Richard,

I tried something like this not too long ago with Fedora 3.5 in an attempt to resolve an Islandora issue and found that while it initially seemed to produce the desired result (no more authentication requirement from Fedora) I later noticed that my SOAP-based ingest test code started to fail. I think I eventually traced the root cause of the failure down to Fedora quietly throwing an error because there was no recognizable user name to add to the audit trail. There may have been a way around that particular problem but I didn't know what other "gotchas" might lie ahead. Even if I did manage to get this configuration to work I don't know if I would have ever fully trusted this configuration in a production setup.

Rick

From: Richard Shrake [mailto:rshrake@amphilsoc.org]
Sent: Tuesday, April 30, 2013 8:10 AM
To: Support and info exchange list for Fedora users.
Subject: Re: [fcrepo-user] change existing repository from fesl to legacy

I encountered a problem in that there was no <filter-mapping> element for the filters starting with XmlUserfileFilter in my web.xml - the documentation for configuring the web.xml in Islandora indicates that this should exist. Can I just add those elements or will that mess up some other stuff?

On Mon, Apr 29, 2013 at 1:02 PM, Richard Shrake <rshrake@amphilsoc.org> wrote:

Thanks very much. I'll give this a whirl. I appreciate the detailed response!

On Mon, Apr 29, 2013 at 12:55 PM, Scott Prater <prater@wisc.edu> wrote:

Richard,

I believe (though I haven't ever tested this out) that you'll need to
modify the fedora/WEB-INF/web.xml file in your webapp container to
specify the legacy filters (before AuthFilterJAAS, in this order):

     <filter>
       <filter-name>SetupFilter</filter-name>
       <filter-class>org.fcrepo.server.security.servletfilters.FilterSetup</filter-class>
     </filter>
     <filter>
       <filter-name>XmlUserfileFilter</filter-name>
       <filter-class>org.fcrepo.server.security.servletfilters.xmluserfile.FilterXmlUserfile</filter-class>
     </filter>
     <filter>
       <filter-name>RestApiAuthnFilter</filter-name>
       <filter-class>org.fcrepo.server.security.servletfilters.FilterRestApiAuthn</filter-class>
     </filter>
     <filter>
       <filter-name>RestApiFlashFilter</filter-name>
       <filter-class>org.fcrepo.server.security.servletfilters.FilterRestApiFlash</filter-class>
     </filter>
     <filter>
       <filter-name>EnforceAuthnFilter</filter-name>
       <filter-class>org.fcrepo.server.security.servletfilters.FilterEnforceAuthn</filter-class>
     </filter>
     <filter>
       <filter-name>FinalizeFilter</filter-name>
       <filter-class>org.fcrepo.server.security.servletfilters.FilterFinalize</filter-class>
     </filter>

And then you'll need to enable the XACML authentication in fedora.fcfg:

   <module role="org.fcrepo.server.security.Authorization"
           class="org.fcrepo.server.security.DefaultAuthorization">
     <comment>Builds and manages Fedora's authorization structure.</comment>
     <param name="REPOSITORY-POLICIES-DIRECTORY"
            value="data/fedora/fedora-xacml-policies/repository-policies"
            isFilePath="true"/>
     <param name="REPOSITORY-POLICY-GUITOOL-POLICIES-DIRECTORY"
            value="/data/fedora/fedora-xacml-policies/repository-policies-generated-by-policyguitool"
            isFilePath="true">
       <comment>This parameter is for future use.</comment>
     </param>
     <param name="XACML-COMBINING-ALGORITHM"
            value="com.sun.xacml.combine.OrderedDenyOverridesPolicyAlg"/>
     <param name="ENFORCE-MODE" value="enforce-policies"/>
     <!-- <param name="ENFORCE-MODE" value="permit-all-requests"/> -->
     <param name="POLICY-SCHEMA-PATH"
            value="xsd/cs-xacml-schema-policy-01.xsd"/>
     <param name="VALIDATE-REPOSITORY-POLICIES" value="true"/>
     <param name="VALIDATE-OBJECT-POLICIES-FROM-FILE" value="false"/>
     <param name="VALIDATE-OBJECT-POLICIES-FROM-DATASTREAM" value="false"/>
   </module>

And I think (though I'm not sure) that you'll need to turn off backend
security, if it's turned on:

   <module role="org.fcrepo.server.security.BackendSecurity"
           class="org.fcrepo.server.security.DefaultBackendSecurity">
     <comment>Description: Interface to the backend service security
              configuration. This module initializes backend service security
              information in the server by parsing the beSecurity configuration
              file. This file is located in the distribution in
              $FEDORA_HOME/dist/server/config/beSecurity.xml. The configuration
              file is read once at server startup.</comment>
     <param name="beSecurity_validation" value="false">
       <comment>Controls whether beSecurity config file is validated against
                the beSecurityDescription schema. The default is
                &quot;false&quot;. Valid values are &quot;true&quot; or
                &quot;false&quot;.</comment>
     </param>
   </module>

And that should get you to a legacy state.

Note that if you have

<param name="ENFORCE-MODE" value="enforce-policies"/>

set, more than likely you'll need to override some of the default policies:

https://wiki.duraspace.org/display/FEDORA34/XACML+Policy+Enforcement#XACMLPolicyEnforcement-DEFAULTPOLICIES

Note:  I haven't tried rolling back to legacy authentication before, so
your mileage may vary.  You may want to copy your current Fedora
installation to another directory or host, then play with it there.

-- Scott


On 04/29/2013 10:44 AM, Richard Shrake wrote:
> Scott, that's correct. I have seen lots of guidance on disabling FESL
> authorization, but none on authentication. We're running 3.4.2.
>
> Thanks.
>
>
> On Mon, Apr 29, 2013 at 11:32 AM, Scott Prater <prater@wisc.edu> wrote:
>
>     Richard,
>
>     Just to confirm:  you want to disable FeSL authentication, not FeSL
>     authorization, correct?
>
>     What version of Fedora are you running?
>
>     -- Scott
>
>
>
> _______________________________________________
> Fedora-commons-users mailing list
> Fedora-commons-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/fedora-commons-users
>


--
Scott Prater
Shared Development Group
General Library System
University of Wisconsin - Madison
prater@wisc.edu
5-5415




--
Richard Shrake
Associate Librarian for Technical Services
American Philosophical Society
105 South Fifth Street
Philadelphia, PA  19106-3386
Tel. (215) 440-3409
rshrake@amphilsoc.org

Main Library number: (215)440-3400
APS website:  www.amphilsoc.org

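A check for the two edits Scott describes (the legacy filter chain in web.xml and the ENFORCE-MODE setting in fedora.fcfg), added here as an example; it is not code from this thread or from the Fedora project. It parses both files and reports the problems Richard ran into: a legacy filter that is declared but has no <filter-mapping>, legacy filters mapped out of order or after AuthFilterJAAS, and an Authorization module left in permit-all-requests mode. The order check is done on <filter-mapping> elements because the servlet specification builds the chain from mapping order, not from <filter> declaration order. The embedded XML is constructed for illustration: the web.xml uses the standard Java EE namespace, the AuthFilterJAAS class name and the /* url-pattern for each mapping are assumptions, and the fedora.fcfg fragment is reduced to the one parameter being checked.

```python
"""Check a Fedora 3.x web.xml filter chain and fedora.fcfg before switching
from FeSL back to the legacy servlet filters.

Added example, not code from the thread or from the Fedora project. The
embedded XML is constructed for illustration; the AuthFilterJAAS class name
and the /* url-pattern are assumptions.
"""
import xml.etree.ElementTree as ET

# Legacy filters in the order given in the thread, with their classes.
LEGACY_CLASSES = {
    "SetupFilter": "org.fcrepo.server.security.servletfilters.FilterSetup",
    "XmlUserfileFilter": "org.fcrepo.server.security.servletfilters.xmluserfile.FilterXmlUserfile",
    "RestApiAuthnFilter": "org.fcrepo.server.security.servletfilters.FilterRestApiAuthn",
    "RestApiFlashFilter": "org.fcrepo.server.security.servletfilters.FilterRestApiFlash",
    "EnforceAuthnFilter": "org.fcrepo.server.security.servletfilters.FilterEnforceAuthn",
    "FinalizeFilter": "org.fcrepo.server.security.servletfilters.FilterFinalize",
}
LEGACY_FILTERS = list(LEGACY_CLASSES)
FESL_FILTER = "AuthFilterJAAS"
AUTHZ_ROLE = "org.fcrepo.server.security.Authorization"


def _local(tag):
    """Drop the namespace so the checks work with any web.xml schema version."""
    return tag.rsplit("}", 1)[-1]


def _filter_names(root, element):
    """filter-name values of every <filter> or <filter-mapping>, in document order."""
    names = []
    for el in root.iter():
        if _local(el.tag) == element:
            names += [(c.text or "").strip() for c in el if _local(c.tag) == "filter-name"]
    return names


def check_web_xml(web_xml):
    """Return a list of problems; an empty list means the legacy chain looks right.

    Servlet containers build the chain from <filter-mapping> order, not from
    <filter> declaration order, so ordering is checked on the mappings.
    """
    root = ET.fromstring(web_xml)
    declared = _filter_names(root, "filter")
    mapped = _filter_names(root, "filter-mapping")
    problems = []
    for name in LEGACY_FILTERS:
        if name not in declared:
            problems.append(f"{name}: no <filter> declaration")
        elif name not in mapped:
            problems.append(f"{name}: declared but has no <filter-mapping>")
    positions = [mapped.index(n) for n in LEGACY_FILTERS if n in mapped]
    if positions != sorted(positions):
        problems.append("legacy filters are mapped out of order")
    if FESL_FILTER in mapped and positions and mapped.index(FESL_FILTER) < max(positions):
        problems.append(f"{FESL_FILTER} is mapped before the legacy filters")
    return problems


def enforce_mode(fcfg):
    """Value of ENFORCE-MODE in the Authorization module, or None if absent."""
    root = ET.fromstring(fcfg)
    for module in root.iter():
        if _local(module.tag) == "module" and module.get("role") == AUTHZ_ROLE:
            for param in module:
                if _local(param.tag) == "param" and param.get("name") == "ENFORCE-MODE":
                    return param.get("value")
    return None


def check_fcfg(fcfg):
    """Flag an Authorization module that is not actually enforcing XACML policies."""
    mode = enforce_mode(fcfg)
    if mode is None:
        return ["Authorization module or ENFORCE-MODE param missing"]
    if mode != "enforce-policies":
        return [f"ENFORCE-MODE is '{mode}': XACML policies are not enforced"]
    return []


def _filter(name, cls):
    return f"<filter><filter-name>{name}</filter-name><filter-class>{cls}</filter-class></filter>"


def _mapping(name):  # /* is an assumed url-pattern, not taken from the thread
    return f"<filter-mapping><filter-name>{name}</filter-name><url-pattern>/*</url-pattern></filter-mapping>"


def sample_web_xml(mapped):
    """Constructed web.xml: every filter declared, only the names in `mapped` mapped."""
    filters = "".join(_filter(n, c) for n, c in LEGACY_CLASSES.items())
    filters += _filter(FESL_FILTER, "org.fcrepo.server.security.jaas.AuthFilterJAAS")  # class assumed
    mappings = "".join(_mapping(n) for n in mapped)
    return f'<web-app xmlns="http://java.sun.com/xml/ns/javaee">{filters}{mappings}</web-app>'


# The situation from the thread: XmlUserfileFilter declared but never mapped.
BROKEN = sample_web_xml([n for n in LEGACY_FILTERS if n != "XmlUserfileFilter"] + [FESL_FILTER])
FIXED = sample_web_xml(LEGACY_FILTERS + [FESL_FILTER])

# Constructed fedora.fcfg fragment with the commented-out alternative left active.
SAMPLE_FCFG = """<server>
  <module role="org.fcrepo.server.security.Authorization"
          class="org.fcrepo.server.security.DefaultAuthorization">
    <param name="ENFORCE-MODE" value="permit-all-requests"/>
  </module>
</server>"""

if __name__ == "__main__":
    for label, doc in (("broken web.xml", BROKEN), ("fixed web.xml", FIXED)):
        print(label, check_web_xml(doc) or "ok")
    print("fedora.fcfg", check_fcfg(SAMPLE_FCFG) or "ok")
```

To run it against a real installation, read fedora/WEB-INF/web.xml and fedora.fcfg from disk and pass their contents to check_web_xml and check_fcfg; an empty list from both is the state to aim for before restarting the container. The fcfg check is worth keeping around after the migration too: permit-all-requests is the one-line change that silently removes authorization from the repository.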