Shibboleth login bypasses authSuccessHandler

Steps to reproduce:
1. Set up Opencast with Shibboleth authentication
2. Call admin UI, get IdP login form
3. Log in with non-admin account

Actual Results:
Non-admin user is being routed back to admin UI; Jetty throws an HTTP 403 error due to lack of user privileges.

Expected Results:
Non-admin user should be rerouted to engage UI as per Spring Security setting in .../etc/security/<tenant_org>.xml:

    <bean id="authSuccessHandler" class="">
      <property name="securityService" ref="securityService" />
      <property name="welcomePages">
        <map>
          <entry key="ROLE_ADMIN" value="/admin-ng/index.html" />
          <entry key="ROLE_ADMIN_UI" value="/admin-ng/index.html" />
          <entry key="*" value="/engage/ui/index.html" /> <!-- Any role not listed explicitly will redirect here -->
        </map>
      </property>
    </bean>

Workaround (if any):
Log in with non-admin account, ignore 403 error, manually call engage UI.

Alternative for reproduction/testing:
1. Set up Opencast with Shibboleth authentication
2. Edit ../etc/security/<tenant_org>.xml in bean "authSuccessHandler" to route "ROLE_ADMIN" to some (any) other site/page
3. Call admin UI, get IdP login form
4. Log in with admin account

Actual Results:
Admin user is being routed to admin UI.

Expected Results:
Admin user should be rerouted to address given in authSuccessHandler for his role.

Workaround (if any):
None in this case, as this is just to show that authSuccessHandler is ignored when using Shibboleth authentication.

This bug is partially linked to MH-12714, but is a separate issue at its core.

Credits to Sven Stauber for pointing out the alternative reproduction steps on the German Users mailing list.

Maxime Pedrotti


Incorrectly Functioning With Workaround