Special groups not working with Shibboleth authentication and IP Authentication #8301

Closed
samj55 opened this issue May 21, 2022 · 6 comments · Fixed by #8309
Labels: authentication: Shibboleth (Related to authentication via Shibboleth), authorization (Related to user authorization / permissions), backend: bitstore (Related to file/bitstream storage), bug, high priority

Comments


samj55 commented May 21, 2022

Describe the bug
These bugs, #8161 and #8160, still exist. Please double check.

DSpace version installed: DSpace 7.3-SNAPSHOT

To Reproduce
Steps to reproduce the behavior:

  1. Create a new Community. Edit Authorizations and restrict read access to Shibboleth Special Group
  2. Create a new collection. Edit Assign Roles and restrict BITSTREAM_DEFAULT_READ and DEFAULT_READ and finally add Shibboleth Special Group as a subgroup to both groups you just created.
  3. For the same collection Edit Authorizations and restrict the read access to Shibboleth Special Group
  4. Ingest/import a new item.
  5. Login as Shibboleth user. You will see the configured Shibboleth Special Group is listed in the user profile and the restricted item is visible, but viewing the bitstream will develop the error you see in the log below. (I think IP Authentication is also having the same issue.)

Expected behavior
You should've seen the item as a member of the permitted special group.

Related work
Link to any related tickets or PRs here.
#8161
#8160

DSpace Log:
java.io.IOException: org.dspace.authorize.AuthorizeException: Authorization denied for action READ on BITSTREAM:549dad0f-2438-41c0-ad1c-d1ebfc8ca982 by user 1ccce6d2-beaf-43cc-8b64-b9a15a30e62e
at org.dspace.app.rest.utils.BitstreamResource.getInputStream(BitstreamResource.java:102) ~[classes/:7.3-SNAPSHOT]
at org.springframework.http.converter.ResourceHttpMessageConverter.writeContent(ResourceHttpMessageConverter.java:137) ~[spring-web-5.3.18.jar:5.3.18]
at org.springframework.http.converter.ResourceHttpMessageConverter.writeInternal(ResourceHttpMessageConverter.java:129) ~[spring-web-5.3.18.jar:5.3.18]
at org.springframework.http.converter.ResourceHttpMessageConverter.writeInternal(ResourceHttpMessageConverter.java:45) ~[spring-web-5.3.18.jar:5.3.18]
at org.springframework.http.converter.AbstractHttpMessageConverter.write(AbstractHttpMessageConverter.java:227) ~[spring-web-5.3.18.jar:5.3.18]

@samj55 samj55 added bug needs triage New issue needs triage and/or scheduling labels May 21, 2022
@tdonohue tdonohue added authorization Related to user authorization / permissions authentication: Shibboleth Related to authentication via Shibboleth backend: bitstore Related to file/bitstream storage labels May 24, 2022
@tdonohue tdonohue added this to To Do in DSpace 7.4 release via automation May 24, 2022
@tdonohue tdonohue added high priority and removed needs triage New issue needs triage and/or scheduling labels May 24, 2022
tdonohue (Member) commented:

Pulling this onto the 7.4 board. Just a note for eventual testers... we should verify that this is definitely a bug in Shibboleth. It's possible that the bug here is in the Bitstream download (as it sounds like the Item is visible but the Bitstream is not).

So, it is possible this is a new bug & not the same as #8161

samj55 commented May 24, 2022

Please note IP-Authentication is having the exact same issue. Adding the anonymous group as a sub group of BITSTREAM_DEFAULT_READ group for that collection had it working for Shibboleth and IP-Authentication too.

tdonohue commented May 24, 2022

@samj55 : Just to verify, the issue is only with the Bitstream, correct? It sounds like when you access restrict the Item (using DEFAULT_READ) that access restriction works (and that bug was fixed in #8161). But, you noted that when using BITSTREAM_DEFAULT_READ to apply Bitstream-level permissions, then you discover the bug.

If it's correct that this issue is only with the Bitstream then that's a new bug. In #8161 / #8160 we fixed the issue with the Item-level permissions. But, in this ticket, it sounds like you are saying a similar type of issue is appearing at the Bitstream-level.

samj55 commented May 24, 2022

Yes, it's correct, Tim. Only the bitstream is affected by this problem. Adding the anonymous group as a subgroup solves the viewing issue for the Shibboleth and IP users, but any anonymous user with the bitstream direct link can view that bitstream.

Example of the link:
https://xxx.example.org/bitstreams/2cdab9f8-b74e-48c3-b434-4bbc40277b9f/download
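A simplified model of the access check this thread is about, added here as an example; it is not DSpace code and the group names, eperson id and policy in it are constructed. It models persistent groups with nested subgroups, special groups that an authentication method (Shibboleth or IP) grants to the current session only, and a READ policy on a bitstream. It reproduces the three outcomes discussed above: a check that ignores session special groups denies the Shibboleth user (the reported bug), a check that includes them allows that user while still denying anonymous, and the workaround of adding Anonymous as a subgroup of the collection's BITSTREAM_DEFAULT_READ group makes the bitstream readable by anyone holding the direct link.

```python
"""Toy model of group-based READ authorization with session special groups.

Constructed example for illustration; not DSpace code. Group names,
eperson ids and the policy below are invented.
"""
from __future__ import annotations
from dataclasses import dataclass, field

ANONYMOUS = "Anonymous"  # every request, logged in or not, is in this group


@dataclass
class Group:
    name: str
    members: set = field(default_factory=set)    # persistent eperson ids
    subgroups: set = field(default_factory=set)  # names of child groups


@dataclass
class Session:
    eperson: str | None = None                       # None: not logged in
    special_groups: set = field(default_factory=set)  # granted per session by the auth method


def closure(groups: dict[str, Group], start: str) -> set[str]:
    """Group `start` plus every group reachable through its subgroup links."""
    seen, stack = set(), [start]
    while stack:
        g = stack.pop()
        if g in seen:
            continue
        seen.add(g)
        stack.extend(groups[g].subgroups)
    return seen


def effective_groups(groups: dict[str, Group], session: Session,
                     include_special: bool = True) -> set[str]:
    """Groups a policy check should treat the session as belonging to."""
    direct = {ANONYMOUS}
    if session.eperson is not None:
        direct |= {g.name for g in groups.values() if session.eperson in g.members}
    if include_special:  # the bug in the thread: this step was skipped for bitstreams
        direct |= session.special_groups
    # membership propagates upward: being in a subgroup makes you a member of the parent
    return {name for name in groups if closure(groups, name) & direct}


def authorize_read(groups: dict[str, Group], allowed_groups: set[str],
                   session: Session, include_special: bool = True) -> bool:
    """True if any group the session effectively belongs to is allowed READ."""
    return bool(effective_groups(groups, session, include_special) & allowed_groups)


def build_groups(anonymous_as_subgroup: bool = False) -> dict[str, Group]:
    """Constructed group tree: a special group nested under a collection read group."""
    shib = Group("Shibboleth-Special")  # no persistent members; assigned by the auth plugin
    read = Group("COLL_BITSTREAM_DEFAULT_READ", subgroups={shib.name})
    if anonymous_as_subgroup:            # the workaround described in the thread
        read.subgroups.add(ANONYMOUS)
    anon = Group(ANONYMOUS)
    return {g.name: g for g in (anon, shib, read)}


BITSTREAM_READ_POLICY = {"COLL_BITSTREAM_DEFAULT_READ"}  # constructed resource policy


def run_scenarios() -> dict[str, bool]:
    shib_user = Session(eperson="eperson-1", special_groups={"Shibboleth-Special"})
    anonymous = Session()
    strict = build_groups()
    workaround = build_groups(anonymous_as_subgroup=True)
    return {
        # check ignores special groups: the logged-in Shibboleth user is denied (the bug)
        "buggy_check_shib_user": authorize_read(strict, BITSTREAM_READ_POLICY, shib_user,
                                                include_special=False),
        # check includes special groups: user allowed, anonymous still denied
        "fixed_check_shib_user": authorize_read(strict, BITSTREAM_READ_POLICY, shib_user),
        "fixed_check_anonymous": authorize_read(strict, BITSTREAM_READ_POLICY, anonymous),
        # workaround: Anonymous nested under the read group opens the bitstream to everyone
        "workaround_anonymous": authorize_read(workaround, BITSTREAM_READ_POLICY, anonymous),
    }


if __name__ == "__main__":
    for name, allowed in run_scenarios().items():
        print(f"{name}: {'ALLOW' if allowed else 'DENY'}")
```

The point of the last scenario is that nesting Anonymous under a restricted group is not a narrowing of access but a grant to every request, so the direct-link exposure in the comment above is exactly what the model predicts; the durable fix is for the bitstream check to consult the same effective-group set (including session special groups) that the item-level check already does.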

LucaGiamminonni (Contributor) commented:

Hi @tdonohue @samj55, I created a PR that should solve the problem: #8309. Can you verify it? Thanks

samj55 commented May 25, 2022

I confirm it is fixed by #8309.

@tdonohue tdonohue removed this from To Do in DSpace 7.4 release May 25, 2022
@tdonohue tdonohue added this to To Do in DSpace 7.3 release via automation May 25, 2022
@tdonohue tdonohue added this to the 7.3 milestone May 25, 2022
@tdonohue tdonohue moved this from To Do to In Progress in DSpace 7.3 release May 25, 2022