Sorry for the late reply, Ylva. Have you resolved your issue?

Could you try putting this in dspace.cfg and re-testing?
webui.session.invalidate = false

If not, see whether the email below, which I sent for a similar case,
applies to you. Obviously you will need to debug and find out why the
2nd request to the SP is not getting the header, but nonetheless the
workaround could help you through in the meantime.

--------
There are many possible reasons why getSpecialGroups could be missing the
headers, usually associated with the Apache config as well as your SP
config. Some possible reasons:
1) switching between https and http
2) Tomcat re-creating new sessions (such as controlled by
webui.session.invalidate)

Log files from the SP could help.

A workaround, but only do this if you're stuck and don't know the
cause of the above, is to edit the authenticate() method in
ShibAuthentication and insert the call to getSpecialGroups towards the
end, before the return of success.

What this does is to set the shib.specialgroups attribute into session
and therefore it will be useable at later stages of the processing.

Hope that helps,

Bruc

On Fri, Oct 22, 2010 at 6:37 AM, Ylva Gavel <ylva.ga...@ki.se> wrote:
> Hello All,
>
>
>
>
>
> I have a problem with Shibboleth role mapping in DSpace. Although mapping to
> the default role works as intended, DSpace seems unable to retrieve the
> roles released in the role header by the IDP. So basically everybody gets
> mapped to the default role.
>
>
>
> I added some extra logging to ShibAuthentication.getSpecialGroups to trace
> what is happening. Judging from the log, the role header is visible to
> ShibbolethServlet, but not to ShibAuthentication.getSpecialGroups. Actually,
> no Shibboleth headers seem to be available from within that context, so I
> ask myself whether Shibboleth role mapping could be expected to work. Is
> this a known problem?
>
>
>
> Some information about my setup follows below:
>
>
>
> =================================================================================
>
> Selected entries in dspace.cfg:
>
>
>
> authentication.shib.email-header = eppn
> authentication.shib.email-use-tomcat-remote-user = true
> authentication.shib.autoregister = true
> authentication.shib.role-header = affiliation
> authentication.shib.role-header.ignore-scope = true
> authentication.shib.default-roles = member
>
>
>
>
>
> =================================================================================
>
> Selected lines from ShibAuthentication.getSpecialGroups:
>
>
>
>         String roleHeader = ConfigurationManager
>                 .getProperty("authentication.shib.role-header");
>         boolean roleHeader_ignoreScope = ConfigurationManager
>                 .getBooleanProperty("authentication.shib.role-header.ignore-scope");
>         if (roleHeader == null || roleHeader.trim().length() == 0)
>             roleHeader = "Shib-EP-UnscopedAffiliation"; // fall back to default
>
>         String emailHeader = ConfigurationManager.getProperty("authentication.shib.email-header");
>         String epers = request.getHeader(emailHeader);
>
>         log.info("Now mapping role header " + roleHeader);
>
>         String affiliations = request.getHeader(roleHeader);
>
>         // try again with all lower case...maybe has better luck
>         if (affiliations == null)
>             affiliations = request.getHeader(roleHeader.toLowerCase());
>
>         // default role when fully authN but not releasing any roles?
>         String defaultRoles = ConfigurationManager
>                 .getProperty("authentication.shib.default-roles");
>         if (affiliations == null && defaultRoles != null)
>         {
>             log.warn("Could not resolve " + roleHeader + " for email " + epers + "! Resorting to default " + defaultRoles);
>             affiliations = defaultRoles;
>         }
>
>
>
>
>
> =================================================================================
>
> Select lines from dspace.log:
>
>
>
> 2010-10-21 21:13:30,242 INFO  org.dspace.app.webui.servlet.ShibbolethServlet @ header:affiliation=emplo...@ki.se;mem...@ki.se
> 2010-10-21 21:13:30,242 INFO  org.dspace.app.webui.servlet.ShibbolethServlet @ header:unscoped-affiliation=
> 2010-10-21 21:13:30,242 INFO  org.dspace.app.webui.servlet.ShibbolethServlet @ header:primary-affiliation=
> 2010-10-21 21:13:30,276 INFO  org.dspace.authenticate.ShibAuthentication @ Now mapping role header affiliation
> 2010-10-21 21:13:30,276 WARN  org.dspace.authenticate.ShibAuthentication @ Could not resolve affiliation for email null! Resorting to default member
>
>
>
>
>
> Regards,
>
>
>
>     Ylva Gavel
>
>
>
> Ylva Gavel, PhD
>
> Systemprogrammerare / Systems Programmer
>
> Karolinska Institutet
>
> Universitetsbiblioteket / University Library
>
> Fe 200 (Berzelius väg 7B)
>
> SE-171 77 Stockholm
>
> +46 8 524 84 125
>
> ylva.ga...@ki.se
>
> http://ki.se/ub och http://saga.kib.ki.se
>
>
>
>
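
A model of the workaround described in the reply above, as an added example that is not part of the original thread and is not DSpace code. Request, the two maps and the sample affiliation values are constructed stand-ins for the servlet request, its headers and its session; the model assumes getSpecialGroups prefers a value already stored under shib.specialgroups, as the reply implies.

```java
import java.util.*;

// Stand-ins for HttpServletRequest/HttpSession; these are not DSpace or servlet classes.
public class ShibGroupCacheDemo {
    static final String SESSION_KEY = "shib.specialgroups"; // attribute name given in the reply
    static final String ROLE_HEADER = "affiliation";        // authentication.shib.role-header
    static final String DEFAULT_ROLES = "member";           // authentication.shib.default-roles

    static class Request {
        final Map<String, String> headers;
        final Map<String, Object> session;
        Request(Map<String, String> headers, Map<String, Object> session) {
            this.headers = headers; this.session = session;
        }
    }

    // Models getSpecialGroups: use groups cached in the session, else read the role header.
    @SuppressWarnings("unchecked")
    static List<String> getSpecialGroups(Request req) {
        Object cached = req.session.get(SESSION_KEY);
        if (cached != null) return (List<String>) cached;
        String affiliations = req.headers.get(ROLE_HEADER);
        if (affiliations == null) affiliations = DEFAULT_ROLES; // the fallback seen in dspace.log
        List<String> groups = new ArrayList<>();
        for (String a : affiliations.split(";")) {
            groups.add(a.contains("@") ? a.substring(0, a.indexOf('@')) : a); // ignore-scope = true
        }
        req.session.put(SESSION_KEY, groups);
        return groups;
    }

    // Models authenticate(): the workaround resolves groups while the SP headers are present.
    static void authenticate(Request req, boolean workaround) {
        if (workaround) getSpecialGroups(req);
    }

    public static void main(String[] args) {
        for (boolean workaround : new boolean[] {false, true}) {
            Map<String, Object> session = new HashMap<>();
            // Constructed sample: the login request carries SP headers, the later one does not.
            Map<String, String> h = new HashMap<>();
            h.put(ROLE_HEADER, "employee@example.org;member@example.org");
            authenticate(new Request(h, session), workaround);
            List<String> later = getSpecialGroups(new Request(new HashMap<>(), session));
            System.out.println("workaround=" + workaround + " -> " + later);
        }
    }
}
```

The cached value lives only as long as the session does, so a session that is re-created after login (the behaviour webui.session.invalidate controls) drops it again.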
