EPrints Technical Mailing List Archive

Message: #07134



Re: [EP-tech] Shibboleth and local login


What about:

To avoid the loop, in auth.pl I've changed this:

     my $url = URI->new( $session->get_repository->get_conf( "base_url" ) . "/shibboleth/login" ); # <- base_url is http, no shibboleth, so the server keeps redirecting over and over

   to:

      my $url = "https://<mysite>/shibboleth/login";

because of (from perl_lib/EPrints/Apache/Auth.pm):

                  if( $repository->current_url ne $repository->current_url( path => "cgi", "users/login" ) )
                  {
                          EPrints::Apache::AnApache::send_status_line( $r, 302, "Need to login first" );
                          EPrints::Apache::AnApache::header_out( $r, "Location", $login_url );
                          EPrints::Apache::AnApache::send_http_header( $r );
                          return DONE;
                  }

This creates a loop in authentication because it doesn't check for /shibboleth/login but just for /cgi/users/login.

On 07/02/2018 14:48, Yuri wrote:
On 07/02/2018 11:04, David R Newman wrote:
Hi Yuri,

Actually you will find if you click on the Login link it actually
takes you to /cgi/users/home, when you have configured Shibboleth, this
will redirect to /shibboleth/login rather than /cgi/users/login.
If you create a link directly to /cgi/users/login this will allow you to
still use local login.
No, I tried but it sends me to Shibboleth auth. This is because
/cgi/users/login is sent to https and thus to shibboleth because / in
https is protected by shibboleth. Just protecting /shibboleth in https
does not work. You can login but you get no user from apache. I think it
has to do with remote_user being passed only when you've a protected
location, so if you're on /cgi you don't get the user while if you're on
/shibboleth yes.

Can you share your https/eprints config? I'm using Debian stretch and
Eprints 3.3.16 installed from tar.gz

I go direct to /cgi/users/login all the time
for repositories I support where I am not part of the institution
itself.

The only downside of having a direct login link is you may not be
logged into the page you clicked the local login link on.  However, I
think you can probably do something clever with your template to write
the current path into the href for html of this link.

On a side issue, I am the most recent person to significantly update
the Shibboleth page on wiki.eprints.org.  I am aware of a couple of
errors.  One is with the /shibboleth/login code without user creation.
The user is created using login-autocreate

I have been meaning to get round to fixing this.  Also, there is an
issue with the /shibboleth/login code that does create user accounts
because it does not render correctly and misses out a load of empty
string definitions in the following line:

my ($username, $given, $family, $email) = (undef, '', '', '');
Yes, I've this but just cosmetic. Thanks for your help.

I will endeavour to correct these issues today.
Thanks!

Regards

David Newman

On Wed, 2018-02-07 at 10:03 +0100, Yuri wrote:
Hi!

I'm following: https://wiki.eprints.org/w/Webserver_authentication

    I've found this in :

                   if( $repository->current_url ne $repository->current_url( path => "cgi", "users/login" ) )
                   {
                           EPrints::Apache::AnApache::send_status_line( $r, 302, "Need to login first" );
                           EPrints::Apache::AnApache::header_out( $r, "Location", $login_url );
                           EPrints::Apache::AnApache::send_http_header( $r );
                           return DONE;
                   }

this creates a loop in authentication because it doesn't check for
/shibboleth/login! perl_lib/EPrints/Apache/Auth.pm

My question is also how I can insert a link to a local
authentication
because if I follow a link to /cgi/users/login, I get redirected to
shibboleth auth. Is it because of the lines above?

To avoid the loop, in auth.pl I've changed this:

      my $url = URI->new( $session->get_repository->get_conf( "base_url" ) . "/shibboleth/login" ); # <- base_url is http, no shibboleth, so the server keeps redirecting over and over

    to:

       my $url = "https://<mysite>/shibboleth/login";

So, I think the guide is incomplete or there's something not clear to
me...

On 14/12/2017 09:11, Yuri wrote:
Ok, so I've just to add a link to /shibboleth/login in
/cgi/users/login for people who want to login using shibboleth,
isn't it?

For redirects it is not a problem, but I think /cgi/users/login
already saves the loginparams so sends you to the wanted page.


On 13/12/2017 11:25, David R Newman wrote:
Hi Yuri,

The actual login page is http://HOSTNAME/cgi/users/login you could
include this link for people who want to login using local login.
However, most of the links that require you to login will still always
redirect to shibboleth, so you will have to instruct your local users
that they must click on the local login to ensure they are logged in
before trying to use any of the logged in user functionality.

You might want to do something clever with the login link to ensure the
user gets returned to the same page they were on before they realised
they need to login.  I am not sure how to do this off the top of my
head.

Regards

David Newman

On Wed, 2017-12-13 at 10:53 +0100, Yuri wrote:
Hi!

reading and implementing this guide:

https://wiki.eprints.org/w/Shibboleth

every login is handled by Shibboleth. Is there a way to let the user
choose between local and Shibboleth login?


*** Options: http://mailman.ecs.soton.ac.uk/mailman/listinfo/eprints-tech
*** Archive: http://www.eprints.org/tech.php/
*** EPrints community wiki: http://wiki.eprints.org/
*** EPrints developers Forum: http://forum.eprints.org/
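
The redirect loop discussed in this thread, as an added example that is not part of the original messages and is not EPrints code: a constructed model of the quoted Auth.pm check that follows the 302 chain for a login URL built from an http base_url and for an absolute https one. It assumes that only the https virtual host is protected by Shibboleth; `repo.example.org`, `next_hop` and `trace` are hypothetical names.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed model, not EPrints code. Assumptions: only the https vhost is
# protected by Shibboleth, and repo.example.org is a placeholder host.
my $LOCAL_LOGIN = "/cgi/users/login";
my $SHIB_LOGIN  = "/shibboleth/login";

# Mirrors the quoted Auth.pm test: a request for anything other than the
# local login page is answered with a 302 to $login_url.
# Returns the redirect target, or undef when the request is served.
sub next_hop {
    my( $url, $login_url ) = @_;
    my( $scheme, $path ) = $url =~ m{^(https?)://[^/]+(/[^?]*)};
    # Assumption: on https, Shibboleth handles this path and supplies the user.
    return undef if $scheme eq "https" && $path eq $SHIB_LOGIN;
    # The only path the quoted check leaves alone.
    return undef if $path eq $LOCAL_LOGIN;
    return $login_url;
}

# Follow the redirects from $start; report where the chain ends or loops.
sub trace {
    my( $start, $login_url ) = @_;
    my %seen;
    my $url = $start;
    while( defined( my $next = next_hop( $url, $login_url ) ) )
    {
        return "LOOP at $next" if $seen{$next}++;
        $url = $next;
    }
    return "ends at $url";
}

my $start = "http://repo.example.org/cgi/users/home";

# Login URL built from an http base_url: the login URL redirects to itself.
print trace( $start, "http://repo.example.org$SHIB_LOGIN" ), "\n";

# Absolute https login URL, as in the change to auth.pl described above.
print trace( $start, "https://repo.example.org$SHIB_LOGIN" ), "\n";
```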