with a custom ACL.

The recommended way to override it is to add a configuration value to JAVA_OPTS that points to your custom ACL:

Setting a custom "Backstop" ACL (bash):

export JAVA_OPTS="${JAVA_OPTS} -Dfcrepo.auth.webac.authorization=/path/to/authorization.ttl"

When overriding the default ACL, be aware that the WebAC module expects that file to be in Turtle format. Review the replacement carefully: an overly permissive backstop grants access to every resource that has not been explicitly protected with its own ACL.

For instance, to prohibit access to the entire repository by default (an Authorization with no acl:mode grants nothing):

ACL that disallows access by default (Turtle):

@prefix rdfs: <http://www.w3.org/2000/01/rdf-schema#> .
@prefix acl: <http://www.w3.org/ns/auth/acl#> .
@prefix foaf: <http://xmlns.com/foaf/0.1/> .
@prefix webac: <http://fedora.info/definitions/v4/webac#> .

<info:fedora/fcr:acl> a webac:Acl ;
   rdfs:label "Root Authorization Policy" .

# note the lack of an acl:mode predicate
<info:fedora/fcr:acl#authz> a acl:Authorization ;
   rdfs:label "Root Authorization" ;
   acl:agentClass foaf:Agent ;
   acl:accessTo <info:fedora/> ;
   acl:default <info:fedora/> .

Please note that acl:accessTo (and acl:default) in the backstop ACL use a different URI scheme to refer to Fedora locations. Here, the root Fedora resource is written <info:fedora/>, since this file is not aware of the HTTP location of the repository. If, for instance, a default policy is to apply to all locations under /fcrepo/rest/acls, then the acl:accessTo triple would refer to <info:fedora/acls>. This way, the default policy is portable across hostname or port changes. The URIs are created by taking info:fedora and appending the repository path (the path below the REST endpoint). The root thus becomes info:fedora/, and a container at /pcdm becomes info:fedora/pcdm.
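The following is an added example, not code from Fedora or from this page, that models the two behaviours described above: the walk from a resource up through its parent containers to find the nearest ACL (falling back to the backstop), and the info:fedora URI mapping. The two Turtle documents on this page are transcribed by hand into Authorization objects rather than parsed; the agent-matching rules, the treatment of acl:default as applying to descendants, the REST base path /fcrepo/rest and the sample resource tree are assumptions made for the illustration, and admin users (who are not subject to the backstop) are not modelled.

```python
"""Model of Fedora WebAC backstop ACL resolution (added illustration, not Fedora code)."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

FOAF_AGENT = "foaf:Agent"                       # acl:agentClass matching every agent
AUTHENTICATED_AGENT = "acl:AuthenticatedAgent"  # acl:agentClass matching logged-in agents
ACL_READ = "acl:Read"
ACL_WRITE = "acl:Write"
FEDORA_ROOT = "info:fedora/"


def to_fedora_uri(http_path: str, rest_base: str = "/fcrepo/rest") -> str:
    """Map an HTTP path to the info:fedora scheme used in a backstop ACL: drop the
    REST endpoint prefix and append the repository path to info:fedora.
    rest_base is an assumption; the page's own example uses /fcrepo/rest."""
    if http_path == rest_base or http_path.startswith(rest_base + "/"):
        http_path = http_path[len(rest_base):]
    return FEDORA_ROOT + http_path.strip("/")


@dataclass
class Authorization:
    """One acl:Authorization, transcribed from Turtle into fields (assumed model)."""
    agent_class: Optional[str] = None                 # acl:agentClass
    agents: Set[str] = field(default_factory=set)     # acl:agent (named agents)
    modes: Set[str] = field(default_factory=set)      # acl:mode; empty grants nothing
    access_to: Set[str] = field(default_factory=set)  # acl:accessTo (the resource itself)
    default: Set[str] = field(default_factory=set)    # acl:default (its descendants)


# Hand-transcribed from the two Turtle documents on this page.
DEFAULT_BACKSTOP = [Authorization(agent_class=FOAF_AGENT, modes={ACL_READ},
                                  access_to={FEDORA_ROOT}, default={FEDORA_ROOT})]
DENY_ALL_BACKSTOP = [Authorization(agent_class=FOAF_AGENT, modes=set(),
                                   access_to={FEDORA_ROOT}, default={FEDORA_ROOT})]


def parent_of(uri: str) -> Optional[str]:
    """Parent container of an info:fedora URI; None for the root."""
    if uri == FEDORA_ROOT:
        return None
    path = uri[len(FEDORA_ROOT):]
    return FEDORA_ROOT + path.rsplit("/", 1)[0] if "/" in path else FEDORA_ROOT


def resolve_acl(resource: str, own_acls: Dict[str, List[Authorization]],
                backstop: List[Authorization]) -> Tuple[List[Authorization], Optional[str]]:
    """Walk from the resource up through its parents; the nearest resource with its
    own ACL wins. If none is found (root included), the backstop applies (None)."""
    node: Optional[str] = resource
    while node is not None:
        if node in own_acls:
            return own_acls[node], node
        node = parent_of(node)
    return backstop, None


def _is_descendant(resource: str, ancestor: str) -> bool:
    prefix = ancestor if ancestor.endswith("/") else ancestor + "/"
    return resource != ancestor and resource.startswith(prefix)


def _agent_matches(authz: Authorization, agent: str, authenticated: bool) -> bool:
    if authz.agent_class == FOAF_AGENT:
        return True
    if authz.agent_class == AUTHENTICATED_AGENT and authenticated:
        return True
    return agent in authz.agents


def permitted_modes(resource: str, agent: str, authenticated: bool,
                    own_acls: Dict[str, List[Authorization]],
                    backstop: List[Authorization]) -> Set[str]:
    """Modes a non-admin agent gets on a resource under the resolved ACL. An
    Authorization applies when it names the resource in acl:accessTo or names an
    ancestor in acl:default; an Authorization without acl:mode contributes nothing."""
    acl, _ = resolve_acl(resource, own_acls, backstop)
    granted: Set[str] = set()
    for authz in acl:
        if not _agent_matches(authz, agent, authenticated):
            continue
        if resource in authz.access_to or any(_is_descendant(resource, d) for d in authz.default):
            granted |= authz.modes
    return granted


if __name__ == "__main__":
    # Constructed tree: /pcdm carries its own ACL (alice only); everything else inherits the backstop.
    own = {"info:fedora/pcdm": [Authorization(agents={"alice"}, modes={ACL_READ, ACL_WRITE},
                                              access_to={"info:fedora/pcdm"},
                                              default={"info:fedora/pcdm"})]}
    for label, backstop in (("default", DEFAULT_BACKSTOP), ("deny-all", DENY_ALL_BACKSTOP)):
        for res in ("info:fedora/", "info:fedora/pcdm/obj1", "info:fedora/other"):
            print(label, res, "anon:", permitted_modes(res, "anon", False, own, backstop),
                  "alice:", permitted_modes(res, "alice", True, own, backstop))
```

Under the shipped backstop, anonymous users read everything outside /pcdm; under the deny-all backstop the same walk resolves to an Authorization with no modes, so nothing is granted. Note that /pcdm/obj1 never reaches the backstop at all, because the walk stops at the nearest resource with its own ACL.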