
[EP-tech] Shibboleth and local login



What about:

To avoid the loop, in auth.pl I've changed this:

    my $url = URI->new( $session->get_repository->get_conf("base_url" )."/shibboleth/login" ); <- base_url is http, no shibboleth, so the server keeps redirecting over and over

to:

    my $url = "https://<mysite>/shibboleth/login";

because of (from perl_lib/EPrints/Apache/Auth.pm):

    if( $repository->current_url ne $repository->current_url( path => "cgi", "users/login" ) )
    {
        EPrints::Apache::AnApache::send_status_line( $r, 302, "Need to login first" );
        EPrints::Apache::AnApache::header_out( $r, "Location", $login_url );
        EPrints::Apache::AnApache::send_http_header( $r );
        return DONE;
    }

This creates a loop in authentication because it doesn't check for
/shibboleth/login but just for /cgi/users/login.

On 07/02/2018 14:48, Yuri wrote:
> On 07/02/2018 11:04, David R Newman wrote:
>> Hi Yuri,
>>
>> Actually you will find if you click on the Login link it actually
>> takes you to /cgi/users/home, when you have configured Shibboleth, this
>> will redirect to /shibboleth/login rather than /cgi/users/login.
>> If you create a link directly to /cgi/users/login this will allow you to
>> still use local login.
> No, I tried but it sends me to Shibboleth auth. This is because
> /cgi/users/login is sent to https and thus to shibboleth because / in
> https is protected by shibboleth. Just protecting /shibboleth in https
> does not work. You can login but you get no user from apache. I think it
> has to do with remote_user being passed only when you've a protected
> location, so if you're on /cgi you don't get the user while if you're on
> /shibboleth yes.
>
> Can you share your https/eprints config? I'm using Debian stretch and
> Eprints 3.3.16 installed from tar.gz
>
>> I go direct to /cgi/users/login all the time
>> for repositories I support where I am not part of the institution
>> itself.
>>
>> The only downside of having a direct login link is you may not be
>> logged into the page you clicked the local login link on. However, I
>> think you can probably do something clever with your template to write
>> the current path into the href for html of this link.
>> On a side issue, I am the most recent person to significantly update
>> the Shibboleth page on wiki.eprints.org. I am aware of a couple of
>> errors. One is with the /shibboleth/login code without user creation.
> The user is created using login-autocreate
>
>> I have been meaning to get round to fixing this. Also, there is an
>> issue with the /shibboleth/login code that does create user accounts
>> because it does not render correctly and misses out a load of empty
>> string definitions in the following line:
>>
>> my ($username, $given, $family, $email) = (undef, '', '', '');
> Yes, I've this but just cosmetic. Thanks for your help.
>
>> I will endeavour to correct these issues today.
> Thanks!
>
>> Regards
>>
>> David Newman
>>
>> On Wed, 2018-02-07 at 10:03 +0100, Yuri wrote:
>>> Hi!
>>>
>>> I'm following: https://wiki.eprints.org/w/Webserver_authentication
>>>
>>> I've found this in :
>>>
>>>     if( $repository->current_url ne $repository->current_url( path => "cgi", "users/login" ) )
>>>     {
>>>         EPrints::Apache::AnApache::send_status_line( $r, 302, "Need to login first" );
>>>         EPrints::Apache::AnApache::header_out( $r, "Location", $login_url );
>>>         EPrints::Apache::AnApache::send_http_header( $r );
>>>         return DONE;
>>>     }
>>>
>>> this creates a loop in authentication because it doesn't check for
>>> /shibboleth/login! perl_lib/EPrints/Apache/Auth.pm
>>>
>>> My question is also how I can insert a link to a local
>>> authentication
>>> because if I follow a link to /cgi/users/login, I get redirected to
>>> shibboleth auth. Is it because of the lines above?
>>>
>>> To avoid the loop, in auth.pl I've changed this:
>>>
>>>     my $url = URI->new( $session->get_repository->get_conf( "base_url" ) . "/shibboleth/login" ); <- base_url is http, no shibboleth, so the server keeps redirecting over and over
>>>
>>> to:
>>>
>>>     my $url = "https://<mysite>/shibboleth/login";
>>>
>>> So, I think the guide is incomplete or there's something not clear to
>>> me...
>>>
>>> On 14/12/2017 09:11, Yuri wrote:
>>>> Ok, so I've just to add a link to /shibboleth/login in
>>>> /cgi/users/login for people who want to login using shibboleth,
>>>> isn't it?
>>>>
>>>> For redirects it is not a problem, but I think /cgi/users/login
>>>> already saves the loginparams so sends you to the wanted page.
>>>>
>>>>
>>>> On 13/12/2017 11:25, David R Newman wrote:
>>>>> Hi Yuri,
>>>>>
>>>>> The actual login page is http://HOSTNAME/cgi/users/login you could
>>>>> include this link for people who want to login using local login.
>>>>> However, most of the links that require you to login will still always
>>>>> redirect to shibboleth, so you will have to instruct your local users
>>>>> that they must click on the local login to ensure they are logged in
>>>>> before trying to use any of the logged in user functionality.
>>>>>
>>>>> You might want to do something clever with the login link to ensure the
>>>>> user gets returned to the same page they were on before they realised
>>>>> they need to login. I am not sure how to do this off the top of my
>>>>> head.
>>>>>
>>>>> Regards
>>>>>
>>>>> David Newman
>>>>>
>>>>> On Wed, 2017-12-13 at 10:53 +0100, Yuri wrote:
>>>>>> Hi!
>>>>>>
>>>>>> reading and implementing this guide:
>>>>>>
>>>>>> https://wiki.eprints.org/w/Shibboleth
>>>>>>
>>>>>> every login is handled by Shibboleth. Is there a way to let the user
>>>>>> choose between local and Shibboleth login?
>>>>>>
>>>>>>
>>>>>> *** Options: http://mailman.ecs.soton.ac.uk/mailman/listinfo/eprints-tech
>>>>>> *** Archive: http://www.eprints.org/tech.php/
>>>>>> *** EPrints community wiki: http://wiki.eprints.org/
>>>>>> *** EPrints developers Forum: http://forum.eprints.org/
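
Added example, not part of the original thread and not EPrints code: a small Perl model of the redirect behaviour described in the top message, comparing a login URL built from an http base_url with one forced to https. The host name repo.example.org, the helper names and the per-request rules in next_hop are assumptions made for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use URI;

# Constructed host name; the thread only states that base_url is http.
my $BASE_URL = "http://repo.example.org";

# Hypothetical helper: derive the Shibboleth login URL from base_url but force
# https, rather than hard-coding the host name in auth.pl.
sub shib_login_url
{
    my( $base ) = @_;
    my $url = URI->new( $base );
    $url->scheme( "https" );
    $url->path( "/shibboleth/login" );
    return $url->as_string;
}

# Assumed model of one request: Shibboleth only supplies a user on
# https /shibboleth/login; the local login page is served as is; every other
# unauthenticated request gets a 302 to $login_url.
sub next_hop
{
    my( $url, $login_url ) = @_;
    my $u = URI->new( $url );
    return if $u->scheme eq "https" && $u->path eq "/shibboleth/login";
    return if $u->path eq "/cgi/users/login";
    return $login_url;
}

# Follow redirects and stop as soon as a URL repeats.
sub follow
{
    my( $start, $login_url ) = @_;
    my( %seen, @chain );
    for( my $url = $start; defined $url; $url = next_hop( $url, $login_url ) )
    {
        push @chain, $url;
        return( "LOOP", @chain ) if $seen{$url}++;
    }
    return( "OK", @chain );
}

for my $login_url ( "$BASE_URL/shibboleth/login", shib_login_url( $BASE_URL ) )
{
    my( $result, @chain ) = follow( "$BASE_URL/cgi/users/home", $login_url );
    print "$result: ", join( " -> ", @chain ), "\n";
}
```

Under these assumptions the http-derived login URL is reported as a loop, while the https one ends at /shibboleth/login after a single redirect.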