
Dspace 7 shibboleth (REST) #2651

Merged
tdonohue merged 49 commits into DSpace:master from 4Science:dspace-7-shibboleth
Mar 27, 2020

Conversation

@atarix83
Contributor

@atarix83 atarix83 commented Jan 23, 2020

This PR provides changes to make the shibboleth authentication work as discussed in DS-4396

A summary of what is done with this PR:

  • add a new ShibbolethRestController
  • add a new ShibbolethAuthenticationFilter
  • add the possibility to check a JWT token saved in a http cookie sent from client

As discussed in the issue DS-4396, this implementation doesn't handle the Access-Control-Allow-Origin header in the response to avoid CORS problems.

To solve it, we use in the REST VH the following Apache configuration:

  # enable CORS headers for dspace7-demo.atmire.com and localhost
  SetEnvIf Origin "^http(s)?://(www\.)?(dspace7\-demo\.atmire\.com|localhost|127\.0\.0\.1)$" AccessControlAllowOrigin=$0
  Header set Access-Control-Allow-Origin %{AccessControlAllowOrigin}e env=AccessControlAllowOrigin
  Header set Access-Control-Allow-Credentials true env=AccessControlAllowOrigin
  Header set Access-Control-Expose-Headers "Authorization, expires, Location, Content-Disposition, WWW-Authenticate, Set-Cookie, X-Requested-With"
  Header merge Vary Origin

This PR has already been merged in the dspace-cris 7 codebase, so it is possible to see the behavior here: https://dspacecris7.4science.cloud/home
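As an added example (not code from this PR or from DSpace), the origin allowlist that the SetEnvIf line above expresses, re-implemented in Python so the accepted and rejected Origin values can be checked offline; the sample origins in the test are constructed. It also shows that the pattern has no port component, so an origin such as http://localhost:4000 would not receive the credentialed CORS headers.

```python
import re

# Same pattern as the SetEnvIf line in the PR description (Python re syntax;
# the escaped hyphen and dots behave the same way as in Apache's PCRE).
ORIGIN_RE = re.compile(
    r"^http(s)?://(www\.)?(dspace7\-demo\.atmire\.com|localhost|127\.0\.0\.1)$"
)

# Value of the Expose-Headers line; in the snippet it has no env= condition.
EXPOSE_HEADERS = ("Authorization, expires, Location, Content-Disposition, "
                  "WWW-Authenticate, Set-Cookie, X-Requested-With")


def allowed_origin(origin):
    """True when the Origin header value matches the allowlist as a whole.

    fullmatch() is used so that nothing may precede or follow the match:
    a lookalike host such as dspace7-demo.atmire.com.evil.example, a path
    suffix, or a port are all rejected, exactly as the anchored Apache regex
    rejects them (the pattern simply has no port part).
    """
    return origin is not None and ORIGIN_RE.fullmatch(origin) is not None


def cors_headers(origin):
    """Response headers the Apache snippet adds for a request with this Origin.

    The echoed value is the full match ($0), never '*': browsers refuse a
    wildcard origin when Access-Control-Allow-Credentials is true, which is
    what makes the exact-match allowlist necessary here.
    """
    headers = {
        "Vary": "Origin",                             # Header merge Vary Origin
        "Access-Control-Expose-Headers": EXPOSE_HEADERS,
    }
    if allowed_origin(origin):
        headers["Access-Control-Allow-Origin"] = origin
        headers["Access-Control-Allow-Credentials"] = "true"
    return headers
```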

Fixed checkstyle violations
Retrieve token from cookie only when checking an authenticated eperson
Add authorization cookie only in ShibbolethAuthenticationFilter
Fixed AuthenticationRestControllerIT
Fixed checkstyle violations
Invalidate authorization cookie on logout
add context commit after invalidating token
use authorization cookie only to check
fix use authorization cookie only to check
Invalidate authentication cookie once used
Add check to user and password blank
fix check user and password blank
Revert check
Check session salt in shib auth
add attemptAuthentication method to ShibbolethAuthenticationFilter
fix attemptAuthentication method on ShibbolethAuthenticationFilter
Added WWW-Authenticate header to authn/status response
Revert "use authorization cookie only to check"
replace Boolean type with primitive type
Contributor

@paulo-graca paulo-graca left a comment


As promised, I will try to summarize what we have done in order to have Logout within shibboleth and DSpace.
Basically, in terms of the Service Provider, we use Shibboleth's Notify parameter to configure the IdP logout url:
https://wiki.shibboleth.net/confluence/display/SP3/Notify

<Notify Channel="front" Location="https://[MY-SERVER]/logout" />

When the logout event in DSpace is performed, then the Notify is triggered.
Some exchanges will occur between the SP and the IdP and an indication to IdP to clean the shibboleth authentication will also occur.

In our case we will have something like this: https://[MY-SERVER]/shibboleth.sso/Logout?notifying=1&index=1

to invoke the logout. We also clean local cookies.

@benbosman
Member

@paulo-graca

You won't need to expose the Shibboleth header on the entire REST as you specified above:

    ProxyPass /server ajp://localhost:8009/server
    ProxyPass /Shibboleth.sso !

    <Location /server>
        Order deny,allow
        Allow from all
        AuthType shibboleth
        ShibUseHeaders On
        Require shibboleth
    </Location>

If you want to limit what uses the Shibboleth headers, /server/api/authn/shibboleth and /server/api/authn/login should suffice.

Added getBaseUrl to Utils
Fixed default value of authentication-shibboleth.lazysession.loginurl
Replace ConfigurationManager with ConfigurationService
Member

@benbosman benbosman left a comment


Thanks @atarix83 for the changes

I've tested the REST part (without Angular), and it worked correctly

I've reviewed the last changes as well, and I had a few questions for this:

  • If you'd be hosting on a different port number (not likely for PROD environments of course), I assume the getBaseUrl function won't work correctly. Can you:
    • add the port number in the getBaseUrl function
    • test the returned location is correct in AuthenticationRestControllerIT if authentication-shibboleth.lazysession.loginurl is modified to contain a port number
    • test the returned location is correct in AuthenticationRestControllerIT if authentication-shibboleth.lazysession.loginurl is modified to contain a full URL with hostname included
  • The getShibURL function doesn't verify the behavior if the URL is set to Shibboleth.sso/Login. Can you either adjust this in the getShibURL function or add some comments in authentication-shibboleth.cfg explaining the allowed formats

Comment thread dspace-api/src/main/java/org/dspace/authenticate/ShibAuthentication.java Outdated
Comment thread dspace-api/src/test/java/org/dspace/core/UtilsTest.java
Added port to getBaseUrl
Use configurationService to set default authentication-shibboleth.lazysession.loginurl in getShibURL method
Added methods to test shibboleth url using port
Added comments for authentication-shibboleth.lazysession.loginurl in authentication-shibboleth.cfg
@atarix83
Contributor Author

@benbosman
I've done the changes requested.

@atarix83
Contributor Author

@benbosman Did you test shibboleth authentication on a server after the upgrade to Java 11? I've tried to install this PR but it doesn't work; indeed, after being logged in with shibboleth, on redirect to DSpace I get a 403 Forbidden. This is not related to this implementation because the same behaviour also occurs on the demo REST server.
Could you let me know if that works for you?

Contributor

@paulo-graca paulo-graca left a comment


Thank you @atarix83 for this important contribution! It's working as expected!
I can see a
"WWW-Authenticate:
shibboleth realm="DSpace REST API",
,password realm="DSpace REST API"

@paulo-graca
Contributor

I've just created: https://jira.lyrasis.org/browse/DS-4464 to address the need of a Central Authentication Service Logout solution.

@benbosman
Member

@atarix83 how is the https://dspace7.4science.cloud currently configured to work with Shibboleth:

  • Are you using Apache 2.2, 2.4?
  • Are you using mod_http or mod_ajp to proxy to Tomcat?
  • Which config are you using in shib.conf?

I noticed I used to be able to use Shibboleth with the previous codebase: that was based on Apache 2.2, mod_ajp
I now use a new server, containing a more recent version of Java, tomcat, Apache 2.4, mod_ajp, and I am encountering the same issue. It seems like there's a conflict with the setup

@paulo-graca which setup are you using to test the Shibboleth integration?

Member

@benbosman benbosman left a comment


This works for me, I've also updated https://wiki.lyrasis.org/display/DSPACE/DSpace+7+Shibboleth+Configuration with my setup and the issue I encountered.

The only problem I still see is the warning I get in Chrome when using separate hostnames for REST and Angular:

A cookie associated with a cross-site resource at http://dspace7-rest.atmire.com/ was set without the SameSite attribute. A future release of Chrome will only deliver cookies with cross-site requests if they are set with SameSite=None and Secure. You can review cookies in developer tools under Application>Storage>Cookies and see more details at https://www.chromestatus.com/feature/5088147346030592 and https://www.chromestatus.com/feature/5633521622188032.

This can also be resolved in a follow-up PR.

@atarix83
Contributor Author

@benbosman
We are using Apache 2.4, tomcat 9.0.31 and mod_jk to proxy to tomcat.
How did you solve it?

@benbosman
Member

@atarix83 I don't use mod_jk, but rather mod_ajp
What solved the problem for me was to remove the attribute attributePrefix="AJP_" in the ApplicationDefaults of shibboleth2.xml
AFAIK, after logging in with Shibboleth, your requests are no longer sent to Tomcat, and I did encounter that problem as well when that attribute was present.

If that doesn't work, can you share your config similar to what Paulo did on the wiki?

@tdonohue
Member

Looks good to me, and I see this is already at +2 from Paulo & Ben. Instructions for setup are drafted at https://wiki.lyrasis.org/display/DSPACE/DSpace+7+Shibboleth+Configuration


Labels

authentication: Shibboleth Related to authentication via Shibboleth interface: REST API v7+ REST API for v7 and later (dspace-server-webapp module)
