EPrints Technical Mailing List Archive
See the EPrints wiki for instructions on how to join this mailing list and related information.
Message: #07134
< Previous (by date) | Next (by date) > | < Previous (in thread) | Next (in thread) > | Messages - Most Recent First | Threads - Most Recent First
Re: [EP-tech] Shibboleth and local login
- To: <eprints-tech@ecs.soton.ac.uk>
- Subject: Re: [EP-tech] Shibboleth and local login
- From: Yuri <yurj@alfa.it>
- Date: Wed, 7 Feb 2018 15:10:52 +0100
What about: To avoid the loop, in auth.pl I've changed this: my $url = URI->new( $session->get_repository->get_conf("base_url" )."/shibboleth/login" ); <- base_url is http, no shibboleth, so the server keep redirecting over and over to: my $url = "https://<mysite>/shibboleth/login"; because of (from perl_lib/EPrints/Apache/Auth.pm):if( $repository->current_url ne $repository->current_url( path => "cgi", "users/login" ) )
{EPrints::Apache::AnApache::send_status_line( $r, 302, "Need to login first" ); EPrints::Apache::AnApache::header_out( $r, "Location", $login_url );
EPrints::Apache::AnApache::send_http_header( $r ); return DONE; }This create a loop in authentication because it doesn'nt check for /shibboleth/login but just for /cgi/users/login.
Il 07/02/2018 14:48, Yuri ha scritto:
Il 07/02/2018 11:04, David R Newman ha scritto:Hi Yuri, Actually you will find if you click on the the Login link it actually takes you to /cgi/users/home, when you have configured Shibboleth, this will redirect to /shibboleth/login rather than /cgi/users/login. If you create a link directly to /cgi/users/login this will allow you to still use local login.No, I tried but it sends me to Shibboleth auth. This is because /cgi/users/login is sent to https and thus to shibboleth because / in https is protected by shibboleth. Just protecting /shibboleth in https does not work. You can login but you get no user from apache. I think it has to do with remote_user be passed only when you've a protected location, so if you're on /cgi you don't get the user while if you're on /shibboleth yes. Can you share your https/eprints config? I'm using Debian stretch and Eprints 3.3.16 installed from tar.gzI go direct to /cgi/users/login all the time for repositories I support where I am not part of the institution itself. The only downside of having a direct login link is you may not be logged into the page you clicked the local login link on. However, I think you can probably do something clever with you template to write the current path into the href for html of this link. On a side issue, I am the most recent person to significantly update the Shibboleth page on wiki.eprints.org. I am aware of a couple of errors. One is will the /shibboleth/login code without user creation.The user is created using login-autocreateI have been meaning to get round to fixing this. Also, there is an issue with the /shibboleth/login code that does create user accounts because it does not render correctly and misses out a load of empty string definitions in the following line: my ($username, $given, $family, $email) = (undef, '', '', '');Yes, I've this but just cosmetic. Thanks for your help.I will endeavour to correct these issues today.Thanks!Regards David Newman On Wed, 2018-02-07 at 10:03 +0100, Yuri wrote:Hi! I'm following: https://wiki.eprints.org/w/Webserver_authentication I've found this in : if( $repository->current_url ne $repository->current_url( path => "cgi", "users/login" ) ) { EPrints::Apache::AnApache::send_status_line( $r, 302, "Need to login first" ); EPrints::Apache::AnApache::header_out( $r, "Location", $login_url ); EPrints::Apache::AnApache::send_http_header( $r ); return DONE; } this create a loop in authentication because it doesn'nt check for /shibboleth/login! perl_lib/EPrints/Apache/Auth.pm My question is also how I can insert a link to a local authentication because if I follow a link to /cgi/users/login, I get redirected to shibboleth auth. Is it because of the lines above? To avoid the loop, in auth.pl I've changed this: my $url = URI->new( $session->get_repository->get_conf( "base_url" ) . "/shibboleth/login" ); <- base_url is http, no shibboleth, so the server keep redirecting over and over to: my $url = "https://<mysite>/shibboleth/login"; So, I think the guide is incomplete or there's something not clear to me... Il 14/12/2017 09:11, Yuri ha scritto:Ok, so I've just to add a link to /shibboleth/login in /cgi/users/login for people which want to login using shibboleth, isn't it? For redirects it is not a problem, but I think /cgi/users/login already save the loginparams so send you to the wanted page. Il 13/12/2017 11:25, David R Newman ha scritto:Hi Yuri, The actual login page is http://HOSTNAME/cgi/users/login you could include this link for people who want to login using local login. However, must the links that require you to login will still always redirect to shibboleth, so you will have to instruct you local uses that they must click on the local login to ensure they are logged in before trying to use any of the logged in user functionality, You might want to do something clever with the login link to ensure the user gets returned to the same page they were on before they realised they need to login. I am not sure how to do this off the top of my head. Regards David Newman On Wed, 2017-12-13 at 10:53 +0100, Yuri wrote:Hi! reading and implementing this guide: https://wiki.eprints.org/w/Shibboleth every login is handled by Shibboleth. Is there a way to let the user choose betsween local and Shibboleth login? *** Options: http://mailman.ecs.soton.ac.uk/mailman/listinfo/ep rints- tech *** Archive: http://www.eprints.org/tech.php/ *** EPrints community wiki: http://wiki.eprints.org/ *** EPrints developers Forum: http://forum.eprints.org/*** Options: http://mailman.ecs.soton.ac.uk/mailman/listinfo/eprints-tech *** Archive: http://www.eprints.org/tech.php/ *** EPrints community wiki: http://wiki.eprints.org/ *** EPrints developers Forum: http://forum.eprints.org/*** Options: http://mailman.ecs.soton.ac.uk/mailman/listinfo/eprints- tech *** Archive: http://www.eprints.org/tech.php/ *** EPrints community wiki: http://wiki.eprints.org/ *** EPrints developers Forum: http://forum.eprints.org/*** Options: http://mailman.ecs.soton.ac.uk/mailman/listinfo/eprints-tech *** Archive: http://www.eprints.org/tech.php/ *** EPrints community wiki: http://wiki.eprints.org/ *** EPrints developers Forum: http://forum.eprints.org/*** Options: http://mailman.ecs.soton.ac.uk/mailman/listinfo/eprints-tech *** Archive: http://www.eprints.org/tech.php/ *** EPrints community wiki: http://wiki.eprints.org/ *** EPrints developers Forum: http://forum.eprints.org/
- Follow-Ups:
- Re: [EP-tech] Shibboleth and local login
- From: Yuri <yurj@alfa.it>
- Re: [EP-tech] Shibboleth and local login
- References:
- [EP-tech] Shibboleth and local login
- From: Yuri <yurj@alfa.it>
- Re: [EP-tech] Shibboleth and local login
- From: David R Newman <drn@ecs.soton.ac.uk>
- Re: [EP-tech] Shibboleth and local login
- From: Yuri <yurj@alfa.it>
- Re: [EP-tech] Shibboleth and local login
- From: Yuri <yurj@alfa.it>
- Re: [EP-tech] Shibboleth and local login
- From: David R Newman <drn@ecs.soton.ac.uk>
- Re: [EP-tech] Shibboleth and local login
- From: Yuri <yurj@alfa.it>
- Re: [EP-tech] Shibboleth and local login
- From: Yuri <yurj@alfa.it>
- [EP-tech] Shibboleth and local login
- Prev by Date: Re: [EP-tech] Shibboleth and local login
- Next by Date: Re: [EP-tech] Shibboleth and local login
- Previous by thread: [EP-tech] EPrints/CRIS
- Next by thread: [EP-tech] DOI handling in orcid_support_advance
- Index(es):