Inconsistent Shibboleth Assigned Roles


TroyStearnes(UniSA)

Apr 10, 2013, 8:53:03 PM
to redbo...@googlegroups.com
Hi,
 
Now that we have the Shibboleth login working, we have noticed that there are some inconsistencies in the functionality after being assigned the roles. We have set up a local user in ReDBox with the roles: librarian, guest and reviewer. This user was able to view/open records in the Investigation phase. However, assigning these roles through the Shibboleth Role Manager does not work in the same way. While we can view the list, we cannot access the records, but rather see "Sorry XXXXXXXX, but you don't have access to view this item." This is also affecting the ability to see the Metadata Review records, although we can view published records.
 
I have checked, and the roles are spelt correctly, although the order in the list is different.
The Shibboleth user has:
  • librarian
  • guest
  • reviewer             
While the local user has:
  • reviewer
  • librarian
  • guest
Does anyone know how to get this working correctly? I have tried assigning the user roles in different orders (same result), and also assigning multiple rows in a single block. Assigning in a single block either caused ReDBox to display an error, or assigned the role as "reviewer, librarian, guest".
 
Thank you
 
Troy

Marianne Brown

Apr 10, 2013, 9:13:57 PM
to ReDBox User List
Hi Troy,

We have found that we need to add guest explicitly in the shibboleth config.  

"SimpleShibbolethRoleManager":{
    "reviewer":[
        [
            ["auEduPersonSharedToken", "is", "xxxxxxxx", "Joe Smith"]
        ],
        [
            ["auEduPersonSharedToken", "is", "yyyyyyyy", "Jane Green"]
        ]
    ],
    "admin":[
        [
            ["auEduPersonSharedToken", "is", "zzzzzzzzz", "John Jones"]
        ]
    ],
    "guest":[
        [
            ["Shib-Identity-Provider", "is", "https://idp.myuni.edu.au/idp/shibboleth", "My University"]
        ]
    ],
    "librarian":[
        [
            ["auEduPersonSharedToken", "is", "aaaaaaaaaa", "Janet White"]
        ]
    ]
}

When John Jones logs in and views his user data, in the roles section he will now see "guest" twice - but you get the behaviour you would normally expect of admins being able to see what guests see.


--
Marianne Brown
marianne...@gmail.com
Mobile: 0403 889 478
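To see how a config block in the shape above turns a user's Shibboleth attributes into a role list (and why "guest" shows up twice when an automatic guest role is also appended), here is an added evaluator written for this thread; it is not the SimpleShibbolethRoleManager code, the attribute values are placeholders, and the rules-AND / blocks-OR semantics are an assumption.

```python
import json

# Constructed excerpt in the same shape as the SimpleShibbolethRoleManager
# block from the thread; the token values are placeholders, not real ones.
CONFIG = json.loads("""{
  "reviewer":  [[["auEduPersonSharedToken", "is", "xxxxxxxx", "Joe Smith"]],
                [["auEduPersonSharedToken", "is", "yyyyyyyy", "Jane Green"]]],
  "admin":     [[["auEduPersonSharedToken", "is", "zzzzzzzzz", "John Jones"]]],
  "guest":     [[["Shib-Identity-Provider", "is",
                  "https://idp.myuni.edu.au/idp/shibboleth", "My University"]]],
  "librarian": [[["auEduPersonSharedToken", "is", "aaaaaaaaaa", "Janet White"]]]
}""")

def rule_matches(rule, attrs):
    """One rule is [attribute, operator, value, label]; only 'is' is modelled."""
    attr, op, value, _label = rule
    if op != "is":
        raise ValueError("operator not modelled here: " + op)
    return attrs.get(attr) == value

def roles_for(attrs, config=CONFIG, automatic=()):
    """Roles granted for a set of Shibboleth attributes.

    Assumed semantics: a role is granted when any of its blocks matches, and a
    block matches when every rule inside it matches. Roles that ReDBox adds
    automatically (e.g. guest) are appended afterwards, which is why a user
    who also gets guest from the IdP rule sees it listed twice.
    """
    granted = [role for role, blocks in config.items()
               if any(all(rule_matches(r, attrs) for r in block) for block in blocks)]
    return granted + list(automatic)
```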


--
-- Website: http://www.redboxresearchdata.com.au
 
You received this message because you are subscribed to the Google Groups ReDBox group. To post to this group, send email to redbo...@googlegroups.com. To unsubscribe from this group, send email to redbox-repo...@googlegroups.com. For more options, visit this group at https://groups.google.com/d/forum/redbox-repo?hl=en


TroyStearnes(UniSA)

Apr 10, 2013, 10:09:22 PM
to redbo...@googlegroups.com
Thanks Marianne,
unfortunately, we had already added guest via Shibboleth, so that's not it. We have removed the "guest" role from being automatically given when opening ReDBox. This means that it only shows up once. We have done this so that it enforces a login to use the system/view any data (currently accessing will display the header and a message to login, rather than the normal main content).
 
I have tried putting the automatic guest role back in, but it has the same issue.
Troy

Grant Jackson

Apr 10, 2013, 10:19:58 PM
to redbo...@googlegroups.com
Hi Troy,

FYI, I usually get the message "you don't have access to view this item" when I forget to flick back to the "Everything" view in ReDBox.

Cheers, Grant


TroyStearnes(UniSA)

Apr 10, 2013, 10:31:53 PM
to redbo...@googlegroups.com
Hi Grant,
 
Just double checked, and it was in the "Everything" view still.
 
Regards
 
Troy

TroyStearnes(UniSA)

Apr 11, 2013, 2:09:55 AM
to redbo...@googlegroups.com
Am I right in assuming that the roles set up in Shibboleth should correspond to those in ReDBox? A local user with the reviewer role can view/open records in the Investigation phase. However, someone set up via Shibboleth cannot. It looks like the role isn't being correctly given.
Troy

Nigel Bajema

Apr 11, 2013, 2:39:59 AM
to redbo...@googlegroups.com
Hi,

Have a look in the solr index at the object you are trying to view


where <OBJECT_ID> is replaced with the objects id (generally visible in the url when trying to look at it).
for example, in the url:


<OBJECT_ID> is 11c7f81fe9c2177963c048f3953237bf 

You are specifically looking for the security_filter, security_exception, and owner fields.

For example one of our objects has:
<arr name="security_filter">
    <str>guest</str>
</arr>

(it would seem it does not have security_exception and owner set)

You then want to look at the home/logs/main.log file for the SolrSearcher queries that ReDBoX is running.

The following log snippets are for a user with the "librarian" role provided by shibboleth

Shibboleth log:
2013-04-11 16:22:23,664          TRACE  hibbolethRoleManager Entry Count: 0 Size: 1
2013-04-11 16:22:23,664          TRACE  Shibboleth           Role Manager: SimpleShibbolethRoleManager provided the roles: [librarian]
2013-04-11 16:22:23,664          DEBUG  Shibboleth           Role List: [librarian]

Viewing home:
==> home/logs/main.log <==
2013-04-11 16:21:31,566          DEBUG  SolrSearcher         URL:http://localhost:9000/solr/fascinator/select, POSTDATA:[name=q, value=*:*, name=facet, value=true, name=facet.field, value=workflow_step, name=wt, value=json, name=fq, value=item_type:"object", name=fq, value=-display_type:attachment, name=fq, value=, name=fq, value=(security_filter:("librarian" OR "guest")) OR (security_exception:"AAAAAAAAAAAAAAAA") OR (owner:"AAAAAAAAAAAAAAAA"), name=rows, value=0]

Viewing the Object (which gives access denied):
==> home/logs/main.log <==
2013-04-11 16:22:23,664          DEBUG  SolrSearcher         URL:http://localhost:9000/solr/fascinator/select, POSTDATA:[name=q, value=id:"7da2c958e91195d1ad29d63146bf26ad", name=wt, value=json, name=fq, value=item_type:"object", name=fq, value=-display_type:attachment, name=fq, value=owner:qTdNYp0PwBh83G44I05Rtb9HXdI OR security_filter:(librarian)]

The following log snippets are for a user with the "librarian" and the "guest" role provided by shibboleth

Shibboleth log:
2013-04-11 16:31:05,891 main     TRACE  hibbolethRoleManager Entry Count: 0 Size: 1
2013-04-11 16:31:05,891 main     TRACE  Shibboleth           Role Manager: SimpleShibbolethRoleManager provided the roles: [librarian, guest]
2013-04-11 16:31:05,892 main     DEBUG  Shibboleth           Role List: [librarian, guest]
 
 
Viewing home:
==> home/logs/main.log <==
2013-04-11 16:29:36,663 main     DEBUG  SolrSearcher         URL:http://localhost:9000/solr/fascinator/select, POSTDATA:[name=q, value=*:*, name=facet, value=true, name=facet.field, value=workflow_step, name=wt, value=json, name=fq, value=item_type:"object", name=fq, value=-display_type:attachment, name=fq, value=, name=fq, value=(security_filter:("librarian" OR "guest" OR "guest")) OR (security_exception:"AAAAAAAAAAAAAAAA") OR (owner:"AAAAAAAAAAAAAAAA"), name=rows, value=0]

Viewing the Object (which gives access granted):
==> home/logs/main.log <==
2013-04-11 16:32:46,484 main     DEBUG  SolrSearcher         URL:http://localhost:9000/solr/fascinator/select, POSTDATA:[name=q, value=id:"7da2c958e91195d1ad29d63146bf26ad", name=wt, value=json, name=fq, value=item_type:"object", name=fq, value=-display_type:attachment, name=fq, value=owner:qTdNYp0PwBh83G44I05Rtb9HXdI OR security_filter:(librarian OR guest)]
 
You need to get the queries to match your security_filter or owner values.

Viewing these log files is how I debug these kinds of issues.

Hope that helps.

Nigel.
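The check Nigel describes, comparing the fq clause from main.log against the record's own security_filter and owner fields, as an added helper written for this thread (not ReDBox or Fascinator code). The sample records are constructed; the detail-view fq on the page carries only owner and security_filter, so that is all the matcher consults. It also covers the case Troy mentions where three roles were stored as the single string "reviewer, librarian, guest".

```python
import re

# Constructed index records (not real ReDBox data) keyed by object id, using
# the security_filter and owner fields from the detail-view fq in main.log.
SAMPLE_DOCS = {
    "7da2c958e91195d1ad29d63146bf26ad": {
        "security_filter": ["guest"], "owner": ""},
    "11c7f81fe9c2177963c048f3953237bf": {
        "security_filter": ["reviewer", "librarian"],
        "owner": "qTdNYp0PwBh83G44I05Rtb9HXdI"},
    # The broken case from the thread: three roles stored as one string, so
    # no single role name can ever match it.
    "constructed-bad-roles": {
        "security_filter": ["reviewer, librarian, guest"], "owner": ""},
}

def build_fq(username, roles):
    """Rebuild the detail-view fq clause in the shape main.log prints it."""
    return "owner:%s OR security_filter:(%s)" % (username, " OR ".join(roles))

def parse_fq(fq):
    """Parse a logged fq clause (copied from main.log) back into (owner, [roles])."""
    m = re.fullmatch(r"owner:(\S+) OR security_filter:\((.*)\)", fq)
    if not m:
        raise ValueError("unexpected fq shape: " + fq)
    return m.group(1), m.group(2).split(" OR ")

def doc_matches(doc, fq):
    """True if Solr would return this record for the logged filter query."""
    owner, roles = parse_fq(fq)
    return doc["owner"] == owner or bool(set(roles) & set(doc["security_filter"]))

def diagnose(doc_id, username, roles, docs=SAMPLE_DOCS):
    """Return (granted, fq, reason) for one user viewing one record."""
    doc = docs[doc_id]
    fq = build_fq(username, roles)
    if doc_matches(doc, fq):
        return True, fq, "ok"
    needed = sorted(set(doc["security_filter"]) - set(roles))
    return False, fq, "needs one of %s or owner %r" % (needed, doc["owner"])
```

Paste a real fq from main.log into parse_fq and a record's fields into a dict to reproduce a denial offline before touching the role configuration.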

TroyStearnes(UniSA)

Apr 11, 2013, 2:52:14 AM
to redbo...@googlegroups.com
Thanks for the response Nigel,
 
We've just come across that. With the roles reviewer, librarian and guest given to the user, the page in question also had "reviewer, librarian, guest" as required roles. Looking at the main.log, there is an error causing a mismatch (it assumes the role is guest and says the user has no access, as shown on the last line of the log). Looking at when the user logs in, the user is seen to have all the correct roles (as per the first line of the log). However, when the user goes to view a detail, the error occurs and only records with the guest role can be seen.
 
Regards
 
Troy
main.log.txt

Nigel Bajema

Apr 15, 2013, 8:48:32 PM
to redbo...@googlegroups.com
Hi Troy,

I have never seen that error.

What version of RedBoX are you running?
Because it would seem that you are using fascinator-1.1.1 (only because that is the most recent tag that calls authManager.getUser(username) at line 322) see:
https://github.com/the-fascinator/the-fascinator/blob/the-fascinator-1.1.1/portal/src/main/java/com/googlecode/fascinator/portal/services/impl/PortalSecurityManagerImpl.java#L322

We are running ReDBoX 1.5.2.2 which uses  fascinator-1.1.2.

When you are logged in with Shibboleth and you click on the username, what does your Shibboleth user have in the Origin field?
Because from the stack trace:

2013-04-11 16:01:03,548          ERROR  Indexer              Failed to get user access, assuming guest access
com.googlecode.fascinator.api.authentication.AuthenticationException: User 'l_FzacFVz-V8xtH2ZT1XYf4nhdU' not found.
at com.googlecode.fascinator.AuthenticationManager.getUser(AuthenticationManager.java:389) ~[fascinator-core-1.1.1.jar:na]
at $AuthManager_13df7b148bc.getUser($AuthManager_13df7b148bc.java) ~[tapestry-ioc-5.1.0.5.jar:na]
at com.googlecode.fascinator.portal.services.impl.PortalSecurityManagerImpl.getUser(PortalSecurityManagerImpl.java:322) ~[fascinator-portal-1.1.1.warpath.jar:na]

it would appear that since it is getting to line 322 that the if statement on line 291:

        // SSO Users
        if (sso.containsKey(source)) {
            GenericUser user = (GenericUser) sso.get(source).getUserObject(session);
            // Sanity check our data
            if (user == null || !user.getUsername().equals(username)) {
                throw new AuthenticationException(
                        "Unknown user '" + username + "'");
            }
            return user;
        }
is evaluating sso.containsKey(source) to false and so tries to get the user from the internal Auth provider, which of course doesn't exist.

Nigel
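To make the failure path Nigel traces concrete, here is an added Python model of the quoted getUser branch and of the indexer's "assuming guest access" fallback; it is an illustration written for this thread, not Fascinator's code, and the class and method names are assumed.

```python
class AuthenticationException(Exception):
    pass

class GenericUser:
    def __init__(self, username, source):
        self.username, self.source = username, source

class SsoProvider:
    """Stand-in for an SSO plugin that keeps the logged-in user in the session."""
    def __init__(self, user):
        self._user = user
    def get_user_object(self, session):
        return self._user

class PortalSecurityManagerModel:
    def __init__(self, sso, internal_users):
        self.sso = sso                   # source name -> SsoProvider
        self.internal = internal_users   # username -> GenericUser (local accounts)

    def get_user(self, session, username, source):
        # Mirrors the quoted "SSO Users" branch: the plugin is only consulted
        # when the session's source is a registered SSO key.
        if source in self.sso:
            user = self.sso[source].get_user_object(session)
            if user is None or user.username != username:
                raise AuthenticationException("Unknown user '%s'" % username)
            return user
        # Otherwise the lookup falls through to the internal auth manager,
        # where a Shibboleth-only user has no account; this is the
        # "User '...' not found." seen in the stack trace.
        if username not in self.internal:
            raise AuthenticationException("User '%s' not found." % username)
        return self.internal[username]

def effective_roles(manager, session, username, source, sso_roles):
    """Roles the indexer ends up filtering with.

    When the user lookup succeeds the SSO-provided roles are used; when it
    raises, the indexer logs "Failed to get user access, assuming guest
    access" and only guest-visible records are returned.
    """
    try:
        manager.get_user(session, username, source)
        return list(sso_roles)
    except AuthenticationException:
        return ["guest"]
```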

TroyStearnes(UniSA)

Apr 15, 2013, 8:56:37 PM
to redbo...@googlegroups.com

On Tuesday, April 16, 2013 10:18:32 AM UTC+9:30, Nigel Bajema wrote:
> Hi Troy,
>
> I have never seen that error.
>
> What version of RedBoX are you running?
We are currently running 1.5.1.
> Because it would seem that you are using fascinator-1.1.1 (only because that is the most recent tag that calls authManager.getUser(username) at line 322) see:
> https://github.com/the-fascinator/the-fascinator/blob/the-fascinator-1.1.1/portal/src/main/java/com/googlecode/fascinator/portal/services/impl/PortalSecurityManagerImpl.java#L322
>
> We are running ReDBoX 1.5.2.2 which uses fascinator-1.1.2.
>
> When you are logged in with Shibboleth and you click on the username, what does your Shibboleth user have in the Origin field?
The Origin field displays "Shibboleth"

Nigel Bajema

Apr 16, 2013, 3:15:55 AM
to redbo...@googlegroups.com
Hi Troy,

It may be a version issue, I will try with redbox 1.5.1

Nigel

TroyStearnes(UniSA)

Apr 16, 2013, 3:17:00 AM
to redbo...@googlegroups.com
Hi Nigel,
 
Thanks for your help with this - with this information, we updated to version 1.6, which uses fascinator-1.1.3. This seems to have resolved those issues with Shibboleth.
 
Thanks again
 
Troy

Nigel Bajema

Apr 16, 2013, 3:20:10 AM
to redbo...@googlegroups.com
Hi Troy,

That is good to hear.

Nigel.

Duncan Dickinson

Apr 16, 2013, 6:36:32 PM
to ReDBox User List
Hi Troy and Nigel,

Just a quick note to thank you for working this through via the list - it's really helpful and I appreciate the time you've taken.

Cheers,

Duncan


Duncan Dickinson
QCIF Project Manager 
Central Queensland University

Contact me:
monday to thursday
ph: 07 3138 2084
m: 0432 402 511
skype: de.dickinson
