[dspace-tech] Wrong redirect URL after shibboleth login

2020-09-24 Thread David Williams
Hi all -

I appear to have been bitten by the bug submitted here:

https://jira.lyrasis.org/browse/DS-4139

Because I'm running DSpace from the root context, an extra slash is added 
to the return URL, based on this directive:

    if (!(port == 443 || port == 80))
        returnURL += ":" + port;
    returnURL += "/" + contextPath + "/shibboleth-login";

Under the circumstances, my contextPath is empty, so I end up with 
https://myserver.edu//shibboleth-login, which means the authentication 
attributes never make it to DSpace (I think).

I'd like to add an if/else conditional test along the lines of

    if (contextPath == null || contextPath.length() == 0)
        returnURL += "/shibboleth-login";
    else

and then recompile the Java class.

How can I do that and subsequently recompile and reinstall only this 
updated shibboleth authentication class?

Thanks,

- Dave Williams
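
The return-URL construction discussed in the message above, as an added example that is not part of the original post and is not DSpace's own code. `original` mirrors the quoted snippet; `normalized`, the class name and the sample host and context values are hypothetical. It goes slightly beyond the empty-context case by also covering a context path that already starts with a slash, which yields the `//dspace` form visible in the debug log quoted further down the thread.

```java
public class ShibReturnUrl {

    // Mirrors the snippet quoted in the message: always inserts "/" before contextPath.
    static String original(String host, int port, String contextPath) {
        String returnURL = "https://" + host;
        if (!(port == 443 || port == 80)) {
            returnURL += ":" + port;
        }
        returnURL += "/" + contextPath + "/shibboleth-login";
        return returnURL;
    }

    // Hypothetical replacement: trims slashes from the context path and only
    // emits a path segment for it when something is left.
    static String normalized(String host, int port, String contextPath) {
        StringBuilder url = new StringBuilder("https://").append(host);
        if (!(port == 443 || port == 80)) {
            url.append(':').append(port);
        }
        String ctx = (contextPath == null) ? "" : contextPath.replaceAll("^/+|/+$", "");
        if (!ctx.isEmpty()) {
            url.append('/').append(ctx);
        }
        return url.append("/shibboleth-login").toString();
    }

    public static void main(String[] args) {
        // Constructed inputs: root context, and two spellings of a "/dspace" context.
        String[] contexts = {"", "/dspace", "dspace/"};
        for (String ctx : contexts) {
            System.out.println("contextPath=\"" + ctx + "\"");
            System.out.println("  original:   " + original("myserver.edu", 443, ctx));
            System.out.println("  normalized: " + normalized("myserver.edu", 443, ctx));
        }
        // A non-default port is kept, and a null context path is treated as root.
        System.out.println(normalized("myserver.edu", 8443, null));
    }
}
```

For the root context, `original` prints `https://myserver.edu//shibboleth-login` and `normalized` prints `https://myserver.edu/shibboleth-login`, which is the path the Shibboleth-protected location has to match.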



Re: [dspace-tech] dspace not picking up Shibboleth attributes to authenticate

2020-09-10 Thread David Williams
Hi, Julie -

I'm experiencing the exact same issue, using DSpace 6.3.

What specifically did you change in the httpd.conf to stop the redirection 
following the handoff back to Apache from the IdP?

Thanks in advance for your assistance,

- Dave

On Thursday, February 23, 2017 at 8:22:35 PM UTC-5 jbel...@gmail.com wrote:

>
> I have shibboleth now working.  Adding this line 
> "log4j.logger.org.dspace.authenticate.ShibAuthentication=DEBUG" was the 
> biggest help.  Maybe should be more prominent in the documentation :)  
>
> Your testing suggestions found the problem in our httpd.conf which forced 
> a redirect to the /dspace directory after it came back from the IdP.  Still 
> have the double slashes  in the string.  That is actually created here 
> (probably another configuration issue further up the line)  - using the 
> Login function from the main page and not by any redirect or addition by 
> apache:
>
> 2017-02-23 15:48:48,738 DEBUG org.dspace.authenticate.ShibAuthentication @ 
> Redirecting user to Shibboleth initiator: 
> /Shibboleth.sso/Login?target=https%3A%2F%2Ftest-dspace.ksulib.net%2F%2Fdspace%2Fshibboleth-login
>
> Couple of notes here though…with things working:
>
> 1.  I was never able to get /shibboleth-login to the IdP without tomcat 
> running.
> 2.  This change created errors in Apache preventing start:
>
> configtest = ShibRequireSession must be On or Off, so I went back to the 
> On | Off
>
> - Replace "ShibRequireSession On" by "ShibRequestSetting 
>   requireSession 1"
> - Replace "ShibRequireSession Off" by "ShibRequestSetting 
>   requireSession 0"
>
> I do have one other question.  Is there any way to set all users to a 
> specific group after login rather than Anonymous?  In LDAP we were able to 
> set the default group as such:
>
> login.specialgroup = ETDR_AUTO
>
> I was thinking worst case -  use the affiliation and set all the roles to 
> the group.  I was looking at the scripting functions and could go that way 
> later. 
>
> Thank you again!
>
> On Feb 22, 2017, at 2:57 PM, Tom Desair wrote:
>
> Can you enable debug logging for Shibboleth in DSpace by adding this line 
> "log4j.logger.org.dspace.authenticate.ShibAuthentication=DEBUG" to 
> the config/log4j.properties file and retry with the following settings:
>
> - Use AJP
>   - Make sure to have attributePrefix="AJP_" in your 
>     ApplicationDefaults element
>   - Make sure to proxy to the AJP connector with a buffer that is 
>     large enough:
>     - We always use
>       - ProxyPass / ajp://localhost:8009/ retry=0
>       - ProxyPassReverse / ajp://localhost:8009/
>       - ProxyIOBufferSize 65536
>     - Make sure the connector is enabled in the Tomcat server.xml 
>       file and supports UTF-8 encoding and large packages:
>       -  redirectPort="8443" URIEncoding="UTF-8" packetSize="65536"/>
> - Secure the correct location
>   - If you run DSpace under the root of your server, make sure this is
>     - 
>   - If you run DSpace under the URL "/dspace", the location 
>     should be
>     - 
>   - Make sure there are no double slashes in the redirect URL your 
>     browser receives (which is the case in your first example).
> - Since you are using Apache 2.4 and Shibboleth 2.5, please replace 
>   the following in your Apache configuration:
>   - Replace "ShibRequireSession On" by "ShibRequestSetting 
>     requireSession 1"
>   - Replace "ShibRequireSession Off" by "ShibRequestSetting 
>     requireSession 0"
> - You can leave the values for lazysession.secure and the DSpace netid 
>   and email header settings as you configured them.
>
> Can you also test this:
>
> - Shutdown tomcat and visit /shibboleth-login after 
>   closing all browser windows. This should take you to your IdP login page 
>   even if DSpace is not running.
> - Have you tried without AJP and using "ShibUseHeaders On" (note that 
>   this is less secure and not recommended, but it would still be interesting 
>   to know if this works).
>
> I'm interested to see what the DSpace logs show when you execute these 
> tests. Please also provide some information on the redirect URLs you are 
> seeing.
>
>  
> Tom Desair
> 250-B Suite 3A, Lucius Gordon Drive, West Henrietta, NY 14586
> Esperantolaan 4, Heverlee 3001, Belgium
> www.atmire.com 
> 
>
> 2017-02-22 16:24 GMT+01:00 Jbell KSU Gmail :
>
>>
>> Thank you for the reply - but that did not solve the problem.  I have the 
>> same response in all the logs as prior to the change.  
>>
>> I did try several variations on that theme but still have not hit the 
>> right combination yet.  Further information that I missed last night:
>>
>> Running dSpace 5.4
>>
>> # Whether to use lazy sessions or active sessions.
>> lazysession