Disseminators are expressed as a pair of specialized digital objects: Behavior Definition (bdef) objects and Behavior Mechanism (bmech) objects. The bdef object is a high-level, abstract description of the set of services a disseminator provides. The bmech object supplies the executable side in the form of an external web service that actually performs those services. The term "backend services" refers to the set of web services defined by all bmech objects in a given repository.
Backend Security is only in scope when custom, user-defined disseminators are used and Datastream Mediation is enabled. With Datastream Mediation enabled, the Fedora server does not expose datastream location URLs to the backend services. Instead, it generates a one-time callback URL containing a token that the backend service uses to obtain the contents of the desired datastream. Callback URLs are directed at one of two targets: 1) /fedora/getDS when the backend service cannot handle basic authentication and/or SSL, and 2) /fedora/getDSAuthenticated when the backend service can handle basic authentication and/or SSL. The beSecurity.xml file records, per backend service, which target should be used, and it is also the input from which backend security policies are generated; those policies are enforced when the backend service makes the callback. The generated policies enforce IP restrictions and whether the callback connection must be made over SSL.
The Backend Security feature was introduced in Fedora 2.1 as a means of enhancing security between the Fedora server and backend services. However, recent code refactoring related to authentication in Fedora 2.2 revealed some issues with the initial backend security design. These issues could not be adequately addressed in time for the Fedora 2.2 release so the Backend Security feature is disabled in Fedora 2.2 pending a future redesign to address these issues.
The Backend Security feature is disabled in the code by bypassing the section of DatastreamResolverServlet that enforces the policies auto-generated from beSecurity.xml. The authentication and SSL information in beSecurity.xml is still read by the code to determine the correct callback target (getDS or getDSAuthenticated) for each backend service.
The intended purpose of Datastream Mediation and Backend Security was to prevent a hostile agent from reading datastream content that would otherwise be protected by the front-door API-A policies; in other words, to protect the getDS and getDSAuthenticated operations, the callback targets that backend services use to fetch datastream content. With the Backend Security policies disabled, the risk of exposure increases slightly, but it is mitigated by the fact that the backend callback URLs are generated by the Fedora repository server itself and are one-time URLs whose tokens do not reveal the identity of the datastream. A hostile agent therefore cannot simply fire requests at the backend endpoints in an attempt to obtain specific datastreams. The one attack that remains possible is a man-in-the-middle attack, in which a hostile agent intercepts the call the Fedora server makes to a backend service, extracts the callback URL from that call, and replays it against the repository before the legitimate backend service does. However, backend callback connections are still governed by a time limit (see the datastreamMediationLimit configuration parameter in fedora.fcfg), which narrows the window available for such an attempt.
Administrators wishing to further limit exposure can choose to handle backend security in other ways. For example, close down the getDSAuthenticated target by IP address and keep all backend services on the same machine as the Fedora repository.
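The following is an added, illustrative model of the callback scheme described above: a random, opaque token mapped server-side to the datastream identity, redeemable once within a time limit, directed at getDS or getDSAuthenticated depending on what the backend can handle, with an optional per-target IP allowlist of the kind an administrator might add for getDSAuthenticated. It is not Fedora code; the class and function names, the URL layout (including the `id` query parameter), the limit value standing in for datastreamMediationLimit, and the sample PIDs and IP addresses are all assumptions.

```python
import secrets
import time
from dataclasses import dataclass, field

# Hypothetical model, not Fedora's implementation. The value plays the role of
# datastreamMediationLimit in fedora.fcfg; the number itself is assumed.
MEDIATION_LIMIT_SECONDS = 5.0


@dataclass
class PendingCallback:
    """Server-side record behind an issued token; the token itself carries none of this."""
    pid: str
    dsid: str
    target: str
    issued_at: float


@dataclass
class DatastreamMediator:
    base_url: str = "http://repo.example.org/fedora"   # assumed repository base URL
    limit: float = MEDIATION_LIMIT_SECONDS
    # Optional per-target IP allowlist (e.g. lock getDSAuthenticated to one host).
    # A target with no entry is unrestricted.
    allowed_ips: dict = field(default_factory=dict)
    _pending: dict = field(default_factory=dict)

    @staticmethod
    def choose_target(handles_basic_auth: bool, handles_ssl: bool) -> str:
        """getDSAuthenticated only when the backend can do basic auth and/or SSL."""
        return "getDSAuthenticated" if (handles_basic_auth or handles_ssl) else "getDS"

    def issue_callback_url(self, pid, dsid, handles_basic_auth, handles_ssl, now=None):
        """Mint a one-time callback URL for (pid, dsid); the token reveals neither."""
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)            # random and opaque, not derived from pid/dsid
        target = self.choose_target(handles_basic_auth, handles_ssl)
        self._pending[token] = PendingCallback(pid, dsid, target, now)
        return f"{self.base_url}/{target}?id={token}"   # query-parameter name is an assumption

    def redeem(self, target, token, remote_ip, now=None):
        """Return (pid, dsid) on first valid use; None for replayed, expired, mistargeted or disallowed calls."""
        now = time.time() if now is None else now
        allowed = self.allowed_ips.get(target)
        if allowed and remote_ip not in allowed:
            return None                              # IP restriction; token is left unconsumed
        entry = self._pending.pop(token, None)       # pop: a second presentation finds nothing
        if entry is None or entry.target != target:
            return None
        if now - entry.issued_at > self.limit:
            return None                              # outside the mediation window
        return entry.pid, entry.dsid


def split_callback_url(url):
    """Split a callback URL into (target, token), as the receiving servlet would see them."""
    path, _, query = url.partition("?")
    target = path.rsplit("/", 1)[1]
    token = query.split("=", 1)[1]
    return target, token


def demo():
    """Walk through the legitimate call, a replay, an expired token and a blocked IP."""
    m = DatastreamMediator(allowed_ips={"getDSAuthenticated": {"10.0.0.5"}})
    t0 = 1_000_000.0                                 # fixed clock so the run is deterministic

    url = m.issue_callback_url("demo:1", "DS1", handles_basic_auth=True, handles_ssl=False, now=t0)
    target, token = split_callback_url(url)
    first = m.redeem(target, token, "10.0.0.5", now=t0 + 1)       # legitimate backend, in time
    replay = m.redeem(target, token, "10.0.0.5", now=t0 + 2)      # intercepted token played back

    url2 = m.issue_callback_url("demo:1", "DS1", False, False, now=t0)
    target2, token2 = split_callback_url(url2)
    late = m.redeem(target2, token2, "198.51.100.7", now=t0 + 60)  # beyond the mediation limit

    url3 = m.issue_callback_url("demo:1", "DS2", True, True, now=t0)
    target3, token3 = split_callback_url(url3)
    wrong_ip = m.redeem(target3, token3, "198.51.100.7", now=t0 + 1)  # not on the allowlist

    return {"target": target, "first": first, "replay": replay, "late": late, "wrong_ip": wrong_ip}


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The model makes the reasoning in the text concrete: without the token there is nothing to guess, a replayed token finds its entry already consumed, and a token that is intercepted but presented after the limit is refused regardless. The IP allowlist on getDSAuthenticated is the local equivalent of the administrator's option above; in a real deployment that restriction would normally live in the web container or a host firewall rather than in the servlet.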