Shibboleth login bypasses authSuccessHandler

Steps to reproduce:
1. Set up Opencast with Shibboleth authentication
2. Call admin UI, get IdP login form
3. Log in with non-admin account

Actual Results:
Non-admin user is being routed back to admin UI; Jetty throws an HTTP 403 error due to lack of user privileges.

Expected Results:
Non-admin user should be rerouted to engage UI as per Spring Security setting in .../etc/security/<tenant_org>.xml:

    <bean id="authSuccessHandler" class="org.opencastproject.kernel.security.AuthenticationSuccessHandler">
      <property name="securityService" ref="securityService" />
      <property name="welcomePages">
        <map>
          <entry key="ROLE_ADMIN" value="/admin-ng/index.html" />
          <entry key="ROLE_ADMIN_UI" value="/admin-ng/index.html" />
          <entry key="*" value="/engage/ui/index.html" /> <!-- Any role not listed explicitly will redirect here -->
        </map>
      </property>
    </bean>

Workaround (if any):
Log in with non-admin account, ignore 403 error, manually call engage UI.

===
Alternative for reproduction/testing:
1. Set up Opencast with Shibboleth authentication
2. Edit ../etc/security/<tenant_org>.xml in bean "authSuccessHandler" to route "ROLE_ADMIN" to some (any) other site/page
3. Call admin UI, get IdP login form
4. Log in with admin account

Actual Results:
Admin user is being routed to admin UI.

Expected Results:
Admin user should be rerouted to address given in authSuccessHandler for his role.

Workaround (if any):
None in this case, as this is just to show that authSuccessHandler is ignored when using Shibboleth authentication.

===
This bug is partially linked to MH-12714, but is a separate issue at its core.

Credits to Sven Stauber for pointing out the alternative reproduction steps on the German Users mailing list.

Status

Assignee

Unassigned

Reporter

Maxime Pedrotti

Severity

Incorrectly Functioning With Workaround

Tags (folksonomy)

None

Affects versions

4.1

Priority

Major