[ 
http://jira.dspace.org/jira/browse/DS-187?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=10275#action_10275
 ] 

Andrea Bollini commented on DS-187:
-----------------------------------

[was: Mark Diggory added a comment - 28/Mar/09 07:23 PM]

There are two things going on here that I think we should consider.

A.) Non-Implicit Authentication as a Shibboleth User when accessing a protected 
resource (much like Password Authentication) requires reentry through 
AuthenticationAction or ShibServlet to correctly process the shib user into an 
EPerson

B.) Implicit Resolution of Special Groups when a User has Shibboleth headers 
present in the request (or Shib groups are in the user's session) is much like 
IPAddressAuthenticator and happens on every request; this can be anonymous.

My response about AuthenticateAction is incorrect; in XMLUI 
ShibbolethAction is the controller for verifying that the Shibboleth return 
trip is processed correctly. This gives us a chance to manage the lack of an 
EPerson differently in this class.

At this point ShibbolethAction, expecting this to be a "non-implicit" 
authentication process forces (A) and requires a Context/EPerson as a result.

We've been having authentication/authorization discussions in the 2.0 group as 
well. There are actually 3 call processes for Authentication/Authorization:

1.) Authenticate User Credentials "AuthenticationManager.authenticate"

2.) Get User Groups "AuthenticationManager.getSpecialGroups"

3.) Authorize User+Groups "AuthorizationManager.authorize"

AuthenticationMethods mush the first 2 together and make it difficult to 
operate them separately. (2) and (3) are used in IP Authentication while (1) 
returns BAD_ARGS.

We might try altering ShibbolethAction to not require an EPerson if the 
configuration allows for anonymous Shibboleth authentication; this might be 
all that's required to make this work with the XMLUI as well.

> Allow anonymous user and scoped role header in Shibboleth auth method
> ---------------------------------------------------------------------
>
>                 Key: DS-187
>                 URL: http://jira.dspace.org/jira/browse/DS-187
>             Project: DSpace 1.x
>          Issue Type: Improvement
>          Components: DSpace API
>    Affects Versions: 1.5.2
>            Reporter: Andrea Bollini
>
> This issue has been created from the follow up of the DS-48 issue.
> Stuart Hicks, Systems Engineer at OhioLINK, has been working with a slightly 
> older version of the patch than what was released today and found two things 
> that we need in our environment:
> # Anonymous users - We can't guarantee that we'll get an eppn, email address, 
> or much of anything else from the schools except the mandatory affiliation 
> values. This is the issue that the attached patch addresses. Anonymous users 
> are defaulted to a preset account dictated by the email-default value in 
> dspace.cfg
> # Scoping - The authentication.shib.role handlers need to support scoping as 
> we use eduPersonScopedAffiliation attributes rather than the unscoped variety.
> Here's the text from his patch (based on an earlier version) to allow 
> anonymous, but Shibboleth authenticated users. Would it be possible to get 
> this change incorporated into the main codebase?:
> diff -ur dspace-1_5-with-shib.orig/dspace/config/dspace.cfg 
> dspace-1_5-with-shib/dspace/config/dspace.cfg
> --- dspace-1_5-with-shib.orig/dspace/config/dspace.cfg 2009-03-27 
> 10:46:22.000000000 -0400
> +++ dspace-1_5-with-shib/dspace/config/dspace.cfg 2009-03-27 
> 10:47:55.000000000 -0400
> @@ -324,6 +324,10 @@
>  # this option below forces the software to acquire the email from Tomcat.
>  #authentication.shib.email-use-tomcat-remote-user = true
>  
> +# this is the default email used for Shib-authenticated sessions that
> +# do not include user-identifiable data (eppn, mail, etc.)
> +#authentication.shib.email-default = anonym...@example.org
> +
>  # should we allow new users to be registered automtically
>  # if the IdP provides sufficient info (and user not exists in DRC)
>  #authentication.shib.autoregister = true
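Review bot: the comment above the new `authentication.shib.email-default` key should state what setting it means in practice: every Shibboleth session that arrives without eppn or mail is resolved to the one EPerson owning that address, so all such users share that account's privileges, group memberships and submission history. Suggest documenting that the address must belong to a dedicated, minimally privileged EPerson and that leaving the key commented out keeps the existing deny behaviour.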
> diff -ur 
> dspace-1_5-with-shib.orig/dspace-api/src/main/java/au/edu/mq/melcoe/mams/dspace/authenticate/ShibAuthentication.java
>  
> dspace-1_5-with-shib/dspace-api/src/main/java/au/edu/mq/melcoe/mams/dspace/authenticate/ShibAuthentication.java
> --- 
> dspace-1_5-with-shib.orig/dspace-api/src/main/java/au/edu/mq/melcoe/mams/dspace/authenticate/ShibAuthentication.java
>  2009-03-27 10:46:18.000000000 -0400
> +++ 
> dspace-1_5-with-shib/dspace-api/src/main/java/au/edu/mq/melcoe/mams/dspace/authenticate/ShibAuthentication.java
>  2009-03-27 11:09:21.000000000 -0400
> @@ -59,6 +59,7 @@
>          
>          boolean isUsingTomcatUser = 
> ConfigurationManager.getBooleanProperty("authentication.shib.email-use-tomcat-remote-user");
>          String emailHeader = 
> ConfigurationManager.getProperty("authentication.shib.email-header");
> + String emailDefault = 
> ConfigurationManager.getProperty("authentication.shib.email-default");
>          
>          String email = null;
>          
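Review bot: the added `String emailDefault =` line is not indented to the eight-space block level of the `isUsingTomcatUser` and `emailHeader` declarations around it; please align it with the surrounding code so the diff does not introduce a formatting inconsistency.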
> @@ -82,6 +83,11 @@
>              EPerson p = context.getCurrentUser();
>              if(p != null) email = p.getEmail();
>          }
> +
> + //Check to see if they provided a default account
> + if(email == null && emailDefault != null){
> + email = emailDefault;
> + }
>          
>          if(email == null){
>              log.error("No email is given, you're denied access by Shib, 
> please release email address");
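Review bot: the fallback `if(email == null && emailDefault != null){ email = emailDefault; }` is gated only on the property being configured, not on the request carrying the affiliation attribute the issue description says is always released, so once the key is set the `log.error("No email is given ...")` deny branch below can no longer be reached and any request that gets this far without an email header or a current user is silently mapped to the shared account. Suggest checking for the required affiliation header before applying the default, logging at warn level (with the remote address) whenever the fallback is taken so anonymous mappings are auditable, and treating an empty property value the same as null, since the `!= null` test would accept it and set `email` to an empty string.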

-- 
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: 
http://jira.dspace.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira

_______________________________________________
Dspace-devel mailing list
Dspace-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/dspace-devel