mirror of
https://github.com/DSpace/DSpace.git
synced 2025-10-18 07:23:08 +00:00
Merge pull request #1271 from Georgetown-University-Libraries/ds-3032
[DS-3032] Integrate config service properties into ShibAuthentication
This commit is contained in:
Tim Donohue
@@ -21,7 +21,6 @@ import org.apache.commons.collections.ListUtils;
|
|||||||
import org.apache.commons.lang.StringUtils;
|
import org.apache.commons.lang.StringUtils;
|
||||||
import org.apache.log4j.Logger;
|
import org.apache.log4j.Logger;
|
||||||
import org.dspace.authenticate.factory.AuthenticateServiceFactory;
|
import org.dspace.authenticate.factory.AuthenticateServiceFactory;
|
||||||
import org.dspace.authenticate.service.AuthenticationService;
|
|
||||||
import org.dspace.authorize.AuthorizeException;
|
import org.dspace.authorize.AuthorizeException;
|
||||||
|
|
||||||
import org.dspace.content.MetadataField;
|
import org.dspace.content.MetadataField;
|
||||||
@@ -31,12 +30,13 @@ import org.dspace.content.factory.ContentServiceFactory;
|
|||||||
import org.dspace.content.service.MetadataFieldService;
|
import org.dspace.content.service.MetadataFieldService;
|
||||||
import org.dspace.content.service.MetadataSchemaService;
|
import org.dspace.content.service.MetadataSchemaService;
|
||||||
import org.dspace.core.Context;
|
import org.dspace.core.Context;
|
||||||
import org.dspace.core.ConfigurationManager;
|
|
||||||
import org.dspace.eperson.EPerson;
|
import org.dspace.eperson.EPerson;
|
||||||
import org.dspace.eperson.Group;
|
import org.dspace.eperson.Group;
|
||||||
import org.dspace.eperson.factory.EPersonServiceFactory;
|
import org.dspace.eperson.factory.EPersonServiceFactory;
|
||||||
import org.dspace.eperson.service.EPersonService;
|
import org.dspace.eperson.service.EPersonService;
|
||||||
import org.dspace.eperson.service.GroupService;
|
import org.dspace.eperson.service.GroupService;
|
||||||
|
import org.dspace.services.ConfigurationService;
|
||||||
|
import org.dspace.services.factory.DSpaceServicesFactory;
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Shibboleth authentication for DSpace
|
* Shibboleth authentication for DSpace
|
||||||
@@ -77,11 +77,11 @@ public class ShibAuthentication implements AuthenticationMethod
|
|||||||
/** Maximum length for eperson additional metadata fields **/
|
/** Maximum length for eperson additional metadata fields **/
|
||||||
protected final int METADATA_MAX_SIZE = 1024;
|
protected final int METADATA_MAX_SIZE = 1024;
|
||||||
|
|
||||||
protected AuthenticationService authenticationService = AuthenticateServiceFactory.getInstance().getAuthenticationService();
|
|
||||||
protected EPersonService ePersonService = EPersonServiceFactory.getInstance().getEPersonService();
|
protected EPersonService ePersonService = EPersonServiceFactory.getInstance().getEPersonService();
|
||||||
protected GroupService groupService = EPersonServiceFactory.getInstance().getGroupService();
|
protected GroupService groupService = EPersonServiceFactory.getInstance().getGroupService();
|
||||||
protected MetadataFieldService metadataFieldService = ContentServiceFactory.getInstance().getMetadataFieldService();
|
protected MetadataFieldService metadataFieldService = ContentServiceFactory.getInstance().getMetadataFieldService();
|
||||||
protected MetadataSchemaService metadataSchemaService = ContentServiceFactory.getInstance().getMetadataSchemaService();
|
protected MetadataSchemaService metadataSchemaService = ContentServiceFactory.getInstance().getMetadataSchemaService();
|
||||||
|
protected ConfigurationService configurationService = DSpaceServicesFactory.getInstance().getConfigurationService();
|
||||||
|
|
||||||
|
|
||||||
/**
|
/**
|
||||||
@@ -170,7 +170,7 @@ public class ShibAuthentication implements AuthenticationMethod
|
|||||||
// sword. This allows this compatibility without installing the password-based
|
// sword. This allows this compatibility without installing the password-based
|
||||||
// authentication method which has side effects such as allowing users to login
|
// authentication method which has side effects such as allowing users to login
|
||||||
// with a username and password from the webui.
|
// with a username and password from the webui.
|
||||||
boolean swordCompatibility = ConfigurationManager.getBooleanProperty("authentication-shibboleth","sword.compatibility", true);
|
boolean swordCompatibility = configurationService.getBooleanProperty("authentication-shibboleth.sword.compatibility", true);
|
||||||
if ( swordCompatibility &&
|
if ( swordCompatibility &&
|
||||||
username != null && username.length() > 0 &&
|
username != null && username.length() > 0 &&
|
||||||
password != null && password.length() > 0 ) {
|
password != null && password.length() > 0 ) {
|
||||||
@@ -206,7 +206,7 @@ public class ShibAuthentication implements AuthenticationMethod
|
|||||||
}
|
}
|
||||||
|
|
||||||
// Should we auto register new users.
|
// Should we auto register new users.
|
||||||
boolean autoRegister = ConfigurationManager.getBooleanProperty("authentication-shibboleth","autoregister", true);
|
boolean autoRegister = configurationService.getBooleanProperty("authentication-shibboleth.autoregister", true);
|
||||||
|
|
||||||
// Four steps to authenticate a user
|
// Four steps to authenticate a user
|
||||||
try {
|
try {
|
||||||
@@ -226,7 +226,7 @@ public class ShibAuthentication implements AuthenticationMethod
|
|||||||
// Step 4: Log the user in.
|
// Step 4: Log the user in.
|
||||||
context.setCurrentUser(eperson);
|
context.setCurrentUser(eperson);
|
||||||
request.getSession().setAttribute("shib.authenticated", true);
|
request.getSession().setAttribute("shib.authenticated", true);
|
||||||
authenticationService.initEPerson(context, request, eperson);
|
AuthenticateServiceFactory.getInstance().getAuthenticationService().initEPerson(context, request, eperson);
|
||||||
|
|
||||||
log.info(eperson.getEmail()+" has been authenticated via shibboleth.");
|
log.info(eperson.getEmail()+" has been authenticated via shibboleth.");
|
||||||
return AuthenticationMethod.SUCCESS;
|
return AuthenticationMethod.SUCCESS;
|
||||||
@@ -303,10 +303,10 @@ public class ShibAuthentication implements AuthenticationMethod
|
|||||||
}
|
}
|
||||||
|
|
||||||
log.debug("Starting to determine special groups");
|
log.debug("Starting to determine special groups");
|
||||||
String defaultRoles = ConfigurationManager.getProperty("authentication-shibboleth","default-roles");
|
String[] defaultRoles = configurationService.getArrayProperty("authentication-shibboleth.default-roles");
|
||||||
String roleHeader = ConfigurationManager.getProperty("authentication-shibboleth","role-header");
|
String roleHeader = configurationService.getProperty("authentication-shibboleth.role-header");
|
||||||
boolean ignoreScope = ConfigurationManager.getBooleanProperty("authentication-shibboleth","role-header.ignore-scope", true);
|
boolean ignoreScope = configurationService.getBooleanProperty("authentication-shibboleth.role-header.ignore-scope", true);
|
||||||
boolean ignoreValue = ConfigurationManager.getBooleanProperty("authentication-shibboleth","role-header.ignore-value", false);
|
boolean ignoreValue = configurationService.getBooleanProperty("authentication-shibboleth.role-header.ignore-value", false);
|
||||||
|
|
||||||
if (ignoreScope && ignoreValue) {
|
if (ignoreScope && ignoreValue) {
|
||||||
throw new IllegalStateException("Both config parameters for ignoring an roll attributes scope and value are turned on, this is not a permissable configuration. (Note: ignore-scope defaults to true) The configuration parameters are: 'authentication.shib.role-header.ignore-scope' and 'authentication.shib.role-header.ignore-value'");
|
throw new IllegalStateException("Both config parameters for ignoring an roll attributes scope and value are turned on, this is not a permissable configuration. (Note: ignore-scope defaults to true) The configuration parameters are: 'authentication.shib.role-header.ignore-scope' and 'authentication.shib.role-header.ignore-value'");
|
||||||
@@ -316,8 +316,8 @@ public class ShibAuthentication implements AuthenticationMethod
|
|||||||
List<String> affiliations = findMultipleAttributes(request, roleHeader);
|
List<String> affiliations = findMultipleAttributes(request, roleHeader);
|
||||||
if (affiliations == null) {
|
if (affiliations == null) {
|
||||||
if (defaultRoles != null)
|
if (defaultRoles != null)
|
||||||
affiliations = Arrays.asList(defaultRoles.split(","));
|
affiliations = Arrays.asList(defaultRoles);
|
||||||
log.debug("Failed to find Shibboleth role header, '"+roleHeader+"', falling back to the default roles: '"+defaultRoles+"'");
|
log.debug("Failed to find Shibboleth role header, '"+roleHeader+"', falling back to the default roles: '"+ StringUtils.join(defaultRoles, ",") + "'");
|
||||||
} else {
|
} else {
|
||||||
log.debug("Found Shibboleth role header: '"+roleHeader+"' = '"+affiliations+"'");
|
log.debug("Found Shibboleth role header: '"+roleHeader+"' = '"+affiliations+"'");
|
||||||
}
|
}
|
||||||
@@ -342,29 +342,28 @@ public class ShibAuthentication implements AuthenticationMethod
|
|||||||
}
|
}
|
||||||
|
|
||||||
// Get the group names
|
// Get the group names
|
||||||
String groupNames = ConfigurationManager.getProperty("authentication-shibboleth","role." + affiliation);
|
String[] groupNames = configurationService.getArrayProperty("authentication-shibboleth.role." + affiliation);
|
||||||
if (groupNames == null || groupNames.trim().length() == 0) {
|
if (groupNames == null || groupNames.length == 0) {
|
||||||
groupNames = ConfigurationManager.getProperty("authentication-shibboleth","role." + affiliation.toLowerCase());
|
groupNames = configurationService.getArrayProperty("authentication-shibboleth.role." + affiliation.toLowerCase());
|
||||||
}
|
}
|
||||||
|
|
||||||
if (groupNames == null) {
|
if (groupNames == null) {
|
||||||
log.debug("Unable to find role mapping for the value, '"+affiliation+"', there should be a mapping in config/modules/authentication-shibboleth.cfg: role."+affiliation+" = <some group name>");
|
log.debug("Unable to find role mapping for the value, '"+affiliation+"', there should be a mapping in config/modules/authentication-shibboleth.cfg: role."+affiliation+" = <some group name>");
|
||||||
continue;
|
continue;
|
||||||
} else {
|
} else {
|
||||||
log.debug("Mapping role affiliation to DSpace group: '"+groupNames+"'");
|
log.debug("Mapping role affiliation to DSpace group: '"+ StringUtils.join(groupNames, ",") +"'");
|
||||||
}
|
}
|
||||||
|
|
||||||
// Add each group to the list.
|
// Add each group to the list.
|
||||||
String[] names = groupNames.split(",");
|
for (int i = 0; i < groupNames.length; i++) {
|
||||||
for (int i = 0; i < names.length; i++) {
|
|
||||||
try {
|
try {
|
||||||
Group group = groupService.findByName(context,names[i].trim());
|
Group group = groupService.findByName(context,groupNames[i].trim());
|
||||||
if (group != null)
|
if (group != null)
|
||||||
groups.add(group);
|
groups.add(group);
|
||||||
else
|
else
|
||||||
log.debug("Unable to find group: '"+names[i].trim()+"'");
|
log.debug("Unable to find group: '"+groupNames[i].trim()+"'");
|
||||||
} catch (SQLException sqle) {
|
} catch (SQLException sqle) {
|
||||||
log.error("Exception thrown while trying to lookup affiliation role for group name: '"+names[i].trim()+"'",sqle);
|
log.error("Exception thrown while trying to lookup affiliation role for group name: '"+groupNames[i].trim()+"'",sqle);
|
||||||
}
|
}
|
||||||
} // for each groupNames
|
} // for each groupNames
|
||||||
} // foreach affiliations
|
} // foreach affiliations
|
||||||
@@ -489,11 +488,11 @@ public class ShibAuthentication implements AuthenticationMethod
|
|||||||
// If this server is configured for lazy sessions then use this to
|
// If this server is configured for lazy sessions then use this to
|
||||||
// login, otherwise default to the protected shibboleth url.
|
// login, otherwise default to the protected shibboleth url.
|
||||||
|
|
||||||
boolean lazySession = ConfigurationManager.getBooleanProperty("authentication-shibboleth","lazysession", false);
|
boolean lazySession = configurationService.getBooleanProperty("authentication-shibboleth.lazysession", false);
|
||||||
|
|
||||||
if ( lazySession ) {
|
if ( lazySession ) {
|
||||||
String shibURL = ConfigurationManager.getProperty("authentication-shibboleth","lazysession.loginurl");
|
String shibURL = configurationService.getProperty("authentication-shibboleth.lazysession.loginurl");
|
||||||
boolean forceHTTPS = ConfigurationManager.getBooleanProperty("authentication-shibboleth","lazysession.secure",true);
|
boolean forceHTTPS = configurationService.getBooleanProperty("authentication-shibboleth.lazysession.secure",true);
|
||||||
|
|
||||||
// Shibboleth authentication initiator
|
// Shibboleth authentication initiator
|
||||||
if (shibURL == null || shibURL.length() == 0)
|
if (shibURL == null || shibURL.length() == 0)
|
||||||
@@ -582,9 +581,9 @@ public class ShibAuthentication implements AuthenticationMethod
|
|||||||
*/
|
*/
|
||||||
protected EPerson findEPerson(Context context, HttpServletRequest request) throws SQLException, AuthorizeException {
|
protected EPerson findEPerson(Context context, HttpServletRequest request) throws SQLException, AuthorizeException {
|
||||||
|
|
||||||
boolean isUsingTomcatUser = ConfigurationManager.getBooleanProperty("authentication-shibboleth","email-use-tomcat-remote-user");
|
boolean isUsingTomcatUser = configurationService.getBooleanProperty("authentication-shibboleth.email-use-tomcat-remote-user");
|
||||||
String netidHeader = ConfigurationManager.getProperty("authentication-shibboleth","netid-header");
|
String netidHeader = configurationService.getProperty("authentication-shibboleth.netid-header");
|
||||||
String emailHeader = ConfigurationManager.getProperty("authentication-shibboleth","email-header");
|
String emailHeader = configurationService.getProperty("authentication-shibboleth.email-header");
|
||||||
|
|
||||||
EPerson eperson = null;
|
EPerson eperson = null;
|
||||||
boolean foundNetID = false;
|
boolean foundNetID = false;
|
||||||
@@ -681,10 +680,10 @@ public class ShibAuthentication implements AuthenticationMethod
|
|||||||
protected EPerson registerNewEPerson(Context context, HttpServletRequest request) throws SQLException, AuthorizeException {
|
protected EPerson registerNewEPerson(Context context, HttpServletRequest request) throws SQLException, AuthorizeException {
|
||||||
|
|
||||||
// Header names
|
// Header names
|
||||||
String netidHeader = ConfigurationManager.getProperty("authentication-shibboleth","netid-header");
|
String netidHeader = configurationService.getProperty("authentication-shibboleth.netid-header");
|
||||||
String emailHeader = ConfigurationManager.getProperty("authentication-shibboleth","email-header");
|
String emailHeader = configurationService.getProperty("authentication-shibboleth.email-header");
|
||||||
String fnameHeader = ConfigurationManager.getProperty("authentication-shibboleth","firstname-header");
|
String fnameHeader = configurationService.getProperty("authentication-shibboleth.firstname-header");
|
||||||
String lnameHeader = ConfigurationManager.getProperty("authentication-shibboleth","lastname-header");
|
String lnameHeader = configurationService.getProperty("authentication-shibboleth.lastname-header");
|
||||||
|
|
||||||
// Header values
|
// Header values
|
||||||
String netid = findSingleAttribute(request,netidHeader);
|
String netid = findSingleAttribute(request,netidHeader);
|
||||||
@@ -730,7 +729,7 @@ public class ShibAuthentication implements AuthenticationMethod
|
|||||||
eperson.setCanLogIn(true);
|
eperson.setCanLogIn(true);
|
||||||
|
|
||||||
// Commit the new eperson
|
// Commit the new eperson
|
||||||
authenticationService.initEPerson(context, request, eperson);
|
AuthenticateServiceFactory.getInstance().getAuthenticationService().initEPerson(context, request, eperson);
|
||||||
ePersonService.update(context, eperson);
|
ePersonService.update(context, eperson);
|
||||||
context.dispatchEvents();
|
context.dispatchEvents();
|
||||||
|
|
||||||
@@ -770,10 +769,10 @@ public class ShibAuthentication implements AuthenticationMethod
|
|||||||
protected void updateEPerson(Context context, HttpServletRequest request, EPerson eperson) throws SQLException, AuthorizeException {
|
protected void updateEPerson(Context context, HttpServletRequest request, EPerson eperson) throws SQLException, AuthorizeException {
|
||||||
|
|
||||||
// Header names & values
|
// Header names & values
|
||||||
String netidHeader = ConfigurationManager.getProperty("authentication-shibboleth","netid-header");
|
String netidHeader = configurationService.getProperty("authentication-shibboleth.netid-header");
|
||||||
String emailHeader = ConfigurationManager.getProperty("authentication-shibboleth","email-header");
|
String emailHeader = configurationService.getProperty("authentication-shibboleth.email-header");
|
||||||
String fnameHeader = ConfigurationManager.getProperty("authentication-shibboleth","firstname-header");
|
String fnameHeader = configurationService.getProperty("authentication-shibboleth.firstname-header");
|
||||||
String lnameHeader = ConfigurationManager.getProperty("authentication-shibboleth","lastname-header");
|
String lnameHeader = configurationService.getProperty("authentication-shibboleth.lastname-header");
|
||||||
|
|
||||||
String netid = findSingleAttribute(request,netidHeader);
|
String netid = findSingleAttribute(request,netidHeader);
|
||||||
String email = findSingleAttribute(request,emailHeader);
|
String email = findSingleAttribute(request,emailHeader);
|
||||||
@@ -880,7 +879,7 @@ public class ShibAuthentication implements AuthenticationMethod
|
|||||||
|
|
||||||
else if (ePersonService.checkPassword(context, eperson, password)) {
|
else if (ePersonService.checkPassword(context, eperson, password)) {
|
||||||
// Password matched
|
// Password matched
|
||||||
authenticationService.initEPerson(context, request, eperson);
|
AuthenticateServiceFactory.getInstance().getAuthenticationService().initEPerson(context, request, eperson);
|
||||||
context.setCurrentUser(eperson);
|
context.setCurrentUser(eperson);
|
||||||
log.info(eperson.getEmail()+" has been authenticated via shibboleth using password-based sword compatibility mode.");
|
log.info(eperson.getEmail()+" has been authenticated via shibboleth using password-based sword compatibility mode.");
|
||||||
return SUCCESS;
|
return SUCCESS;
|
||||||
@@ -913,22 +912,21 @@ public class ShibAuthentication implements AuthenticationMethod
|
|||||||
|
|
||||||
HashMap<String, String> map = new HashMap<String,String>();
|
HashMap<String, String> map = new HashMap<String,String>();
|
||||||
|
|
||||||
String mappingString = ConfigurationManager.getProperty("authentication-shibboleth","eperson.metadata");
|
String[] mappingString = configurationService.getArrayProperty("authentication-shibboleth.eperson.metadata");
|
||||||
boolean autoCreate = ConfigurationManager.getBooleanProperty("authentication-shibboleth","eperson.metadata.autocreate", true);
|
boolean autoCreate = configurationService.getBooleanProperty("authentication-shibboleth.eperson.metadata.autocreate", true);
|
||||||
|
|
||||||
// Bail out if not set, returning an empty map.
|
// Bail out if not set, returning an empty map.
|
||||||
if (mappingString == null || mappingString.trim().length() == 0) {
|
if (mappingString == null || mappingString.length == 0) {
|
||||||
log.debug("No additional eperson metadata mapping found: authentication.shib.eperson.metadata");
|
log.debug("No additional eperson metadata mapping found: authentication.shib.eperson.metadata");
|
||||||
|
|
||||||
metadataHeaderMap = map;
|
metadataHeaderMap = map;
|
||||||
return;
|
return;
|
||||||
}
|
}
|
||||||
|
|
||||||
log.debug("Loading additional eperson metadata from: 'authentication.shib.eperson.metadata' = '"+mappingString+"'");
|
log.debug("Loading additional eperson metadata from: 'authentication.shib.eperson.metadata' = '"+ StringUtils.join(mappingString, ",") +"'");
|
||||||
|
|
||||||
|
|
||||||
String[] metadataStringList = mappingString.split(",");
|
for (String metadataString : mappingString) {
|
||||||
for (String metadataString : metadataStringList) {
|
|
||||||
metadataString = metadataString.trim();
|
metadataString = metadataString.trim();
|
||||||
|
|
||||||
String[] metadataParts = metadataString.split("=>");
|
String[] metadataParts = metadataString.split("=>");
|
||||||
@@ -1053,9 +1051,8 @@ public class ShibAuthentication implements AuthenticationMethod
|
|||||||
value = request.getHeader(name.toUpperCase());
|
value = request.getHeader(name.toUpperCase());
|
||||||
|
|
||||||
boolean reconvertAttributes =
|
boolean reconvertAttributes =
|
||||||
ConfigurationManager.getBooleanProperty(
|
configurationService.getBooleanProperty(
|
||||||
"authentication-shibboleth",
|
"authentication-shibboleth.reconvert.attributes",
|
||||||
"reconvert.attributes",
|
|
||||||
false);
|
false);
|
||||||
|
|
||||||
if (!StringUtils.isEmpty(value) && reconvertAttributes)
|
if (!StringUtils.isEmpty(value) && reconvertAttributes)
|
||||||
|
|||||||
@@ -136,7 +136,7 @@ authentication-shibboleth.lastname-header = SHIB-SURNAME
|
|||||||
# SHIB-cn => cn
|
# SHIB-cn => cn
|
||||||
|
|
||||||
# If the eperson metadata field is not found, should it be automatically created?
|
# If the eperson metadata field is not found, should it be automatically created?
|
||||||
authentication-shibboleth.eperson.metadata.autocreate = true;
|
authentication-shibboleth.eperson.metadata.autocreate = true
|
||||||
|
|
||||||
# Shibboleth attributes are by default UTF-8 encoded. Some servlet container
|
# Shibboleth attributes are by default UTF-8 encoded. Some servlet container
|
||||||
# automatically converts the attributes from ISO-8859-1 (latin-1) to UTF-8.
|
# automatically converts the attributes from ISO-8859-1 (latin-1) to UTF-8.
|
||||||
|
|||||||
Reference in New Issue
Block a user