Sorry for the late reply, Vlastik, have you resolved your issue? There are many possibilities why getSpecialGroups could be missing the headers, usually associated with the Apache config as well as your SP config. Some possible reasons:

1) switching between https and http
2) Tomcat re-creating new sessions (such as controlled by webui.session.invalidate)

Log files from the SP could help. A workaround, but only do this if you're stuck and don't know the cause of the above, is to edit the authenticate() method on ShibAuthentication and insert the call to getSpecialGroups towards the end, before the return success. What this does is set the shib.specialgroups attribute into the session, and therefore it will be usable at later stages of the processing.

Hope that helps,
Bruc

2010/10/20 Jochen Lienhard <[email protected]>:
> Hi,
>
> we only have this shibboleth protection configuration:
>
> <Location /shibboleth-login>
>   AuthType shibboleth
>   ShibRequireSession On
>   require valid-user
>   ShibUseHeaders On
> </Location>
>
> We do not protect the root-path.
>
> We have not yet tested the authentication.shib.role-header.
> Could it perhaps be a problem of scoped or not scoped affiliation?
>
> Greetings
>
> Jochen Lienhard
>
> Pottinger, Hardy J. wrote:
>>
>> Hi, we actually like the functionality of the Shibboleth "lazy session" it
>> makes the site feel friendlier. Our university has not yet implemented any
>> sort of logout cookie for Shibboleth, and don't plan to until it's supported
>> (that's what the sysadmins tell me).
>> However, our setup is a bit different
>> from yours, here are the pertinent snippets from our various configs:
>>
>> <!-- snip from /etc/tomcat5/server.xml tomcat server config -->
>> <Connector port="8009"
>>   enableLookups="false" redirectPort="8080" protocol="AJP/1.3"
>>   address="127.0.0.1" tomcatAuthentication="false"
>>   connectionTimeout="20000" disableUploadTimeout="true"
>>   URIEncoding="UTF-8"/>
>>
>>
>> <!-- snip from /etc/tomcat5/Catalina/localhost/xmlui.xml context fragment -->
>> <Context debug="0"
>>   docBase="/dspace/webapps/xmlui" reloadable="true" unpackWARs="true"
>>   autoDeploy="true">
>> </Context>
>>
>>
>> ### snips from our_production_vhost.conf
>>
>> # turn on Shibboleth "Lazy Session"
>> <Location />
>>   AuthType shibboleth
>>   ShibRequireSession Off
>>   require shibboleth
>> </Location>
>>
>> # reverse proxy for xmlui
>> <Location "/xmlui">
>>   ProxyPass ajp://127.0.0.1:8009/xmlui
>>   ProxyPassReverse ajp://127.0.0.1:8009/xmlui
>>   SetEnv force-proxy-request-1.0 1
>>   SetEnv proxy-nokeepalive 1
>> </Location>
>>
>> # start Shibboleth login at this location
>> <Location "/xmlui/shibboleth-login">
>>   AuthType shibboleth
>>   ShibRequireSession On
>>   ShibUseHeaders On
>>   require valid-user
>> </Location>
>>
>> For your setup, I think if you moved that "ShibUseHeaders On" down from
>> the lazy session stanza to your shibboleth-login stanza, you'd end up with
>> what you wanted. If memory serves, that's the magic "give me my headers,
>> now, please" command.
>>
>> Hope that helps!
>>
>> --Hardy
>>
>>
>>> -----Original Message-----
>>> From: Vlastimil Krejcir [mailto:[email protected]]
>>> Sent: Tuesday, October 19, 2010 9:15 AM
>>> To: [email protected]
>>> Subject: [Dspace-tech] Shibboleth - user groups
>>>
>>>
>>> Hi all,
>>>
>>> I have set up Shibboleth authentication in DSpace and assigning groups
>>> according to the "affiliation" (authentication.shib.role-header) does
>>> not work.
>>>
>>> I have found that getSpecialGroups() from
>>> /org/dspace/authenticate/ShibAuthentication.java gets no shibboleth
>>> headers. I guess that the trouble lies in the Apache config. At first I
>>> tried mod_proxy, then mod_jk and the result is still the same. To get
>>> getSpecialGroups() to work properly (to send shib headers) I have to
>>> change the Apache config slightly to use lazy session for the root
>>> (where I have my DSpace installation):
>>>
>>> <Location /shibboleth-login>
>>>   AuthType shibboleth
>>>   ShibRequireSession On
>>>   Require valid-user
>>>   ShibUseHeaders On
>>> </Location>
>>>
>>> <Location />
>>>   AuthType shibboleth
>>>   ShibRequireSession Off
>>>   ShibUseHeaders on
>>>   Require shibboleth
>>> </Location>
>>>
>>>
>>> So this is the lazy session configuration. Using this, assigning groups
>>> works.
>>> But I can't log out - means trying to reach /mydspace cause I'm logged in
>>> via Shibboleth without asking what kind of authentication I want. If I
>>> was logged in before, my last session is used, if I wasn't there is
>>> something I name "empty user". It seems DSpace tests the "shibboleth"
>>> header and then assumes somebody is logged in.
>>>
>>> Removing the lazy session config (for the root /) causes Shibboleth to
>>> work fine except for assigning groups.
>>>
>>> Has anyone experienced the same troubles? Can you share your Apache
>>> config?
>>>
>>> I have version 1.6.2, also the latest SP (2.3.1 I think). I have also set up
>>> webui.session.invalidate = false.
>>>
>>> Thanks.
>>>
>>> Vlastik
>>>
>>> ----------------------------------------------------------------------------
>>> Vlastimil Krejčíř
>>> Library and Information Centre, Institute of Computer Science
>>> Masaryk University in Brno, Czech Republic
>>> Email: krejcir (at) ics (dot) muni (dot) cz
>>> Phone: +420 549 49 3872
>>> ICQ: 163963217
>>> Jabber: [email protected]
>>> ----------------------------------------------------------------------------
>>>
>>> ------------------------------------------------------------------------------
>>> Download new Adobe(R) Flash(R) Builder(TM) 4
>>> The new Adobe(R) Flex(R) 4 and Flash(R) Builder(TM) 4 (formerly
>>> Flex(R) Builder(TM)) enable the development of rich applications that run
>>> across multiple browsers and platforms. Download your free trials today!
>>> http://p.sf.net/sfu/adobe-dev2dev
>>> _______________________________________________
>>> DSpace-tech mailing list
>>> [email protected]
>>> https://lists.sourceforge.net/lists/listinfo/dspace-tech
>>>
>
> --
> Dr. rer. nat. Jochen Lienhard
> Universitätsbibliothek UB 2
> Dezernat EDV
> Rempartstraße 10-16 | Postfach 1629
> D-79098 Freiburg | D-79016 Freiburg
>
> Phone: +49 761 203-3908
> E-Mail: [email protected]
> Internet: www.ub.uni-freiburg.de
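
The workaround from the top reply, as an added example that is not part of the original thread and not DSpace's own code: a simplified, self-contained Java model in which authenticate() resolves the groups while the login request still carries its Shibboleth headers and stores them under shib.specialgroups, so later header-less requests reuse the session copy. The header names, the trusted scope and the role-to-group map are assumptions, and the request and session are modelled as plain maps.

```java
import java.util.*;

// Added illustration: a simplified model, not DSpace's ShibAuthentication class.
public class SpecialGroupsCache {
    static final String SESSION_KEY = "shib.specialgroups"; // attribute name from the thread
    static final String ROLE_HEADER = "affiliation";        // assumed authentication.shib.role-header value
    static final String TRUSTED_SCOPE = "example.org";      // assumed home-organisation scope
    static final Map<String, String> ROLE_TO_GROUP =         // constructed role -> group mapping
            Map.of("staff", "Staff", "student", "Students");

    // Map one value ("staff" or "staff@example.org") to a group name, or null.
    // A scoped value is accepted only for the expected scope.
    static String toGroup(String value) {
        String role = value.trim().toLowerCase(Locale.ROOT);
        int at = role.indexOf('@');
        if (at >= 0) {
            if (!role.substring(at + 1).equals(TRUSTED_SCOPE)) return null;
            role = role.substring(0, at);
        }
        return ROLE_TO_GROUP.get(role);
    }

    // Resolve groups from the request headers; without headers, reuse the session copy.
    static List<String> getSpecialGroups(Map<String, String> headers, Map<String, List<String>> session) {
        String raw = headers.get(ROLE_HEADER);
        if (raw == null || raw.isBlank()) {
            // Requests outside the protected login location carry no Shibboleth headers.
            return session.getOrDefault(SESSION_KEY, List.of());
        }
        Set<String> groups = new LinkedHashSet<>();
        for (String value : raw.split(";")) {   // the SP joins multiple values with ';'
            String group = toGroup(value);
            if (group != null) groups.add(group);
        }
        session.put(SESSION_KEY, List.copyOf(groups));
        return session.get(SESSION_KEY);
    }

    // The workaround: call getSpecialGroups() before authenticate() reports success.
    static boolean authenticate(Map<String, String> headers, Map<String, List<String>> session) {
        if (headers.get("mail") == null) return false;  // assumed identity header
        getSpecialGroups(headers, session);
        return true;
    }
    public static void main(String[] args) {
        Map<String, List<String>> session = new HashMap<>();
        // Constructed login request: one value in the trusted scope, one from a foreign scope.
        Map<String, String> login = Map.of("mail", "user@example.org", ROLE_HEADER, "staff@example.org;student@other.example");
        System.out.println(authenticate(login, session));        // login request, headers present
        System.out.println(getSpecialGroups(Map.of(), session)); // later request, no headers
    }
}
```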

