Respondent
Sandy Payette, Executive Director of Fedora Commons
Goal/Problem Space
Fedora - digital repository system (exposed as web services)
Features
Fedora: digital object model; management of content; versioning; RDF relationships, access and management via SOAP and REST APIs; associate services with objects ("disseminators"); preservation-enabling features; XACML policy enforcement; companion search service (supporting Lucene, Solr, Zebra); replication; pluggable storage layer.
Technology Stack
Java
Tomcat; Axis
RDBMS for registry (tested with MySQL, Derby, Oracle, Postgres)
Home-grown plug-in framework; looking to move to OSGi or similar
Sun XACML engine
Identity Services
NOTE: Answers in the table below are probably difficult to interpret, since they depend on how any one installation is configured. For example, people have configured AuthN/AuthZ above the core Fedora repository and shut off the capabilities built in at the repository layer. Others have used the simple configurations we provide out of the box (driven by authentication configuration at the web app level, plus Fedora-specific modules for XACML authorization). Others have configured Fedora with Shibboleth.
Managed Information | Consume? | Produce? | Broker/Convey? |
---|---|---|---|
Privileges | | Yes | |
Roles | | Yes | Yes |
Groups | | | Yes |
Attributes | Yes | Yes | Yes |
Identification | Yes | Yes | Yes |

Defined Interfaces | Consume? | Produce? | Broker/Convey? |
---|---|---|---|
Authentication | | | Yes |
Attributes | | | Yes |
Permissions | | Yes | |
Provisioning | | | |
Authorization | | Yes | |
Subjects | | | |

Other | Consume? | Produce? | Broker/Convey? |
---|---|---|---|
XACML Policies | Yes | | Yes |
Standards and Interfaces
Generally, authentication is pluggable via servlet filters. We provide sample templates and documentation for common cases (e.g., LDAP).
We use XACML for authorization and policy enforcement. A set of default XACML policies ship with the repository. Then we have a set of sample policies that people can modify for their needs and deploy in the repository configuration.
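As an added example (not Fedora's own code, and not one of the policies that ship with it), the following Python script implements a deliberately small XACML 2.0 evaluator and runs two constructed policies through it: one standing in for a shipped default that denies anonymous modifications, and one standing in for a site policy of the kind a deployer would adapt, permitting reads and granting administrators everything. The attribute identifiers are the standard XACML subject-id and action-id, plus the role attribute from the XACML RBAC profile; the policy IDs, rule IDs, attribute values, the request-context dictionary and the choice of deny-overrides for combining the two policies are all assumptions made for this illustration, not something the response above specifies. Only string-equal matching and two combining algorithms are supported; anything else is reported as Indeterminate rather than silently ignored.

```python
"""Minimal XACML 2.0 evaluator (string-equal matches, deny-overrides / first-applicable)."""
import xml.etree.ElementTree as ET

NS = "{urn:oasis:names:tc:xacml:2.0:policy:schema:os}"
STRING_EQUAL = "urn:oasis:names:tc:xacml:1.0:function:string-equal"
STRING = "http://www.w3.org/2001/XMLSchema#string"
SUBJECT_ID = "urn:oasis:names:tc:xacml:1.0:subject:subject-id"  # standard XACML attribute
ACTION_ID = "urn:oasis:names:tc:xacml:1.0:action:action-id"     # standard XACML attribute
ROLE = "urn:oasis:names:tc:xacml:2.0:subject:role"              # XACML RBAC profile attribute
DENY_OVERRIDES = "urn:oasis:names:tc:xacml:1.0:policy-combining-algorithm:deny-overrides"
PERMIT, DENY, NOT_APPLICABLE, INDETERMINATE = "Permit", "Deny", "NotApplicable", "Indeterminate"
CATEGORIES = (("Subjects", "Subject", "subject"), ("Resources", "Resource", "resource"),
              ("Actions", "Action", "action"))  # (Target child, alternative element, request key)

def _match(match_el, attrs):
    """One <SubjectMatch>/<ActionMatch>/...: the literal equals some value in the attribute bag."""
    if match_el.get("MatchId") != STRING_EQUAL:
        raise ValueError("unsupported MatchId " + str(match_el.get("MatchId")))
    literal = match_el.find(NS + "AttributeValue").text
    designator = next(c for c in match_el if c.tag.endswith("AttributeDesignator"))
    return literal in attrs.get(designator.get("AttributeId"), [])

def target_applies(target_el, request):
    """Categories AND; alternatives within a category OR; matches within one alternative AND."""
    if target_el is None:
        return True
    for plural, singular, category in CATEGORIES:
        group = target_el.find(NS + plural)
        if group is None:       # category absent from the Target: matches everything
            continue
        attrs = request.get(category, {})
        if not any(all(_match(m, attrs) for m in alt) for alt in group.findall(NS + singular)):
            return False
    return True

def combine(decisions, alg_id):
    """Rule- and policy-combining algorithms share their short names."""
    alg = alg_id.rsplit(":", 1)[-1]
    if alg == "deny-overrides":  # an evaluation error counts as Deny: fail closed
        if DENY in decisions or INDETERMINATE in decisions:
            return DENY
        return PERMIT if PERMIT in decisions else NOT_APPLICABLE
    if alg == "first-applicable":
        return next((d for d in decisions if d != NOT_APPLICABLE), NOT_APPLICABLE)
    raise ValueError("unsupported combining algorithm " + alg_id)

def evaluate_policy(policy_xml, request):
    """One <Policy>: its Target gates the rules, whose effects are then combined."""
    try:
        policy = ET.fromstring(policy_xml)
        if not target_applies(policy.find(NS + "Target"), request):
            return NOT_APPLICABLE
        decisions = [rule.get("Effect") if target_applies(rule.find(NS + "Target"), request)
                     else NOT_APPLICABLE for rule in policy.findall(NS + "Rule")]
        return combine(decisions, policy.get("RuleCombiningAlgId"))
    except (ValueError, ET.ParseError):  # malformed policy or unsupported construct
        return INDETERMINATE

def decide(policies, request):
    """PDP: default and site policies combined with deny-overrides (an assumption of this example)."""
    return combine([evaluate_policy(p, request) for p in policies], DENY_OVERRIDES)

def pep_allows(policies, request):
    """PEP: only an explicit Permit grants access; Deny, NotApplicable and Indeterminate refuse."""
    return decide(policies, request) == PERMIT

def _m(kind, attr_id, literal):  # one *Match element; the constructed policies are built from these
    return (f'<{kind}Match MatchId="{STRING_EQUAL}"><AttributeValue DataType="{STRING}">{literal}'
            f'</AttributeValue><{kind}AttributeDesignator AttributeId="{attr_id}" DataType="{STRING}"/></{kind}Match>')

# Constructed stand-ins for a shipped default policy and a site-specific policy (not Fedora's).
DEFAULT_POLICY = f"""<Policy xmlns="{NS[1:-1]}" PolicyId="example-default"
    RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:deny-overrides">
  <Target/>
  <Rule RuleId="deny-anonymous-changes" Effect="Deny">
    <Target>
      <Subjects><Subject>{_m('Subject', SUBJECT_ID, 'anonymous')}</Subject></Subjects>
      <Actions><Action>{_m('Action', ACTION_ID, 'modify')}</Action>
               <Action>{_m('Action', ACTION_ID, 'purge')}</Action></Actions>
    </Target>
  </Rule>
</Policy>"""
SITE_POLICY = f"""<Policy xmlns="{NS[1:-1]}" PolicyId="example-site"
    RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:deny-overrides">
  <Target/>
  <Rule RuleId="permit-read" Effect="Permit">
    <Target><Actions><Action>{_m('Action', ACTION_ID, 'read')}</Action></Actions></Target>
  </Rule>
  <Rule RuleId="permit-administrators" Effect="Permit">
    <Target><Subjects><Subject>{_m('Subject', ROLE, 'administrator')}</Subject></Subjects></Target>
  </Rule>
</Policy>"""
POLICIES = [DEFAULT_POLICY, SITE_POLICY]

def request(subject_id, action, roles=()):
    """Request context (this example's own format); attribute values are bags, as in XACML."""
    return {"subject": {SUBJECT_ID: [subject_id], ROLE: list(roles)}, "action": {ACTION_ID: [action]}}
```

`decide(POLICIES, request("anonymous", "modify"))` returns "Deny" even when the anonymous subject also carries the administrator role, because under deny-overrides a site policy cannot widen what a default forbids; `decide(POLICIES, request("alice", "purge", roles=["editor"]))` returns "NotApplicable", which pep_allows refuses just as it refuses the Indeterminate that an unsupported function or a malformed policy produces. That fail-closed behaviour at the enforcement point, not the policies themselves, is what keeps a mistake in a modified sample policy from turning into an open repository.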
Issues and Challenges
It's not easy for people to get things going out of the box. We are currently working with some members of the Fedora community to refactor and do authentication using JAAS.
More Information
Fedora Commons
Authentication documentation
XACML Documentation