Richard,
I believe (though I haven't ever tested this out) that you'll need to
modify the fedora/WEB-INF/web.xml file in your webapp container to
specify the legacy filters (before AuthFilterJAAS, in this order):
<filter>
  <filter-name>SetupFilter</filter-name>
  <filter-class>org.fcrepo.server.security.servletfilters.FilterSetup</filter-class>
</filter>
<filter>
  <filter-name>XmlUserfileFilter</filter-name>
  <filter-class>org.fcrepo.server.security.servletfilters.xmluserfile.FilterXmlUserfile</filter-class>
</filter>
<filter>
  <filter-name>RestApiAuthnFilter</filter-name>
  <filter-class>org.fcrepo.server.security.servletfilters.FilterRestApiAuthn</filter-class>
</filter>
<filter>
  <filter-name>RestApiFlashFilter</filter-name>
  <filter-class>org.fcrepo.server.security.servletfilters.FilterRestApiFlash</filter-class>
</filter>
<filter>
  <filter-name>EnforceAuthnFilter</filter-name>
  <filter-class>org.fcrepo.server.security.servletfilters.FilterEnforceAuthn</filter-class>
</filter>
<filter>
  <filter-name>FinalizeFilter</filter-name>
  <filter-class>org.fcrepo.server.security.servletfilters.FilterFinalize</filter-class>
</filter>
And then you'll need to enable XACML authentication in fedora.fcfg:
<module role="org.fcrepo.server.security.Authorization"
        class="org.fcrepo.server.security.DefaultAuthorization">
  <comment>Builds and manages Fedora's authorization structure.</comment>
  <param name="REPOSITORY-POLICIES-DIRECTORY"
         value="data/fedora/fedora-xacml-policies/repository-policies"
         isFilePath="true"/>
  <param name="REPOSITORY-POLICY-GUITOOL-POLICIES-DIRECTORY"
         value="/data/fedora/fedora-xacml-policies/repository-policies-generated-by-policyguitool"
         isFilePath="true">
    <comment>This parameter is for future use.</comment>
  </param>
  <param name="XACML-COMBINING-ALGORITHM"
         value="com.sun.xacml.combine.OrderedDenyOverridesPolicyAlg"/>
  <param name="ENFORCE-MODE" value="enforce-policies"/>
  <!-- <param name="ENFORCE-MODE" value="permit-all-requests"/> -->
  <param name="POLICY-SCHEMA-PATH"
         value="xsd/cs-xacml-schema-policy-01.xsd"/>
  <param name="VALIDATE-REPOSITORY-POLICIES" value="true"/>
  <param name="VALIDATE-OBJECT-POLICIES-FROM-FILE" value="false"/>
  <param name="VALIDATE-OBJECT-POLICIES-FROM-DATASTREAM" value="false"/>
</module>
And I think (though I'm not sure) that you'll need to turn off backend
security, if it's turned on:
<module role="org.fcrepo.server.security.BackendSecurity"
        class="org.fcrepo.server.security.DefaultBackendSecurity">
  <comment>Description: Interface to the backend service security
    configuration. This module initializes backend service security
    information in the server by parsing the beSecurity configuration file.
    This file is located in the distribution in
    $FEDORA_HOME/dist/server/config/beSecurity.xml. The configuration file
    is read once at server startup.</comment>
  <param name="beSecurity_validation" value="false">
    <comment>Controls whether beSecurity config file is validated
      against the beSecurityDescription schema. The default is "false".
      Valid values are "true" or "false".</comment>
  </param>
And that should get you to a legacy state.
Note that if you have
<param name="ENFORCE-MODE" value="enforce-policies"/>
set, more than likely you'll need to override some of the default policies:
https://wiki.duraspace.org/display/FEDORA34/XACML+Policy+Enforcement#XACMLPolicyEnforcement-DEFAULTPOLICIES
Note: I haven't tried rolling back to legacy authentication before, so
your mileage may vary. You may want to copy your current Fedora
installation to another directory or host, then play with it there.
-- Scott
On 04/29/2013 10:44 AM, Richard Shrake wrote:
> Scott, that's correct. I have seen lots of guidance on disabling FESL
> authorization, but none on authentication. We're running 3.4.2.
>
> Thanks.
>
>
> On Mon, Apr 29, 2013 at 11:32 AM, Scott Prater wrote:
>
> Richard,
>
> Just to confirm: you want to disable FeSL authentication, not FeSL
> authorization, correct?
>
> What version of Fedora are you running?
>
> -- Scott
>
> _______________________________________________
> Fedora-commons-users mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/fedora-commons-users
>
--
Scott Prater
Shared Development Group
General Library System
University of Wisconsin - Madison
[email protected]
5-5415
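
A check for the web.xml step described in the message above, as an added example that is not part of the original post or of Fedora's own code. A servlet container builds the filter chain from the order of the <filter-mapping> elements, so the script verifies that each legacy filter is both declared and mapped, and that the mappings follow the order given above and precede AuthFilterJAAS. The sample web.xml is constructed (placeholder class names and url-pattern), and the check assumes one url-pattern mapping per filter.

```python
import xml.etree.ElementTree as ET

# Filter names in the order given in the message above.
LEGACY_ORDER = ["SetupFilter", "XmlUserfileFilter", "RestApiAuthnFilter",
                "RestApiFlashFilter", "EnforceAuthnFilter", "FinalizeFilter"]

def local(tag):
    """Drop any '{namespace}' prefix so the check works with or without xmlns."""
    return tag.rsplit("}", 1)[-1]

def names(root, kind):
    """filter-name of every <filter> or <filter-mapping>, in document order."""
    out = []
    for elem in root:
        if local(elem.tag) == kind:
            out += [(c.text or "").strip() for c in elem
                    if local(c.tag) == "filter-name"]
    return out

def check_web_xml(xml_text):
    """Return a list of problems with the legacy filter chain; empty means OK."""
    root = ET.fromstring(xml_text)
    declared, mapped = names(root, "filter"), names(root, "filter-mapping")
    problems = []
    for name in LEGACY_ORDER:
        if name not in declared:
            problems.append(f"{name}: no <filter> declaration")
        elif name not in mapped:
            problems.append(f"{name}: declared but has no <filter-mapping>")
    pos = [mapped.index(n) for n in LEGACY_ORDER if n in mapped]
    if pos != sorted(pos):
        problems.append("legacy filter-mappings are out of order")
    if "AuthFilterJAAS" in mapped and pos and mapped.index("AuthFilterJAAS") < max(pos):
        problems.append("AuthFilterJAAS is mapped before a legacy filter")
    return problems

def build_web_xml(declared, mapped):
    """Constructed sample web.xml; class names and url-pattern are placeholders."""
    body = "".join(f"<filter><filter-name>{n}</filter-name>"
                   f"<filter-class>example.{n}</filter-class></filter>" for n in declared)
    body += "".join(f"<filter-mapping><filter-name>{n}</filter-name>"
                    f"<url-pattern>/*</url-pattern></filter-mapping>" for n in mapped)
    return f'<web-app xmlns="http://java.sun.com/xml/ns/j2ee">{body}</web-app>'

if __name__ == "__main__":
    everything = LEGACY_ORDER + ["AuthFilterJAAS"]
    print(check_web_xml(build_web_xml(everything, everything)))
    print(check_web_xml(build_web_xml(everything, ["AuthFilterJAAS"] + LEGACY_ORDER[:-1])))
```
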