At Virginia we have developed a servlet filter that permits of passing HTTP 
headers into the XACML context. We use this with mod_shib in front of 
repositories to integrate Shibboleth. We're currently cleaning up that code for 
submission to Fedora for some post-3.5 release. If you're interested in helping 
with that, we'd be happy for the help. The real work is in cleaning up Fedora's 
older servlet filter chain design, which also needs to be done. We went in this 
direction because (after considerable searching and discussion with the 
committers) we felt that it would be a quicker and surer route than trying to 
integrate Shib and JAAS, and that it would meet a larger need in the Fedora 
community-- a route by which to integrate with upstream authn/authz.

That might do for part of your Shibboleth needs. We are a Blacklight site, so 
we will be seeing to the integration you mention locally, but to be honest, we 
haven't put a lot of thought into that question yet. The basic assumption seems 
to be that we will index any rights metadata available in the repository and 
that we will filter against that in the Blacklight layer.

---
A. Soroka
Online Library Environment
the University of Virginia Library

On Mar 18, 2011, at 10:34 AM, Swithun Crowe wrote:

> Hello
> 
> At the University of St Andrews, we are still trying to find a suitable 
> front-end for Fedora, and even toying with the idea that we may not need 
> one. Our requirements are:
> 
> authentication (strong preference for Shibboleth)
> 
> authorisation to view certain collections
> 
> searching which follows authorisation rules
> 
> We are only interested in read-only access, so we don't need any extra 
> functionality for ingesting or editing objects or metadata once they are 
> in Fedora.
> 
> Someone asked a question about Fedora and Shibboleth a bit over a year 
> ago, and were directed to some work being done on JAAS and Shibboleth. Has 
> there been any more news or success with this? Item 4.3 on this page:
> 
> https://wiki.duraspace.org/display/FCR30/XACML+Policy+Enforcement
> 
> looks promising, but the link is broken.
> 
> Jumping into FeSL AuthZ and XACML is a bit daunting. How easy is it to 
> update the policies, say, when we create a new collection that requires a 
> new role to view objects in the collection? What success have people had 
> with storing policies as datastreams with their objects?
> 
> Has anyone got their own in-search filtering working well? I.e. passing in 
> user attributes (roles) from Shibboleth to filter the collections that 
> could be searched.
> 
> Fedora has most of the functionality that we are looking for, without the 
> need for a special front-end. Many of the front-ends are no longer being 
> developed. Blacklight and Islandora have nice interfaces, but it isn't 
> clear if they can easily meet our authN/Z requirements. Could they work on 
> top of Fedora's authN/Z?
> 
> I would be interested in anyone's success stories.
> 
> Thanks.
> 
> Swithun.
> 
> -- 
> The University of St Andrews is a charity registered in Scotland: SC013532
> 
> ------------------------------------------------------------------------------
> Colocation vs. Managed Hosting
> A question and answer guide to determining the best fit
> for your organization - today and in the future.
> http://p.sf.net/sfu/internap-sfd2d
> _______________________________________________
> Fedora-commons-users mailing list
> Fedora-commons-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/fedora-commons-users
