[ http://jira.dspace.org/jira/browse/DS-309?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Andrea Bollini updated DS-309:
------------------------------

    Attachment: ds-309-shib-default-roles.patch

This simple patch solves the problem but a general revision of the 
authentication system is needed...
many authentication methods need to know if they are the method that has 
logged in the user (X509, Shib, LDAP, Password). Most of them use specific 
properties of the eperson object to make assumptions (password field, etc.) but 
this is not appropriate because the "core" is not aware of how these data are 
used by a specific plugin...
others, shib and X509, store data in the session; also in this case there are 
problems:
1) there is code duplication that could be avoided
2) the plugin has no opportunity to clean up the data after the logoff so, if 
the web session (browser) is kept open and a new user logs in with a different 
auth method, the data stored by the first method will remain present and can 
mislead 

I think that this is the best result that we can achieve before the 1.6 
release; if nobody raises objections in the next few days I will commit the 
patch and mark this issue as resolved.

> Shibboleth default roles are applied also to anonymous users and users logged in 
> with other methods
> ------------------------------------------------------------------------------------------------
>
>                 Key: DS-309
>                 URL: http://jira.dspace.org/jira/browse/DS-309
>             Project: DSpace 1.x
>          Issue Type: Bug
>          Components: DSpace API
>    Affects Versions: 1.5.2
>            Reporter: Andrea Bollini
>            Assignee: Andrea Bollini
>             Fix For: 1.6.0
>
>         Attachments: ds-309-shib-default-roles.patch
>
>
> The getSpecialGroup method doesn't check if there is any user logged in and 
> goes ahead to process any default roles or affiliation/group mapping included 
> in the configuration; this allows anonymous users to take advantage of the 
> default shib roles.
> In addition, if we have more than one authentication method configured, as for 
> example the x509 method, we are not able to know from which method a user 
> comes from; this means that even adding a check in the getSpecialGroup to see 
> if a user is logged in, we will continue to give default shib roles also to 
> users that are logged in from another authentication method.
> I'm going to fix this bug by storing in the user session the auth method used 
> for the login. A patch will be posted soon.

-- 
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: 
http://jira.dspace.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
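The two defects discussed in this issue (special groups granted with no user logged in, and a Shibboleth-only role granted to a user who logged in through another method) and the fix direction described in the comment (record the authenticating method in the session, and clear it on logoff) can be shown with a small stand-alone model. This is an added example written for this message; it is not DSpace code and does not use the real DSpace `AuthenticationMethod` interface. The `Session`, `AuthManager`, `AUTH_METHOD_KEY` and `USER_KEY` names, the two toy plugins and the group names are constructed for illustration.

```java
import java.util.*;

/** Constructed stand-in for an HTTP session: a plain attribute map. */
class Session {
    private final Map<String, Object> attrs = new HashMap<>();
    Object get(String k)            { return attrs.get(k); }
    void set(String k, Object v)    { attrs.put(k, v); }
    void remove(String k)           { attrs.remove(k); }
}

/** Simplified plugin contract (hypothetical, not DSpace's own interface). */
interface AuthenticationMethod {
    String name();                                  // identifies this plugin
    boolean authenticate(Session s, String user, String credential);
    List<String> getSpecialGroups(Session s);       // default groups to grant
}

/** Shared bookkeeping so plugins never inspect each other's private data. */
class AuthManager {
    static final String USER_KEY = "dspace.current.user";        // constructed key
    static final String AUTH_METHOD_KEY = "dspace.auth.method";  // constructed key
    private final List<AuthenticationMethod> methods;
    AuthManager(List<AuthenticationMethod> methods) { this.methods = methods; }

    /** Try each configured method; on success record user AND method in the session. */
    boolean login(Session s, String user, String credential) {
        for (AuthenticationMethod m : methods) {
            if (m.authenticate(s, user, credential)) {
                s.set(USER_KEY, user);
                s.set(AUTH_METHOD_KEY, m.name());
                return true;
            }
        }
        return false;
    }

    /** Logoff clears both keys so a later login by another method sees no stale data. */
    void logout(Session s) { s.remove(USER_KEY); s.remove(AUTH_METHOD_KEY); }

    /** Union of special groups from all plugins; each plugin does its own checks. */
    Set<String> specialGroups(Session s) {
        Set<String> out = new TreeSet<>();
        for (AuthenticationMethod m : methods) out.addAll(m.getSpecialGroups(s));
        return out;
    }

    /** The guard every plugin should apply before granting its default roles. */
    static boolean loggedInVia(Session s, String methodName) {
        return s.get(USER_KEY) != null && methodName.equals(s.get(AUTH_METHOD_KEY));
    }
}

/** Toy Shibboleth-style plugin: credential "shib-token" accepted, default role configured. */
class ShibAuth implements AuthenticationMethod {
    public String name() { return "shib"; }
    public boolean authenticate(Session s, String user, String cred) { return "shib-token".equals(cred); }
    public List<String> getSpecialGroups(Session s) {
        // Fixed behaviour: no user, or a user from another method, gets nothing.
        if (!AuthManager.loggedInVia(s, name())) return Collections.emptyList();
        return Collections.singletonList("SHIB-DEFAULT-MEMBERS");   // constructed group name
    }
}

/** Toy password plugin with no default roles of its own. */
class PasswordAuth implements AuthenticationMethod {
    public String name() { return "password"; }
    public boolean authenticate(Session s, String user, String cred) { return "secret".equals(cred); }
    public List<String> getSpecialGroups(Session s) { return Collections.emptyList(); }
}

public class Ds309Demo {
    public static void main(String[] args) {
        AuthManager auth = new AuthManager(Arrays.asList(new ShibAuth(), new PasswordAuth()));
        Session s = new Session();

        System.out.println("anonymous:      " + auth.specialGroups(s));   // []
        auth.login(s, "alice", "secret");                                  // password method
        System.out.println("password user:  " + auth.specialGroups(s));   // []
        auth.logout(s);
        auth.login(s, "bob", "shib-token");                                // shib method
        System.out.println("shib user:      " + auth.specialGroups(s));   // [SHIB-DEFAULT-MEMBERS]
        auth.logout(s);                                                    // browser stays open
        auth.login(s, "carol", "secret");                                  // different method, same session
        System.out.println("after re-login: " + auth.specialGroups(s));   // []
    }
}
```

The last scenario is the second point raised in the comment: because logoff removes the recorded method, a subsequent password login in the same browser session is not mistaken for a Shibboleth login. Checking `USER_KEY` as well as `AUTH_METHOD_KEY` covers the anonymous case from the issue description, and because the method name is written by shared code rather than by each plugin, the plugins no longer need to infer the login method from eperson fields.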

_______________________________________________
Dspace-devel mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/dspace-devel