Hi Peter,

Thanks for the detailed reply. You were absolutely correct – once I switched to only using my custom CAS authentication it removed the ability to change the password, as desired.

Your suggestion also fixed the oddity of port 443 being added to the CAS login URL. The system now correctly uses the port-free URL and logins work as expected. So, two issues fixed with one suggestion! Thanks Peter.

Cheers,
Graham

From: Peter Dietz [mailto:[email protected]]
Sent: Thursday, October 29, 2015 8:29 PM
To: Graham Faulkner
Cc: [email protected]
Subject: Re: [dspace-tech] CAS login - how to prohibit changing password

Hi Graham,

Don't let me scare you away by saying that "DSpace doesn't support CAS authentication", i.e. this JIRA ticket that provides CAS Authentication provider to DSpace has not been accepted into DSpace. https://jira.duraspace.org/browse/DS-1028, it looks like there have been 5 pull requests trying to bring that feature in... I'm not familiar with those contributions, but we would love DSpace to support all the relevant authentication stacks. (Sidenote, I've been working on Spring Security SAML, and would like to provide the ability for DSpace itself to authenticate directly with SAML-based auth mechanisms, i.e. Shibboleth, and ADFS, without a mod-shibb)

Check to see what your CAS code is doing, i.e. dspace-api/src/main/java/org/dspace/authenticate/CASAuthentication.java (it's not a part of stock DSpace), method allowSetPassword. It should "return false;" if you don't want to allow them to set the password.

For example, ShibAuthentication doesn't allow changing the password.
https://github.com/DSpace/DSpace/blob/387ee1c1af4ce26656e8ca585224390a358bb760/dspace-api/src/main/java/org/dspace/authenticate/ShibAuthentication.java#L407-L410

It looks like XMLUI shouldn't show the form to change their password if that is that way.
https://github.com/DSpace/DSpace/blob/387ee1c1af4ce26656e8ca585224390a358bb760/dspace-xmlui/src/main/java/org/dspace/app/xmlui/aspect/eperson/EditProfile.java#L401

However....
If you have multiple authentication methods enabled, such as CASAuthentication and PasswordAuthentication, if PasswordAuthentication allows the user to change their password, then it will show the user as being allowed to set their password. (But, each time they log in, CAS will have already approved them with their campus credentials). In this event, you'll probably want to edit xmlui / aspect/eperson / EditProfile.java, and just yank out all the allowSetPassword section. Or perhaps CSS to hide it?

________________
Peter Dietz
Longsight
www.longsight.com
[email protected]
p: 740-599-5005 x809

On Thu, Oct 29, 2015 at 8:12 PM, Graham Faulkner <[email protected]> wrote:

Hi all,

On our newest staging server (DSpace 5.3 with Mirage 2) we have CAS authentication implemented (with a CAS login URL oddity that I just posted to the list). Once the CAS user logs in successfully and goes to their Profile page, it shows the Security section with the form for changing the password. I am not sure why it is showing at all since in dspace/config/dspace.cfg I have set the following values:

xmlui.user.registration = false
xmlui.user.editmetadata = false

Thankfully it does not in fact allow the user to change their password as passwords are handled by the CAS system. However, I would like the option removed from the interface so as to avoid confusion.

As pointed out in a previous email, this newest staging server is using Apache as a reverse proxy alongside Tomcat. On our other development server that only uses Tomcat I have the above two lines set to false as well in dspace.cfg and it does not show the Security section, as expected.

Any pointers in the right direction are greatly appreciated.
Cheers,
Graham

-----------------------------------------
Graham Faulkner
Web Developer / Programmer
Digital Initiatives, Library
University of Waterloo
Waterloo, Ontario N2L 3G1 CANADA
519-888-4567 x32461
[email protected]

--
You received this message because you are subscribed to the Google Groups "DSpace Technical Support" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
To post to this group, send email to [email protected].
Visit this group at http://groups.google.com/group/dspace-tech.
For more options, visit https://groups.google.com/d/optout.
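
The stacking behaviour discussed in this thread, as an added example that is not part of the original messages and is not DSpace's own code: a small configuration check that reads the authentication stack and reports whether the change-password form will appear because one stacked method still allows it. The plugin-sequence key name and the set of methods that allow password changes are assumptions based on DSpace 5 conventions, and both sample configurations are constructed.

```python
# Assumption: DSpace 5 lists the stacked methods under this plugin-sequence key.
SEQ_KEY = "plugin.sequence.org.dspace.authenticate.AuthenticationMethod"
# Assumption: only the stock password method returns true from allowSetPassword;
# add any custom method here whose allowSetPassword does the same.
ALLOWS_SET_PASSWORD = {"org.dspace.authenticate.PasswordAuthentication"}

# Constructed sample: CAS stacked with local passwords, using line continuations.
MIXED = """\
# constructed sample configuration
plugin.sequence.org.dspace.authenticate.AuthenticationMethod = \\
    org.dspace.authenticate.CASAuthentication, \\
    org.dspace.authenticate.PasswordAuthentication
"""
# Constructed sample: CAS as the only method.
CAS_ONLY = SEQ_KEY + " = org.dspace.authenticate.CASAuthentication\n"


def auth_stack(cfg_text):
    """Return the configured authentication classes, in stack order."""
    logical, pending = [], ""
    for raw in cfg_text.splitlines():
        line = raw.strip()
        if not pending and (not line or line[0] in "#!"):
            continue                      # blank line or comment
        if line.endswith("\\"):           # properties-style continuation
            pending += line[:-1].strip()
            continue
        logical.append(pending + line)
        pending = ""
    if pending:
        logical.append(pending)
    for entry in logical:
        key, _, value = entry.partition("=")
        if key.strip() == SEQ_KEY:
            return [c.strip() for c in value.split(",") if c.strip()]
    return []


def password_form_shown(stack):
    """The form appears if any one method in the stack allows setting a password."""
    return any(cls in ALLOWS_SET_PASSWORD for cls in stack)


if __name__ == "__main__":
    for name, cfg in (("mixed", MIXED), ("cas-only", CAS_ONLY)):
        stack = auth_stack(cfg)
        print(name, stack, "form shown:", password_form_shown(stack))
```
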
