Shibboleth configuration shows side effect on password authentication #9074

Closed
lmaylein opened this issue Sep 15, 2023 · 3 comments · Fixed by #9130
Labels
authentication: password (Related to default password-based authentication)
authentication: Shibboleth (Related to authentication via Shibboleth)
bug
Comments

@lmaylein

Describe the bug
If you configure a default role in Shibboleth via authentication-shibboleth.default-roles, this also applies to password authentication and the user authenticated via self-registration and password login then also ends up in the group assigned to this default role.

To Reproduce
authentication-shibboleth.cfg:

authentication-shibboleth.role-header = affiliation
authentication-shibboleth.role-header.ignore-scope = true
authentication-shibboleth.role.other = group1
authentication-shibboleth.default-roles = other

authentication-password.cfg:
authentication-password.login.specialgroup = group2

authentication.cfg:

# Uncomment any of the below plugins to enable them (or copy to your local.cfg).
# You may also reorder them by simply changing their order within this file, or
# defining a new order in local.cfg.

# IP-based authentication/authorization. See authentication-ip.cfg for default configuration.
#plugin.sequence.org.dspace.authenticate.AuthenticationMethod = org.dspace.authenticate.IPAuthentication

# LDAP authentication/authorization. See authentication-ldap.cfg for default configuration.
#plugin.sequence.org.dspace.authenticate.AuthenticationMethod = org.dspace.authenticate.LDAPAuthentication

# Shibboleth authentication/authorization. See authentication-shibboleth.cfg for default configuration.
plugin.sequence.org.dspace.authenticate.AuthenticationMethod = org.dspace.authenticate.ShibAuthentication

# X.509 certificate authentication. See authentication-x509.cfg for default configuration.
#plugin.sequence.org.dspace.authenticate.AuthenticationMethod = org.dspace.authenticate.X509Authentication

# ORCID certificate authentication.
# plugin.sequence.org.dspace.authenticate.AuthenticationMethod = org.dspace.authenticate.OrcidAuthentication

# OIDC authentication. See authentication-oidc.cfg for default configuration.
#plugin.sequence.org.dspace.authenticate.AuthenticationMethod = org.dspace.authenticate.OidcAuthentication

# Authentication by Password (encrypted in DSpace's database). See authentication-password.cfg for default configuration.
# Enabled by default (to disable, either comment out, or define a new list of AuthenticationMethod plugins in your local.cfg)
plugin.sequence.org.dspace.authenticate.AuthenticationMethod = org.dspace.authenticate.PasswordAuthentication

A user who has created himself via self-registration and logs in with his password will subsequently end up in both groups: group1 and group2.

Expected behavior
authentication-shibboleth.default-roles should only take effect if a login actually takes place via Shibboleth.

@lmaylein lmaylein added bug needs triage New issue needs triage and/or scheduling labels Sep 15, 2023
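
An added example, not part of the issue or of DSpace's code: a small audit that reads DSpace-style configuration text and reports which Shibboleth default-role groups a password login would also receive under the behaviour reported above. The names `parse_cfg`, `audit` and `ISSUE_CFG` are hypothetical; it assumes comma-separated list values, and it inspects configuration only, so it cannot tell whether the fix from #9130 is installed.

```python
SEQ_KEY = "plugin.sequence.org.dspace.authenticate.AuthenticationMethod"
SHIB = "org.dspace.authenticate.ShibAuthentication"
PASSWORD = "org.dspace.authenticate.PasswordAuthentication"

# Settings from the issue's reproduction, merged into one text for this example.
ISSUE_CFG = """
authentication-shibboleth.role-header = affiliation
authentication-shibboleth.role-header.ignore-scope = true
authentication-shibboleth.role.other = group1
authentication-shibboleth.default-roles = other
authentication-password.login.specialgroup = group2
#plugin.sequence.org.dspace.authenticate.AuthenticationMethod = org.dspace.authenticate.LDAPAuthentication
plugin.sequence.org.dspace.authenticate.AuthenticationMethod = org.dspace.authenticate.ShibAuthentication
plugin.sequence.org.dspace.authenticate.AuthenticationMethod = org.dspace.authenticate.PasswordAuthentication
"""


def parse_cfg(text):
    """Collect 'key = value' lines; repeated keys accumulate, comments are skipped."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        # Assumption: list values are comma-separated.
        items = [v.strip() for v in value.split(",") if v.strip()]
        props.setdefault(key.strip(), []).extend(items)
    return props


def audit(text):
    """Return (groups intended for password logins, Shibboleth default-role
    groups that the reported behaviour would add to those logins)."""
    props = parse_cfg(text)
    methods = props.get(SEQ_KEY, [])
    intended = props.get("authentication-password.login.specialgroup", [])
    if SHIB not in methods or PASSWORD not in methods:
        return intended, []  # both plugins must be enabled for the overlap
    leaked = []
    for role in props.get("authentication-shibboleth.default-roles", []):
        # Assumption: a default role with no role.<name> mapping grants nothing.
        for group in props.get("authentication-shibboleth.role." + role, []):
            if group not in leaked and group not in intended:
                leaked.append(group)
    return intended, leaked


if __name__ == "__main__":
    intended, leaked = audit(ISSUE_CFG)
    print("password login groups:", intended)
    print("extra groups via Shibboleth default-roles:", leaked)
```
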
@lmaylein
Author

Addendum: Tested in version 7.6

@lmaylein
Author

@tdonohue
Thanks. One more question: I have two accounts in our DSpace 7.6 installation: one via local authentication and one via Shibboleth authentication. If I log in via Shibboleth and then (after logging out) log in via the local account, I end up with my Shibboleth-authenticated user, i.e. the SSO takes effect even though I have explicitly selected local authentication. Is this problem related to this?

@tdonohue
Member

@lmaylein : No, that's a different bug but it's already reported in #8475
