Old Release

This documentation covers an old version of Fedora. Looking for another version? See all documentation.

You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 15 Next »

This feature is available in the Fedora 4 Alpha 2 release.

The Fedora Policy Enforcement Point Extension (PEP extension) allows you to implement one interface to enforce access control over your Fedora repository. This interface, the FedoraPolicyEnforcementPoint, has callbacks that allow you to restrict ModeShape operations and filter search results. After following these configuration steps, Fedora's REST endpoints will respond with 403 response codes when the requested action is unauthorized by the PEP.

Note: Use of a PEP and Fedora-specific authorization is optional. You can also configure Fedora to run without API security. You may want to only enforce container authentication or leave the service running completely unsecured, behind a firewall for instance. For details, see How to configure Fedora without authorization.

Fedora Administrators (fedoraAdmin user role)

The PEP is not consulted when servlet credentials identify a client with the fedoraAdmin role. When the container has authenticated the connected client as a fedoraAdmin, all actions are permitted and we bypass the PEP completely.

PEP Implementions

The PEP is an extension point for which there are several reference implementations available:

  • Basic Role-based PEP - A PEP that operates on three fixed roles that may be assigned throughout the repository tree. (reader, writer, admin)
  • Local XACML PEP - Enforces a set of XACML policies stored in the repository and linked to the repository tree. XACML engine is within the ModeShape JVM.
  • Local XACML Role-based PEP - Same as above, but includes support for arbitrary role assignment in the repository tree.

You also have the option of creating your own PEP implementation and performing security checks differently, possibly including calls to remote services. For guidelines on implementing the PEP extension point, please see How to implement a Fedora Policy Enforcement Point (PEP).

Step-by-step:

  1. Open the repo.xml file in your Fedora web application.
  2. Add your PEP implementation as a bean in this file and give it the id of "pep". Your PEP bean may include more specific configuration details than the example.
  3. Now add the Fedora ModeShape Authentication Provider bean. (see repo.xml example)
  4. Make sure that your modeshapeRepofactory bean has the depends-on attribute pointing at the authenticationProvider (see repo.xml example).
  5. Open your repository.json file.
  6. Add org.fcrepo.auth.ServletContainerAuthenticationProvider as a provider in the security section. (see repository.json example)

Example repo.xml (repository and security beans)

<bean name="modeshapeRepofactory" class="org.fcrepo.kernel.spring.ModeShapeRepositoryFactoryBean"
  depends-on="authenticationProvider">
    <property name="repositoryConfiguration" value="${fcrepo.modeshape.configuration:repository.json}" />
</bean>
<bean name="pep" class="your.own.implementation.PEP"/>
<bean name="authenticationProvider" class="org.fcrepo.auth.ServletContainerAuthenticationProvider">
  <property name="pep" ref="pep"/>
</bean>

Example repository.json (security section)

"security" : {
  "anonymous" : {
    "roles" : ["readonly","readwrite","admin"],
    "useOnFailedLogin" : false
  },
  "providers" : [
    { "classname" : "org.fcrepo.auth.ServletContainerAuthenticationProvider" }
  ]
},
  • No labels

All content on the LYRASIS Wiki is licensed under the CC BY (Attribution) license, unless otherwise noted.