Richard,
I tried something like this not too long ago with Fedora 3.5 in an attempt to 
resolve an Islandora issue and found that while it initially seemed to produce 
the desired result (no more authentication requirement from Fedora), I later 
noticed that my SOAP-based ingest test code started to fail. I think I 
eventually traced the root cause of the failure to Fedora quietly throwing 
an error because there was no recognizable user name to add to the audit trail. 
There may have been a way around that particular problem, but I didn't know 
what other "gotchas" might lie ahead. Even if I did manage to get this 
configuration to work, I don't know if I would have ever fully trusted this 
configuration in a production setup.


Rick


From: Richard Shrake [mailto:[email protected]]
Sent: Tuesday, April 30, 2013 8:10 AM
To: Support and info exchange list for Fedora users.
Subject: Re: [fcrepo-user] change existing repository from fesl to legacy

I encountered a problem in that there was no <filter-mapping> element for the 
filters starting with XmlUserfileFilter in my web.xml - the documentation for 
configuring the web.xml in Islandora indicates that this should exist. Can I 
just add those elements or will that mess up some other stuff?

On Mon, Apr 29, 2013 at 1:02 PM, Richard Shrake <[email protected]> wrote:
Thanks very much. I'll give this a whirl. I appreciate the detailed response!

On Mon, Apr 29, 2013 at 12:55 PM, Scott Prater <[email protected]> wrote:
Richard,

I believe (though I haven't ever tested this out) that you'll need to
modify the fedora/WEB-INF/web.xml file in your webapp container to
specify the legacy filters (before AuthFilterJAAS, in this order):

  <filter>
    <filter-name>SetupFilter</filter-name>
    <filter-class>org.fcrepo.server.security.servletfilters.FilterSetup</filter-class>
  </filter>
  <filter>
    <filter-name>XmlUserfileFilter</filter-name>
    <filter-class>org.fcrepo.server.security.servletfilters.xmluserfile.FilterXmlUserfile</filter-class>
  </filter>
  <filter>
    <filter-name>RestApiAuthnFilter</filter-name>
    <filter-class>org.fcrepo.server.security.servletfilters.FilterRestApiAuthn</filter-class>
  </filter>
  <filter>
    <filter-name>RestApiFlashFilter</filter-name>
    <filter-class>org.fcrepo.server.security.servletfilters.FilterRestApiFlash</filter-class>
  </filter>
  <filter>
    <filter-name>EnforceAuthnFilter</filter-name>
    <filter-class>org.fcrepo.server.security.servletfilters.FilterEnforceAuthn</filter-class>
  </filter>
  <filter>
    <filter-name>FinalizeFilter</filter-name>
    <filter-class>org.fcrepo.server.security.servletfilters.FilterFinalize</filter-class>
  </filter>

And then you'll need to enable the XACML authentication in fedora.fcfg:

<module role="org.fcrepo.server.security.Authorization"
        class="org.fcrepo.server.security.DefaultAuthorization">
  <comment>Builds and manages Fedora's authorization structure.</comment>
  <param name="REPOSITORY-POLICIES-DIRECTORY"
         value="data/fedora/fedora-xacml-policies/repository-policies"
         isFilePath="true"/>
  <param name="REPOSITORY-POLICY-GUITOOL-POLICIES-DIRECTORY"
         value="/data/fedora/fedora-xacml-policies/repository-policies-generated-by-policyguitool"
         isFilePath="true">
    <comment>This parameter is for future use.</comment>
  </param>
  <param name="XACML-COMBINING-ALGORITHM"
         value="com.sun.xacml.combine.OrderedDenyOverridesPolicyAlg"/>
  <param name="ENFORCE-MODE" value="enforce-policies"/>
  <!-- <param name="ENFORCE-MODE" value="permit-all-requests"/> -->
  <param name="POLICY-SCHEMA-PATH"
         value="xsd/cs-xacml-schema-policy-01.xsd"/>
  <param name="VALIDATE-REPOSITORY-POLICIES" value="true"/>
  <param name="VALIDATE-OBJECT-POLICIES-FROM-FILE" value="false"/>
  <param name="VALIDATE-OBJECT-POLICIES-FROM-DATASTREAM" value="false"/>
</module>

And I think (though I'm not sure) that you'll need to turn off backend
security, if it's turned on:

<module role="org.fcrepo.server.security.BackendSecurity"
        class="org.fcrepo.server.security.DefaultBackendSecurity">
  <comment>Description: Interface to the backend service security
           configuration. This module initializes backend service security
           information in the server by parsing the beSecurity configuration file.
           This file is located in the distribution in
           $FEDORA_HOME/dist/server/config/beSecurity.xml. The configuration file
           is read once at server startup.</comment>
  <param name="beSecurity_validation" value="false">
    <comment>Controls whether beSecurity config file is validated
             against the beSecurityDescription schema. The default is
             &quot;false&quot;. Valid values are &quot;true&quot; or
             &quot;false&quot;.</comment>
  </param>
</module>

And that should get you to a legacy state.

Note that if you have

<param name="ENFORCE-MODE" value="enforce-policies"/>

set, more than likely you'll need to override some of the default policies:

https://wiki.duraspace.org/display/FEDORA34/XACML+Policy+Enforcement#XACMLPolicyEnforcement-DEFAULTPOLICIES

Note:  I haven't tried rolling back to legacy authentication before, so
your mileage may vary.  You may want to copy your current Fedora
installation to another directory or host, then play with it there.

-- Scott

On 04/29/2013 10:44 AM, Richard Shrake wrote:
> Scott, that's correct. I have seen lots of guidance on disabling FESL
> authorization, but none on authentication. We're running 3.4.2.
>
> Thanks.
>
>
> On Mon, Apr 29, 2013 at 11:32 AM, Scott Prater <[email protected]> wrote:
>
>     Richard,
>
>     Just to confirm:  you want to disable FeSL authentication, not FeSL
>     authorization, correct?
>
>     What version of Fedora are you running?
>
>     -- Scott
>
>
>
> _______________________________________________
> Fedora-commons-users mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/fedora-commons-users
>


--
Scott Prater
Shared Development Group
General Library System
University of Wisconsin - Madison
[email protected]
5-5415

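A small offline check for the web.xml half of Scott's recipe (added example; not code from this thread or from the Fedora project). It parses a web.xml, confirms the six legacy filters are declared, that every declared filter has a <filter-mapping> (a filter with no mapping is never invoked, which is what Richard's missing element would mean in practice), and that the mappings keep Scott's order ahead of AuthFilterJAAS. The sample web.xml at the bottom is constructed, deliberately incomplete, so the script has something to report.

```python
"""Check a Fedora 3.x web.xml for the legacy (non-FeSL) filter chain Scott lists.
Added example; not code from the thread or from the Fedora project."""
import xml.etree.ElementTree as ET

# Scott's legacy filter order; AuthFilterJAAS, if still mapped, must come after them.
LEGACY_FILTERS = ["SetupFilter", "XmlUserfileFilter", "RestApiAuthnFilter",
                  "RestApiFlashFilter", "EnforceAuthnFilter", "FinalizeFilter"]

def _local(tag):
    """web.xml carries a default namespace, so compare local element names."""
    return tag.rsplit("}", 1)[-1]

def _filter_names(root, kind):
    """Ordered <filter-name> values of every <kind> child (filter or filter-mapping)."""
    return [c.text.strip() for el in root if _local(el.tag) == kind
            for c in el if _local(c.tag) == "filter-name"]

def check_web_xml(xml_text):
    """Return findings as strings; an empty list means the chain looks right."""
    root = ET.fromstring(xml_text)
    declared = _filter_names(root, "filter")
    mapped = _filter_names(root, "filter-mapping")
    findings = []
    missing = [n for n in LEGACY_FILTERS if n not in declared]
    if missing:
        findings.append("no <filter> declared for: " + ", ".join(missing))
    # A <filter> with no <filter-mapping> is never invoked (Richard's symptom), and
    # the servlet container applies filters in <filter-mapping> order, so check that.
    unmapped = [n for n in declared if n not in mapped]
    if unmapped:
        findings.append("no <filter-mapping> for: " + ", ".join(unmapped))
    legacy_mapped = [n for n in mapped if n in LEGACY_FILTERS]
    if legacy_mapped != [n for n in LEGACY_FILTERS if n in mapped]:
        findings.append("legacy filter-mappings out of order: " + " > ".join(legacy_mapped))
    if "AuthFilterJAAS" in mapped and legacy_mapped:
        if mapped.index("AuthFilterJAAS") < max(mapped.index(n) for n in legacy_mapped):
            findings.append("AuthFilterJAAS is mapped before the legacy filters")
    return findings

# Constructed sample: only two filters declared, and XmlUserfileFilter has no mapping.
SAMPLE_WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/j2ee">
  <filter><filter-name>SetupFilter</filter-name>
    <filter-class>org.fcrepo.server.security.servletfilters.FilterSetup</filter-class></filter>
  <filter><filter-name>XmlUserfileFilter</filter-name>
    <filter-class>org.fcrepo.server.security.servletfilters.xmluserfile.FilterXmlUserfile</filter-class></filter>
  <filter-mapping><filter-name>SetupFilter</filter-name><url-pattern>/*</url-pattern></filter-mapping>
</web-app>"""

if __name__ == "__main__":
    print(check_web_xml(SAMPLE_WEB_XML))
```

Run it against the real fedora/WEB-INF/web.xml by replacing SAMPLE_WEB_XML with the file's contents; an empty list means the declared chain matches Scott's order and nothing is left unmapped.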


--
Richard Shrake
Associate Librarian for Technical Services
American Philosophical Society
105 South Fifth Street
Philadelphia, PA  19106-3386
Tel. (215) 440-3409
[email protected]
Main Library number: (215) 440-3400
APS website: www.amphilsoc.org
