I encountered a problem in that there was no <filter-mapping> element for
the filters starting with XmlUserfileFilter in my web.xml - the
documentation for configuring the web.xml in Islandora indicates that this
should exist. Can I just add those elements or will that mess up some other
stuff?


On Mon, Apr 29, 2013 at 1:02 PM, Richard Shrake <[email protected]> wrote:

> Thanks very much. I'll give this a whirl. I appreciate the detailed
> response!
>
>
> On Mon, Apr 29, 2013 at 12:55 PM, Scott Prater <[email protected]> wrote:
>
>> Richard,
>>
>> I believe (though I haven't ever tested this out) that you'll need to
>> modify the fedora/WEB-INF/web.xml file in your webapp container to
>> specify the legacy filters (before AuthFilterJAAS, in this order):
>>
>> <filter>
>>   <filter-name>SetupFilter</filter-name>
>>   <filter-class>org.fcrepo.server.security.servletfilters.FilterSetup</filter-class>
>> </filter>
>> <filter>
>>   <filter-name>XmlUserfileFilter</filter-name>
>>   <filter-class>org.fcrepo.server.security.servletfilters.xmluserfile.FilterXmlUserfile</filter-class>
>> </filter>
>> <filter>
>>   <filter-name>RestApiAuthnFilter</filter-name>
>>   <filter-class>org.fcrepo.server.security.servletfilters.FilterRestApiAuthn</filter-class>
>> </filter>
>> <filter>
>>   <filter-name>RestApiFlashFilter</filter-name>
>>   <filter-class>org.fcrepo.server.security.servletfilters.FilterRestApiFlash</filter-class>
>> </filter>
>> <filter>
>>   <filter-name>EnforceAuthnFilter</filter-name>
>>   <filter-class>org.fcrepo.server.security.servletfilters.FilterEnforceAuthn</filter-class>
>> </filter>
>> <filter>
>>   <filter-name>FinalizeFilter</filter-name>
>>   <filter-class>org.fcrepo.server.security.servletfilters.FilterFinalize</filter-class>
>> </filter>
>>
>> And then you'll need to enable XACML authentication in fedora.fcfg:
>>
>> <module role="org.fcrepo.server.security.Authorization" class="org.fcrepo.server.security.DefaultAuthorization">
>>   <comment>Builds and manages Fedora's authorization structure.</comment>
>>   <param name="REPOSITORY-POLICIES-DIRECTORY" value="data/fedora/fedora-xacml-policies/repository-policies" isFilePath="true"/>
>>   <param name="REPOSITORY-POLICY-GUITOOL-POLICIES-DIRECTORY" value="/data/fedora/fedora-xacml-policies/repository-policies-generated-by-policyguitool" isFilePath="true">
>>     <comment>This parameter is for future use.</comment>
>>   </param>
>>   <param name="XACML-COMBINING-ALGORITHM" value="com.sun.xacml.combine.OrderedDenyOverridesPolicyAlg"/>
>>   <param name="ENFORCE-MODE" value="enforce-policies"/>
>>   <!-- <param name="ENFORCE-MODE" value="permit-all-requests"/> -->
>>   <param name="POLICY-SCHEMA-PATH" value="xsd/cs-xacml-schema-policy-01.xsd"/>
>>   <param name="VALIDATE-REPOSITORY-POLICIES" value="true"/>
>>   <param name="VALIDATE-OBJECT-POLICIES-FROM-FILE" value="false"/>
>>   <param name="VALIDATE-OBJECT-POLICIES-FROM-DATASTREAM" value="false"/>
>> </module>
>>
>> And I think (though I'm not sure) that you'll need to turn off backend
>> security, if it's turned on:
>>
>> <module role="org.fcrepo.server.security.BackendSecurity" class="org.fcrepo.server.security.DefaultBackendSecurity">
>>   <comment>Description: Interface to the backend service security
>>     configuration. This module initializes backend service security
>>     information in the server by parsing the beSecurity configuration file.
>>     This file is located in the distribution in
>>     $FEDORA_HOME/dist/server/config/beSecurity.xml. The configuration file
>>     is read once at server startup.</comment>
>>   <param name="beSecurity_validation" value="false">
>>     <comment>Controls whether beSecurity config file is validated
>>       against the beSecurityDescription schema. The default is
>>       &quot;false&quot;. Valid values are &quot;true&quot; or
>>       &quot;false&quot;.</comment>
>>   </param>
>>
>> And that should get you to a legacy state.
>>
>> Note that if you have
>>
>> <param name="ENFORCE-MODE" value="enforce-policies"/>
>>
>> set, more than likely you'll need to override some of the default
>> policies:
>>
>>
>> https://wiki.duraspace.org/display/FEDORA34/XACML+Policy+Enforcement#XACMLPolicyEnforcement-DEFAULTPOLICIES
>>
>> Note:  I haven't tried rolling back to legacy authentication before, so
>> your mileage may vary.  You may want to copy your current Fedora
>> installation to another directory or host, then play with it there.
>>
>> -- Scott
>>
>> On 04/29/2013 10:44 AM, Richard Shrake wrote:
>> > Scott, that's correct. I have seen lots of guidance on disabling FESL
>> > authorization, but none on authentication. We're running 3.4.2.
>> >
>> > Thanks.
>> >
>> >
>> > On Mon, Apr 29, 2013 at 11:32 AM, Scott Prater <[email protected]> wrote:
>> >
>> >     Richard,
>> >
>> >     Just to confirm:  you want to disable FeSL authentication, not FeSL
>> >     authorization, correct?
>> >
>> >     What version of Fedora are you running?
>> >
>> >     -- Scott
>>
>> --
>> Scott Prater
>> Shared Development Group
>> General Library System
>> University of Wisconsin - Madison
>> [email protected]
>> 5-5415
>>
>
>
>
> --
> Richard Shrake
> Associate Librarian for Technical Services
> American Philosophical Society
> 105 South Fifth Street
> Philadelphia, PA  19106-3386
> Tel. (215) 440-3409
> [email protected]
> Main Library number: (215)440-3400
> APS website:  www.amphilsoc.org
>



-- 
Richard Shrake
Associate Librarian for Technical Services
American Philosophical Society
105 South Fifth Street
Philadelphia, PA  19106-3386
Tel. (215) 440-3409
[email protected]
Main Library number: (215)440-3400
APS website:  www.amphilsoc.org
_______________________________________________
Fedora-commons-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/fedora-commons-users
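
Added example, not part of the original thread and not Fedora's own code: a `<filter>` declared in web.xml without a matching `<filter-mapping>` is never invoked by the servlet container, so this Python check lists declared-but-unmapped filters and verifies that the legacy filters are mapped in the order given in the quoted reply. The sample web.xml, its `/*` URL pattern, the placeholder filter classes and the function names are constructed for illustration; the order check assumes URL-pattern mappings only and uses each filter's first mapping.

```python
import xml.etree.ElementTree as ET

# Legacy filter names, in the order listed in the quoted reply above.
LEGACY_ORDER = ["SetupFilter", "XmlUserfileFilter", "RestApiAuthnFilter",
                "RestApiFlashFilter", "EnforceAuthnFilter", "FinalizeFilter"]

def _local(tag):
    """Drop the '{namespace}' prefix that web.xml schemas put on every tag."""
    return tag.rsplit("}", 1)[-1]

def _names(root, kind):
    """filter-name values of each <filter> or <filter-mapping>, in document order."""
    out = []
    for el in root:
        if _local(el.tag) == kind:
            out += [(c.text or "").strip() for c in el if _local(c.tag) == "filter-name"]
    return out

def audit_filters(web_xml_text, expected=LEGACY_ORDER):
    root = ET.fromstring(web_xml_text)
    declared, mapped = _names(root, "filter"), _names(root, "filter-mapping")
    # Order in which the expected filters are first mapped (simplified chain order).
    chain = [n for n in dict.fromkeys(mapped) if n in expected]
    return {
        # Declared but never mapped: the container will not run these filters.
        "unmapped": [n for n in declared if n not in mapped],
        # Mapped but never declared: a configuration error.
        "undeclared": [n for n in dict.fromkeys(mapped) if n not in declared],
        # Expected legacy filters that are not declared at all.
        "missing": [n for n in expected if n not in declared],
        # True when the mapped legacy filters appear in the expected order.
        "order_ok": chain == [n for n in expected if n in chain],
    }

# Constructed sample (not Fedora's shipped web.xml): all six filters declared,
# only three mapped, and two of those mapped out of order.
def _f(n):
    return f"<filter><filter-name>{n}</filter-name><filter-class>x.{n}</filter-class></filter>"

def _m(n):
    return f"<filter-mapping><filter-name>{n}</filter-name><url-pattern>/*</url-pattern></filter-mapping>"

SAMPLE = ("<web-app xmlns='http://java.sun.com/xml/ns/javaee'>"
          + "".join(_f(n) for n in LEGACY_ORDER)
          + "".join(_m(n) for n in ["SetupFilter", "EnforceAuthnFilter", "XmlUserfileFilter"])
          + "</web-app>")

if __name__ == "__main__":
    for key, value in audit_filters(SAMPLE).items():
        print(f"{key}: {value}")
```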
