Hi, we only have this shibboleth protection configuration:

    <Location /shibboleth-login>
        AuthType shibboleth
        ShibRequireSession On
        require valid-user
        ShibUseHeaders On
    </Location>

We do not protect the root path. We have not yet tested the authentication.shib.role-header. Could it perhaps be a problem of scoped or unscoped affiliation?

Greetings
Jochen Lienhard

Pottinger, Hardy J. wrote:
Hi, we actually like the functionality of the Shibboleth "lazy session"; it makes the site feel friendlier. Our university has not yet implemented any sort of logout cookie for Shibboleth, and they don't plan to until it's supported (that's what the sysadmins tell me). However, our setup is a bit different from yours; here are the pertinent snippets from our various configs:

    <!-- snip from /etc/tomcat5/server.xml tomcat server config -->
    <Connector port="8009" enableLookups="false" redirectPort="8080"
               protocol="AJP/1.3" address="127.0.0.1"
               tomcatAuthentication="false" connectionTimeout="20000"
               disableUploadTimeout="true" URIEncoding="UTF-8"/>

    <!-- snip from /etc/tomcat5/Catalina/localhost/xmlui.xml context fragment -->
    <Context debug="0" docBase="/dspace/webapps/xmlui" reloadable="true"
             unpackWARs="true" autoDeploy="true">
    </Context>

    ### snips from our_production_vhost.conf

    # turn on Shibboleth "Lazy Session"
    <Location />
        AuthType shibboleth
        ShibRequireSession Off
        require shibboleth
    </Location>

    # reverse proxy for xmlui
    <Location "/xmlui">
        ProxyPass ajp://127.0.0.1:8009/xmlui
        ProxyPassReverse ajp://127.0.0.1:8009/xmlui
        SetEnv force-proxy-request-1.0 1
        SetEnv proxy-nokeepalive 1
    </Location>

    # start Shibboleth login at this location
    <Location "/xmlui/shibboleth-login">
        AuthType shibboleth
        ShibRequireSession On
        ShibUseHeaders On
        require valid-user
    </Location>

For your setup, I think if you moved that "ShibUseHeaders On" down from the lazy session stanza to your shibboleth-login stanza, you'd end up with what you wanted. If memory serves, that's the magic "give me my headers, now, please" command. Hope that helps!
--Hardy

-----Original Message-----
From: Vlastimil Krejcir [mailto:krej...@ics.muni.cz]
Sent: Tuesday, October 19, 2010 9:15 AM
To: DSpace-tech@lists.sourceforge.net
Subject: [Dspace-tech] Shibboleth - user groups

Hi all,

I have set up Shibboleth authentication in DSpace and assigning groups according to the "affiliation" (authentication.shib.role-header) does not work. I have found that getSpecialGroups() from /org/dspace/authenticate/ShibAuthentication.java gets no Shibboleth headers. I guess that the trouble lies in the Apache config. At first I tried mod_proxy, then mod_jk, and the result is still the same. To get getSpecialGroups() working properly (to send the Shib headers) I have to change the Apache config slightly to use a lazy session for the root (where I have my DSpace installation):

    <Location /shibboleth-login>
        AuthType shibboleth
        ShibRequireSession On
        Require valid-user
        ShibUseHeaders On
    </Location>

    <Location />
        AuthType shibboleth
        ShibRequireSession Off
        ShibUseHeaders on
        Require shibboleth
    </Location>

So this is the lazy session configuration. Using this, group assigning works. But I can't log out: trying to reach /mydspace causes me to be logged in via Shibboleth without being asked what kind of authentication I want. If I was logged in before, my last session is used; if I wasn't, there is something I call an "empty user". It seems DSpace tests the "shibboleth" header and then assumes somebody is logged in. Removing the lazy session config (for the root /) makes Shibboleth work fine except for assigning groups. Has anyone experienced the same troubles? Can you share your Apache config? I have version 1.6.2, also the latest SP (2.3.1 I think). I have also set up webui.session.invalidate = false. Thanks.
Vlastik

------------------------------------------------------------------------
Vlastimil Krejčíř
Library and Information Centre, Institute of Computer Science
Masaryk University in Brno, Czech Republic
Email: krejcir (at) ics (dot) muni (dot) cz
Phone: +420 549 49 3872
ICQ: 163963217
Jabber: kre...@jabber.org
------------------------------------------------------------------------

------------------------------------------------------------------------------
Download new Adobe(R) Flash(R) Builder(TM) 4
The new Adobe(R) Flex(R) 4 and Flash(R) Builder(TM) 4 (formerly Flex(R) Builder(TM)) enable the development of rich applications that run across multiple browsers and platforms. Download your free trials today!
http://p.sf.net/sfu/adobe-dev2dev
_______________________________________________
DSpace-tech mailing list
DSpace-tech@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/dspace-tech
--
Dr. rer. nat. Jochen Lienhard
Universitätsbibliothek UB 2
Dezernat EDV
Rempartstraße 10-16 | Postfach 1629
D-79098 Freiburg | D-79016 Freiburg
Telefon: +49 761 203-3908
E-Mail: lienh...@ub.uni-freiburg.de
Internet: www.ub.uni-freiburg.de
smime.p7s
Description: S/MIME Cryptographic Signature
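Editor's added example (not DSpace or Shibboleth project code) to illustrate the two things the thread is circling: what the headers exported by ShibUseHeaders On look like to the web application behind AJP in the three situations described above (a real session, the lazy-session "empty user" with no session, and a request on a path no Shibboleth <Location> covers), and how to turn a scoped or unscoped affiliation header into group memberships. Header names, the ';' separator for multi-valued attributes and the scope-stripping follow Shibboleth SP 2.x defaults; ROLE_TO_GROUPS and the function names are made-up stand-ins, not DSpace's authentication.shib.* configuration format. One caveat the Shibboleth documentation itself makes: mod_shib only scrubs and sets these headers on paths it handles, so on an unprotected root path a client can send its own "affiliation" or "eppn" header and nothing strips it. The lazy-session stanza on "/" is what puts every DSpace path under mod_shib's control; the classifier below can only flag the obvious inconsistency (attribute values without a session), it cannot prove provenance on its own.

```python
"""Inspect Shibboleth SP headers as a Tomcat-hosted app would see them.

Added example, not DSpace or Shibboleth code.  Header names and the ';'
separator follow Shibboleth SP 2.x defaults; ROLE_TO_GROUPS is a hypothetical
stand-in for the role-header-to-group mapping.
"""

# Shibboleth SP joins multi-valued attributes with ';' when exporting headers.
SEPARATOR = ";"

# Hypothetical role -> DSpace group mapping (assumption, not dspace.cfg syntax).
ROLE_TO_GROUPS = {
    "member": ["Members"],
    "staff": ["Staff"],
    "faculty": ["Faculty", "Staff"],
}

# Constructed sample header sets -----------------------------------------
# 1. A real session: the SP sets Shib-Session-ID and the attribute headers.
REAL_SESSION = {
    "Shib-Session-ID": "_7b2e9c1d4f",
    "Shib-Identity-Provider": "https://idp.example.edu/idp/shibboleth",
    "eppn": "jdoe@example.edu",
    "affiliation": "member@example.edu;staff@example.edu",  # scoped form
    "unscoped-affiliation": "member;staff",                  # unscoped form
}
# 2. Lazy session (ShibRequireSession Off) and no session yet: mod_shib
#    scrubs every header it could set, so they arrive empty or absent.
LAZY_NO_SESSION = {
    "Shib-Session-ID": "",
    "eppn": "",
    "affiliation": "",
}
# 3. A path that no Shibboleth <Location> covers passes client headers through
#    untouched: attribute values with no session ID did not come from the SP.
CLIENT_SUPPLIED = {
    "affiliation": "staff@example.edu",
    "eppn": "someone@example.edu",
}


def has_session(headers):
    """True only if the SP asserted a session.  Testing 'is some Shib header
    present?' instead is what produces the lazy-session 'empty user'."""
    return bool(headers.get("Shib-Session-ID", "").strip())


def affiliations(headers, role_header="affiliation", expected_scope=None):
    """Split the role header into unscoped, lower-cased role names.

    Scoped values ('member@example.edu') reduce to 'member', so the same
    mapping works for both the scoped and the unscoped attribute.  With
    expected_scope set, values from any other scope (or with no scope) are
    dropped; leave it None when reading the unscoped header.
    """
    roles = set()
    for value in headers.get(role_header, "").split(SEPARATOR):
        value = value.strip().lower()
        if not value:
            continue
        role, _, scope = value.partition("@")
        if expected_scope is not None and scope != expected_scope.lower():
            continue
        roles.add(role)
    return roles


def special_groups(headers, role_header="affiliation", expected_scope=None):
    """Groups to grant for this request: none unless the SP asserted a
    session, otherwise the mapped groups in a stable order."""
    if not has_session(headers):
        return []
    groups = []
    for role in sorted(affiliations(headers, role_header, expected_scope)):
        for group in ROLE_TO_GROUPS.get(role, []):
            if group not in groups:
                groups.append(group)
    return groups


def classify(headers, attribute_headers=("eppn", "affiliation",
                                         "unscoped-affiliation")):
    """'session'    : the SP asserted a session, attributes can be used.
    'no-session' : lazy session with nothing to trust yet (the 'empty user').
    'untrusted'  : attribute values without a session, i.e. not set by the SP
                   (the path is probably outside every Shibboleth <Location>)."""
    if has_session(headers):
        return "session"
    if any(headers.get(h, "").strip() for h in attribute_headers):
        return "untrusted"
    return "no-session"


if __name__ == "__main__":
    for name, hdrs in (("real", REAL_SESSION), ("lazy", LAZY_NO_SESSION),
                       ("client", CLIENT_SUPPLIED)):
        print(name, classify(hdrs), special_groups(hdrs))
```

The "untrusted" case is only visible as a contradiction (attributes but no session ID); on a path outside mod_shib's control a client could forge Shib-Session-ID too, which is why the fix is the Apache configuration, not application-side checks.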