Created: October 26, 2007.
News: Cover Stories

Muradora GUI for Fedora Repository Uses SAML and XACML for Federated Identity.

The DRAMA (Digital Repository Authorization Middleware Architecture) development team at MELCOE, Macquarie University, Sydney, Australia has announced the release of Muradora Version 1.0, described as a turnkey GUI for the Fedora Repository supporting federated identity and flexible access control.

Fedora is a "general purpose repository system developed jointly by Cornell University Information Science and the University of Virginia Library. The Fedora Project is devoted to the goal of providing open-source repository software and related services to serve as the foundation for many types of information management systems. The Fedora software is available under the terms of the Educational Community License 1.0 (ECL)." Fedora was selected for Muradora because it is widely used, is recognized as scalable (supporting more than one million objects), and has an excellent digital object model.

The project goals are to support collaboration between researchers for access and search across institutional protected repositories, with an easy to use and maintain access control system requiring little or no intervention from system administrators.

Muradora "incorporates a suite of software modules to deal with the needs for federated identity and flexible authorisation for repositories. The four key modules of Muradora are:

  1. Shibboleth authentication module for Fedora to support federated identity/single-sign-on, e.g., Australian Access Federation
  2. New flexible authorisation framework for Fedora based on the XACML open standard
  3. Extended XACML engine supporting DB XML for fast, efficient management/enforcement of policies, and a web service interface for XACML requests and responses; the extended XACML engine can be used by any software that employs XACML but requires an efficient management system for its XACML policies
  4. Java-based Web GUI front-end for Fedora

"The Muradora web GUI, by utilizing the other three modules, aims to showcase the power of having federated identity and flexible authorisation with the Fedora repository. A key advantage of Muradora is that the core Fedora repository can now have consistent access control policies for multiple front-ends even if they are hosted across multiple machines or spanning institutional boundaries. This is not possible with the traditional approach of having the GUI handle authentication and authorisation internally."

The Muradora web GUI makes use of XForms, the W3C standard for handling form inputs and validations. It can handle complex metadata schemas, and this provides a modular and pluggable GUI framework.

Muradora supports self-submission for authors and publishing permissions for administrators, using Dublin Core, MODS and MARC metadata. Hierarchical groupings of objects (based on user-defined RDF ontologies) and dynamic groupings of objects (based on criteria matching their metadata information) are supported. Access control is provided at different levels of granularity: at the repository level, at user-defined grouping levels (including hierarchical inheritance), at the object level, and at the level of individual datastreams within objects. The easy-to-use access control policy editor generates the necessary XACML policies, so that no direct XML editing is required. Muradora supports version control for repository objects. Data objects can be of heterogeneous data types, e.g., documents, and audio and visual objects, with annotations. Repository search, including full-text search, is supported.

Muradora is freely available under the Apache 2 open source license; the associated dependency software is also available as open source. The development team has made an ISO image available as a "ready to go system", downloadable as a Live DVD that also offers an easy DVD-based installation method.

DRAMA is part of RAMP (Research Activityflow and Middleware Priorities), a DEST funded project from the Systemic Infrastructure Initiative. RAMP is developing a flexible authorisation module for repositories using the XACML open standard and implementing this as the core of a new, fully open source Muradora front-end for Fedora.

From the Muradora 1.0 Announcement

From the October 11, 2007 announcement: "Muradora Version 1.0: A Web-based Repository Supporting Federated Identity and Flexible Access Control":

The DRAMA (Digital Repository Authorization Middleware Architecture) development team has announced the release of Muradora Version 1.0, a "Turnkey GUI for Fedora Repository Supporting Federated Identity and Flexible Access Control."

Muradora is an easy to use repository application that supports federated identity (via Shibboleth authentication) and flexible authorization (using XACML). Muradora leverages the modularity, flexibility and scalability of the well-known Fedora repository.

Muradora's unique vision is one where Fedora forms the core back-end repository, while different front-end applications (such as portlets or standalone web interfaces) can all talk to the same instance of Fedora, and yet maintain a consistent approach to access control.

The DRAMA team is happy to announce the V1.0 release of Muradora. Its key features are:

  • "Out-of-the-box" or customized deployment options

  • Intuitive access control editor allows end-users to specify their own access control criteria without editing any XML.

  • Hierarchical enforcement of access control policies. Access control can be set at the collection level, object level or datastream level.

  • Metadata input and validation for any well-formed metadata schema using XForms (a W3C standard). New metadata schemas can be supported via XForms scripts (no Muradora code modification required).

  • Flexible and extensible architecture based on the well known Java Spring enterprise framework.

  • Multiple deployments of Muradora (each customized for their own specific purpose) can talk to the one instance of Fedora.

  • Freely available as open source software (Apache 2 license). All dependent software is also open source.

Muradora utilises the new Digital Repository Authorization Middleware Architecture (DRAMA Auth/Z Suite). It consists of the following components:

  • Extended XACML support with a native XML database (DB XML) for efficient storing and querying of XACML policies. There is also a new hierarchical policy combination algorithm to support hierarchical enforcement while still allowing for fine-grained access control. These extended XACML features can be used by any XACML-aware application, especially those requiring better management of their policies.

  • Pluggable and extensible authorization infrastructure for Fedora. This new architecture utilizes an interceptor pattern to remove embedded authorization logic inside Fedora and allows new authorization requirements to be added to the system without modifying any code inside Fedora.

  • Support for federated identity with Shibboleth. The actual Shibboleth authentication is done on the Fedora server itself. This is different to the common approach of having the web interface handle Shibboleth authentication which would prevent multiple web interfaces talking to the same Fedora instance. Again this module is pluggable and can be deployed on top of Fedora without any code modification. It can also be used in conjunction with existing Fedora authentication modules.
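The hierarchical access control described above (collection, object and datastream levels, and the extended XACML engine's hierarchical policy combination) can be made concrete with a small model. This is an added illustration, not Muradora's or DRAMA's own code; the resource-path naming, the deny-overrides combination across levels and the eduPersonAffiliation-based sample policies are assumptions, since the page does not give the actual combining algorithm or policy format.

```python
# Added example (not Muradora's own code): hierarchical XACML-style enforcement
# for a Fedora repository. Policies attach to the repository root, a collection,
# an object or a datastream; a request is checked against every ancestor level
# and combined deny-overrides (an assumption; the page does not give the
# algorithm Muradora uses).
from dataclasses import dataclass, field

PERMIT, DENY, NOT_APPLICABLE = "Permit", "Deny", "NotApplicable"

@dataclass
class Rule:
    effect: str            # PERMIT or DENY
    actions: frozenset     # e.g. frozenset({"read", "write"})
    subject: dict = field(default_factory=dict)  # required subject attributes

    def matches(self, subject_attrs, action):
        if action not in self.actions:
            return False
        return all(subject_attrs.get(k) == v for k, v in self.subject.items())

def evaluate_policy(rules, subject_attrs, action):
    """One policy = list of rules, combined deny-overrides (standard XACML)."""
    decision = NOT_APPLICABLE
    for rule in rules:
        if rule.matches(subject_attrs, action):
            if rule.effect == DENY:
                return DENY
            decision = PERMIT
    return decision

def ancestors(resource):
    """'coll:thesis/obj:12/ds:PDF' -> ['', 'coll:thesis', 'coll:thesis/obj:12', ...]"""
    parts = resource.split("/")
    return ["/".join(parts[:i]) for i in range(len(parts) + 1)]

def decide(policies, resource, subject_attrs, action):
    """Hierarchical enforcement from the repository root ('') down to the
    requested level: a Deny at any level wins, else Permit if any level permits."""
    decision = NOT_APPLICABLE
    for level in ancestors(resource):
        d = evaluate_policy(policies.get(level, []), subject_attrs, action)
        if d == DENY:
            return DENY
        if d == PERMIT:
            decision = PERMIT
    return decision

# Constructed sample policies keyed by resource path; the subject criterion is a
# Shibboleth-style attribute (eduPersonAffiliation).
SAMPLE_POLICIES = {
    "": [Rule(DENY, frozenset({"write"}), {"eduPersonAffiliation": "student"})],
    "coll:thesis": [Rule(PERMIT, frozenset({"read"}), {"eduPersonAffiliation": "member"}),
                    Rule(PERMIT, frozenset({"read", "write"}), {"eduPersonAffiliation": "staff"})],
    # datastream-level refinement: members may read the object but not its full text
    "coll:thesis/obj:12/ds:FULLTEXT": [Rule(DENY, frozenset({"read"}), {"eduPersonAffiliation": "member"})],
}
```

A repository-wide deny (students may not write) cannot be undone by a collection policy, while a datastream-level deny refines what the collection permits without touching the collection policy itself.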

Muradora and DRAMA Auth/Z suite can be downloaded separately and installed together by following the deployment guide, available at:

      http://www.muradora.org

However, due to configuration flexibility and the large number of components, this installation method should be attempted only by experienced Fedora administrators.

For other users, we recommend our Live DVD which integrates all necessary components for an "out-of-the-box" repository. The Live DVD can be used to try Muradora by booting the system from the DVD and running the pre-installed system directly from the DVD (no changes are made to the host computer's hard disk). Alternatively, the Live DVD can install Muradora on a server following an easy installation procedure that is based on Ubuntu Linux Distribution. The Muradora Live DVD can be downloaded from the Muradora.org web site.

Software download: http://www.muradora.org/software

Acknowledgement: DRAMA (Digital Repository Authorization Middleware Architecture) is part of the RAMP project based at MELCOE, Macquarie University, Sydney, Australia. RAMP is funded by DEST under Backing Australia's Ability.

About Fedora

"Fedora open source software gives organizations a flexible service-oriented architecture for managing and delivering their digital content. At its core is a powerful digital object model that supports multiple views of each digital object and the relationships among digital objects. Digital objects can encapsulate locally-managed content or make reference to remote content. Dynamic views are possible by associating web services with objects. Digital objects exist within a repository architecture that supports a variety of management functions. All functions of Fedora, both at the object and repository level, are exposed as web services. These functions can be protected with fine-grained access control policies.

This unique combination of features makes Fedora an attractive solution in a variety of domains. Some examples of applications that are built upon Fedora include library collections management, multimedia authoring systems, archival repositories, institutional repositories, and digital libraries for education.

FOXML is a simple XML format that directly expresses the Fedora digital object model. As of Fedora 2.0, digital objects are stored internally in a Fedora repository in the FOXML format. In addition, FOXML can be used for ingesting and exporting objects to/from Fedora repositories...

Delivery of rich content is possible through a variety of technologies. But delivery is only one aspect of a suite of content management tasks. Content needs to be created, ingested, and stored. It needs to be aggregated and organized in collections. It must be described with metadata. It must be available for reuse and refactoring. And, finally, it must be preserved. Fedora is an open source digital repository system that meets these challenges. It does this by combining a number of key features:

  • Powerful digital object model: The digital objects, or units of information, in Fedora may combine any number and any variety of data streams. These data streams can be local to the repository or may reference content anywhere on the web. For example, one digital object may aggregate a scholarly document in multiple text formats, and another may combine the text, images, and video that are the basis of a rich web page.

  • Extensible metadata management: Because metadata and data are treated uniformly in the digital object model, any number and variety of metadata formats may be stored as data streams, alongside content, in a digital object.

  • Expressive inter-object relationships: Digital objects contain metadata that can express any type of relationships such as membership in collections, structural associations like articles in journals or pictures in albums, or taxonomic relationships. Relationship metadata is indexed and can be searched using semantic web query languages.

  • Web service integration: Fedora fits in with n-tier applications because of two types of web service integration: (1) Dynamic content delivery: Web services can be associated with any of the data streams in a digital object. As a result, a digital object can deliver dynamic content: the output of a web service processing data in the digital object. A metadata crosswalk service can be associated with a digital object that contains MODS metadata, making it possible to deliver other metadata formats such as Dublin Core. (2) Management and Access APIs: A Fedora repository runs as a service within a web server. All of its functionality and all features of its digital object model are accessible through well-defined REST and SOAP interfaces. Thus, a Fedora repository can be easily integrated into a variety of application environments with different user interfaces.

  • Version management: Fedora stores a history of all modifications to digital objects. The full history is accessible through the Fedora access API.

  • Configurable security architecture: Access to all aspects of the Fedora management and access API can be controlled by fine-grained XML-based access-control policies. These policies define sets of rules to permit or deny access by users and groups to repository operations.

  • OAI-PMH conformance: Fedora repositories are fully conformant with the interoperability framework defined by the Open Archives Initiative Protocol for Metadata Harvesting. The Fedora OAI-PMH service exploits Fedora's extensible metadata management, supporting harvest of any form of metadata delivered by digital objects.

  • Preservation worthy: Fedora repositories incorporate a number of features that facilitate the complex tasks associated with digital preservation. Internally all Fedora digital objects are represented in the file system as files in an open XML format. These XML files include data and metadata for the objects plus relationships to services and other objects. The entire structure of a Fedora repository can be rebuilt from the information in these files. In addition, Fedora repositories are compliant with the Reference Model for an Open Archival Information System (OAIS) due to their ability to ingest and disseminate Submission Information Packages (SIPS) and Dissemination Information Packages (DIPS) in standard container formats such as METS and MPEG-DIDL.

About the RAMP Project

"The Research Activityflow and Middleware Priorities (RAMP) project seeks to improve national research effectiveness by addressing two of the most challenging components of the DEST/JISC E-Framework for Education and Research and the DEST Accessibility Framework — the areas of people-oriented workflows for research processes, and open standards authorisation for protected repositories.

A key focus of the RAMP project is capturing eResearch activityflows so that they can be analysed, shared, re-used and adapted. This will lead to a national website providing a library of 'actionable' best practice activityflows for common research processes. This approach draws on the success of capturing and sharing 'Learning Designs' within e-learning, and applies it to the challenges of people-based workflow in eResearch. This work will be complemented by theoretical analysis of workflow standards and languages as applied to eResearch.

The second challenging component of the E-Framework that RAMP addresses is open standards authorisation (using XACML — Extensible Access Control Markup Language). There is an increasing need for flexible management of protected content as part of repositories such as Institutional Repositories, E-Reserves, etc., but most approaches to protected content rely on hardwired or proprietary authorisation mechanisms that are inefficient, costly, inflexible and promote system lock-in. The RAMP project will address the need for open standards authorisation through the creation of a generalised XACML authorisation module that could potentially be adopted by any repository system. This module will be implemented and tested initially using the Fedora repository, based on existing work on Fedora and XACML from MAMS and ARROW. Subsequent implementation with other repository systems will be explored.

The final stage of RAMP will unify the workflow and authorisation components through a 'fusion' project to explore interaction and integration between these two areas, and their overall combined impact on the E-Framework. This fusion project will lay the groundwork for potential future work in unified workflow and authorisation services, and their interaction with other E-Framework services..."

Related DEST Projects

MAMS (Meta Access Management System) Project: Macquarie University is the lead University on the Meta Access Management System (MAMS) Project. This project allows for the integration of multiple solutions to managing authentication, authorisation and identities, together with common services for digital rights, search services and metadata management. See the project documents for more information.

RUBRIC Project and the Toolkit: The RUBRIC project (Regional Universities Building Research Infrastructure Collaboratively) is sponsored by the Australian Commonwealth Department of Education, Science and Training (DEST). The RUBRIC Project recognises that regional and smaller universities need to access, manage and disseminate research information in the same way as the large established research universities, but often face significant challenges in developing appropriate and sustainable infrastructure. See the reference documents for more information.

Document URI: http://xml.coverpages.org/ni2007-10-26-a.html
Robin Cover, Editor: robin@oasis-open.org