[ http://jira.dspace.org/jira/browse/DS-187?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=10270#action_10270 ]
Andrea Bollini commented on DS-187:
-----------------------------------

[was: Bruc Liong added a comment - 28/Mar/09 03:32 AM]

For the anonym...@example.org, yes that additional patch seems to be OK. Its usage, IMHO, may not be advisable since your users should be able to be identified one way or another (e.g. rather than grouping all users into one single account), but perhaps in your situation that was warranted...

Another approach of supporting that would be to use the mod_headers of Apache to set the header value of the email when no such email is being released. For example something along the lines of:

    SetEnvIf EMAIL ".+" EMAIL_IS_SET
    RequestHeader set EMAIL "anonym...@example.org" env=!EMAIL_IS_SET

Do you have special use-cases for locking down an account? As in, why would a particular DSpace user be denied access? There are mechanisms in Shibboleth to deny access before it hits DSpace; that would be the way to do it in my opinion. This blacklisting can add an interesting twist...

Do you have the patch for scoped affiliation? Otherwise adding authentication.shib.role.remove-scoping = true (defaulted to false) can easily be done in the mapping code.

Another item for future development on this patch is to integrate NetID, as an alternative to the email for the EPerson identifier.

> Allow anonymous user and scoped role header in Shibboleth auth method
> ---------------------------------------------------------------------
>
> Key: DS-187
> URL: http://jira.dspace.org/jira/browse/DS-187
> Project: DSpace 1.x
> Issue Type: Improvement
> Components: DSpace API
> Affects Versions: 1.5.2
> Reporter: Andrea Bollini
>
> This issue has been created from the follow up of the DS-48 issue.
> Stuart Hicks, Systems Engineer at OhioLINK, has been working with a slightly > older version of the patch than what was released today and found two things > that we need in our environment: > # Anonymous users - We can't guarantee that we'll get an eppn, email address, > or much of anything else from the schools except the mandatory affiliation > values. This is the issue that the attached patch addresses. Anonymous users > are defaulted to a preset account dictated by the email-default value in > dspace.cfg > # Scoping - The authentication.shib.role handlers need to support scoping as > we use eduPersonScopedAffiliation attributes rather than the unscoped variety. > Here's the text from his patch (based on an earlier version) to allow > anonymous, but Shibboleth authenticated users. Would it be possible to get > this change incorporated into the main codebase?: > diff -ur dspace-1_5-with-shib.orig/dspace/config/dspace.cfg > dspace-1_5-with-shib/dspace/config/dspace.cfg > --- dspace-1_5-with-shib.orig/dspace/config/dspace.cfg 2009-03-27 > 10:46:22.000000000 -0400 > +++ dspace-1_5-with-shib/dspace/config/dspace.cfg 2009-03-27 > 10:47:55.000000000 -0400 
> @@ -324,6 +324,10 @@ > # this option below forces the software to acquire the email from Tomcat. > #authentication.shib.email-use-tomcat-remote-user = true > > +# this is the default email used for Shib-authenticated sessions that > +# do not include user-identifiable data (eppn, mail, etc.) > +#authentication.shib.email-default = anonym...@example.org > + > # should we allow new users to be registered automtically > # if the IdP provides sufficient info (and user not exists in DRC) > #authentication.shib.autoregister = true > diff -ur > dspace-1_5-with-shib.orig/dspace-api/src/main/java/au/edu/mq/melcoe/mams/dspace/authenticate/ShibAuthentication.java > > dspace-1_5-with-shib/dspace-api/src/main/java/au/edu/mq/melcoe/mams/dspace/authenticate/ShibAuthentication.java > --- > dspace-1_5-with-shib.orig/dspace-api/src/main/java/au/edu/mq/melcoe/mams/dspace/authenticate/ShibAuthentication.java > 2009-03-27 10:46:18.000000000 -0400 > +++ > dspace-1_5-with-shib/dspace-api/src/main/java/au/edu/mq/melcoe/mams/dspace/authenticate/ShibAuthentication.java > 2009-03-27 11:09:21.000000000 -0400 > @@ -59,6 +59,7 @@ > > boolean isUsingTomcatUser = > ConfigurationManager.getBooleanProperty("authentication.shib.email-use-tomcat-remote-user"); > String emailHeader = > ConfigurationManager.getProperty("authentication.shib.email-header"); > + String emailDefault = > ConfigurationManager.getProperty("authentication.shib.email-default"); > > String email = null; 
> > @@ -82,6 +83,11 @@ > EPerson p = context.getCurrentUser(); > if(p != null) email = p.getEmail(); > } > + > + //Check to see if they provided a default account > + if(email == null && emailDefault != null){ > + email = emailDefault; > + } > > if(email == null){ > log.error("No email is given, you're denied access by Shib, > please release email address");
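Review bot: the comment added in the dspace.cfg hunk (`@@ -324,6 +324,10 @@`) above `#authentication.shib.email-default` should state explicitly that every Shibboleth session without eppn or mail is mapped onto this one shared EPerson, so whoever enables it knows to keep that account out of any group that carries submission or administrative rights. Suggest extending the comment, e.g. `# All such sessions share this single account; grant it no rights beyond anonymous access.`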
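Review bot: in the `@@ -82,6 +83,11 @@` hunk the fallback `if(email == null && emailDefault != null){ email = emailDefault; }` is taken silently, so the existing `log.error("No email is given, ...")` branch no longer fires for those sessions and the log gives no way to tell a shared-account login from an identified one. Suggest logging the fallback, e.g. `log.info("No email released by IdP, using default account " + emailDefault);`, so activity under the shared account can still be audited.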
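The scoped-affiliation handling raised in the comment (the proposed authentication.shib.role.remove-scoping switch), as an added example that is not part of DS-187, of the patch above, or of DSpace's own ShibAuthentication code. The class ScopedRoleMapper, its method toRoles, the trustedScopes set and the assumption that multi-valued header values arrive joined with ';' are all illustrative choices, not DSpace configuration. The point it adds beyond the comment is that the scope of a value such as member@ohiolink.edu is checked against the scopes this deployment expects before it is stripped; otherwise turning remove-scoping on would let a member@ value from any IdP map onto the local member group.

```java
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;
import java.util.Locale;
import java.util.Set;

// Added example, not DSpace code: one way a role-mapping step could treat
// eduPersonScopedAffiliation values when a hypothetical
// "authentication.shib.role.remove-scoping" option is enabled.
public class ScopedRoleMapper {

    private final boolean removeScoping;
    // Scopes this deployment is willing to map roles for (assumed to be
    // configured per site; constructed values are used in main below).
    private final Set<String> trustedScopes;

    public ScopedRoleMapper(boolean removeScoping, Set<String> trustedScopes) {
        this.removeScoping = removeScoping;
        this.trustedScopes = trustedScopes;
    }

    /**
     * Turns the raw header value (assumed: the SP joins multiple attribute
     * values with ';') into the list of affiliations usable for group mapping.
     * A scoped value whose scope is not trusted is dropped, not mapped, so that
     * stripping the scope never widens what an unexpected IdP can grant.
     */
    public List<String> toRoles(String headerValue) {
        if (headerValue == null || headerValue.isEmpty()) {
            return Collections.emptyList();
        }
        List<String> roles = new ArrayList<>();
        for (String raw : headerValue.split(";")) {
            String value = raw.trim();
            if (value.isEmpty()) {
                continue;
            }
            int at = value.indexOf('@');
            if (at < 0) {
                // Unscoped value (eduPersonAffiliation style): keep it as-is.
                roles.add(value.toLowerCase(Locale.ROOT));
                continue;
            }
            String affiliation = value.substring(0, at).toLowerCase(Locale.ROOT);
            String scope = value.substring(at + 1).toLowerCase(Locale.ROOT);
            if (affiliation.isEmpty() || scope.isEmpty()) {
                continue; // malformed, ignore
            }
            if (!trustedScopes.contains(scope)) {
                continue; // unknown scope: refuse to map rather than strip it
            }
            roles.add(removeScoping ? affiliation : affiliation + "@" + scope);
        }
        return roles;
    }

    public static void main(String[] args) {
        ScopedRoleMapper mapper =
            new ScopedRoleMapper(true, Set.of("ohiolink.edu", "example.edu"));
        // Constructed sample header value, shaped like what the SP would pass on.
        String header = "member@ohiolink.edu;staff@example.edu;faculty@other.example;student";
        System.out.println(mapper.toRoles(header));
    }
}
```

With remove-scoping on, the trusted scoped values collapse to their bare affiliation, the unscoped value passes through, and the value from the untrusted scope is dropped; with remove-scoping off the same mapper returns the scoped strings unchanged, which matches how a site that keys its groups on the full scoped value would want it.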