Hi, we actually like the functionality of the Shibboleth "lazy session"; it 
makes the site feel friendlier. Our university has not yet implemented any sort 
of logout cookie for Shibboleth, and doesn't plan to until it's supported (that's 
what the sysadmins tell me). However, our setup is a bit different from yours; 
here are the pertinent snippets from our various configs:

<!-- snip from /etc/tomcat5/server.xml tomcat server config -->
<Connector port="8009"
  enableLookups="false" redirectPort="8080" protocol="AJP/1.3"
  address="127.0.0.1" tomcatAuthentication="false"
  connectionTimeout="20000" disableUploadTimeout="true" URIEncoding="UTF-8"/>


<!-- snip from /etc/tomcat5/Catalina/localhost/xmlui.xml context fragment -->
<Context debug="0"
    docBase="/dspace/webapps/xmlui" reloadable="true" unpackWARs="true"
    autoDeploy="true">
</Context>


### snips from our_production_vhost.conf

# turn on Shibboleth "Lazy Session"
<Location />
        AuthType shibboleth
        ShibRequireSession Off
        require shibboleth
</Location>

# reverse proxy for xmlui
<Location "/xmlui">
  ProxyPass         ajp://127.0.0.1:8009/xmlui
  ProxyPassReverse  ajp://127.0.0.1:8009/xmlui
  SetEnv force-proxy-request-1.0 1
  SetEnv proxy-nokeepalive 1
</Location>

# start Shibboleth login at this location
<Location "/xmlui/shibboleth-login" >
  AuthType shibboleth
  ShibRequireSession On
  ShibUseHeaders On
  require valid-user
</Location>

For your setup, I think if you moved that "ShibUseHeaders On" down from the 
lazy session stanza to your shibboleth-login stanza, you'd end up with what you 
wanted. If memory serves, that's the magic "give me my headers, now, please" 
command.

Hope that helps!

--Hardy 

> -----Original Message-----
> From: Vlastimil Krejcir [mailto:[email protected]]
> Sent: Tuesday, October 19, 2010 9:15 AM
> To: [email protected]
> Subject: [Dspace-tech] Shibboleth - user groups
> 
> 
>    Hi all,
> 
> I have set up Shibboleth authentication in DSpace and assigning groups
> according to the "affiliation" (authentication.shib.role-header) does
> not work.
> 
> I have found that getSpecialGroups() from
> /org/dspace/authenticate/ShibAuthentication.java gets no shibboleth
> headers. I guess that the trouble lies in Apache config. At first I have
> tried mod_proxy, then mod_jk and the result is still the same. To get
> getSpecialGroups() to work properly (to send shib headers) I have to
> change Apache config slightly to use lazy session for the root (where I
> have my DSpace installation):
> 
> <Location /shibboleth-login>
>       AuthType shibboleth
>       ShibRequireSession On
>       Require valid-user
>       ShibUseHeaders On
> </Location>
> 
> <Location />
>       AuthType shibboleth
>       ShibRequireSession Off
>       ShibUseHeaders on
>       Require shibboleth
> </Location>
> 
> 
> So this is lazy session configuration. Using this, groups assigning
> works. But I can't logout - means trying to reach /mydspace cause I'm
> logged in via Shibboleth without asking what kind of authentication I
> want. If I was logged in before, my last session is used, if I wasn't
> there is something I name "empty user". It seems, DSpace tests
> "shibboleth" header and then assumes somebody is logged in.
> 
> Removing lazy session config (for the root /) causes Shibboleth to work
> fine except for assigning groups.
> 
> Has anyone experienced the same troubles? Can you share your Apache
> config?
> 
> I have version 1.6.2, also last SP (2.3.1 I think). I have also set up
> webui.session.invalidate = false.
> 
> Thanks.
> 
> Vlastik
> 
> ----------------------------------------------------------------------------
> Vlastimil Krejčíř
> Library and Information Centre, Institute of Computer Science
> Masaryk University in Brno, Czech Republic
> Email: krejcir (at) ics (dot) muni (dot) cz
> Phone: +420 549 49 3872
> ICQ: 163963217
> Jabber: [email protected]
> ----------------------------------------------------------------------------
> 
> _______________________________________________
> DSpace-tech mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/dspace-tech
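
A small checker for the arrangement suggested in the reply above (keep "ShibUseHeaders On" in the login stanza, not in the lazy-session stanza). This is an added example, not code from the thread or from DSpace or Shibboleth; the two sample configs are constructed from the stanzas quoted in the thread, and the "Off" defaults for both directives are an assumption of the checker.

```python
import re

# Directives whose on/off value is tracked per <Location> stanza.
TRACKED = ("shibrequiresession", "shibuseheaders")

def parse_locations(conf_text):
    """Return {path: {directive: bool}} for each <Location> stanza.
    Stanzas are read in isolation; Apache's section merging is not modelled."""
    stanzas, current = {}, None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        opened = re.match(r'<Location\s+"?([^">\s]+)"?\s*>', line, re.I)
        if opened:
            current = stanzas.setdefault(opened.group(1), {})
        elif re.match(r"</Location\s*>", line, re.I):
            current = None
        elif current is not None:
            parts = line.split(None, 1)
            if len(parts) == 2 and parts[0].lower() in TRACKED:
                current[parts[0].lower()] = parts[1].strip().lower() == "on"
    return stanzas

def headers_on_lazy_paths(conf_text):
    """Paths that publish attributes as headers without requiring a session."""
    flagged = []
    for path, d in parse_locations(conf_text).items():
        require = d.get("shibrequiresession", False)  # assumed default: Off
        headers = d.get("shibuseheaders", False)      # assumed default: Off
        if headers and not require:
            flagged.append(path)
    return flagged

LOGIN = """<Location /shibboleth-login>
  AuthType shibboleth
  ShibRequireSession On
  Require valid-user
  ShibUseHeaders On
</Location>
"""
LAZY = "<Location />\n  AuthType shibboleth\n  ShibRequireSession Off\n%s  Require shibboleth\n</Location>\n"

# Constructed samples: the configuration from the original message, and the
# same configuration with ShibUseHeaders dropped from the lazy-session stanza.
BEFORE = LOGIN + LAZY % "  ShibUseHeaders on\n"
AFTER = LOGIN + LAZY % ""

if __name__ == "__main__":
    print("before:", headers_on_lazy_paths(BEFORE))
    print("after: ", headers_on_lazy_paths(AFTER))
```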
