...
Fedora 4 will intercept JCR operations in order to enforce policies that are based on the Fedora object model and other node characteristics. While a single Fedora API call may span several JCR operations, these will be joined by a JCR transaction (for now, simply a JCR Session) and may all fail together due to a permission or validity check.
Policies will be stored in the repository attached to or in some (likely hierarchical) relationship to the nodes that they govern. Many nodes may attach the same named policy.
A custom SecurityContext class can implement the existing AuthorizationProvider or AdvancedAuthorizationProvider interfaces to implement specialized security checks through the hasPermission method.
- Best for enforcement policies based on Fedora structures, i.e. policies govern CRUD on the nodes/properties of the Fedora object
- It's the JCR way, secures the JCR API as well
- More security checks, but less complexity (consider SPARQL update, for instance)
- Cannot block the whole Fedora API method before execution (but we have transactions?)
MODE-1920 AccessManager API
Principal Discovery
Principals used in ACLs
...
Fedora Admin Authorization Module
...