Thanks very much. I'll give this a whirl. I appreciate the detailed
response!


On Mon, Apr 29, 2013 at 12:55 PM, Scott Prater <[email protected]> wrote:

> Richard,
>
> I believe (though I haven't ever tested this out) that you'll need to
> modify the fedora/WEB-INF/web.xml file in your webapp container to
> specify the legacy filters (before AuthFilterJAAS, in this order):
>
> <filter>
>   <filter-name>SetupFilter</filter-name>
>   <filter-class>org.fcrepo.server.security.servletfilters.FilterSetup</filter-class>
> </filter>
> <filter>
>   <filter-name>XmlUserfileFilter</filter-name>
>   <filter-class>org.fcrepo.server.security.servletfilters.xmluserfile.FilterXmlUserfile</filter-class>
> </filter>
> <filter>
>   <filter-name>RestApiAuthnFilter</filter-name>
>   <filter-class>org.fcrepo.server.security.servletfilters.FilterRestApiAuthn</filter-class>
> </filter>
> <filter>
>   <filter-name>RestApiFlashFilter</filter-name>
>   <filter-class>org.fcrepo.server.security.servletfilters.FilterRestApiFlash</filter-class>
> </filter>
> <filter>
>   <filter-name>EnforceAuthnFilter</filter-name>
>   <filter-class>org.fcrepo.server.security.servletfilters.FilterEnforceAuthn</filter-class>
> </filter>
> <filter>
>   <filter-name>FinalizeFilter</filter-name>
>   <filter-class>org.fcrepo.server.security.servletfilters.FilterFinalize</filter-class>
> </filter>
>
> And then you'll need to enable the XACML authentication in fedora.fcfg:
>
> <module role="org.fcrepo.server.security.Authorization"
>         class="org.fcrepo.server.security.DefaultAuthorization">
>   <comment>Builds and manages Fedora's authorization structure.</comment>
>   <param name="REPOSITORY-POLICIES-DIRECTORY"
>          value="data/fedora/fedora-xacml-policies/repository-policies"
>          isFilePath="true"/>
>   <param name="REPOSITORY-POLICY-GUITOOL-POLICIES-DIRECTORY"
>          value="/data/fedora/fedora-xacml-policies/repository-policies-generated-by-policyguitool"
>          isFilePath="true">
>     <comment>This parameter is for future use.</comment>
>   </param>
>   <param name="XACML-COMBINING-ALGORITHM"
>          value="com.sun.xacml.combine.OrderedDenyOverridesPolicyAlg"/>
>   <param name="ENFORCE-MODE" value="enforce-policies"/>
>   <!-- <param name="ENFORCE-MODE" value="permit-all-requests"/> -->
>   <param name="POLICY-SCHEMA-PATH" value="xsd/cs-xacml-schema-policy-01.xsd"/>
>   <param name="VALIDATE-REPOSITORY-POLICIES" value="true"/>
>   <param name="VALIDATE-OBJECT-POLICIES-FROM-FILE" value="false"/>
>   <param name="VALIDATE-OBJECT-POLICIES-FROM-DATASTREAM" value="false"/>
> </module>
>
> And I think (though I'm not sure) that you'll need to turn off backend
> security, if it's turned on:
>
> <module role="org.fcrepo.server.security.BackendSecurity"
>         class="org.fcrepo.server.security.DefaultBackendSecurity">
>   <comment>Description: Interface to the backend service security
>     configuration. This module initializes backend service security
>     information in the server by parsing the beSecurity configuration file.
>     This file is located in the distribution in
>     $FEDORA_HOME/dist/server/config/beSecurity.xml. The configuration file
>     is read once at server startup.</comment>
>   <param name="beSecurity_validation" value="false">
>     <comment>Controls whether beSecurity config file is validated
>       against the beSecurityDescription schema. The default is
>       &quot;false&quot;. Valid values are &quot;true&quot; or
>       &quot;false&quot;.</comment>
>   </param>
>
> And that should get you to a legacy state.
>
> Note that if you have
>
> <param name="ENFORCE-MODE" value="enforce-policies"/>
>
> set, more than likely you'll need to override some of the default policies:
>
>
> https://wiki.duraspace.org/display/FEDORA34/XACML+Policy+Enforcement#XACMLPolicyEnforcement-DEFAULTPOLICIES
>
> Note:  I haven't tried rolling back to legacy authentication before, so
> your mileage may vary.  You may want to copy your current Fedora
> installation to another directory or host, then play with it there.
>
> -- Scott
>
> On 04/29/2013 10:44 AM, Richard Shrake wrote:
> > Scott, that's correct. I have seen lots of guidance on disabling FESL
> > authorization, but none on authentication. We're running 3.4.2.
> >
> > Thanks.
> >
> >
> > On Mon, Apr 29, 2013 at 11:32 AM, Scott Prater <[email protected]> wrote:
> >
> >     Richard,
> >
> >     Just to confirm:  you want to disable FeSL authentication, not FeSL
> >     authorization, correct?
> >
> >     What version of Fedora are you running?
> >
> >     -- Scott
> >
> >
> > _______________________________________________
> > Fedora-commons-users mailing list
> > [email protected]
> > https://lists.sourceforge.net/lists/listinfo/fedora-commons-users
> >
>
>
> --
> Scott Prater
> Shared Development Group
> General Library System
> University of Wisconsin - Madison
> [email protected]
> 5-5415



-- 
Richard Shrake
Associate Librarian for Technical Services
American Philosophical Society
105 South Fifth Street
Philadelphia, PA  19106-3386
Tel. (215) 440-3409
[email protected]
Main Library number: (215)440-3400
APS website:  www.amphilsoc.org
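
An added example, not part of the original thread and not Fedora's own code: a Python check that a `web.xml` declares the six legacy filters from the quoted message with the listed classes, in that order and ahead of `AuthFilterJAAS`, plus a reader for `ENFORCE-MODE` in `fedora.fcfg`. The `sample_web_xml` helper and its `AuthFilterJAAS` class name are constructed placeholders; the mapping check is an addition based on the fact that a servlet container only invokes filters that have a `<filter-mapping>`.

```python
import xml.etree.ElementTree as ET

PKG = "org.fcrepo.server.security.servletfilters."
# Filter names and classes, in the order given in the quoted message.
LEGACY = [(n, PKG + c) for n, c in [
    ("SetupFilter", "FilterSetup"), ("XmlUserfileFilter", "xmluserfile.FilterXmlUserfile"),
    ("RestApiAuthnFilter", "FilterRestApiAuthn"), ("RestApiFlashFilter", "FilterRestApiFlash"),
    ("EnforceAuthnFilter", "FilterEnforceAuthn"), ("FinalizeFilter", "FilterFinalize")]]

def _local(tag):
    return tag.rsplit("}", 1)[-1]  # drop an XML namespace, if the descriptor uses one
def _field(elem, name):
    return next(((c.text or "").strip() for c in elem if _local(c.tag) == name), "")

def check_web_xml(xml_text):
    """Return a list of problems with the legacy filter declarations."""
    root = ET.fromstring(xml_text)
    filters = [(_field(e, "filter-name"), _field(e, "filter-class"))
               for e in root if _local(e.tag) == "filter"]
    mapped = {_field(e, "filter-name") for e in root if _local(e.tag) == "filter-mapping"}
    names = [n for n, _ in filters]
    problems, positions = [], []
    for name, cls in LEGACY:
        if (name, cls) not in filters:
            problems.append(f"{name}: not declared with class {cls}")
            continue
        positions.append(names.index(name))
        if name not in mapped:  # a filter without a mapping is never invoked
            problems.append(f"{name}: declared but has no <filter-mapping>")
    if positions != sorted(positions):
        problems.append("legacy filters are not in the listed order")
    if "AuthFilterJAAS" in names and any(p > names.index("AuthFilterJAAS") for p in positions):
        problems.append("a legacy filter is declared after AuthFilterJAAS")
    return problems

def enforce_mode(fcfg_text):
    """Return ENFORCE-MODE from the Authorization module of fedora.fcfg, or None."""
    role = "org.fcrepo.server.security.Authorization"
    for mod in ET.fromstring(fcfg_text).iter():
        if _local(mod.tag) == "module" and mod.get("role") == role:
            return next((p.get("value") for p in mod if p.get("name") == "ENFORCE-MODE"), None)
    return None

def sample_web_xml(names):
    """Constructed sample descriptor that declares and maps the given filters."""
    cls = dict(LEGACY, AuthFilterJAAS="example.placeholder.JaasFilter")  # placeholder class
    decl = "<filter><filter-name>{0}</filter-name><filter-class>{1}</filter-class></filter>"
    fmap = "<filter-mapping><filter-name>{0}</filter-name><url-pattern>/*</url-pattern></filter-mapping>"
    return ("<web-app>" + "".join(decl.format(n, cls[n]) for n in names)
            + "".join(fmap.format(n) for n in names) + "</web-app>")
```

An `enforce_mode` result of `permit-all-requests` means the commented-out alternative in the quoted `fedora.fcfg` is active and XACML policies are not being enforced.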