...
Fedora uses two container roles to determine its authorization behavior. The superuser role is fedoraAdmin. Users with this role are not subject to any further authorization checks, and thus can perform any operations on the repository. This is comparable to the fedoraAdmin superuser role in Fedora 3, used for Fedora 3 API-M operations. The regular user role is fedoraUser. Users with this role are subject to authorization checks by the Web Access Control system. The exact permissions any regular user has are determined per request by looking at the effective ACL of the requested resource, the requesting user's security principals, and the nature of the request (HTTP method, content-type, etc.).
Note: The "auth-constraint" element must contain the roles defined as your users (see below for Jetty and Tomcat).
If you are using the Fedora war, auth is enabled by default, and no changes to the web.xml are needed.
If you are using the Jetty one-click jar, auth is disabled by default, and you will need to provide a new web.xml file to Jetty. To do this:
- Create a copy of this web.xml
- Override the default web.xml by adding a descriptor tag to your jetty.xml. For example:
```xml
<!DOCTYPE Configure PUBLIC "-//Jetty//Configure//EN" "http://www.eclipse.org/jetty/configure_9_0.dtd">
<Configure class="org.eclipse.jetty.webapp.WebAppContext">
  <Set name="contextPath">/</Set>
  <Set name="descriptor">/path/to/new/web.xml</Set>
</Configure>
```
Configure your web application container
Jetty
- Create your jetty-users.properties file. This file contains entries in the format username: password [, role, ...], where
- username is the user's login id (the principal)
- password is the user's password
- role is the servlet role they are assigned upon login; jetty allows you to specify any number of roles (or no role at all).
- Sample jetty-users.properties file that contains three users, two of whom are regular users, and the third of whom (fedoraAdmin) is a Fedora superuser:
```
testuser: password1,fedoraUser
adminuser: password2,fedoraUser
fedoraAdmin: secret3fedoraAdmin,fedoraAdmin
```
- Configure your Jetty login realm.
Standalone: Modify your jetty $JETTY_BASE/webapp/fcrepo.xml file to configure the login realm and include the jetty-users.properties file:
jetty.xml login service:
```xml
<Configure class="org.eclipse.jetty.webapp.WebAppContext">
  <!-- Set this to the webapp root of your Fedora 4 repository -->
  <Set name="contextPath">/</Set>
  <!-- Set this to the path of the fcrepo WAR file -->
  <Set name="war"><SystemProperty name="jetty.base" default="."/>/webapps/fcrepo.war</Set>
  <Get name="securityHandler">
    <Set name="loginService">
      <New class="org.eclipse.jetty.security.HashLoginService">
        <!-- Realm name; it must match the realm-name in the web.xml login-config -->
        <Set name="name">fcrepo</Set>
        <!-- Set this to the path to your jetty-users.properties file -->
        <Set name="config"><SystemProperty name="jetty.base" default="."/>/etc/jetty-users.properties</Set>
      </New>
    </Set>
  </Get>
</Configure>
```
Embedded in Maven: The fcrepo-webapp Maven project includes jetty-maven-plugin. The property jetty.users.file sets the location of the jetty-users.properties file. Run the fcrepo-webapp server with the following system property:
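An added audit script, not part of the Fedora documentation or the fcrepo project: it parses a jetty-users.properties body in the format described above, reads the role names from a web.xml auth-constraint (the requirement stated in the Note), and reports who holds the superuser role, who has no role at all, and which user roles the constraint omits. The users file and the web.xml fragment are constructed samples.

```python
import xml.etree.ElementTree as ET
SUPERUSER_ROLE = "fedoraAdmin"  # holders bypass WebAC checks entirely

# Constructed sample in the jetty-users.properties format: username: password [, role, ...]
SAMPLE_JETTY_USERS = """\
# comments and blank lines are skipped
testuser: password1,fedoraUser
adminuser: password2,fedoraUser
fedoraAdmin: secret3fedoraAdmin,fedoraAdmin
norole: password4
"""

# Constructed web.xml fragment; only the role names under <auth-constraint> matter here
SAMPLE_WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee">
  <security-constraint>
    <auth-constraint>
      <role-name>fedoraUser</role-name>
      <role-name>fedoraAdmin</role-name>
    </auth-constraint>
  </security-constraint>
</web-app>
"""

def parse_jetty_users(text):
    """Return {username: (password, [roles])}; passwords containing commas are not handled."""
    users = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, _, rest = line.partition(":")
        fields = [f.strip() for f in rest.split(",")]
        users[name.strip()] = (fields[0], [r for r in fields[1:] if r])
    return users

def local(tag):  # strip the XML namespace: '{ns}role-name' -> 'role-name'
    return tag.rsplit("}", 1)[-1]

def auth_constraint_roles(web_xml):
    """Collect every <role-name> that appears under an <auth-constraint>."""
    root = ET.fromstring(web_xml)
    return {rn.text.strip() for el in root.iter() if local(el.tag) == "auth-constraint"
            for rn in el if local(rn.tag) == "role-name" and rn.text}

def audit_users(users, constrained_roles):
    """Return (superusers, users with no role, user roles absent from the auth-constraint)."""
    superusers = sorted(u for u, (_, roles) in users.items() if SUPERUSER_ROLE in roles)
    no_role = sorted(u for u, (_, roles) in users.items() if not roles)
    used = {r for _, roles in users.values() for r in roles}
    return superusers, no_role, sorted(used - set(constrained_roles))
```

A non-empty third element means a role is granted to a user but is not listed in the auth-constraint, which is exactly the misconfiguration the Note warns about.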
...
- Create or edit your $CATALINA_HOME/conf/tomcat-users.xml file. It has entries of the form <user name="principal" password="password" roles="role1, role2, ..." />
where:
- name is the user's login id (the principal)
- password is the user's password
- roles are the servlet roles they are assigned upon login; tomcat allows you to specify any number of roles (or no role at all).
Sample tomcat-users.xml file that contains three users, two of whom are regular users, and the third of whom (fedoraAdmin) is a Fedora superuser:
tomcat-users.xml:
```xml
<tomcat-users>
  <role rolename="fedoraUser" />
  <role rolename="fedoraAdmin" />
  <user name="testuser" password="password1" roles="fedoraUser" />
  <user name="adminuser" password="password2" roles="fedoraUser" />
  <user name="fedoraAdmin" password="secret3fedoraAdmin" roles="fedoraAdmin" />
</tomcat-users>
```
...