Stefano Cossu
Director of Application Services, Collections
The Art Institute of Chicago
116 S. Michigan Ave.
Chicago, IL 60603
312-499-4026
<user username="testImgUser" password="******" roles="fedoraUser"/>
<user username="testAVUser" password="******" roles="fedoraUser"/>
$ curl -u admin:****** -H 'Content-type: application/json' --data-binary '{"fedoraUser" : ["reader", "writer"]}' http://localhost:8180/fcrepo/rest/test/testObjAccess/fcr:accessroles
and
$ curl -u testImgUser:****** http://localhost:8180/fcrepo/rest/test/testObjAccess
But testImgUser still can't access the resource. It looks like access policies can only be assigned to individual users, as per your example below.
Stefano Cossu
Director of Application Services, Collections
The Art Institute of Chicago
116 S. Michigan Ave.
Chicago, IL 60603
312-499-4026
Hi Stefano,
Just checking this now, sorry for the late response. I think it is currently implemented that you configure using the ServletContainerAuthenticationProvider as the authenticationProvider. You can then add users using the fcr:accessRoles endpoint to an object or place in the object hierarchy. If you set the fad to BasicRolesAuthorizationDelegate, it will try to match the user in your tomcat-users as a principal to the users you define via fcr:accessRoles on the object or object hierarchy. The BasicRolesAuthorizationDelegate then makes a decision based on whether the accessRoles principal is set to admin|reader|writer. Based on some recent changes to the ServletContainerAuthenticationProvider, I don't think it matters what the tomcat-users.xml role is, other than that it is not fedoraAdmin.
Someone please correct me if I'm mistaken.
-Eric
https://wiki.duraspace.org/display/FF/Authentication+and+Authorization#AuthenticationandAuthorization-AccessRolesModule
https://github.com/fcrepo4/fcrepo4/blob/master/fcrepo-auth-roles-basic/src/main/java/org/fcrepo/auth/roles/basic/BasicRolesAuthorizationDelegate.java
https://github.com/fcrepo4/fcrepo4/blob/master/fcrepo-auth-common/src/main/java/org/fcrepo/auth/common/ServletContainerAuthenticationProvider.java
On Tue, Jun 10, 2014 at 12:37 PM, Stefano Cossu <sco...@artic.edu> wrote:
Can somebody give me some pointers on how to add the roles I have defined in my tomcat-users.xml to my Fedora principals?
I see there is a ContainerRolesPrincipalProvider class in the code but currently roles appear to be ignored. I can only assign policies to users.
Do I have to include an explicit reference to this class somewhere in the configuration?
I set my repository.json and repo.xml according to https://wiki.duraspace.org/display/FF/Basic+Role-based+Authorization+Delegate
Thanks,
Stefano
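A simplified model of the principal matching discussed in this thread, added here as an example; it is not part of the original messages and is not Fedora's code. It shows why an fcr:accessroles assignment keyed by the container role name fedoraUser grants nothing when the request's only principal is the user name. The per-role action sets, the ancestor walk and all function names are assumptions made for illustration.

```python
# Simplified model of principal-to-role matching (assumption: NOT Fedora's
# implementation; the action sets per role are illustrative only).
ROLE_ACTIONS = {
    "reader": {"read"},
    "writer": {"read", "write"},
    "admin": {"read", "write", "manage_acl"},
}


def nearest_assignments(acls, path):
    """Return the assignments set on `path`, or on its closest ancestor."""
    parts = [p for p in path.split("/") if p]
    while True:
        node = "/" + "/".join(parts)
        if node in acls:
            return acls[node]
        if not parts:
            return {}  # nothing assigned anywhere on the way up: no roles
        parts.pop()


def is_permitted(acls, principals, path, action):
    """Permit only if one of the request's principals holds a suitable role."""
    assignments = nearest_assignments(acls, path)
    roles = {r for p in principals for r in assignments.get(p, [])}
    return any(action in ROLE_ACTIONS.get(r, set()) for r in roles)


# Constructed data mirroring the thread. The first assignment is keyed by the
# container role name, the second by an individual user name.
ACL_BY_ROLE = {"/test/testObjAccess": {"fedoraUser": ["reader", "writer"]}}
ACL_BY_USER = {"/test/testObjAccess": {"testImgUser": ["reader"]}}

USER_ONLY = {"testImgUser"}                    # user name is the only principal
USER_AND_ROLE = {"testImgUser", "fedoraUser"}  # hypothetical: role is a principal too

if __name__ == "__main__":
    target = "/test/testObjAccess/child"
    for label, acl, principals in [
        ("role-keyed ACL, user principal only", ACL_BY_ROLE, USER_ONLY),
        ("role-keyed ACL, role also a principal", ACL_BY_ROLE, USER_AND_ROLE),
        ("user-keyed ACL, user principal only", ACL_BY_USER, USER_ONLY),
    ]:
        print(label, "->", is_permitted(acl, principals, target, "read"))
```

When debugging a denied request, compare the keys in the object's role assignment against the principals the request actually carries; a key that matches no principal is silently inert.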