Shibboleth special groups don't populate when IP authentication also used in 7.6.1 #9226
Labels
authentication: general
general authentication issues or new features
authentication: Shibboleth
Related to authentication via Shibboleth
bug
help wanted
Needs a volunteer to claim to move forward
high priority
Describe the bug
When using IP-based groups assignment along with Shibboleth groups assignment, the Shibboleth groups do not get applied. This seems to be related to the if condition introduced in PR #9130 for dspace-api/src/main/java/org/dspace/authenticate/AuthenticationServiceImpl.java.
Logs show the getSpecialGroups method of dspace-api/src/main/java/org/dspace/authenticate/ShibAuthentication.java only returning the cached special groups, and when investigated the cached special groups are only the ones from IP authentication. It never reaches the "Starting to determine special groups" log line to apply the Shibboleth-configured groups.
I don't know the code or authentication flows super well, but my best guess is that when dspace-api/src/main/java/org/dspace/authenticate/AuthenticationServiceImpl.java does the check to make sure the login type aligns with the context, it causes the Shibboleth groups to be applied later in the order, after the IP authentication groups have already been added to the context. Then in dspace-api/src/main/java/org/dspace/authenticate/ShibAuthentication.java the check on line 296 can only check if there's anything in the specialGroups in the context object, but doesn't know what authentication plugin put the special groups there to know if the Shibboleth plugin has already applied groups. It sees the groups from IP authentication and just returns the cached groups.
If I turn off the IPAuthentication plugin, the Shibboleth groups get applied as expected. I am unsure if the same applies to password or other forms of Authentication in relation to IP Authentication.
We have not experienced this issue with 7.6 or earlier 7.x versions of DSpace.
To Reproduce
Steps to reproduce the behavior:
Expected behavior
Groups from both IP Authentication and Shibboleth authentication would be added to the user.
Related work
Seems to be related to:
Issue #9127
PR #9130
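A minimal model of the cache check described in this report, added here as an illustration; it is not DSpace code and not from the reporter. `Ctx`, `Plugin`, the `byPlugin` map and the group names are hypothetical stand-ins. It contrasts a shared "context already has groups" check with one possible alternative that keys the cache per plugin.

```java
import java.util.*;

// Simplified model of the reported behaviour; NOT DSpace code.
// Ctx, Plugin, byPlugin and all group names are hypothetical.
public class SpecialGroupCacheDemo {
    static class Ctx {
        // Shared set that every authentication plugin writes into.
        final Set<String> specialGroups = new LinkedHashSet<>();
        // Hypothetical per-plugin cache, so a plugin can tell its own work apart.
        final Map<String, List<String>> byPlugin = new HashMap<>();
    }

    interface Plugin { List<String> getSpecialGroups(Ctx ctx); }

    // Stand-in for an IP-based plugin: always contributes one group.
    static final Plugin IP = ctx -> List.of("campus-network");

    // Pattern from the report: a non-empty shared set is taken to mean
    // "my groups are already cached", whoever put them there.
    static final Plugin SHIB_SHARED_CHECK = ctx -> {
        if (!ctx.specialGroups.isEmpty()) {
            return new ArrayList<>(ctx.specialGroups);
        }
        return List.of("shib-staff");
    };

    // Alternative: the "already resolved" decision is keyed on the plugin.
    static final Plugin SHIB_OWN_CHECK = ctx ->
        ctx.byPlugin.computeIfAbsent("shib", k -> List.of("shib-staff"));

    // Runs the plugins in stack order and merges their groups into the context.
    static Set<String> login(List<Plugin> stack) {
        Ctx ctx = new Ctx();
        for (Plugin p : stack) {
            ctx.specialGroups.addAll(p.getSpecialGroups(ctx));
        }
        return ctx.specialGroups;
    }

    public static void main(String[] args) {
        System.out.println("shared check, IP first:   " + login(List.of(IP, SHIB_SHARED_CHECK)));
        System.out.println("shared check, Shib alone: " + login(List.of(SHIB_SHARED_CHECK)));
        System.out.println("own check, IP first:      " + login(List.of(IP, SHIB_OWN_CHECK)));
    }
}
```

In this model only the first call loses the Shibboleth group, which matches the observation that disabling the IP plugin restores the expected groups.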