HttpHeaderTester PAGS tester


Andrew Petro

Mar 26, 2019, 3:43:31 PM
to uPortal Community
Hi,

MyUW, based on uPortal 4.2.1, receives some group memberships via a multi-valued HTTP header "ismemberof". It flows from UW's localized Grouper ("Manifest"), through the Shibboleth IdP, through the Shibboleth SP, to MyUW.

We're trying out a custom PAGS "Tester" class to more cleanly check whether that header indicates a user is in a given group.


Regular expressions are hard.
StringContainsTester is tempting but doesn't get the check quite correct.

The not-quite-correct-ness bit MyUW in production recently, which is the motivation for switching to a Tester that makes it easier to configure correctly.

This new HttpHeaderTester is as easy to configure as StringContainsTester, but checks more carefully to avoid the StringContainsTester false positive case.

Sharing the code in case anyone else finds it useful. It might even spare someone a production incident...

-Andrew

Pascal Rigaux

Mar 27, 2019, 4:32:24 AM
to uporta...@apereo.org
Hi,

Two remarks:

- person-directory-impl 1.6.0 has the following fix:
https://apereo.atlassian.net/browse/PERSONDIR-61
person-directory-impl 1.6.0 is included since uportal 4.2.0. So
you should be able to simply use StringEqualsTester

- the "standard" for HTTP headers is comma separated values (RFC
7230). semicolon separated values is a shibboleth-SP convention. So
our HttpHeaderTester is still needed, it should have another name
(ShibHeaderTester?)

cu

PS: we had a similar issue in our CMS plugin, it was using substring
comparison :-(

'Andrew Petro' via uPortal Community <uporta...@apereo.org> wrote:
--
Pascal Rigaux
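
The difference between a substring check and a whole-value check on a semicolon-separated header, as an added example that is not part of the thread and is not the HttpHeaderTester code Andrew shared. The class and method names are hypothetical, the group names are constructed, and treating `\;` as an escaped semicolon inside a value is an assumption about how the Shibboleth SP encodes values.

```java
import java.util.ArrayList;
import java.util.List;

/** Hypothetical stand-alone sketch; it does not implement uPortal's PAGS tester interface. */
public class HeaderGroupCheck {

    /** Split a header value on ';', treating "\;" as a literal semicolon (assumed escaping). */
    static List<String> splitValues(String header) {
        List<String> values = new ArrayList<>();
        if (header == null) {
            return values;
        }
        StringBuilder current = new StringBuilder();
        for (int i = 0; i < header.length(); i++) {
            char c = header.charAt(i);
            if (c == '\\' && i + 1 < header.length() && header.charAt(i + 1) == ';') {
                current.append(';');
                i++; // skip the escaped semicolon
            } else if (c == ';') {
                if (current.length() > 0) values.add(current.toString());
                current.setLength(0);
            } else {
                current.append(c);
            }
        }
        if (current.length() > 0) values.add(current.toString());
        return values;
    }

    /** Substring check: matches whenever the group name appears anywhere in the header. */
    static boolean containsCheck(String header, String group) {
        return header != null && header.contains(group);
    }

    /** Whole-value check: a member only if one separated value equals the group exactly. */
    static boolean exactCheck(String header, String group) {
        return splitValues(header).contains(group);
    }

    public static void main(String[] args) {
        // Constructed sample: the user is in "..._pending" and "staff", not in "portal_admins".
        String header = "uw:domain:example:portal_admins_pending;uw:domain:example:staff";
        String group = "uw:domain:example:portal_admins";
        System.out.println("contains: " + containsCheck(header, group));
        System.out.println("exact:    " + exactCheck(header, group));
    }
}
```

With the constructed header, the substring check reports membership because the requested group name is a prefix of another group's name, while the whole-value check does not.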

Andrew Petro

Mar 27, 2019, 7:45:49 AM
to uPortal Community
Pascal,

Interesting, thanks for this.

-Andrew


Andrew Petro

Mar 27, 2019, 12:27:35 PM
to uPortal Community
Pascal,

You're quite right.

I put together an enhanced uPortal 4.2 Snooper that displays user attributes, and it indeed shows that ismemberof is coming through as a multi-valued user attribute. MyUW could have been using the included StringEqualsTester and saved some trouble.

Thanks,

Andrew