Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

Overview

Fedora Authorization Delegates allow you to implement one interface to enforce access control over your Fedora repository. This interface, FedoraAuthorizationDelegate, has callbacks that allow you to restrict ModeShape operations and filter search results. After following these configuration steps, Fedora's REST endpoints will respond with 403 response codes when the requested action is unauthorized by the authorization delegate.

Note

Use of an authorization delegate and Fedora-specific authorization is optional. You can also configure Fedora to run without API security. You may want to only enforce container authentication or leave the service running completely unsecured, behind a firewall for instance. For details, see How to configure Fedora without authorization.

Fedora Administrators (fedoraAdmin user role)

The authorization delegate is not consulted when servlet credentials identify a client with the fedoraAdmin role. When the container has authenticated the connected client as a fedoraAdmin, all actions are permitted and PEP is bypassed.

FedoraAuthorizationDelegate Implementations

There are two three reference implementations available: 

You can also create an authorization delegate implementation and perform security checks differently, possibly including calls to remote services.

...