[Dspace-tech] Shibboleth - user groups
Vlastimil Krejcir
2010-10-19 14:15:15 UTC
Hi all,

I have set up Shibboleth authentication in DSpace, and assigning groups
according to the "affiliation" (authentication.shib.role-header) does not
work.

I have found that getSpecialGroups() from
/org/dspace/authenticate/ShibAuthentication.java gets no Shibboleth
headers. I guess that the trouble lies in the Apache config. At first I
tried mod_proxy, then mod_jk, and the result is still the same. To get
getSpecialGroups() to work properly (to send the shib headers) I have to
change the Apache config slightly to use a lazy session for the root
(where I have my DSpace installation):

<Location /shibboleth-login>
    AuthType shibboleth
    ShibRequireSession On
    Require valid-user
    ShibUseHeaders On
</Location>

<Location />
    AuthType shibboleth
    ShibRequireSession Off
    ShibUseHeaders on
    Require shibboleth
</Location>


So this is the lazy session configuration. Using this, group assignment
works. But I can't log out - meaning that trying to reach /mydspace causes
me to be logged in via Shibboleth without being asked what kind of
authentication I want. If I was logged in before, my last session is used;
if I wasn't, there is something I name "empty user". It seems DSpace tests
the "shibboleth" header and then assumes somebody is logged in.

Removing the lazy session config (for the root /) makes Shibboleth work
fine except for assigning groups.

Has anyone experienced the same troubles? Can you share your Apache
config?

I have version 1.6.2, also the latest SP (2.3.1 I think). I have also set up
webui.session.invalidate = false.

Thanks.

Vlastik

----------------------------------------------------------------------------
Vlastimil Krejčíř
Library and Information Centre, Institute of Computer Science
Masaryk University in Brno, Czech Republic
Email: krejcir (at) ics (dot) muni (dot) cz
Phone: +420 549 49 3872
ICQ: 163963217
Jabber: ***@jabber.org
----------------------------------------------------------------------------
Pottinger, Hardy J.
2010-10-19 15:24:08 UTC
Hi, we actually like the functionality of the Shibboleth "lazy session"; it makes the site feel friendlier. Our university has not yet implemented any sort of logout cookie for Shibboleth, and doesn't plan to until it's supported (that's what the sysadmins tell me). However, our setup is a bit different from yours; here are the pertinent snippets from our various configs:

<!-- snip from /etc/tomcat5/server.xml tomcat server config -->
<Connector port="8009"
enableLookups="false" redirectPort="8080" protocol="AJP/1.3" address="127.0.0.1" tomcatAuthentication="false"
connectionTimeout="20000" disableUploadTimeout="true" URIEncoding="UTF-8"/>


<!-- snip from /etc/tomcat5/Catalina/localhost/xmlui.xml context fragment -->
<Context debug="0"
docBase="/dspace/webapps/xmlui" reloadable="true" unpackWARs="true" autoDeploy="true">
</Context>


### snips from our_production_vhost.conf

# turn on Shibboleth "Lazy Session"
<Location />
AuthType shibboleth
ShibRequireSession Off
require shibboleth
</Location>

# reverse proxy for xmlui
<Location "/xmlui">
ProxyPass ajp://127.0.0.1:8009/xmlui
ProxyPassReverse ajp://127.0.0.1:8009/xmlui
SetEnv force-proxy-request-1.0 1
SetEnv proxy-nokeepalive 1
</Location>

# start Shibboleth login at this location
<Location "/xmlui/shibboleth-login" >
AuthType shibboleth
ShibRequireSession On
ShibUseHeaders On
require valid-user
</Location>

For your setup, I think if you moved that "ShibUseHeaders On" down from the lazy session stanza to your shibboleth-login stanza, you'd end up with what you wanted. If memory serves, that's the magic "give me my headers, now, please" command.

Hope that helps!

--Hardy
_______________________________________________
DSpace-tech mailing list
https://lists.sourceforge.net/lists/listinfo/dspace-tech
Vlastimil Krejcir
2010-10-19 19:51:01 UTC
Hi,

thanks for sharing the configs. However, it does not work. I have done
everything almost like you; assigning groups does not work. I have to set
ShibUseHeaders On to have this feature work. But then I cannot log out -
yes, it is not a tragedy; the tragedy is that I cannot log in, as I have
already described.

Here is my Apache config:

<Location />
AuthType shibboleth
ShibRequireSession Off
Require shibboleth
</Location>

JkMount /* tomcat

JkUnMount /Shibboleth.sso/* tomcat
JkUnMount /shibboleth tomcat
JkUnMount /shibboleth-sp/* tomcat

<Location /shibboleth-login>
    AuthType shibboleth
    ShibRequireSession On
    ShibUseHeaders On
    require valid-user
</Location>


Can anyone else help? I suppose it could be a small bug, I would like to=20
do more testing and debugging, but it takes a lot of time, so if anyone=20
can help I would appreciate it.

Thanks.

Vlastik

----------------------------------------------------------------------------
Vlastimil Krejčíř
Library and Information Centre, Institute of Computer Science
Masaryk University in Brno, Czech Republic
Email: krejcir (at) ics (dot) muni (dot) cz
Phone: +420 549 49 3872
ICQ: 163963217
Jabber: ***@jabber.org
----------------------------------------------------------------------------
Jochen Lienhard
2010-10-20 06:50:37 UTC
Hi,

we only have this shibboleth protection configuration:

<Location /shibboleth-login>
AuthType shibboleth
ShibRequireSession On
require valid-user
ShibUseHeaders On
</Location>

We do not protect the root-path.

We have not yet tested the authentication.shib.role-header.
Could it perhaps be a problem of scoped or not scoped affiliation?

Greetings

Jochen Lienhard
--
Dr. rer. nat. Jochen Lienhard
Universitätsbibliothek UB 2
Dezernat EDV
Rempartstraße 10-16 | Postfach 1629
D-79098 Freiburg | D-79016 Freiburg

Phone: +49 761 203-3908
E-Mail: ***@ub.uni-freiburg.de
Internet: www.ub.uni-freiburg.de
Bruc Liong
2011-01-10 08:56:25 UTC
Sorry for late reply, Vlastik, have you resolved your issue?

There are many possibilities why getSpecialGroup could be missing the
headers, usually associated with the Apache config as well as your SP
config; some possible reasons:
1) switching between https and http
2) tomcat re-creating new sessions (such as controlled by
webui.session.invalidate)

Log files from the SP could help.

A workaround, but only do this if you're stuck and don't know the
cause of the above, is to edit the authenticate() method on
ShibAuthentication and insert the call to getSpecialGroups towards the
end, before the return success.

What this does is set the shib.specialgroups attribute into the session,
and therefore it will be usable at later stages of the processing.

Hope that helps,

Bruc
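A model of the SP-to-application header handoff discussed across this thread (the lazy-session "empty user" Vlastik reports, Jochen's scoped-versus-unscoped affiliation question, and Bruc's authenticate()-time workaround), as an added example that is not code from DSpace, the Shibboleth SP, or anyone on the list; the header names, the affiliation-to-group table and the session key layout are assumptions chosen for the illustration:

```python
"""Model of the SP -> DSpace header handoff discussed in this thread.

Constructed example, not DSpace's or the Shibboleth SP's own code. Header
names, the affiliation-to-group table and the session key layout are
assumptions chosen to mirror the thread (authentication.shib.role-header,
the "empty user", Bruc's authenticate()-time workaround).
"""
from typing import Any, Dict, List, Optional

EMAIL_HEADER = "mail"                # assumed identity header exported by the SP
ROLE_HEADER = "affiliation"          # the authentication.shib.role-header value
SESSION_HEADER = "Shib-Session-ID"   # present only when the SP has a session

# Hypothetical affiliation -> DSpace group table (constructed for the example).
ROLE_TO_GROUP = {"faculty": "Faculty", "staff": "Staff", "student": "Students"}


def split_attribute(value: Optional[str]) -> List[str]:
    """The SP joins multi-valued attributes with ';'; drop empty pieces."""
    if not value:
        return []
    return [v.strip() for v in value.split(";") if v.strip()]


def unscope(value: str) -> str:
    """Scoped affiliation 'member@example.edu' -> unscoped 'member'."""
    return value.split("@", 1)[0].strip().lower()


def naive_is_logged_in(headers: Dict[str, str]) -> bool:
    """Presence-only test. Under a lazy-session stanza the SP still hands the
    application its (empty) headers, so this yields the 'empty user'."""
    return EMAIL_HEADER in headers


def strict_is_logged_in(headers: Dict[str, str]) -> bool:
    """Trust attributes only behind a real SP session with a non-empty identity."""
    return bool(headers.get(SESSION_HEADER)) and bool(
        headers.get(EMAIL_HEADER, "").strip())


def special_groups(headers: Dict[str, str]) -> List[str]:
    """Map every affiliation value, scoped or not, to a group; skip unknowns."""
    if not strict_is_logged_in(headers):
        return []
    groups: List[str] = []
    for raw in split_attribute(headers.get(ROLE_HEADER)):
        group = ROLE_TO_GROUP.get(unscope(raw))
        if group and group not in groups:
            groups.append(group)
    return groups


def authenticate(headers: Dict[str, str], session: Dict[str, Any]) -> bool:
    """Bruc's workaround, modelled: resolve the groups while the SP headers are
    on the request and cache them under shib.specialgroups in the session."""
    if not strict_is_logged_in(headers):
        return False
    session["user"] = headers[EMAIL_HEADER].strip()
    session["shib.specialgroups"] = special_groups(headers)
    return True


def groups_for_later_request(session: Dict[str, Any]) -> List[str]:
    """What getSpecialGroups() can return on a request that carries no headers."""
    return list(session.get("shib.specialgroups", []))


# Constructed requests as the SP would present them to the application.
NO_SESSION_LAZY = {"mail": "", "affiliation": ""}   # lazy session, nobody logged in
FULL_SESSION = {"Shib-Session-ID": "_s1", "mail": "alice@example.edu",
                "affiliation": "faculty@example.edu;staff@example.edu;alum"}
```

The naive check is the behaviour to avoid: it reports a login for the empty-header request, while the strict check and the session-cached groups survive a later request that carries no SP headers at all.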