
Fedora Principal Providers allow a Fedora repository to pull in user security and role designations from other sources (e.g. LDAP).

Principal Providers are implemented as servlet filters that are added to the Shiro filter chain between the initial authentication filter (ServletContainerAuthFilter) and the final authorization filter (WebACFilter).

Different derivatives of the PrincipalProvider class can be initialized differently, either through credential files, information sent via HTTP header, or by connecting to external information sources such as LDAP.

Configuration

Container Roles Principal Provider

ContainerRolesPrincipalProvider is a PrincipalProvider that obtains its set of principals from the container roles declared in web.xml.

  1. Enable this provider by setting the configuration property fcrepo.auth.principal.roles.enabled to true.
  2. Set fcrepo.auth.principal.roles.list to a comma-separated list of roles.
  3. Update the auth-constraint element in your web.xml to contain your custom roles.

For example, your fcrepo.properties file might look like this:

fcrepo.properties
fcrepo.auth.principal.roles.enabled=true
fcrepo.auth.principal.roles.list=fedoraUser,fedoraAdmin,tomcat-role-1,tomcat-role-2

And your web.xml would be updated to look like this:

web.xml
<web-app>
  ...
  <security-constraint>
    ...
    <auth-constraint>
      <role-name>fedoraUser</role-name>
      <role-name>fedoraAdmin</role-name>
      <role-name>tomcat-role-1</role-name>
      <role-name>tomcat-role-2</role-name>
    </auth-constraint>
  </security-constraint>
</web-app>

HTTP Header Principal Provider

HttpHeaderPrincipalProvider is a Principal Provider that obtains its initial set of principals from a configured HTTP request header, splitting the header value on the configured separator.

Spring bean configuration
<!-- Optional PrincipalProvider that will inspect the request header, "some-header", for user role values -->
<bean name="headerProvider" class="org.fcrepo.auth.common.HttpHeaderPrincipalProvider">
  <property name="headerName" value="some-header"/>
  <property name="separator" value=","/>
</bean>

Delegate Header Principal Provider

DelegateHeaderPrincipalProvider is a Principal Provider that uses the On-Behalf-Of HTTP header to switch the user principal to the principal given in the header. This switch is only performed if the authenticated user has the fedoraAdmin container role.

Spring bean configuration
<bean name="delegatedPrincipalProvider" class="org.fcrepo.auth.common.DelegateHeaderPrincipalProvider"/>
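The following is an added Python model (not Fedora's own Java code) of how the three providers on this page combine, using the fcrepo.properties values and the "some-header" bean shown above. It assumes the container-roles provider keeps only the configured roles the container actually granted, that header names are matched case-insensitively, and that the Request class stands in for the servlet request.

```python
from dataclasses import dataclass, field


@dataclass
class Request:
    """Constructed stand-in for an authenticated servlet request (not a Fedora type)."""
    user: str               # principal set by the container auth filter
    container_roles: set    # roles the servlet container granted via web.xml
    headers: dict = field(default_factory=dict)

    def header(self, name):
        # Assumption: header names are compared case-insensitively, as in HTTP.
        for key, value in self.headers.items():
            if key.lower() == name.lower():
                return value
        return None


def container_roles_principals(req, enabled, roles_list):
    """ContainerRolesPrincipalProvider: configured roles the container granted."""
    if not enabled:
        return set()
    wanted = {r.strip() for r in roles_list.split(",") if r.strip()}
    return req.container_roles & wanted


def http_header_principals(req, header_name, separator=","):
    """HttpHeaderPrincipalProvider: split the header value on the separator."""
    raw = req.header(header_name)
    if raw is None:
        return set()
    return {p.strip() for p in raw.split(separator) if p.strip()}


def delegate_header_principal(req):
    """DelegateHeaderPrincipalProvider: On-Behalf-Of honoured only for fedoraAdmin."""
    target = req.header("On-Behalf-Of")
    if target and target.strip() and "fedoraAdmin" in req.container_roles:
        return target.strip()
    return req.user


def effective_principals(req, config):
    """Return (user principal, all principals) after the providers have run."""
    user = delegate_header_principal(req)
    principals = {user}
    principals |= container_roles_principals(req, config["roles_enabled"], config["roles_list"])
    principals |= http_header_principals(req, config["header_name"], config["separator"])
    return user, principals


# Mirrors the fcrepo.properties and Spring bean values shown on this page.
CONFIG = {"roles_enabled": True, "header_name": "some-header", "separator": ",",
          "roles_list": "fedoraUser,fedoraAdmin,tomcat-role-1,tomcat-role-2"}
```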