[ 
http://jira.dspace.org/jira/browse/DS-187?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=10276#action_10276
 ] 

Andrea Bollini commented on DS-187:
-----------------------------------

[was: Kevin Lee added a comment - 30/Mar/09 04:04 AM]

This is the patch to fix the issue about the scoped role header.

Problem: If your SP only provides a scoped role header, like scopedAffiliation, 
this patch can unscope it for you to make it ready for shib role mapping.

How to use it: patch this against your source, then
in dspace/config/dspace.cfg, there is an additional option

authentication.shib.role-header.ignore-scope=false

all you need to do is change the value to true. 

> Allow anonymous user and scoped role header in Shibboleth auth method
> ---------------------------------------------------------------------
>
>                 Key: DS-187
>                 URL: http://jira.dspace.org/jira/browse/DS-187
>             Project: DSpace 1.x
>          Issue Type: Improvement
>          Components: DSpace API
>    Affects Versions: 1.5.2
>            Reporter: Andrea Bollini
>
> This issue has been created from the follow up of the DS-48 issue.
> Stuart Hicks, Systems Engineer at OhioLINK, has been working with a slightly 
> older version of the patch than what was released today and found two things 
> that we need in our environment:
> # Anonymous users - We can't guarantee that we'll get an eppn, email address, 
> or much of anything else from the schools except the mandatory affiliation 
> values. This is the issue that the attached patch addresses. Anonymous users 
> are defaulted to a preset account dictated by the email-default value in 
> dspace.cfg
> # Scoping - The authentication.shib.role handlers need to support scoping as 
> we use eduPersonScopedAffiliation attributes rather than the unscoped variety.
> Here's the text from his patch (based on an earlier version) to allow 
> anonymous, but Shibboleth authenticated users. Would it be possible to get 
> this change incorporated into the main codebase?:
> diff -ur dspace-1_5-with-shib.orig/dspace/config/dspace.cfg 
> dspace-1_5-with-shib/dspace/config/dspace.cfg
> --- dspace-1_5-with-shib.orig/dspace/config/dspace.cfg 2009-03-27 
> 10:46:22.000000000 -0400
> +++ dspace-1_5-with-shib/dspace/config/dspace.cfg 2009-03-27 
> 10:47:55.000000000 -0400
> @@ -324,6 +324,10 @@
>  # this option below forces the software to acquire the email from Tomcat.
>  #authentication.shib.email-use-tomcat-remote-user = true
>  
> +# this is the default email used for Shib-authenticated sessions that
> +# do not include user-identifiable data (eppn, mail, etc.)
> +#authentication.shib.email-default = anonym...@example.org
> +
>  # should we allow new users to be registered automtically
>  # if the IdP provides sufficient info (and user not exists in DRC)
>  #authentication.shib.autoregister = true
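
Review bot: the comment added above authentication.shib.email-default does not say that every Shibboleth session arriving without eppn or mail will share this one account, nor how the option interacts with authentication.shib.autoregister a few lines below it. Suggest stating in the comment that the address should belong to an existing low-privilege account, and whether autoregister may create that account when it is missing.
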
> diff -ur 
> dspace-1_5-with-shib.orig/dspace-api/src/main/java/au/edu/mq/melcoe/mams/dspace/authenticate/ShibAuthentication.java
>  
> dspace-1_5-with-shib/dspace-api/src/main/java/au/edu/mq/melcoe/mams/dspace/authenticate/ShibAuthentication.java
> --- 
> dspace-1_5-with-shib.orig/dspace-api/src/main/java/au/edu/mq/melcoe/mams/dspace/authenticate/ShibAuthentication.java
>  2009-03-27 10:46:18.000000000 -0400
> +++ 
> dspace-1_5-with-shib/dspace-api/src/main/java/au/edu/mq/melcoe/mams/dspace/authenticate/ShibAuthentication.java
>  2009-03-27 11:09:21.000000000 -0400
> @@ -59,6 +59,7 @@
>          
>          boolean isUsingTomcatUser = 
> ConfigurationManager.getBooleanProperty("authentication.shib.email-use-tomcat-remote-user");
>          String emailHeader = 
> ConfigurationManager.getProperty("authentication.shib.email-header");
> + String emailDefault = 
> ConfigurationManager.getProperty("authentication.shib.email-default");
>          
>          String email = null;
>          
> @@ -82,6 +83,11 @@
>              EPerson p = context.getCurrentUser();
>              if(p != null) email = p.getEmail();
>          }
> +
> + //Check to see if they provided a default account
> + if(email == null && emailDefault != null){
> + email = emailDefault;
> + }
>          
>          if(email == null){
>              log.error("No email is given, you're denied access by Shib, 
> please release email address");
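
Review bot: in the added block, `if(email == null && emailDefault != null)` tests only for null, so a property that is set but empty or whitespace-only would be assigned to email and the following `if(email == null)` denial with its log.error would be skipped. Suggest trimming the value and treating an empty result as unset, and logging when the default account is substituted so that anonymous sessions can be told apart from identified ones in the log.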

_______________________________________________
Dspace-devel mailing list
Dspace-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/dspace-devel
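
What unscoping a role header amounts to, as an added example that is not part of the patch or of DSpace. The class and method names and the header value are hypothetical and constructed for illustration. The second method goes beyond the ignore-scope option described in the comment by keeping only values whose scope is on an allow-list.

```java
import java.util.ArrayList;
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Locale;
import java.util.Set;

// Added illustration: names and sample values are hypothetical, not DSpace code.
public class ScopedRoleHeader {

    /** Splits a multi-valued header; the Shibboleth SP joins values with ';'. */
    static List<String> values(String header) {
        List<String> out = new ArrayList<>();
        if (header == null) return out;
        for (String v : header.split(";")) {
            v = v.trim();
            if (!v.isEmpty()) out.add(v);
        }
        return out;
    }

    /** Ignore-scope behaviour as described: drop everything from '@' onwards. */
    static Set<String> unscope(String header) {
        Set<String> roles = new LinkedHashSet<>();
        for (String v : values(header)) {
            int at = v.indexOf('@');
            String role = at >= 0 ? v.substring(0, at) : v;
            if (!role.isEmpty()) roles.add(role);
        }
        return roles;
    }

    /** Stricter variant: unscope only values whose scope is on an allow-list. */
    static Set<String> unscopeTrusted(String header, Set<String> trustedScopes) {
        Set<String> roles = new LinkedHashSet<>();
        for (String v : values(header)) {
            int at = v.lastIndexOf('@');
            if (at <= 0 || at == v.length() - 1) continue; // unscoped or malformed
            String scope = v.substring(at + 1).toLowerCase(Locale.ROOT);
            if (trustedScopes.contains(scope)) roles.add(v.substring(0, at));
        }
        return roles;
    }

    public static void main(String[] args) {
        // Constructed header value carrying two different scopes.
        String header = "member@example.edu;staff@partner.example.org";
        System.out.println(unscope(header));
        System.out.println(unscopeTrusted(header, Set.of("example.edu")));
    }
}
```

With the scope dropped, the same role name from any scope maps to the same DSpace role, so the role mapping is only as strict as the set of identity providers the SP accepts.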
