[Port to dtq-dev] Issue 1373: obtain special groups from user context when new token is generated (on token refresh) #1347
… generated (on token refresh) (#1378)

* Issue 1373: obtain special groups from user context when new token is generated (on token refresh)
* resolve Copilot comments
* resolve Copilot Comments: compute special groups only when user is authenticated
* Remove HttpSession dependency from ClarinShibAuthentication

  Use request-scoped attributes for shib.authenticated instead of HttpSession/JSESSIONID, aligning with upstream ShibAuthentication. Follow-up to #1373/#1378.
* Guard against null special groups in Context.getSpecialGroups

  A special-group UUID may reference a Group that has since been deleted; GroupService.find returns null in that case. The list was built with an unconditional add, so it could contain null elements, which caused an NPE downstream (e.g. SpecialGroupClaimProvider.getValue maps group.getID() while generating the JWT sg claim on token refresh). Filter nulls once here so every caller is covered. Follow-up to #1373/#1378.

---------

Co-authored-by: Ondrej Kosarko <kosarko@ufal.mff.cuni.cz>

(cherry picked from commit 4c294b2)
Actionable comments posted: 1
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In `@dspace-api/src/main/java/org/dspace/authenticate/clarin/ClarinShibAuthentication.java`:
- Line 349: The special-group lookup in ClarinShibAuthentication.authenticate()
is still reading only servlet headers via new ShibHeaders(request), which breaks
verification-token flows where the data is stored in the shib.headers request
attribute. Update the group resolution call to use the same attribute-aware
header source as the rest of authenticate(), so the ShibGroup path can resolve
groups from either servlet headers or the request attribute after session
caching is removed.
📒 Files selected for processing (2)
- dspace-api/src/main/java/org/dspace/authenticate/clarin/ClarinShibAuthentication.java
- dspace-api/src/main/java/org/dspace/core/Context.java
Pull request overview
Ports upstream fix for Issue 1373 into dtq-dev, improving how Shibboleth-derived “special groups” are resolved during JWT generation/refresh and hardening special-group handling against deleted groups.
Changes:
- Filter out `null` entries from `Context#getSpecialGroups()` when a stored special-group UUID no longer resolves to an existing Group.
- Update `ClarinShibAuthentication` to use a request-scoped `shib.authenticated` flag (instead of session-scoped) and to prefer special groups already present in `Context` (e.g., from JWT claims) during token refresh.
- Replace legacy `Collections.EMPTY_LIST` usage with type-safe `Collections.emptyList()` and tighten special-group lookup null-handling.
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated 1 comment.
| File | Description |
|---|---|
| dspace-api/src/main/java/org/dspace/core/Context.java | Skips missing/deleted Groups so callers never receive null entries in special-group lists. |
| dspace-api/src/main/java/org/dspace/authenticate/clarin/ClarinShibAuthentication.java | Ensures special groups can be sourced from Context on token refresh and avoids session-persisted Shibboleth auth flags. |
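The null-guard described in the commit message and the overview above, as an added example that is not code from this pull request or from DSpace: it shows how one stale special-group UUID breaks claim generation and how filtering at the source avoids it. `Group`, `STORE`, `find`, `resolveUnguarded`, `resolveGuarded` and `sgClaim` are hypothetical stand-ins, and the sample UUIDs are constructed.

```java
import java.util.*;
import java.util.stream.Collectors;

// Stand-in types for illustration only; not DSpace's Group, GroupService or Context.
public class SpecialGroupNullGuard {
    record Group(UUID id, String name) {}

    // Constructed group store: find() returns null for an unknown UUID,
    // the behaviour the commit message describes for GroupService.find.
    static final Map<UUID, Group> STORE = new HashMap<>();
    static Group find(UUID id) { return STORE.get(id); }

    // "Before": unconditional add, so a deleted group leaves a null element.
    static List<Group> resolveUnguarded(List<UUID> ids) {
        List<Group> out = new ArrayList<>();
        for (UUID id : ids) out.add(find(id));
        return out;
    }

    // "After": drop UUIDs that no longer resolve, once, at the source.
    static List<Group> resolveGuarded(List<UUID> ids) {
        return ids.stream().map(SpecialGroupNullGuard::find)
                .filter(Objects::nonNull).collect(Collectors.toList());
    }

    // Hypothetical claim builder: maps each group to its id, as the sg claim does.
    static List<String> sgClaim(List<Group> groups) {
        return groups.stream().map(g -> g.id().toString()).collect(Collectors.toList());
    }

    public static void main(String[] args) {
        UUID staff = UUID.randomUUID(), deleted = UUID.randomUUID();
        STORE.put(staff, new Group(staff, "staff"));   // 'deleted' is never stored
        List<UUID> special = List.of(staff, deleted);

        try {
            sgClaim(resolveUnguarded(special));
        } catch (NullPointerException e) {
            System.out.println("unguarded: NPE while building sg claim");
        }
        System.out.println("guarded sg claim: " + sgClaim(resolveGuarded(special)));
    }
}
```

The guarded path silently drops the stale UUID, so the refreshed token carries only groups that still exist.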
Port of ufal#1378 by @kuchtiak-ufal to dtq-dev.