Hello!
I have been researching the Islandora Drupal Filter and have found out
that it explicitly only takes roles from Drupal and passes them on to
Fedora, along with the username trying to log in. This is in some
cases not enough information to authorize users to specific data
through FeSL or the old XACML.
I have modified the Islandora Drupal Filter to take more information
and pass it on to Fedora, which is determined from the columns fetched
through filter-drupal.xml. It takes all columns apart from userid,
password and name, since they are already set, and creates attributes
with values determined by the column label.
I have added my modified source here:
https://github.com/Cheesebaron/Islandora_Drupal_Filter
Reproduction steps (Fedora installation is a prerequisite, I used it
with FeSL):
*1. Add the following lines to fedora-auth {...} in the file $FEDORA_HOME/server/config/jaas.conf:*
ca.upei.roblib.fedora.servletfilter.DrupalAuthModule required
debug=true;
The section should now look like this:
fedora-auth
{
org.fcrepo.server.security.jaas.auth.module.XmlUsersFileModule
required
debug=true;
ca.upei.roblib.fedora.servletfilter.DrupalAuthModule required
debug=true;
};
*2: Enable the servlet filter by creating a file filter-drupal.xml in $FEDORA_HOME/server/config*
Use the filter-drupal.xml file provided, or use mine as an example.
Make sure you have the same profile_fields as I have, or the SQL query
won't work.
*3: Make sure you have a MySQL connector for Tomcat; if not, get it here:*
http://dev.mysql.com/downloads/connector/j/
Place it in $CATALINA_HOME/webapps/fedora/WEB-INF/lib
*4: Pull my code from git and compile it*
mvn install
Then place the generated jar file from target in $CATALINA_HOME/webapps/fedora/WEB-INF/lib
If maven complains about pom files which it is not able to locate, you
might have to compile the entire fcrepo and generate generic pom
files, which is done like this:
Instructions on compiling fcrepo are found here:
https://github.com/fcrepo/fcrepo/blob/master/README
Generating generic pom files is done like this:
mvn install:install-file -Dfile=<path/to/jar> -DgroupId=your.groupId -DartifactId=your-artifactId -Dversion=version -Dpackaging=jar -DgeneratePom=true
Now you should be able to compile my code. Put the generated .jar file
from target in: $CATALINA_HOME/webapps/fedora/WEB-INF/lib
To see which attributes a user has, authenticate against Fedora with
your Drupal username and the password hash value from the database. I
did it by going to /fedora/object and pressing search. Then going to
/fedora/user lets you show the authenticated user's attributes.
With the filter-drupal.xml file supplied with my modified source code
this is the result:
<user id="KED">
<attribute name="Host"/>
<attribute name="role">
<value>administrator</value>
<value>authenticated user</value>
<value>local editor</value>
</attribute>
<attribute name="fedoraRole">
<value>administrator</value>
<value>authenticated user</value>
<value>local editor</value>
</attribute>
<attribute name="Orgid">
<value>200</value>
</attribute>
</user>
The attribute names will use the label provided in filter-drupal.xml.
The implementation is limited in that ALL names must have
a label.
I hope this will be useful to someone, or maybe you might consider
merging it upstream as it might be useful to other people using Drupal
along with Fedora who want to authorize against additional attributes.
--
Best regards
Tomasz Cielecki
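
The column-to-attribute mapping described in the post, as an added Java sketch that is not taken from the Islandora_Drupal_Filter source. The class and method names, the case-insensitive match on the skipped columns, the handling of NULL values and the sample rows are assumptions made for illustration; each row is modelled as a map keyed by column label instead of a live JDBC ResultSet.

```java
import java.util.*;

// Added illustration; hypothetical class, not code from Islandora_Drupal_Filter.
public class ColumnAttributeSketch {
    // Columns the post says are skipped because they are already set.
    static final Set<String> RESERVED = Set.of("userid", "password", "name");

    // rows: one map per SQL result row, keyed by column label.
    static Map<String, Set<String>> toAttributes(List<Map<String, String>> rows) {
        Map<String, Set<String>> attrs = new LinkedHashMap<>();
        for (Map<String, String> row : rows) {
            for (Map.Entry<String, String> col : row.entrySet()) {
                String label = col.getKey();
                // The post's stated limitation: every column must have a label.
                if (label == null || label.isBlank()) {
                    throw new IllegalArgumentException("column without a label");
                }
                // Skipped (already set); this also keeps the password hash
                // out of the attribute set. Case-insensitivity is assumed here.
                if (RESERVED.contains(label.toLowerCase(Locale.ROOT))) {
                    continue;
                }
                // A join on roles returns one row per role, so values for the
                // same label are collected into a set instead of overwritten.
                Set<String> values = attrs.computeIfAbsent(label, k -> new LinkedHashSet<>());
                // SQL NULL gives an attribute with no values (a choice of this sketch).
                if (col.getValue() != null) {
                    values.add(col.getValue());
                }
            }
        }
        return attrs;
    }

    // Builds one constructed result row; column labels are sample values.
    static Map<String, String> row(String name, String hash, String role, String org) {
        Map<String, String> r = new LinkedHashMap<>();
        r.put("userid", "1");
        r.put("name", name);
        r.put("password", hash);
        r.put("role", role);
        r.put("Orgid", org);
        return r;
    }

    public static void main(String[] args) {
        // Constructed sample data: the same user appears once per role.
        List<Map<String, String>> rows = List.of(
            row("KED", "<hash>", "administrator", "200"),
            row("KED", "<hash>", "local editor", "200"));
        System.out.println(toAttributes(rows));
    }
}
```

Every label that is not skipped becomes an attribute visible to FeSL or XACML policies, so the SQL query in filter-drupal.xml should select only the columns that are meant to drive authorization decisions.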