Merge pull request #196 from LongsightGroup/DS-1503

DS-1503 ShibAuthentication depends on use of non-recommended Apache UseHeaders setting

dspace-api/src/main/java/org/dspace/authenticate/ShibAuthentication.java

@@ -29,6 +29,7 @@ import java.util.Set;
 
 import javax.servlet.http.HttpServletResponse;
 
+import org.apache.commons.lang.StringUtils;
 import org.apache.log4j.Logger;
 import org.dspace.authorize.AuthorizeException;
 
@@ -301,7 +302,7 @@ public class ShibAuthentication implements AuthenticationMethod
 			}
 
 			// Get the Shib supplied affiliation or use the default affiliation
-			List<String> affiliations = findMultipleHeaders(request, roleHeader);
+			List<String> affiliations = findMultipleAttributes(request, roleHeader);
 			if (affiliations == null) {
 				if (defaultRoles != null)
 					affiliations = Arrays.asList(defaultRoles.split(","));
@@ -577,7 +578,7 @@ public class ShibAuthentication implements AuthenticationMethod
 
 		// 1) First, look for a netid header.
 		if (netidHeader != null) {
-			String netid = findSingleHeader(request,netidHeader);
+			String netid = findSingleAttribute(request,netidHeader);
 
 			if (netid != null) {
 				foundNetID = true;
@@ -592,7 +593,7 @@ public class ShibAuthentication implements AuthenticationMethod
 
 		// 2) Second, look for an email header.
 		if (eperson == null && emailHeader != null) {
-			String email = findSingleHeader(request,emailHeader);
+			String email = findSingleAttribute(request,emailHeader);
 
 			if (email != null) {
 				foundEmail = true;
@@ -670,10 +671,10 @@ public class ShibAuthentication implements AuthenticationMethod
 		String lnameHeader = ConfigurationManager.getProperty("authentication-shibboleth","lastname-header");
 
 		// Header values
-		String netid = findSingleHeader(request,netidHeader);
-		String email = findSingleHeader(request,emailHeader);
-		String fname = findSingleHeader(request,fnameHeader);
-		String lname = findSingleHeader(request,lnameHeader);
+		String netid = findSingleAttribute(request,netidHeader);
+		String email = findSingleAttribute(request,emailHeader);
+		String fname = findSingleAttribute(request,fnameHeader);
+		String lname = findSingleAttribute(request,lnameHeader);
 
 		if ( email == null || fname == null || lname == null) {
 			// We require that there be an email, first name, and last name. If we
@@ -756,10 +757,10 @@ public class ShibAuthentication implements AuthenticationMethod
 		String fnameHeader = ConfigurationManager.getProperty("authentication-shibboleth","firstname-header");
 		String lnameHeader = ConfigurationManager.getProperty("authentication-shibboleth","lastname-header");
 
-		String netid = findSingleHeader(request,netidHeader);
-		String email = findSingleHeader(request,emailHeader);
-		String fname = findSingleHeader(request,fnameHeader);
-		String lname = findSingleHeader(request,lnameHeader);
+		String netid = findSingleAttribute(request,netidHeader);
+		String email = findSingleAttribute(request,emailHeader);
+		String fname = findSingleAttribute(request,fnameHeader);
+		String lname = findSingleAttribute(request,lnameHeader);
 
 		// Truncate values of parameters that are too big.
 		if (fname.length() > NAME_MAX_SIZE) {
@@ -799,7 +800,7 @@ public class ShibAuthentication implements AuthenticationMethod
 		for (String header : metadataHeaderMap.keySet()) {
 
 			String field = metadataHeaderMap.get(header);
-			String value = findSingleHeader(request, header);
+			String value = findSingleAttribute(request, header);
 
 			// Truncate values
 			if (value == null) {
@@ -1067,15 +1068,24 @@ public class ShibAuthentication implements AuthenticationMethod
 	 * This method will not interpret the header value in any way.
 	 * 
 	 * 
-	 * @param request The HTTP request to look for headers values on.
-	 * @param name The name of the header
-	 * @return The value of the header requested, or null if none found.
+	 * @param request The HTTP request to look for values in.
+	 * @param name The name of the attribute or header
+	 * @return The value of the attribute or header requested, or null if none found.
 	 */
-	private String findHeader(HttpServletRequest request, String name) {
-		String value = request.getHeader(name);
-		if (value == null)
+	private String findAttribute(HttpServletRequest request, String name) {
+		// First try to get the value from the attribute
+		String value = (String) request.getAttribute(name);
+		if (StringUtils.isEmpty(value))
+			value = (String) request.getAttribute(name.toLowerCase());
+		if (StringUtils.isEmpty(value))
+			value = (String) request.getAttribute(name.toUpperCase());
+
+		// Second try to get the value from the header
+		if (StringUtils.isEmpty(value))
+		    value = request.getHeader(name);
+		if (StringUtils.isEmpty(value))
 			value = request.getHeader(name.toLowerCase());
-		if (value == null)
+		if (StringUtils.isEmpty(value))
 			value = request.getHeader(name.toUpperCase());
 		
 		return value;
@@ -1089,7 +1099,7 @@ public class ShibAuthentication implements AuthenticationMethod
 	 * 
 	 * Shibboleth attributes may contain multiple values separated by a
 	 * semicolon. This method will return the first value in the attribute. If
-	 * you need multiple values use findMultipleHeaders instead.
+	 * you need multiple values use findMultipleAttributes instead.
 	 * 
 	 * If no attribute is found then null is returned.
 	 * 
@@ -1097,9 +1107,9 @@ public class ShibAuthentication implements AuthenticationMethod
 	 * @param name The name of the header
 	 * @return The value of the header requested, or null if none found.
 	 */
-	private String findSingleHeader(HttpServletRequest request, String name) {
+	private String findSingleAttribute(HttpServletRequest request, String name) {
 
-		String value = findHeader(request, name);
+		String value = findAttribute(request, name);
 
 
 		if (value != null) {
@@ -1125,8 +1135,8 @@ public class ShibAuthentication implements AuthenticationMethod
 	}
 
 	/**
-	 * Find a particular Shibboleth header value and return the all values.
-	 * The header name uses a bit of fuzzy logic, so it will first try case
+	 * Find a particular Shibboleth hattributeeader value and return the values.
+	 * The attribute name uses a bit of fuzzy logic, so it will first try case
 	 * sensitive, then it will try lowercase, and finally it will try uppercase.
 	 * 
 	 * Shibboleth attributes may contain multiple values separated by a
@@ -1136,11 +1146,11 @@ public class ShibAuthentication implements AuthenticationMethod
 	 * If no attributes are found then null is returned.
 	 * 
 	 * @param request The HTTP request to look for headers values on.
-	 * @param name The name of the header
+	 * @param name The name of the attribute
 	 * @return The list of values found, or null if none found.
 	 */
-	private List<String> findMultipleHeaders(HttpServletRequest request, String name) {
-		String values = findHeader(request, name);
+	private List<String> findMultipleAttributes(HttpServletRequest request, String name) {
+		String values = findAttribute(request, name);
 
 		if (values == null)
 			return null;