...
Note: Use of a PEP and Fedora-specific authorization are options. You can also configure Fedora to run without API security. You may want to only enforcing container authentication or leave the service running completely unsecured, behind a firewall for instance. For details see How to configure Fedora without authorization.
Fedora Administrators (fedoraAdmin user role)
The PEP is not consulted when servlet credentials identify a client with the fedoraAdmin role. When the container has authenticated the connected client as a fedoraAdmin, all actions are permitted and we bypass the PEP completely.
PEP Implementions
The PEP is an extension point for which there are several reference implementations available:
...
You also have the option of creating your own PEP implementation and performing security checks differently, possibly including calls to remote services. For guidelines on implementing the PEP extension point, please see How to implement a Fedora Policy Enforcement Point (PEP).
Step-by-step:
- Open the repo.xml file in your Fedora web application.
- Add your PEP implementation as a bean in this file and give it the id of "pep". Your PEP bean may include more specific configuration details than the example.
- Now add the Fedora ModeShape Authorization Provider bean. (see repo.xml example)
- Make sure that your modeshapeRepofactory bean has the depends-on attribute pointing at the authenticationProvider (see repo.xml example).
- Open your repository.json file.
- Add org.fcrepo.auth.ServletContainerAuthenticationProvider as a provider in the security section. (see repository.json example)
Example repo.xml (repository and security beans)
<bean name="modeshapeRepofactory" class="org.fcrepo.kernel.spring.ModeShapeRepositoryFactoryBean" <bean name="pep" class="your.own.implementation.PEP"/> <bean name="authenticationProvider" class="org.fcrepo.auth.ServletContainerAuthenticationProvider"> |
|---|
Example repository.json (security section)
"security" : { |
|---|