This documentation refers to an earlier version of Islandora. https://wiki.duraspace.org/display/ISLANDORA/Start is current.

1. Download the appropriate version of the Islandora Drupal Filter

Download the version of the Drupal Filter file that corresponds to your Fedora version, and copy it to $FEDORA_HOME/tomcat/webapps/fedora/WEB-INF/lib

Place the file in: 

$ wget https://github.com/Islandora/islandora_drupal_filter/releases/download/v7.1.3/fcrepo-drupalauthfilter-3.7.0.jar
$ cp -v fcrepo-drupalauthfilter-3.7.0.jar $FEDORA_HOME/tomcat/webapps/fedora/WEB-INF/lib

2. Make the Fedora Repository Aware of the New Filter

Navigate to $FEDORA_HOME/server/config and open the file jaas.conf in a text editor.
 
To allow the Drupal Servlet Filter to authenticate against Drupal’s database, replace the "fedora-auth" entry with the following lines that reference the DrupalServlet filters class files: 

fedora-auth
{
org.fcrepo.server.security.jaas.auth.module.XmlUsersFileModule required
debug=true;
ca.upei.roblib.fedora.servletfilter.DrupalAuthModule required
debug=true;
};

3. Configure the Drupal Servlet Filter

Create the file filter-drupal.xml in $FEDORA_HOME/server/config using the following text as a template (or download a sample file from https://raw.github.com/Islandora/islandora_drupal_filter/master/filter-drupal.xml), then modify the attributes of the <connection>  tag to match the server, port, database name, username and password of your site's Drupal database.

Fedora requires a separate <connection> entry for each connecting Drupal site.

 

The Drupal Filter does not currently escape the database url before attempting to connect to the Mysql database, which can cause problems if the user name or password has '%' symbol within it.


<?xml version="1.0" encoding="UTF-8"?>
<!--File to hold drupal connection info for the FilterDrupal servlet filter. For multisite drupal installs you can include multiple
connection elements.  We will query all the databases and assume any user in any drupal db with the same username and password are the same
user.  We will gather all roles for that user from all databases.  This is a potential security risk if a user in one drupal db has the same
username and password as another user in a separate drupaldb.  We are also assuming all drupal dbs to be mysql.  This file should be located
in the same directory as the fedora.cfcg file-->

<FilterDrupal_Connection>
  <connection server="localhost" dbname="[drupal_database]" user="[drupal_db_user]" password="[drupla_db_password]" port="3306">
    <sql>
                  <!--Different sql statement for each connection.  This is for drupal multisites that are setup using one database with
                  table prefixes.  We don't do this but some people might.-->
                  SELECT DISTINCT u.uid AS userid, u.name AS Name, u.pass AS Pass, r.name AS Role FROM (users u LEFT JOIN users_roles ON
                  u.uid=users_roles.uid) LEFT JOIN role r ON r.rid=users_roles.rid WHERE u.name=? AND u.pass=?;
    </sql>
  </connection>
</FilterDrupal_Connection>


If you use the Drupal servlet filter to connect to multiple Drupal databases there is potential for users with the same username in each database to access each others private objects. To avoid this, use the Drupal LDAP module. A Drupal multi-site environment utilizing the LDAP module for all sites ensures a unique username/site configuration.

4. Stop and Restart Fedora

This will enable the Drupal Servlet Filter.

$FEDORA_HOME/tomcat/bin/shutdown.sh

$FEDORA_HOME/tomcat/bin/startup.sh

5. Test the Drupal Servlet Filter

Islandora will test your Fedora connection for you. To verify that the servlet filter is working properly, go to the Islandora configuration page (admin/islandora/configure) and look for the green checkmark. A successful installation will look like this:

An unsuccessful installation will look like this:

If you see this error, there are two possible sources for the failure:

  • You do not have the correct fcrepo-drupalauthfilter-xxxx.jar
  • Your filter-drupal.xml is incorrect or missing
The islandora_drupal_filter passes the username of 'anonymous' through to Fedora for unauthenticated Drupal Users. A user with the name of 'anonymous' may have XACML policies applied to them that are meant to be applied to Drupal users that are not logged in or vice-versa. This is a potential security issue that can be plugged by creating a user named 'anonymous' and restricting access to the account.
  • No labels

For more information please visit https://islandora.ca