...
- Researchers control the policies on their own objects
- Distributed authentication and authorization
- University of North Carolina at Chapel Hill
- Unified Authorization
- Setting Individual Permissions
- Yale University
- Fedora managing access conditions
- Programmers use API for access condition support in external systems, e.g. Hydra
- Applications use API for updating access conditions stored in Fedora
- University of Wisconsin - Madison
- Islandora
- Hydra
- Avalon Media System
...
Container Authentication
User authentication is generally handled by the servlet container, e.g. Tomcat, JBoss AS, Jetty. Authenticated requests will arrive at Fedora servlets with non-null values for getRemoteUser() and getUserPrincipal().
Fedora users may have the following servlet container roles:
- fedoraAdmin - Grants superuser permissions to the Fedora repository. Bypasses the configured policy enforcement point (PEP).
- fedoraUser - The policy enforcement point (PEP) grants permissions on the basis of this authenticated user and the credentials on the request.
- fedoraProxy - The policy enforcement point (PEP, see authorization below) grants permissions on the basis of end-user security credentials that are forwarded via extended request headers.
Info: Implementations may configure the servlet container to employ any user authentication mechanism that meets specifications. This is container-specific, but usually includes JAAS, LDAP, CAS, Shibboleth, etc.
...
- In servlet container authentication, forwarding will require the container role of fedoraProxy.
- In OAuth token authentication, the token must include the scope "forwardCredentials".
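The servlet-container half of the rules above, as an added example that is not Fedora's own code: it shows how the three container roles decide whose identity reaches the PEP, and that forwarded credentials count only when the authenticated caller holds fedoraProxy. The header name, the `Mode` and `Decision` types, and the choice to reject a proxy request with no forwarded user or a caller with no Fedora role are assumptions made for the illustration.

```java
import java.util.Map;
import java.util.Set;
import java.util.function.Function;
import java.util.function.Predicate;

public class ContainerRoleDecision {
    // Hypothetical header name; the page does not name the extended request headers.
    static final String FORWARDED_USER_HEADER = "X-Example-Forwarded-User";

    enum Mode { REJECT, BYPASS_PEP, PEP_AS_CALLER, PEP_AS_FORWARDED }
    record Decision(Mode mode, String effectiveUser) {}

    // Stand-ins for HttpServletRequest: remoteUser = getRemoteUser(), inRole = request::isUserInRole,
    // header = request::getHeader. Passed as functions so the sketch runs without a container.
    static Decision decide(String remoteUser, Predicate<String> inRole,
                           Function<String, String> header) {
        if (remoteUser == null) {
            return new Decision(Mode.REJECT, null);            // container did not authenticate
        }
        if (inRole.test("fedoraAdmin")) {
            return new Decision(Mode.BYPASS_PEP, remoteUser);  // superuser: PEP is bypassed
        }
        if (inRole.test("fedoraProxy")) {
            String forwarded = header.apply(FORWARDED_USER_HEADER);
            // Assumption: a proxy with no forwarded end user has nobody to authorize.
            return (forwarded == null || forwarded.isBlank())
                    ? new Decision(Mode.REJECT, null)
                    : new Decision(Mode.PEP_AS_FORWARDED, forwarded);
        }
        if (inRole.test("fedoraUser")) {
            // The forwarding header is never read here: a non-proxy caller cannot speak for others.
            return new Decision(Mode.PEP_AS_CALLER, remoteUser);
        }
        return new Decision(Mode.REJECT, null);                // assumption: no Fedora role, no access
    }

    public static void main(String[] args) {
        Map<String, String> spoof = Map.of(FORWARDED_USER_HEADER, "alice"); // constructed input
        Map<String, String> none = Map.of();
        System.out.println(decide("bob", Set.of("fedoraUser")::contains, spoof::get));
        System.out.println(decide("portal", Set.of("fedoraProxy")::contains, spoof::get));
        System.out.println(decide("portal", Set.of("fedoraProxy")::contains, none::get));
        System.out.println(decide("root", Set.of("fedoraAdmin")::contains, spoof::get));
        System.out.println(decide(null, role -> false, spoof::get));
    }
}
```

The first call is the case to test in any deployment: a fedoraUser request carrying a forwarding header must still be authorized as the caller, not as the forwarded name.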
Establishing JCR Sessions
...