Installing RAMP Authorization Framework

Our authorization framework aims to replace the current Fedora XACML authorization. Currently, the two ways one can access Fedora are the web services (API-A and API-M) and the REST interface. Our framework works by intercepting the requests and responses on both of these interfaces, building an XACML request, forwarding it to our XACML PDP to obtain an XACML decision, and then enforcing that decision.

For the REST interface, requests and responses are intercepted by a servlet filter; for the web services interface, we developed AXIS handlers for this job. Both use a common class (ContexHandler) to build the XACML request and forward it to the PDP. To deploy the servlet filter, we modify the web.xml of the Fedora webapp; for the AXIS handlers, we modify Fedora's web services deployment descriptor (server-config.wsdd). Both modifications are made automatically by our ant script.

Prerequisites

  • You have deployed Tomcat (> 5.x.x) and set the TOMCAT_HOME and CATALINA_HOME environment variables to your Tomcat directory.
  • You have successfully installed Fedora 2.2 server (see Installing Fedora).
  • Ant > 1.6
  • Sun JDK > 1.5.x
  • melcoe-pep Download

Instructions

  1. Download the latest MELCOE-PEP code, unzip it and run:
    $ant install -Dwebapp.location=$CATALINA_HOME/webapps/fedora
    
  2. Note: adjust -Dwebapp.location in the command above so that it points to where your Fedora webapp resides.
  3. Open http://<your host>:8080/fedora/search in your browser and check that you can reach the REST search interface both as a "public" user and as the "fedoraAdmin" user. Logged in with the public role, you should be able to perform a search but see no results; as fedoraAdmin, you should be able to search and see everything.
  4. Edit the $CATALINA_HOME/webapps/fedora/WEB-INF/classes/config-melcoe-pep.xml file and look for this section:
    <pdp-client class="melcoe.fedora.pep.WebServicesPDPClient">
        <option name="ServiceEndpoint">http://localhost:8080/axis2/services/MelcoePDP</option>
    </pdp-client>
    
    Ensure that the ServiceEndpoint correctly points to where you installed the MelcoePDP.
  5. You need to check the web.xml file again and ensure that your LDAP settings are correct, as they will have been overwritten by the install process (a copy of the original web.xml is backed up as web.xml.backup.original). Restore only the LDAP settings, not the whole backup file: the install added the PEP servlet filter to web.xml, and reverting the file wholesale removes the filter and leaves REST calls unchecked. You can view the LDAP instructions here.
  6. Edit the $CATALINA_HOME/webapps/fedora/WEB-INF/classes/melcoe-pep-log4j.properties file and set the location for log4j.appender.statistics.File. If you do not set this, the statistics file is created in the directory from which the Tomcat instance was started.
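The following script is an added example for checking the result of the six steps above; it is not part of the MELCOE-PEP distribution. It assumes that the filter entries the ant script adds to web.xml contain the string "melcoe" (the page does not give the filter class name), that the PDP location is the ServiceEndpoint option shown in step 4, and that the search servlet accepts the query parameters used below (adjust them to your Fedora version). The offline checks read the deployed files; the role comparison from step 3 runs only when a host:port is given.

```shell
#!/bin/sh
# Post-install checks for the MELCOE-PEP deployment (added example, not project code).
# Usage: WEBAPP=$CATALINA_HOME/webapps/fedora FEDORA_ADMIN_PASSWORD=... ./check-pep.sh [host:port]

WEBAPP="${WEBAPP:-$CATALINA_HOME/webapps/fedora}"

# Print the ServiceEndpoint configured in config-melcoe-pep.xml ($1).
pep_endpoint() {
    sed -n 's/.*<option name="ServiceEndpoint">\([^<]*\)<\/option>.*/\1/p' "$1" | head -n 1
}

# Succeed if web.xml ($1) still declares the PEP filter. Restoring LDAP settings
# by copying web.xml.backup.original back would drop it and leave REST unchecked.
# Assumption: the filter entries contain "melcoe".
pep_filter_present() {
    grep -qi 'melcoe' "$1"
}

# Succeed if $1 is an absolute http(s) URL, the only form the PDP client can call.
endpoint_is_url() {
    case "$1" in
        http://*|https://*) return 0 ;;
        *) return 1 ;;
    esac
}

# Byte count of the search page body for user $2 ("user:password", empty for
# anonymous) against host:port $1. Needs a running Fedora; query parameters assumed.
search_body_size() {
    if [ -n "$2" ]; then
        curl -s -u "$2" "http://$1/fedora/search?terms=*&pid=true" | wc -c
    else
        curl -s "http://$1/fedora/search?terms=*&pid=true" | wc -c
    fi
}

# Offline checks against the deployed files under $WEBAPP; returns 0 when all pass.
check_deployment() {
    cfg="$WEBAPP/WEB-INF/classes/config-melcoe-pep.xml"
    ep=$(pep_endpoint "$cfg")
    endpoint_is_url "$ep" || { echo "bad or missing ServiceEndpoint in $cfg: '$ep'"; return 1; }
    pep_filter_present "$WEBAPP/WEB-INF/web.xml" || { echo "PEP filter missing from web.xml"; return 1; }
    echo "PEP filter present; PDP endpoint: $ep"
}

main() {
    check_deployment || exit 1
    # Step 3: public sees no results, fedoraAdmin sees everything, so the
    # admin response should be strictly larger. Skipped when no host is given.
    if [ -n "$1" ]; then
        pub=$(search_body_size "$1" "")
        adm=$(search_body_size "$1" "fedoraAdmin:${FEDORA_ADMIN_PASSWORD:?set FEDORA_ADMIN_PASSWORD}")
        [ "$adm" -gt "$pub" ] || { echo "fedoraAdmin did not see more than public ($adm vs $pub bytes)"; exit 1; }
        echo "search differs by role as expected"
    fi
}

# Run main only when executed as check-pep.sh, so the functions can also be sourced.
case "$0" in
    *check-pep.sh) main "$@" ;;
esac
```

A PDP endpoint that is not an absolute URL, or a web.xml without the filter, both mean the PEP is not actually in the request path even though the ant install reported success, which is why the two offline checks come before any live test.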

Configuring the MELCOE-PEP

The configuration files for the MELCOE-PEP reside in $CATALINA_HOME/webapps/fedora/WEB-INF/classes. By default, the only thing you are likely to need to configure is the location of the installed PDP.

  • config-melcoe-pep.xml: this file controls various components of the PEP. These components are all pluggable so if one does not suit, you can write another one and plug it in.
    • What to use for a PDP
    • Where to locate the PDP
    • Cache settings for XACML Requests/Responses
    • What to use for resolving object relationships for establishing collection hierarchies
    • Which evaluation engine to use
    • All the filters and handlers for the REST and Web Services APIs respectively. Authorisation for every operation via both REST and Web Services can be enabled or disabled; an operation that is disabled here is no longer checked by the PEP at all. If you need different functionality for a component, you can write one and plug it in.
  • config-melcoe-pep-mapping.xml: this file controls the Fedora actions emitted by the PEP. Fedora has a vocabulary of action URIs, and because there are many actions, they might not suit the way your policies are written or the way you want to write them. To simplify things, the PEP can be configured to transform these Fedora actions into actions of your own choosing. For example, "urn:fedora:names:fedora:2.1:action:id-getDatastream" can be mapped to "read" and "urn:fedora:names:fedora:2.1:action:id-modifyDatastreamByReference" to "update", reducing the set of actions your policies have to deal with.
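The following Python model is an added example, not MELCOE-PEP code, covering the request flow described at the top of the page (intercept, build an XACML request, ask the PDP, enforce) and the two configuration points above: the action mapping and the decision cache. The PDP is a local stub with a constructed policy; the mapping table, the "fedoraRole" attribute id, the cache policy and all user and object names are assumptions made for the example (the real mapping file's XML schema is not shown on this page, so a plain dictionary stands in for it).

```python
"""Model of one MELCOE-PEP authorization round trip (added example, not project code)."""
import xml.etree.ElementTree as ET

FEDORA_ACTION_NS = "urn:fedora:names:fedora:2.1:action:"
XACML_CTX = "urn:oasis:names:tc:xacml:2.0:context:schema:os"
NS = {"c": XACML_CTX}
STRING = "http://www.w3.org/2001/XMLSchema#string"
ANY_URI = "http://www.w3.org/2001/XMLSchema#anyURI"

# Stand-in for config-melcoe-pep-mapping.xml: collapse the Fedora action
# vocabulary to a few verbs (the two mappings the page gives plus two assumed ones).
ACTION_MAP = {
    FEDORA_ACTION_NS + "id-getDatastream": "read",
    FEDORA_ACTION_NS + "id-findObjects": "read",
    FEDORA_ACTION_NS + "id-modifyDatastreamByReference": "update",
    FEDORA_ACTION_NS + "id-purgeObject": "delete",
}


def map_action(fedora_action):
    """Unmapped URIs pass through unchanged so the PDP sees them rather than a
    silently wrong verb; the stub policy below answers NotApplicable for them."""
    return ACTION_MAP.get(fedora_action, fedora_action)


def add_attribute(container, attribute_id, value, data_type=STRING):
    attr = ET.SubElement(container, "Attribute", AttributeId=attribute_id, DataType=data_type)
    ET.SubElement(attr, "AttributeValue").text = value


def build_request(subject_id, roles, pid, fedora_action):
    """XACML 2.0 context <Request>: who, on which object, does what."""
    req = ET.Element("Request", xmlns=XACML_CTX)
    subject = ET.SubElement(req, "Subject")
    add_attribute(subject, "urn:oasis:names:tc:xacml:1.0:subject:subject-id", subject_id)
    for role in roles:
        add_attribute(subject, "fedoraRole", role)  # attribute id assumed for the example
    resource = ET.SubElement(req, "Resource")
    add_attribute(resource, "urn:oasis:names:tc:xacml:1.0:resource:resource-id", pid, ANY_URI)
    action = ET.SubElement(req, "Action")
    add_attribute(action, "urn:oasis:names:tc:xacml:1.0:action:action-id", map_action(fedora_action))
    ET.SubElement(req, "Environment")
    return ET.tostring(req, encoding="unicode")


def stub_pdp(request_xml):
    """Stands in for the MelcoePDP web service. Constructed policy: administrators
    may do anything, anyone may read, update and delete are denied to everyone
    else, and an action the policy does not know is NotApplicable."""
    req = ET.fromstring(request_xml)
    roles = [v.text for v in req.findall(
        "c:Subject/c:Attribute[@AttributeId='fedoraRole']/c:AttributeValue", NS)]
    action = req.find("c:Action/c:Attribute/c:AttributeValue", NS).text
    if "administrator" in roles or action == "read":
        decision = "Permit"
    elif action in ("update", "delete"):
        decision = "Deny"
    else:
        decision = "NotApplicable"
    resp = ET.Element("Response", xmlns=XACML_CTX)
    result = ET.SubElement(resp, "Result")
    ET.SubElement(result, "Decision").text = decision
    status = ET.SubElement(result, "Status")
    ET.SubElement(status, "StatusCode", Value="urn:oasis:names:tc:xacml:1.0:status:ok")
    return ET.tostring(resp, encoding="unicode")


class PolicyEnforcementPoint:
    """The filter/handler side: ask, cache, enforce. Fails closed: only an explicit
    Permit lets the call through; Deny, NotApplicable, Indeterminate, an unreachable
    PDP or a malformed response all block it."""

    def __init__(self, pdp_client):
        self.pdp_client = pdp_client  # callable: request XML -> response XML
        self.cache = {}

    def decide(self, request_xml):
        if request_xml in self.cache:
            return self.cache[request_xml]
        try:
            response = ET.fromstring(self.pdp_client(request_xml))
            decision = response.find("c:Result/c:Decision", NS).text
        except Exception:  # transport failure, bad XML, missing Decision
            decision = "Indeterminate"
        # Cache only definitive answers; a transport failure must be retried on
        # the next call, not remembered for the lifetime of the cache.
        if decision in ("Permit", "Deny"):
            self.cache[request_xml] = decision
        return decision

    def authorize(self, subject_id, roles, pid, fedora_action):
        return self.decide(build_request(subject_id, roles, pid, fedora_action)) == "Permit"


if __name__ == "__main__":
    pep = PolicyEnforcementPoint(stub_pdp)
    for user, roles, act in [("alice", ["public"], "id-getDatastream"),
                             ("alice", ["public"], "id-modifyDatastreamByReference"),
                             ("fedoraAdmin", ["administrator"], "id-purgeObject")]:
        print(user, act, "->", pep.authorize(user, roles, "demo:1", FEDORA_ACTION_NS + act))
```

Two points are worth carrying over to a real deployment: an action that the mapping file does not cover reaches the PDP as the raw Fedora URI, so a policy written only in terms of "read"/"update" will not match it and the outcome depends on what the PEP does with NotApplicable; and the cache must not store Indeterminate results, otherwise a brief PDP outage becomes a long-lived denial (or, with a permissive default, a long-lived bypass).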
