Hello,

recently I have encountered the following problem when trying to configure Shibboleth authentication in our DSpace installation (https://dspace.cuni.cz). I would like to have our users authenticate via Shibboleth (using university account) or (in some cases) using local DSpace account and simple Password Authentication.
After a successful Shibboleth login, I was trying to sign in again with my local DSpace account (after logging out of course and in a different browser and using an Anonymous Window). Accidentally I forgot to type in my password, but DSpace "logged me in" (I was redirected to the DSpace homepage), but instead of the account name in the top-right corner of the page there was a blank space. When I clicked the empty button, it showed me links to the "Profile" page and Logout. When I tried to access my account information, the following error appeared:

The 'characters' parameter is required for list items.

Behavior is the same even when trying to log in with a non-existent e-mail address (e-mail completely made up, no ePerson with this e-mail exists in DSpace). In addition, an empty ePerson appears in the DSpace list of ePersons, without any name or e-mail.

I would be very thankful for any opinions on this and possibly a suggestion how to fix this. In case you are wondering how to replicate this issue, I've written down each step that led to this issue. We are using DSpace 5.6, with XMLUI.

With best regards,
Jakub
Charles University, Prague

######################

How to replicate this issue:

1) Add ShibbolethAuthentication to authentication stack
   * in [dspace]/config/modules/authentication.cfg - add org.dspace.authenticate.ShibAuthentication to the plugin.sequence.org.dspace.authenticate.AuthenticationMethod property:

plugin.sequence.org.dspace.authenticate.AuthenticationMethod = org.dspace.authenticate.ShibAuthentication, org.dspace.authenticate.PasswordAuthentication, org.dspace.authenticate.IPAuthentication

2) authentication-shibboleth.cfg settings

# Whether to use lazy sessions or active sessions.
lazysession = true

# The url to start a shibboleth session (only for lazy sessions)
lazysession.loginurl = /Shibboleth.sso/Login

# Force HTTPS when authenticating (only for lazy sessions)
lazysession.secure = true

##
## Shibboleth Authentication Methods:
##

# Authentication headers for Mail, NetID, and Tomcat's Remote User.
# Supply all parameters possible.
# netid-header = SHIB-NETID
# email-header = SHIB-MAIL
netid-header = epuid
email-header = mail
email-use-tomcat-remote-user = false

# Should we allow new users to be registered automatically?
autoregister = true
sword.compatibility = false

# Metadata Headers
# Shibboleth-based headers for the first and last name attirbutes
# firstname-header = SHIB-GIVENNAME
# lastname-header = SHIB-SURNAME
firstname-header = givenName
lastname-header = sn

# If the eperson metadata field is not found, should it be automatically created?
eperson.metadata.autocreate = true;
reconvert.attributes = true

role.urn\:cuni\:role\:libstaff = shibAuthenticatedLibStaff
role.urn\:cuni\:affiliation\:member\@lf2\.cuni\.cz = shibAuthenticatedLF2Member
role.staff = Anonymous
role.alum = Anonymous

3) Login -> Shibboleth authentication
4) Select Home Organization -> Charles University in Prague -> click Select
5) Login with university username and password -> SUCCESS
6) Logout
7) Open different browser, create new Anonymous Window
7) Login -> Password Authentication
8) Login screen -> fill in local DSpace account username, without password (!!!) -> Sign In

-> Result:
-> DSpace redirects to Shibboleth authentication instead of displaying error message regarding empty password field
-> DSpace receives empty Shibboleth headers
-> DSpace creates user with empty credentials
-> DSpace authenticates user as this user using Shibboleth authentication
-> from dspace.log:
-> My opinion: PasswordAuthentication plugin is not called properly, instead user authentication is taken over by ShibbolethAuthentication plugin

2017-08-31 14:16:45,479 INFO org.dspace.authenticate.PasswordAuthentication @ anonymous:session_id=E3E6377BF57F059DF97FFDEC65D602D8:ip_addr=2001:718:1e03:5128:9e9e:1a6d:f958:dce:authenticate:attempting password auth of [email protected]
2017-08-31 14:16:45,483 INFO org.dspace.authenticate.PasswordAuthentication @ [email protected]:session_id=E3E6377BF57F059DF97FFDEC65D602D8:ip_addr=2001:718:1e03:5128:9e9e:1a6d:f958:dce:authenticate:type=PasswordAuthentication
2017-08-31 14:16:45,484 INFO org.dspace.eperson.EPerson @ [email protected]:session_id=E3E6377BF57F059DF97FFDEC65D602D8:ip_addr=2001:718:1e03:5128:9e9e:1a6d:f958:dce:update_eperson:eperson_id=1
2017-08-31 14:16:45,484 INFO org.dspace.app.xmlui.utils.AuthenticationUtil @ [email protected]:session_id=E3E6377BF57F059DF97FFDEC65D602D8:ip_addr=2001:718:1e03:5128:9e9e:1a6d:f958:dce:login:type=explicit
2017-08-31 14:16:45,931 INFO org.dspace.app.xmlui.aspect.artifactbrowser.CommunityBrowser @ [email protected]:session_id=E3E6377BF57F059DF97FFDEC65D602D8:ip_addr=2001:718:1e03:5128:9e9e:1a6d:f958:dce:view_community_list:
2017-08-31 14:16:45,931 INFO org.dspace.app.xmlui.aspect.discovery.SidebarFacetsTransformer @ facets for scope, null: 3
2017-08-31 14:16:58,388 INFO org.dspace.eperson.EPerson @ [email protected]:session_id=E3E6377BF57F059DF97FFDEC65D602D8:ip_addr=2001:718:1e03:5128:9e9e:1a6d:f958:dce:delete_eperson:eperson_id=42
2017-08-31 14:17:03,726 INFO org.dspace.app.xmlui.aspect.artifactbrowser.CommunityBrowser @ [email protected]:session_id=E3E6377BF57F059DF97FFDEC65D602D8:ip_addr=2001:718:1e03:5128:9e9e:1a6d:f958:dce:view_community_list:
2017-08-31 14:17:03,726 INFO org.dspace.app.xmlui.aspect.discovery.SidebarFacetsTransformer @ facets for scope, null: 3
2017-08-31 14:17:13,846 INFO org.dspace.app.xmlui.aspect.artifactbrowser.CommunityBrowser @ anonymous:session_id=E3E6377BF57F059DF97FFDEC65D602D8:ip_addr=2001:718:1e03:5128:9e9e:1a6d:f958:dce:view_community_list:
2017-08-31 14:17:13,847 INFO org.dspace.app.xmlui.aspect.discovery.SidebarFacetsTransformer @ facets for scope, null: 3
2017-08-31 14:17:54,717 INFO org.dspace.app.xmlui.aspect.artifactbrowser.CommunityBrowser @ anonymous:session_id=D15C37AB187655798AA7DE91227FF73A:ip_addr=2001:718:1e03:5128:9e9e:1a6d:f958:dce:view_community_list:
2017-08-31 14:17:54,717 INFO org.dspace.app.xmlui.aspect.discovery.SidebarFacetsTransformer @ facets for scope, null: 3
2017-08-31 14:17:58,027 DEBUG org.dspace.authenticate.ShibAuthentication @ Redirecting user to Shibboleth initiator: /Shibboleth.sso/Login?target=https%3A%2F%2Fgull.is.cuni.cz%2F%2Fshibboleth-login
2017-08-31 14:17:58,027 DEBUG org.dspace.authenticate.ShibAuthentication @ Redirecting user to Shibboleth initiator: /Shibboleth.sso/Login?target=https%3A%2F%2Fgull.is.cuni.cz%2F%2Fshibboleth-login
2017-08-31 14:18:04,941 INFO org.dspace.authenticate.PasswordAuthentication @ anonymous:session_id=D15C37AB187655798AA7DE91227FF73A:ip_addr=2001:718:1e03:5128:9e9e:1a6d:f958:dce:authenticate:attempting password auth of [email protected]
2017-08-31 14:18:04,945 DEBUG org.dspace.authenticate.ShibAuthentication @ Starting Shibboleth Authentication
2017-08-31 14:18:04,946 DEBUG org.dspace.authenticate.ShibAuthentication @ Received the following headers: host='gull.is.cuni.cz' user-agent='Mozilla/5.0 (X11; Fedora; Linux x86_64; rv:54.0) Gecko/20100101 Firefox/54.0' accept='text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8' accept-language='en-US,en;q=0.5' accept-encoding='gzip, deflate, br' referer='https://gull.is.cuni.cz/password-login' content-type='application/x-www-form-urlencoded' content-length='61' cookie='JSESSIONID=D15C37AB187655798AA7DE91227FF73A' DNT='1' connection='keep-alive' Upgrade-Insecure-Requests='1' Shib-Cookie-Name='' Shib-Session-ID='' Shib-Session-Index='' Shib-Identity-Provider='' Shib-Authentication-Method='' Shib-Authentication-Instant='' Shib-AuthnContext-Class='' Shib-AuthnContext-Decl='' Shib-Assertion-Count='' Shib-Handler='https://gull.is.cuni.cz/Shibboleth.sso' eppn='' affiliation='' unscoped-affiliation='' entitlement='' targeted-id='' persistent-id='' primary-affiliation='' nickname='' primary-orgunit-dn='' orgunit-dn='' org-dn='' assurance='' member='' eduCourseOffering='' eduCourseMember='' cn='' sn='' givenName='' mail='' telephoneNumber='' title='' initials='' description='' carLicense='' departmentNumber='' employeeNumber='' employeeType='' preferredLanguage='' displayName='' manager='' seeAlso='' facsimileTelephoneNumber='' street='' postOfficeBox='' postalCode='' st='' l='' o='' ou='' businessCategory='' physicalDeliveryOfficeName='' authMail='' epuid='' mefaperson='' commonNameASCII='' authenticationlevel='' schacHomeOrganization='' Shib-CUNIPersonalID='' Shib-Application-ID='' REMOTE_USER=''
2017-08-31 14:18:04,947 INFO org.dspace.authenticate.ShibAuthentication @ Unable to identify EPerson based upon Shibboleth netid header: 'epuid'=''.
2017-08-31 14:18:04,947 INFO org.dspace.authenticate.ShibAuthentication @ Unable to identify EPerson based upon Shibboleth email header: 'mail'=''.
2017-08-31 14:18:04,948 INFO org.dspace.eperson.EPerson @ anonymous:session_id=D15C37AB187655798AA7DE91227FF73A:ip_addr=2001:718:1e03:5128:9e9e:1a6d:f958:dce:create_eperson:eperson_id=43
2017-08-31 14:18:04,949 INFO org.dspace.eperson.EPerson @ anonymous:session_id=D15C37AB187655798AA7DE91227FF73A:ip_addr=2001:718:1e03:5128:9e9e:1a6d:f958:dce:update_eperson:eperson_id=43
2017-08-31 14:18:04,956 INFO org.dspace.authenticate.ShibAuthentication @ Auto registered new eperson using Shibboleth-based attributes: NetId: '' Email: '' First Name: '' Last Name: ''
2017-08-31 14:18:04,957 DEBUG org.dspace.authenticate.ShibAuthentication @ Updated the eperson's minimal metadata: Email Header: 'mail' = '' First Name Header: 'givenName' = '' Last Name Header: 'givenName' = ''
2017-08-31 14:18:04,957 INFO org.dspace.eperson.EPerson @ anonymous:session_id=D15C37AB187655798AA7DE91227FF73A:ip_addr=2001:718:1e03:5128:9e9e:1a6d:f958:dce:update_eperson:eperson_id=43
2017-08-31 14:18:04,959 INFO org.dspace.authenticate.ShibAuthentication @ has been authenticated via shibboleth.
2017-08-31 14:18:04,960 INFO org.dspace.eperson.EPerson @ :session_id=D15C37AB187655798AA7DE91227FF73A:ip_addr=2001:718:1e03:5128:9e9e:1a6d:f958:dce:update_eperson:eperson_id=43
2017-08-31 14:18:04,960 INFO org.dspace.app.xmlui.utils.AuthenticationUtil @ :session_id=D15C37AB187655798AA7DE91227FF73A:ip_addr=2001:718:1e03:5128:9e9e:1a6d:f958:dce:login:type=explicit
2017-08-31 14:18:04,960 DEBUG org.dspace.authenticate.ShibAuthentication @ Starting to determine special groups
2017-08-31 14:18:04,960 DEBUG org.dspace.authenticate.ShibAuthentication @ Found Shibboleth role header: 'entitlement' = '[]'
2017-08-31 14:18:04,961 INFO org.dspace.authenticate.ShibAuthentication @ Added current EPerson to special groups: []
2017-08-31 14:18:05,037 DEBUG org.dspace.authenticate.ShibAuthentication @ Returning cached special groups.
2017-08-31 14:18:05,038 DEBUG org.dspace.authenticate.ShibAuthentication @ Returning cached special groups.
2017-08-31 14:18:05,165 INFO org.dspace.app.xmlui.aspect.artifactbrowser.CommunityBrowser @ :session_id=D15C37AB187655798AA7DE91227FF73A:ip_addr=2001:718:1e03:5128:9e9e:1a6d:f958:dce:view_community_list:
2017-08-31 14:18:05,166 INFO org.dspace.app.xmlui.aspect.discovery.SidebarFacetsTransformer @ facets for scope, null: 3
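The signature visible in the dspace.log excerpt above (empty Shib-Session-ID, an auto-registered ePerson with empty NetId and Email, and a login with no identity) can be searched for in existing logs. This is an added example, not part of the original post and not DSpace code; the sample lines are constructed (host, IP, session and user values are made up), and pairing a finding with the most recent create_eperson line is a heuristic assumption.

```python
import re

# Constructed sample in the dspace.log format quoted above (host, IP, session id, users are made up).
SAMPLE_LOG = """\
2017-08-31 14:18:04,946 DEBUG org.dspace.authenticate.ShibAuthentication @ Received the following headers: host='dspace.example.org' Shib-Session-ID='' epuid='' mail=''
2017-08-31 14:18:04,948 INFO org.dspace.eperson.EPerson @ anonymous:session_id=AAAA:ip_addr=192.0.2.10:create_eperson:eperson_id=43
2017-08-31 14:18:04,956 INFO org.dspace.authenticate.ShibAuthentication @ Auto registered new eperson using Shibboleth-based attributes: NetId: '' Email: '' First Name: '' Last Name: ''
2017-08-31 14:18:04,959 INFO org.dspace.authenticate.ShibAuthentication @  has been authenticated via shibboleth.
2017-08-31 15:02:11,120 DEBUG org.dspace.authenticate.ShibAuthentication @ Received the following headers: host='dspace.example.org' Shib-Session-ID='_abc123' epuid='12345678' mail='user@example.org'
2017-08-31 15:02:11,125 INFO org.dspace.eperson.EPerson @ anonymous:session_id=BBBB:ip_addr=192.0.2.11:create_eperson:eperson_id=44
2017-08-31 15:02:11,130 INFO org.dspace.authenticate.ShibAuthentication @ Auto registered new eperson using Shibboleth-based attributes: NetId: '12345678' Email: 'user@example.org' First Name: 'Jan' Last Name: 'Novak'
2017-08-31 15:02:11,135 INFO org.dspace.authenticate.ShibAuthentication @ user@example.org has been authenticated via shibboleth.
"""

LINE = re.compile(r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d,\d{3})\s+\w+\s+(?P<cls>\S+)\s+@\s?(?P<msg>.*)$")
ATTR = re.compile(r"(NetId|Email): '([^']*)'")
SESSION = re.compile(r"Shib-Session-ID='([^']*)'")
CREATED = re.compile(r":create_eperson:eperson_id=(\d+)")

def find_empty_shib_logins(log_text):
    """Return (timestamp, finding, eperson_id) for Shibboleth logins that carried no identity."""
    findings, last_created = [], None
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        ts, cls, msg = m["ts"], m["cls"], m["msg"]
        if cls.endswith(".EPerson"):
            created = CREATED.search(msg)
            if created:
                last_created = int(created.group(1))  # heuristic: most recent creation
        elif cls.endswith(".ShibAuthentication"):
            if msg.startswith("Received the following headers:"):
                session = SESSION.search(msg)
                if session is None or not session.group(1):
                    findings.append((ts, "empty-shib-session", None))
            elif msg.startswith("Auto registered new eperson"):
                attrs = dict(ATTR.findall(msg))
                if not attrs.get("NetId") and not attrs.get("Email"):
                    findings.append((ts, "autoregistered-empty-eperson", last_created))
            elif msg.strip() == "has been authenticated via shibboleth.":
                findings.append((ts, "authenticated-empty-identity", last_created))
    return findings

if __name__ == "__main__":
    for ts, finding, eperson_id in find_empty_shib_logins(SAMPLE_LOG):
        print(ts, finding, eperson_id)
```

The ePerson ids it reports are candidates to check against the ePerson list for entries without a name or e-mail.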
