[DS-309] Shiboleth default roles are applied also to anonymous user and user logged-in with other methods

git-svn-id: http://scm.dspace.org/svn/repo/dspace/trunk@4308 9c30dcfa-912a-0410-8fc2-9e0234be79fd

dspace-api/src/main/java/org/dspace/authenticate/AuthenticationMethod.java

@@ -160,26 +160,26 @@ public interface AuthenticationMethod {
     public boolean isImplicit();
 
     /**
-     * Get list of extra groups that user implicitly belongs to.
+     * Get list of extra groups that user implicitly belongs to. Note that this
-     * Returns IDs of any EPerson-groups that the user authenticated by
+     * method will be invoked regardless of the authentication status of the
-     * this request is <em>implicitly</em> a member of -- e.g.
+     * user (logged-in or not) e.g. a group that depends on the client
-     * a group that depends on the client network-address.
+     * network-address.
      * <p>
      * It might make sense to implement this method by itself in a separate
-     * authentication method that just adds special groups, if the
+     * authentication method that just adds special groups, if the code doesn't
-     * code doesn't belong with any existing auth method.
+     * belong with any existing auth method. The stackable authentication system
-     * The stackable authentication system was designed expressly to
+     * was designed expressly to separate functions into "stacked" methods to
-     * separate functions into "stacked" methods to keep your
+     * keep your site-specific code modular and tidy.
-     * site-specific code  modular and tidy.
+     * 
-     *
      * @param context
-     *  A valid DSpace context.
+     *            A valid DSpace context.
-     *
+     * 
      * @param request
-     *  The request that started this operation, or null if not applicable.
+     *            The request that started this operation, or null if not
-     *
+     *            applicable.
-     * @return array of EPerson-group IDs, possibly 0-length, but
+     * 
-     * never <code>null</code>.
+     * @return array of EPerson-group IDs, possibly 0-length, but never
+     *         <code>null</code>.
      */
     public int[] getSpecialGroups(Context context, HttpServletRequest request)
         throws SQLException;

dspace-api/src/main/java/org/dspace/authenticate/ShibAuthentication.java

@@ -203,6 +203,8 @@ public class ShibAuthentication implements AuthenticationMethod
         {
             // the person exists, just return ok
             context.setCurrentUser(eperson);
+            request.getSession().setAttribute("shib.authenticated",
+                    new Boolean("true"));
         }
 
         return AuthenticationMethod.SUCCESS;
@@ -215,7 +217,13 @@ public class ShibAuthentication implements AuthenticationMethod
      */
     public int[] getSpecialGroups(Context context, HttpServletRequest request)
     {
-
+        // no user logged in or user not logged from shibboleth
+        if (context.getCurrentUser() == null
+                || request.getSession().getAttribute("shib.authenticated") == null)
+        {
+            return new int[0];
+        }
+                
         if (request.getSession().getAttribute("shib.specialgroup") != null)
         {
             return (int[]) request.getSession().getAttribute(

dspace/CHANGES

@@ -78,6 +78,7 @@
  - [DS-261] Community Admin JSPUI: porting of the DS-228 patch
  - [DS-271] Make the OAI DC crosswalk configurable
  - [DS-260] Template item some times has owningCollection filled and some times not
+ - [DS-309] Shiboleth default roles are applied also to anonymous user and user logged-in with other methods
 
 (Tim Donohue)
  - [DS-218] Cannot add/remove email subscriptions from Profile page in XMLUI