Fixed default value of authentication-shibboleth.lazysession.loginurl

dspace-api/src/main/java/org/dspace/authenticate/ShibAuthentication.java

@@ -33,8 +33,8 @@ import org.dspace.content.NonUniqueMetadataException;
 import org.dspace.content.factory.ContentServiceFactory;
 import org.dspace.content.service.MetadataFieldService;
 import org.dspace.content.service.MetadataSchemaService;
-import org.dspace.core.ConfigurationManager;
 import org.dspace.core.Context;
+import org.dspace.core.Utils;
 import org.dspace.eperson.EPerson;
 import org.dspace.eperson.Group;
 import org.dspace.eperson.factory.EPersonServiceFactory;
@@ -493,23 +493,9 @@ public class ShibAuthentication implements AuthenticationMethod {
         boolean lazySession = configurationService.getBooleanProperty("authentication-shibboleth.lazysession", false);
 
         if ( lazySession ) {
-            String shibURL = configurationService.getProperty("authentication-shibboleth.lazysession.loginurl");
+            String shibURL = getShibURL(request);
-            boolean forceHTTPS =
-                configurationService.getBooleanProperty("authentication-shibboleth.lazysession.secure",true);
-
-            // Shibboleth authentication initiator
-            if (shibURL == null || shibURL.length() == 0) {
-                shibURL = "/Shibboleth.sso/Login";
-            }
-            shibURL = shibURL.trim();
-
-            // Determine the return URL, where shib will send the user after authenticating. We need it to go back
-            // to DSpace's shibboleth-login url so the we will extract the user's information and locally
-            // authenticate them.
-            String host = request.getServerName();
-            int port = request.getServerPort();
-            String contextPath = request.getContextPath();
 
+            // Determine the client redirect URL, where to redirect after authenticating.
             String redirectUrl = null;
             if (request.getHeader("Referer") != null && StringUtils.isNotBlank(request.getHeader("Referer"))) {
                 redirectUrl = request.getHeader("Referer");
@@ -518,7 +504,10 @@ public class ShibAuthentication implements AuthenticationMethod {
                 redirectUrl = request.getHeader("X-Requested-With");
             }
 
-            String returnURL = ConfigurationManager.getProperty("dspace.baseUrl") + "/api/authn/shibboleth"
+            // Determine the server return URL, where shib will send the user after authenticating.
+            // We need it to go back to DSpace's shibboleth-login url so we will extract the user's information
+            // and locally authenticate them.
+            String returnURL = configurationService.getProperty("dspace.server.url") + "/api/authn/shibboleth"
                     + ((redirectUrl != null) ? "?redirectUrl=" + redirectUrl : "");
 
             try {
@@ -1257,6 +1246,28 @@ public class ShibAuthentication implements AuthenticationMethod {
         return valueList;
     }
 
+    private String getShibURL(HttpServletRequest request) {
+        String shibURL = configurationService.getProperty("authentication-shibboleth.lazysession.loginurl");
+        boolean forceHTTPS =
+                configurationService.getBooleanProperty("authentication-shibboleth.lazysession.secure",true);
+
+        // Shibboleth authentication initiator
+        if (shibURL == null || shibURL.length() == 0) {
+            shibURL = "/Shibboleth.sso/Login";
+        }
+        shibURL = shibURL.trim();
+
+        // Shibboleth url must be absolute
+        if (shibURL.startsWith("/")) {
+            String serverUrl = Utils.getBaseUrl(configurationService.getProperty("dspace.server.url"));
+            shibURL = serverUrl + shibURL;
+            if ((request.isSecure() || forceHTTPS) && shibURL.startsWith("http://")) {
+                shibURL = shibURL.replace("http://", "https://");
+            }
+        }
+        return shibURL;
+
+    }
 
 }
 

dspace-server-webapp/src/test/java/org/dspace/app/rest/AuthenticationRestControllerIT.java

@@ -393,6 +393,56 @@ public class AuthenticationRestControllerIT extends AbstractControllerIntegratio
             .andExpect(status().isMethodNotAllowed());
     }
 
+    @Test
+    public void testShibbolethLoginURLWithDefaultLazyURL() throws Exception {
+        context.turnOffAuthorisationSystem();
+        //Enable Shibboleth login
+        configurationService.setProperty("plugin.sequence.org.dspace.authenticate.AuthenticationMethod", SHIB_ONLY);
+
+        //Create a reviewers group
+        Group reviewersGroup = GroupBuilder.createGroup(context)
+                .withName("Reviewers")
+                .build();
+
+        //Faculty members are assigned to the Reviewers group
+        configurationService.setProperty("authentication-shibboleth.role.faculty", "Reviewers");
+        context.restoreAuthSystemState();
+
+        getClient().perform(post("/api/authn/login").header("Referer", "http://my.uni.edu"))
+                .andExpect(status().isUnauthorized())
+                .andExpect(header().string("WWW-Authenticate",
+                        "shibboleth realm=\"DSpace REST API\", " +
+                                "location=\"https://localhost/Shibboleth.sso/Login?" +
+                                "target=http%3A%2F%2Flocalhost%2Fapi%2Fauthn%2Fshibboleth%3F" +
+                                "redirectUrl%3Dhttp%3A%2F%2Fmy.uni.edu\""));
+    }
+
+    @Test
+    public void testShibbolethLoginURLWithConfiguredLazyURL() throws Exception {
+        context.turnOffAuthorisationSystem();
+        //Enable Shibboleth login
+        configurationService.setProperty("plugin.sequence.org.dspace.authenticate.AuthenticationMethod", SHIB_ONLY);
+        configurationService.setProperty("authentication-shibboleth.lazysession.loginurl",
+                "http://shibboleth.org/Shibboleth.sso/Login");
+
+        //Create a reviewers group
+        Group reviewersGroup = GroupBuilder.createGroup(context)
+                .withName("Reviewers")
+                .build();
+
+        //Faculty members are assigned to the Reviewers group
+        configurationService.setProperty("authentication-shibboleth.role.faculty", "Reviewers");
+        context.restoreAuthSystemState();
+
+        getClient().perform(post("/api/authn/login").header("Referer", "http://my.uni.edu"))
+                .andExpect(status().isUnauthorized())
+                .andExpect(header().string("WWW-Authenticate",
+                        "shibboleth realm=\"DSpace REST API\", " +
+                                "location=\"http://shibboleth.org/Shibboleth.sso/Login?" +
+                                "target=http%3A%2F%2Flocalhost%2Fapi%2Fauthn%2Fshibboleth%3F" +
+                                "redirectUrl%3Dhttp%3A%2F%2Fmy.uni.edu\""));
+    }
+
     @Test
     public void testShibbolethLoginRequestAttribute() throws Exception {
         context.turnOffAuthorisationSystem();
@@ -412,7 +462,7 @@ public class AuthenticationRestControllerIT extends AbstractControllerIntegratio
                 .andExpect(status().isUnauthorized())
                 .andExpect(header().string("WWW-Authenticate",
                         "shibboleth realm=\"DSpace REST API\", " +
-                                "location=\"/Shibboleth.sso/Login?" +
+                                "location=\"https://localhost/Shibboleth.sso/Login?" +
                                 "target=http%3A%2F%2Flocalhost%2Fapi%2Fauthn%2Fshibboleth%3F" +
                                 "redirectUrl%3Dhttp%3A%2F%2Fmy.uni.edu\""));
 
@@ -448,7 +498,7 @@ public class AuthenticationRestControllerIT extends AbstractControllerIntegratio
                 .andExpect(status().isUnauthorized())
                 .andExpect(header().string("WWW-Authenticate",
                         "ip realm=\"DSpace REST API\", shibboleth realm=\"DSpace REST API\", " +
-                                "location=\"/Shibboleth.sso/Login?" +
+                                "location=\"https://localhost/Shibboleth.sso/Login?" +
                                 "target=http%3A%2F%2Flocalhost%2Fapi%2Fauthn%2Fshibboleth%3F" +
                                 "redirectUrl%3Dhttp%3A%2F%2Fmy.uni.edu\""));
 
@@ -506,7 +556,7 @@ public class AuthenticationRestControllerIT extends AbstractControllerIntegratio
                 .andExpect(status().isOk())
                 .andExpect(header().string("WWW-Authenticate",
                         "shibboleth realm=\"DSpace REST API\", " +
-                                "location=\"/Shibboleth.sso/Login?" +
+                                "location=\"https://localhost/Shibboleth.sso/Login?" +
                                 "target=http%3A%2F%2Flocalhost%2Fapi%2Fauthn%2Fshibboleth%3F" +
                                 "redirectUrl%3Dhttp%3A%2F%2Fmy.uni.edu\"" +
                                 ", password realm=\"DSpace REST API\""));
@@ -616,7 +666,7 @@ public class AuthenticationRestControllerIT extends AbstractControllerIntegratio
             .andExpect(status().isOk())
             .andExpect(header().string("WWW-Authenticate",
                     "shibboleth realm=\"DSpace REST API\", " +
-                            "location=\"/Shibboleth.sso/Login?" +
+                            "location=\"https://localhost/Shibboleth.sso/Login?" +
                             "target=http%3A%2F%2Flocalhost%2Fapi%2Fauthn%2Fshibboleth%3F" +
                             "redirectUrl%3Dhttp%3A%2F%2Fmy.uni.edu\""));
 

dspace/config/modules/authentication-shibboleth.cfg

@@ -38,7 +38,7 @@
 authentication-shibboleth.lazysession = true
 
 # The url to start a shibboleth session (only for lazy sessions)
-authentication-shibboleth.lazysession.loginurl = ${dspace.baseUrl}/Shibboleth.sso/Login
+authentication-shibboleth.lazysession.loginurl = /Shibboleth.sso/Login
 
 # Force HTTPS when authenticating (only for lazy sessions)
 authentication-shibboleth.lazysession.secure = true