MH-12754

Shibboleth login bypasses authSuccessHandler

    Details

    • Severity:
      Incorrectly Functioning With Workaround
    • Steps to reproduce:
      1. Set up Opencast with Shibboleth authentication
      2. Call admin UI, get IdP login form
      3. Log in with non-admin account
       
       Actual Results:
      Non-admin user is being routed back to admin UI, Jetty throws an HTTP 403 error due to lack of user privileges.
       
       Expected Results:
      Non-admin user should be rerouted to engage UI as per Spring Security setting in .../etc/security/<tenant_org>.xml:
      <bean id="authSuccessHandler" class="org.opencastproject.kernel.security.AuthenticationSuccessHandler">
          <property name="securityService" ref="securityService" />
          <property name="welcomePages">
            <map>
              <entry key="ROLE_ADMIN" value="/admin-ng/index.html" />
              <entry key="ROLE_ADMIN_UI" value="/admin-ng/index.html" />
              <entry key="*" value="/engage/ui/index.html" /> <!-- Any role not listed explicitly will redirect here -->
            </map>
          </property>
        </bean>
       
       Workaround (if any):
      Log in with non-admin account, ignore 403 error, manually call engage UI.

      ===
      Alternative for reproduction/testing:
      1. Set up Opencast with Shibboleth authentication
      2. Edit ../etc/security/<tenant_org>.xml in bean "authSuccessHandler" to route "ROLE_ADMIN" to some (any) other site/page
      3. Call admin UI, get IdP login form
      4. Log in with admin account

       Actual Results:
      Admin user is being routed to admin UI.

       Expected Results:
      Admin user should be rerouted to address given in authSuccessHandler for his role.

       Workaround (if any):
      None in this case, as this is just to show that authSuccessHandler is ignored when using Shibboleth authentication.

      ===
      This bug is partially linked to MH-12714, but is a separate issue at its core.

      Credits to Sven Stauber for pointing out the alternative reproduction steps on the German Users mailing list.
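      An added regression check, not part of this issue or of Opencast's code: it parses the authSuccessHandler bean shown above, resolves the redirect the welcomePages map prescribes for a user's roles, and compares it with the Location a login actually produced, so both reproductions above can be turned into an automated check. It assumes that the first explicitly listed role a user holds wins and that "*" is the fallback; the wrapping <beans> root and the sample observations are constructed.

```python
"""Resolve the post-login redirect prescribed by an Opencast authSuccessHandler
welcomePages map and compare it with the redirect a login actually produced."""
import xml.etree.ElementTree as ET

# Constructed sample: the bean from the bug report, wrapped in a minimal root.
SECURITY_XML = """<beans>
  <bean id="authSuccessHandler" class="org.opencastproject.kernel.security.AuthenticationSuccessHandler">
    <property name="securityService" ref="securityService" />
    <property name="welcomePages">
      <map>
        <entry key="ROLE_ADMIN" value="/admin-ng/index.html" />
        <entry key="ROLE_ADMIN_UI" value="/admin-ng/index.html" />
        <entry key="*" value="/engage/ui/index.html" />
      </map>
    </property>
  </bean>
</beans>"""


def _local(tag):
    # Strip the Spring beans XML namespace if the real security file declares one.
    return tag.rsplit("}", 1)[-1]


def load_welcome_pages(xml_text, bean_id="authSuccessHandler"):
    """Return the welcomePages entries of the named bean as an ordered (role, url) list."""
    root = ET.fromstring(xml_text)
    for bean in root.iter():
        if _local(bean.tag) == "bean" and bean.get("id") == bean_id:
            for prop in bean:
                if _local(prop.tag) == "property" and prop.get("name") == "welcomePages":
                    return [(e.get("key"), e.get("value"))
                            for m in prop for e in m if _local(e.tag) == "entry"]
    raise ValueError("no welcomePages map found for bean %r" % bean_id)


def expected_redirect(roles, welcome_pages):
    """First explicitly listed role the user holds wins; '*' is the fallback.
    (Assumption: the report does not say how a multi-role user is resolved.)"""
    held = set(roles)
    for role, url in welcome_pages:
        if role != "*" and role in held:
            return url
    for role, url in welcome_pages:
        if role == "*":
            return url
    raise ValueError("no wildcard entry and no matching role")


def check_redirect(roles, observed_location, welcome_pages):
    """Compare the Location the server actually sent with the configured target."""
    expected = expected_redirect(roles, welcome_pages)
    return {"ok": observed_location == expected, "expected": expected, "observed": observed_location}
```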

            People

            • Assignee: Unassigned
            • Reporter: Maxime Pedrotti (maxime.pedrotti)