New modules/authentication-shibboleth.cfg

git-svn-id: http://scm.dspace.org/svn/repo/dspace/trunk@6565 9c30dcfa-912a-0410-8fc2-9e0234be79fd

dspace-api/src/main/java/org/dspace/authenticate/ShibAuthentication.java

@@ -56,10 +56,10 @@ public class ShibAuthentication implements AuthenticationMethod
             log.debug("header:" + name + "=" + request.getHeader(name));
         }
 
-        boolean isUsingTomcatUser = ConfigurationManager.getBooleanProperty("authentication.shib.email-use-tomcat-remote-user");
-        String emailHeader = ConfigurationManager.getProperty("authentication.shib.email-header");
-        String fnameHeader = ConfigurationManager.getProperty("authentication.shib.firstname-header");
-        String lnameHeader = ConfigurationManager.getProperty("authentication.shib.lastname-header");
+        boolean isUsingTomcatUser = ConfigurationManager.getBooleanProperty("authentication-shibboleth", "email-use-tomcat-remote-user");
+        String emailHeader = ConfigurationManager.getProperty("authentication-shibboleth", "email-header");
+        String fnameHeader = ConfigurationManager.getProperty("authentication-shibboleth", "firstname-header");
+        String lnameHeader = ConfigurationManager.getProperty("authentication-shibboleth", "lastname-header");
 
         String email = null;
         String fname = null;
@@ -144,7 +144,7 @@ public class ShibAuthentication implements AuthenticationMethod
         // auto create user if needed
         if (eperson == null
                 && ConfigurationManager
-                        .getBooleanProperty("authentication.shib.autoregister"))
+                        .getBooleanProperty("authentication-shibboleth", "autoregister"))
         {
             log.info(LogManager.getHeader(context, "autoregister", "email="
                     + email));
@@ -217,9 +217,9 @@ public class ShibAuthentication implements AuthenticationMethod
 
         java.util.Set groups = new java.util.HashSet();
         String roleHeader = ConfigurationManager
-                .getProperty("authentication.shib.role-header");
+                .getProperty("authentication-shibboleth", "role-header");
         boolean roleHeader_ignoreScope = ConfigurationManager
-                .getBooleanProperty("authentication.shib.role-header.ignore-scope");
+                .getBooleanProperty("authentication-shibboleth", "role-header.ignore-scope");
         if (roleHeader == null || roleHeader.trim().length() == 0)
         {
             roleHeader = "Shib-EP-UnscopedAffiliation";
@@ -234,7 +234,7 @@ public class ShibAuthentication implements AuthenticationMethod
 
         // default role when fully authN but not releasing any roles?
         String defaultRoles = ConfigurationManager
-                .getProperty("authentication.shib.default-roles");
+                .getProperty("authentication-shibboleth", "default-roles");
         if (affiliations == null && defaultRoles != null)
         {
             affiliations = defaultRoles;
@@ -261,11 +261,11 @@ public class ShibAuthentication implements AuthenticationMethod
 
                 // perform mapping here if necessary
                 String groupLabels = ConfigurationManager
-                        .getProperty("authentication.shib.role." + affiliation);
+                        .getProperty("authentication-shibboleth", "role." + affiliation);
                 if (groupLabels == null || groupLabels.trim().length() == 0)
                 {
                     groupLabels = ConfigurationManager
-                            .getProperty("authentication.shib.role."
+                            .getProperty("authentication-shibboleth", "role."
                                     + affiliation.toLowerCase());
                 }
 

dspace-api/src/test/resources/dspace-test.cfg

@@ -364,86 +364,13 @@ handle.dir = ${dspace.dir}/handle-server
 
 #### Stackable Authentication Methods #####
 
-# Stack of authentication methods
-#  (See org.dspace.authenticate.AuthenticationManager)
-# Example:
-# plugin.sequence.org.dspace.authenticate.AuthenticationMethod = \
-#       org.dspace.authenticate.ShibAuthentication, \
-#        org.dspace.authenticate.PasswordAuthentication
-plugin.sequence.org.dspace.authenticate.AuthenticationMethod = \
-        org.dspace.authenticate.PasswordAuthentication
 
-#### Shibboleth Authentication Configuration Settings ####
-# Check https://mams.melcoe.mq.edu.au/zope/mams/pubs/Installation/dspace15/view
-# for installation detail.
-#
-# DSpace requires email as user's credential. There are 2 ways of providing
-# email to DSpace:
-# 1) by explicitly specifying to the user which attribute (header)
-#    carries the email address.
-# 2) by turning on the user-email-using-tomcat=true which means
-#    the software will try to acquire the user's email from Tomcat
-# The first option takes PRECEDENCE when specified. Both options can
-# be enabled to allow fallback.
 
-# this option below specifies that the email comes from the mentioned header.
-# The value is CASE-Sensitive.
-authentication.shib.email-header = MAIL
 
-# optional. Specify the header that carries user's first name
-# this is going to be used for creation of new-user
-authentication.shib.firstname-header = SHIB-EP-GIVENNAME
 
-# optional. Specify the header that carries user's last name
-# this is used for creation of new user
-authentication.shib.lastname-header = SHIB-EP-SURNAME
 
-# this option below forces the software to acquire the email from Tomcat.
-authentication.shib.email-use-tomcat-remote-user = true
 
-# should we allow new users to be registered automtically
-# if the IdP provides sufficient info (and user not exists in DSpace)
-authentication.shib.autoregister = true
 
-# these two header here specify which attribute that is responsible
-# for providing user's roles to DSpace and unscope the attributes if needed.
-# When not specified, it is defaulted to 'Shib-EP-UnscopedAffiliation', and
-# ignore-scope is defaulted to 'false'.
-# The value is specified in AAP.xml (Shib 1.3.x) or
-# attribute-filter.xml (Shib 2.x). The value is CASE-Sensitive.
-# The values provided in this header are separated by semi-colon or comma.
-# If your sp only provides scoped role header, you need to set
-# authentication.shib.role-header.ignore-Scope as true.
-# for example if you only get Shib-EP-ScopedAffiliation instead of Shib-EP-ScopedAffiliation,
-# you have to  make your setting as:
-# authentication.shib.role-header = Shib-EP-ScopedAffiliation
-# authentication.shib.role-header.ignore-scope = true
-
-# authentication.shib.role-header = Shib-EP-UnscopedAffiliation
-authentication.shib.role-header.ignore-scope = false
-
-# when user is fully authN on IdP but would not like to release
-# his/her roles to DSpace (for privacy reason?), what should be
-# the default roles be given to such users?
-# The values are separated by semi-colon or comma
-# authentication.shib.default-roles = Staff, Walk-ins
-
-# The following mappings specify role mapping between IdP and Dspace.
-# the left side of the entry is IdP's role (prefixed with
-# "authentication.shib.role.") which will be mapped to
-# the right entry from DSpace. DSpace's group as indicated on the
-# right entry has to EXIST in DSpace, otherwise user will be identified
-# as 'anonymous'. Multiple values on the right entry should be separated
-# by comma. The values are CASE-Sensitive. Heuristic one-to-one mapping
-# will be done when the IdP groups entry are not listed below (i.e.
-# if "X" group in IdP is not specified here, then it will be mapped
-# to "X" group in DSpace if it exists, otherwise it will be mapped
-# to simply 'anonymous')
-#
-# Given sufficient demand, future release could support regex for the mapping
-# special characters need to be escaped by \
-authentication.shib.role.Senior\ Researcher = Researcher, Staff
-authentication.shib.role.Librarian = Administrator
 
 #### PasswordAuthentication options ####
 

dspace-api/src/test/resources/dspaceFolder/config/dspace.cfg

@@ -368,87 +368,6 @@ handle.dir = ${dspace.dir}/handle-server
 
 #### Stackable Authentication Methods #####
 
-# Stack of authentication methods
-#  (See org.dspace.authenticate.AuthenticationManager)
-# Example:
-# plugin.sequence.org.dspace.authenticate.AuthenticationMethod = \
-#       org.dspace.authenticate.ShibAuthentication, \
-#        org.dspace.authenticate.PasswordAuthentication
-plugin.sequence.org.dspace.authenticate.AuthenticationMethod = \
-        org.dspace.authenticate.PasswordAuthentication
-
-#### Shibboleth Authentication Configuration Settings ####
-# Check https://mams.melcoe.mq.edu.au/zope/mams/pubs/Installation/dspace15/view
-# for installation detail.
-#
-# DSpace requires email as user's credential. There are 2 ways of providing
-# email to DSpace:
-# 1) by explicitly specifying to the user which attribute (header)
-#    carries the email address.
-# 2) by turning on the user-email-using-tomcat=true which means
-#    the software will try to acquire the user's email from Tomcat
-# The first option takes PRECEDENCE when specified. Both options can
-# be enabled to allow fallback.
-
-# this option below specifies that the email comes from the mentioned header.
-# The value is CASE-Sensitive.
-authentication.shib.email-header = MAIL
-
-# optional. Specify the header that carries user's first name
-# this is going to be used for creation of new-user
-authentication.shib.firstname-header = SHIB-EP-GIVENNAME
-
-# optional. Specify the header that carries user's last name
-# this is used for creation of new user
-authentication.shib.lastname-header = SHIB-EP-SURNAME
-
-# this option below forces the software to acquire the email from Tomcat.
-authentication.shib.email-use-tomcat-remote-user = true
-
-# should we allow new users to be registered automtically
-# if the IdP provides sufficient info (and user not exists in DSpace)
-authentication.shib.autoregister = true
-
-# these two header here specify which attribute that is responsible
-# for providing user's roles to DSpace and unscope the attributes if needed.
-# When not specified, it is defaulted to 'Shib-EP-UnscopedAffiliation', and
-# ignore-scope is defaulted to 'false'.
-# The value is specified in AAP.xml (Shib 1.3.x) or
-# attribute-filter.xml (Shib 2.x). The value is CASE-Sensitive.
-# The values provided in this header are separated by semi-colon or comma.
-# If your sp only provides scoped role header, you need to set
-# authentication.shib.role-header.ignore-Scope as true.
-# for example if you only get Shib-EP-ScopedAffiliation instead of Shib-EP-ScopedAffiliation,
-# you have to  make your setting as:
-# authentication.shib.role-header = Shib-EP-ScopedAffiliation
-# authentication.shib.role-header.ignore-scope = true
-
-# authentication.shib.role-header = Shib-EP-UnscopedAffiliation
-authentication.shib.role-header.ignore-scope = false
-
-# when user is fully authN on IdP but would not like to release
-# his/her roles to DSpace (for privacy reason?), what should be
-# the default roles be given to such users?
-# The values are separated by semi-colon or comma
-# authentication.shib.default-roles = Staff, Walk-ins
-
-# The following mappings specify role mapping between IdP and Dspace.
-# the left side of the entry is IdP's role (prefixed with
-# "authentication.shib.role.") which will be mapped to
-# the right entry from DSpace. DSpace's group as indicated on the
-# right entry has to EXIST in DSpace, otherwise user will be identified
-# as 'anonymous'. Multiple values on the right entry should be separated
-# by comma. The values are CASE-Sensitive. Heuristic one-to-one mapping
-# will be done when the IdP groups entry are not listed below (i.e.
-# if "X" group in IdP is not specified here, then it will be mapped
-# to "X" group in DSpace if it exists, otherwise it will be mapped
-# to simply 'anonymous')
-#
-# Given sufficient demand, future release could support regex for the mapping
-# special characters need to be escaped by \
-authentication.shib.role.Senior\ Researcher = Researcher, Staff
-authentication.shib.role.Librarian = Administrator
-
 #### PasswordAuthentication options ####
 
 # Only emails ending in the following domains are allowed to self-register

dspace-api/src/test/resources/dspaceFolder/config/modules/authentication-shibboleth.cfg

@@ -0,0 +1,71 @@
+#### Shibboleth Authentication Configuration Settings ####
+# Check https://mams.melcoe.mq.edu.au/zope/mams/pubs/Installation/dspace15/view
+# for installation detail.
+#
+# DSpace requires email as user's credential. There are 2 ways of providing
+# email to DSpace:
+# 1) by explicitly specifying to the user which attribute (header)
+#    carries the email address.
+# 2) by turning on the user-email-using-tomcat=true which means
+#    the software will try to acquire the user's email from Tomcat
+# The first option takes PRECEDENCE when specified. Both options can
+# be enabled to allow fallback.
+
+# this option below specifies that the email comes from the mentioned header.
+# The value is CASE-Sensitive.
+email-header = MAIL
+
+# optional. Specify the header that carries user's first name
+# this is going to be used for creation of new-user
+firstname-header = SHIB-EP-GIVENNAME
+
+# optional. Specify the header that carries user's last name
+# this is used for creation of new user
+lastname-header = SHIB-EP-SURNAME
+
+# this option below forces the software to acquire the email from Tomcat.
+email-use-tomcat-remote-user = true
+
+# should we allow new users to be registered automtically
+# if the IdP provides sufficient info (and user not exists in DSpace)
+autoregister = true
+
+# these two header here specify which attribute that is responsible
+# for providing user's roles to DSpace and unscope the attributes if needed.
+# When not specified, it is defaulted to 'Shib-EP-UnscopedAffiliation', and
+# ignore-scope is defaulted to 'false'.
+# The value is specified in AAP.xml (Shib 1.3.x) or
+# attribute-filter.xml (Shib 2.x). The value is CASE-Sensitive.
+# The values provided in this header are separated by semi-colon or comma.
+# If your sp only provides scoped role header, you need to set
+# role-header.ignore-Scope as true.
+# for example if you only get Shib-EP-ScopedAffiliation instead of Shib-EP-ScopedAffiliation,
+# you have to  make your setting as:
+# role-header = Shib-EP-ScopedAffiliation
+# role-header.ignore-scope = true
+
+# role-header = Shib-EP-UnscopedAffiliation
+role-header.ignore-scope = false
+
+# when user is fully authN on IdP but would not like to release
+# his/her roles to DSpace (for privacy reason?), what should be
+# the default roles be given to such users?
+# The values are separated by semi-colon or comma
+# default-roles = Staff, Walk-ins
+
+# The following mappings specify role mapping between IdP and Dspace.
+# the left side of the entry is IdP's role (prefixed with
+# "role.") which will be mapped to
+# the right entry from DSpace. DSpace's group as indicated on the
+# right entry has to EXIST in DSpace, otherwise user will be identified
+# as 'anonymous'. Multiple values on the right entry should be separated
+# by comma. The values are CASE-Sensitive. Heuristic one-to-one mapping
+# will be done when the IdP groups entry are not listed below (i.e.
+# if "X" group in IdP is not specified here, then it will be mapped
+# to "X" group in DSpace if it exists, otherwise it will be mapped
+# to simply 'anonymous')
+#
+# Given sufficient demand, future release could support regex for the mapping
+# special characters need to be escaped by \
+role.Senior\ Researcher = Researcher, Staff
+role.Librarian = Administrator

dspace/config/dspace.cfg

@@ -366,78 +366,6 @@ handle.dir = ${dspace.dir}/handle-server
 
 #### Stackable Authentication Methods #####
 
-#### Shibboleth Authentication Configuration Settings ####
-# Check https://mams.melcoe.mq.edu.au/zope/mams/pubs/Installation/dspace15/view
-# for installation detail.
-#
-# DSpace requires email as user's credential. There are 2 ways of providing
-# email to DSpace:
-# 1) by explicitly specifying to the user which attribute (header)
-#    carries the email address.
-# 2) by turning on the user-email-using-tomcat=true which means
-#    the software will try to acquire the user's email from Tomcat
-# The first option takes PRECEDENCE when specified. Both options can
-# be enabled to allow fallback.
-
-# this option below specifies that the email comes from the mentioned header.
-# The value is CASE-Sensitive.
-authentication.shib.email-header = MAIL
-
-# optional. Specify the header that carries user's first name
-# this is going to be used for creation of new-user
-authentication.shib.firstname-header = SHIB-EP-GIVENNAME
-
-# optional. Specify the header that carries user's last name
-# this is used for creation of new user
-authentication.shib.lastname-header = SHIB-EP-SURNAME
-
-# this option below forces the software to acquire the email from Tomcat.
-authentication.shib.email-use-tomcat-remote-user = true
-
-# should we allow new users to be registered automtically
-# if the IdP provides sufficient info (and user not exists in DSpace)
-authentication.shib.autoregister = true
-
-# these two header here specify which attribute that is responsible
-# for providing user's roles to DSpace and unscope the attributes if needed.
-# When not specified, it is defaulted to 'Shib-EP-UnscopedAffiliation', and
-# ignore-scope is defaulted to 'false'.
-# The value is specified in AAP.xml (Shib 1.3.x) or
-# attribute-filter.xml (Shib 2.x). The value is CASE-Sensitive.
-# The values provided in this header are separated by semi-colon or comma.
-# If your sp only provides scoped role header, you need to set
-# authentication.shib.role-header.ignore-Scope as true.
-# for example if you only get Shib-EP-ScopedAffiliation instead of Shib-EP-ScopedAffiliation,
-# you have to  make your setting as:
-# authentication.shib.role-header = Shib-EP-ScopedAffiliation
-# authentication.shib.role-header.ignore-scope = true
-
-# authentication.shib.role-header = Shib-EP-UnscopedAffiliation
-authentication.shib.role-header.ignore-scope = false
-
-# when user is fully authN on IdP but would not like to release
-# his/her roles to DSpace (for privacy reason?), what should be
-# the default roles be given to such users?
-# The values are separated by semi-colon or comma
-# authentication.shib.default-roles = Staff, Walk-ins
-
-# The following mappings specify role mapping between IdP and Dspace.
-# the left side of the entry is IdP's role (prefixed with
-# "authentication.shib.role.") which will be mapped to
-# the right entry from DSpace. DSpace's group as indicated on the
-# right entry has to EXIST in DSpace, otherwise user will be identified
-# as 'anonymous'. Multiple values on the right entry should be separated
-# by comma. The values are CASE-Sensitive. Heuristic one-to-one mapping
-# will be done when the IdP groups entry are not listed below (i.e.
-# if "X" group in IdP is not specified here, then it will be mapped
-# to "X" group in DSpace if it exists, otherwise it will be mapped
-# to simply 'anonymous')
-#
-# Given sufficient demand, future release could support regex for the mapping
-# special characters need to be escaped by \
-authentication.shib.role.Senior\ Researcher = Researcher, Staff
-authentication.shib.role.Librarian = Administrator
-
 #### PasswordAuthentication options ####
 
 # Only emails ending in the following domains are allowed to self-register

dspace/config/modules/authentication-shibboleth.cfg

@@ -0,0 +1,71 @@
+#### Shibboleth Authentication Configuration Settings ####
+# Check https://mams.melcoe.mq.edu.au/zope/mams/pubs/Installation/dspace15/view
+# for installation detail.
+#
+# DSpace requires email as user's credential. There are 2 ways of providing
+# email to DSpace:
+# 1) by explicitly specifying to the user which attribute (header)
+#    carries the email address.
+# 2) by turning on the user-email-using-tomcat=true which means
+#    the software will try to acquire the user's email from Tomcat
+# The first option takes PRECEDENCE when specified. Both options can
+# be enabled to allow fallback.
+
+# this option below specifies that the email comes from the mentioned header.
+# The value is CASE-Sensitive.
+email-header = MAIL
+
+# optional. Specify the header that carries user's first name
+# this is going to be used for creation of new-user
+firstname-header = SHIB-EP-GIVENNAME
+
+# optional. Specify the header that carries user's last name
+# this is used for creation of new user
+lastname-header = SHIB-EP-SURNAME
+
+# this option below forces the software to acquire the email from Tomcat.
+email-use-tomcat-remote-user = true
+
+# should we allow new users to be registered automtically
+# if the IdP provides sufficient info (and user not exists in DSpace)
+autoregister = true
+
+# these two header here specify which attribute that is responsible
+# for providing user's roles to DSpace and unscope the attributes if needed.
+# When not specified, it is defaulted to 'Shib-EP-UnscopedAffiliation', and
+# ignore-scope is defaulted to 'false'.
+# The value is specified in AAP.xml (Shib 1.3.x) or
+# attribute-filter.xml (Shib 2.x). The value is CASE-Sensitive.
+# The values provided in this header are separated by semi-colon or comma.
+# If your sp only provides scoped role header, you need to set
+# role-header.ignore-Scope as true.
+# for example if you only get Shib-EP-ScopedAffiliation instead of Shib-EP-ScopedAffiliation,
+# you have to  make your setting as:
+# role-header = Shib-EP-ScopedAffiliation
+# role-header.ignore-scope = true
+
+# role-header = Shib-EP-UnscopedAffiliation
+role-header.ignore-scope = false
+
+# when user is fully authN on IdP but would not like to release
+# his/her roles to DSpace (for privacy reason?), what should be
+# the default roles be given to such users?
+# The values are separated by semi-colon or comma
+# default-roles = Staff, Walk-ins
+
+# The following mappings specify role mapping between IdP and Dspace.
+# the left side of the entry is IdP's role (prefixed with
+# "role.") which will be mapped to
+# the right entry from DSpace. DSpace's group as indicated on the
+# right entry has to EXIST in DSpace, otherwise user will be identified
+# as 'anonymous'. Multiple values on the right entry should be separated
+# by comma. The values are CASE-Sensitive. Heuristic one-to-one mapping
+# will be done when the IdP groups entry are not listed below (i.e.
+# if "X" group in IdP is not specified here, then it will be mapped
+# to "X" group in DSpace if it exists, otherwise it will be mapped
+# to simply 'anonymous')
+#
+# Given sufficient demand, future release could support regex for the mapping
+# special characters need to be escaped by \
+role.Senior\ Researcher = Researcher, Staff
+role.Librarian = Administrator