...

Fedora uses two container roles to determine its authorization behavior. The superuser role is fedoraAdmin. Users with this role are not subject to any further authorization checks, and thus can perform any operations on the repository. This is comparable to the fedoraAdmin superuser role in Fedora 3, used for Fedora 3 API-M operations. The regular user role is fedoraUser. Users with this role are subject to authorization checks by the Web Access Control system. The exact permissions any regular user has are determined per request by looking at the effective ACL of the requested resource, the requesting user's security principals, and the nature of the request (HTTP method, content-type, etc.).

...
Note
The auth-constraint element in web.xml must list the roles you assign to your users (fedoraUser and fedoraAdmin; see the Jetty and Tomcat sections below). A user who authenticates but holds none of the roles in the auth-constraint is refused by the container with a 403 before any Web Access Control check runs.

If you are using the Fedora war, auth is enabled by default, and no changes to the web.xml are needed.

If you are using the Jetty one-click jar, auth is disabled by default, and you will need to provide a new web.xml file to Jetty. To do this:

  1. Create a copy of this web.xml
  2. Override the default web.xml by adding a descriptor tag to your jetty.xml. For example:

jetty.xml:
<!DOCTYPE Configure PUBLIC "-//Jetty//Configure//EN" "http://www.eclipse.org/jetty/configure_9_0.dtd">
<Configure class="org.eclipse.jetty.webapp.WebAppContext">
  <Set name="contextPath">/</Set>
  <!-- Path to your copy of web.xml with the security constraint enabled -->
  <Set name="descriptor">/path/to/new/web.xml</Set>
</Configure>

Configure your web application container

Jetty

  • Create your jetty-users.properties file. This file contains entries in the format username: password [, role, ...], where
    • username is the user's login id (the principal)
    • password is the user's password
    • role is the servlet role they are assigned upon login; Jetty allows you to specify any number of roles (or no role at all).
  • Sample jetty-users.properties file that contains three users, two of whom are regular users, and the third of whom (fedoraAdmin) is a Fedora superuser:
jetty-users.properties:
testuser: password1,fedoraUser
adminuser: password2,fedoraUser
fedoraAdmin: secret3,fedoraAdmin
  • Replace the sample passwords before deploying. Jetty's HashLoginService keeps a password exactly as written unless it carries an OBF:, MD5: or CRYPT: prefix, so the values above are stored in plaintext; the org.eclipse.jetty.util.security.Password utility produces the prefixed forms.
  • Configure your Jetty login realm.
    • Standalone: Modify the Jetty context XML for the Fedora webapp (for example $JETTY_BASE/webapp/fcrepo.xml) to configure the login realm and point it at the jetty-users.properties file. The name given to the login service is the realm name; keep it consistent with the realm-name in the web.xml login-config:

      jetty.xml login service:
      <Configure class="org.eclipse.jetty.webapp.WebAppContext">

        <!-- Set this to the webapp root of your Fedora 4 repository -->
        <Set name="contextPath">/</Set>
        <!-- Set this to the path of the fcrepo WAR file -->
        <Set name="war"><SystemProperty name="jetty.base" default="."/>/webapps/fcrepo.war</Set>

        <Get name="securityHandler">
          <Set name="loginService">
            <New class="org.eclipse.jetty.security.HashLoginService">
              <!-- Realm name; keep it consistent with realm-name in web.xml -->
              <Set name="name">fcrepo</Set>
              <!-- Set this to the path to your jetty-users.properties file -->
              <Set name="config"><SystemProperty name="jetty.base" default="."/>/etc/jetty-users.properties</Set>
            </New>
          </Set>
        </Get>

      </Configure>

    • Embedded in Maven: The fcrepo-webapp Maven project includes jetty-maven-plugin. The property jetty.users.file sets the location of the jetty-users.properties file. Run the fcrepo-webapp server with the following system property:

...

  • Create or edit your $CATALINA_HOME/conf/tomcat-users.xml file.  It has entries of the form
     <user name="principal" password="password" roles="role1, role2, ..." />

    where:

    • name is the user's login id (the principal)
    • password is the user's password
    • roles are the servlet roles they are assigned upon login;  tomcat allows you to specify any number of roles (or no role at all).

    Sample tomcat-users.xml file that contains three users, two of whom are regular users, and the third of whom (fedoraAdmin) is a Fedora superuser:

    tomcat-users.xml:
    <tomcat-users>
      <role rolename="fedoraUser" />
      <role rolename="fedoraAdmin" />
      <user name="testuser" password="password1" roles="fedoraUser" />
      <user name="adminuser" password="password2" roles="fedoraUser" />
      <user name="fedoraAdmin" password="secret3" roles="fedoraAdmin" />
    </tomcat-users>

    Replace the sample passwords before deploying. Tomcat compares these values as stored, so they remain plaintext unless the realm is configured with a CredentialHandler and the file holds digested passwords (for example the output of $CATALINA_HOME/bin/digest.sh).
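Because the servlet container, not Fedora, decides first whether a login carries one of the roles in the auth-constraint, it is worth checking the users file against web.xml before deploying. The following script is an added example and is not part of the Fedora documentation or code base. It parses the three files shown in this section (jetty-users.properties, tomcat-users.xml and the auth-constraint of web.xml), all with constructed sample content, and reports users who will be refused with 403, users holding fedoraAdmin (who bypass WebAC whatever else they hold), and, for Jetty, passwords left in plaintext. User names, passwords and file contents are constructed; the MD5: value is built with the prefix form Jetty's HashLoginService accepts.

```python
"""Audit container user files against the roles Fedora 4 expects.

Added example, not part of the Fedora documentation or code base.
Every input below is a constructed sample, not a real deployment.
"""
import hashlib
import re
import xml.etree.ElementTree as ET

SUPERUSER_ROLE = "fedoraAdmin"                      # bypasses WebAC entirely
JETTY_HASH_PREFIXES = ("OBF:", "MD5:", "CRYPT:")   # non-plaintext forms HashLoginService accepts

# Jetty's MD5 credential form is "MD5:" followed by the lowercase hex digest.
ADMIN_MD5 = "MD5:" + hashlib.md5(b"secret3").hexdigest()

# Constructed sample files: 'curator' has no Fedora role, 'mixed' has both.
JETTY_USERS = f"""\
# username: password[,role,...]
testuser: password1,fedoraUser
adminuser: password2,fedoraUser
fedoraAdmin: {ADMIN_MD5},fedoraAdmin
curator: password4
mixed: password5,fedoraUser,fedoraAdmin
"""

TOMCAT_USERS = """\
<tomcat-users>
  <role rolename="fedoraUser" />
  <role rolename="fedoraAdmin" />
  <user name="testuser" password="password1" roles="fedoraUser" />
  <user username="auditor" password="password3" roles="manager-gui" />
  <user name="fedoraAdmin" password="secret3" roles="fedoraAdmin" />
</tomcat-users>
"""

WEB_XML = """\
<web-app xmlns="http://java.sun.com/xml/ns/javaee">
  <security-constraint>
    <web-resource-collection><url-pattern>/*</url-pattern></web-resource-collection>
    <auth-constraint><role-name>fedoraUser</role-name><role-name>fedoraAdmin</role-name></auth-constraint>
  </security-constraint>
  <login-config><auth-method>BASIC</auth-method><realm-name>fcrepo</realm-name></login-config>
</web-app>
"""


def parse_jetty_users(text):
    """Return {username: (password, [roles])} from jetty-users.properties text."""
    users = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # Jetty accepts 'user: pw,role' and 'user=pw,role'; only the first
        # separator ends the username, so a password itself may contain ':'.
        m = re.match(r"^([^:=\s]+)\s*[:=]\s*(.*)$", line)
        if not m:
            raise ValueError(f"unparseable line: {raw!r}")
        fields = [f.strip() for f in m.group(2).split(",")]
        users[m.group(1)] = (fields[0], [r for r in fields[1:] if r])
    return users


def parse_tomcat_users(text):
    """Return {username: (password, [roles])} from tomcat-users.xml text."""
    users = {}
    for u in ET.fromstring(text).iter("user"):
        name = u.get("username") or u.get("name")   # Tomcat accepts either attribute
        roles = [r.strip() for r in (u.get("roles") or "").split(",") if r.strip()]
        users[name] = (u.get("password", ""), roles)
    return users


def auth_constraint_roles(text):
    """Roles named inside any <auth-constraint> of a web.xml (namespace-agnostic)."""
    roles = set()
    for el in ET.fromstring(text).iter():
        if el.tag.endswith("auth-constraint"):
            roles.update(rn.text.strip() for rn in el.iter() if rn.tag.endswith("role-name"))
    return roles


def audit(users, allowed_roles, hashed_prefixes=()):
    """Return (username, finding) pairs; the container rules before WebAC does."""
    findings = []
    for name, (password, roles) in sorted(users.items()):
        if not any(r in allowed_roles for r in roles):
            findings.append((name, "no role in auth-constraint: authenticates but gets 403"))
        if SUPERUSER_ROLE in roles and len(roles) > 1:
            findings.append((name, "holds fedoraAdmin: WebAC is bypassed despite other roles"))
        if hashed_prefixes and not password.startswith(hashed_prefixes):
            findings.append((name, "plaintext password in the users file"))
    return findings


def superusers(users):
    """Users who skip every WebAC check."""
    return sorted(n for n, (_, roles) in users.items() if SUPERUSER_ROLE in roles)


if __name__ == "__main__":
    allowed = auth_constraint_roles(WEB_XML)
    for label, users, prefixes in (("jetty", parse_jetty_users(JETTY_USERS), JETTY_HASH_PREFIXES),
                                   ("tomcat", parse_tomcat_users(TOMCAT_USERS), ())):
        print(label, "superusers:", superusers(users))
        for name, finding in audit(users, allowed, prefixes):
            print(f"  {name}: {finding}")
```

Point the parsers at your real files instead of the constructed strings; the plaintext check is only applied to Jetty because Tomcat's stored form depends on the realm's CredentialHandler rather than on a prefix in the file.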


...