Re: [uportal-user] HttpHeaderTester PAGS tester

Pascal Rigaux
Hi,

Two remarks:

- person-directory-impl 1.6.0 has the following fix:  
https://apereo.atlassian.net/browse/PERSONDIR-61
   person-directory-impl 1.6.0 is included since uportal 4.2.0 . So  
you should be able to simply use StringEqualsTester

- the "standard" for HTTP headers is comma separated values (RFC  
7230). semicolon separated values is a shibboleth-SP convention. So  
our HttpHeaderTester is still needed, it should have another name  
(ShibHeaderTester?)

cu

PS: we had a similar issue in our CMS plugin, it was using substring  
comparison :-(

'Andrew Petro' via uPortal Community <[hidden email]> wrote:

> Hi,
>
> MyUW, based on uPortal 4.2.1, receives some group memberships via a
> multi-valued HTTP header "ismemberof". It flows from UW's localized Grouper
> ("Manifest"), through the Shibboleth IdP, through the Shibboleth SP, to
> MyUW.
>
> We're trying out a custom PAGS "Tester" class to more cleanly check whether
> that header indicates a user is in a given group.
>
> https://gist.github.com/apetro/cf1f3392ef12a3cc754f4c21d0447e82
>
> Regular expressions are hard.
> StringContainsTester is tempting but doesn't get the check quite correct.
>
> The not-quite-correct-ness bit MyUW in production recently, which is the
> motivation for switching to a Tester that makes it easier to configure
> correctly.
>
> This new HttpHeaderTester is as easy to configure as StringContainsTester,
> but checks more carefully to avoid the StringContainsTester false positive
> case.
>
> Sharing the code in case anyone else finds it useful. It might even spare
> someone a production incident...
>
> -Andrew


--
Pascal Rigaux

--
You received this message because you are subscribed to the Google Groups "uPortal Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [hidden email].
Visit this group at https://groups.google.com/a/apereo.org/group/uportal-user/.
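
The false positive discussed in this thread, as an added example (not the code from the gist, uPortal or person-directory): a substring test on a semicolon-separated Shibboleth SP header compared with a whole-value test. The class and method names are hypothetical and the group names are constructed; the splitter assumes the Shibboleth SP convention of escaping a literal semicolon inside a value as "\;".

```java
import java.util.ArrayList;
import java.util.List;

public class ShibHeaderMembershipDemo {

    // Split a Shibboleth SP multi-valued header on ';'; "\;" is a literal semicolon.
    static List<String> splitShibValues(String header) {
        List<String> values = new ArrayList<>();
        if (header == null) return values;
        StringBuilder cur = new StringBuilder();
        for (int i = 0; i < header.length(); i++) {
            char c = header.charAt(i);
            if (c == '\\' && i + 1 < header.length() && header.charAt(i + 1) == ';') {
                cur.append(';');   // escaped semicolon belongs to the value
                i++;
            } else if (c == ';') {
                if (cur.length() > 0) values.add(cur.toString());
                cur.setLength(0);
            } else {
                cur.append(c);
            }
        }
        if (cur.length() > 0) values.add(cur.toString());
        return values;
    }

    // Substring test: true whenever the group name appears anywhere in the header.
    static boolean substringCheck(String header, String group) {
        return header != null && header.contains(group);
    }

    // Whole-value test: true only if one complete header value equals the group name.
    static boolean wholeValueCheck(String header, String group) {
        return splitShibValues(header).contains(group);
    }

    public static void main(String[] args) {
        // Constructed header: member of "staff-retired" and "students", not of "staff".
        String header = "example:app:staff-retired;example:app:students";
        String[] groups = { "example:app:staff", "example:app:students", "app:students" };
        for (String g : groups) {
            System.out.printf("%-22s substring=%-5b wholeValue=%b%n",
                    g, substringCheck(header, g), wholeValueCheck(header, g));
        }
    }
}
```

The substring test grants "example:app:staff" because it is a prefix of "example:app:staff-retired", and grants "app:students" because it is a suffix of a real value; the whole-value test grants only "example:app:students".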
Andrew Petro-3
Pascal,

Interesting, thanks for this.

-Andrew

On Wednesday, March 27, 2019 at 3:32:24 AM UTC-5, pascal.rigaux wrote:
Hi,

Two remarks:

- person-directory-impl 1.6.0 has the following fix:  
https://apereo.atlassian.net/browse/PERSONDIR-61
   person-directory-impl 1.6.0 is included since uportal 4.2.0 . So  
you should be able to simply use StringEqualsTester

- the "standard" for HTTP headers is comma separated values (RFC  
7230). semicolon separated values is a shibboleth-SP convention. So  
our HttpHeaderTester is still needed, it should have another name  
(ShibHeaderTester?)

cu

PS: we had a similar issue in our CMS plugin, it was using substring  
comparison :-(

'Andrew Petro' via uPortal Community wrote:

> Hi,
>
> MyUW, based on uPortal 4.2.1, receives some group memberships via a
> multi-valued HTTP header "ismemberof". It flows from UW's localized Grouper
> ("Manifest"), through the Shibboleth IdP, through the Shibboleth SP, to
> MyUW.
>
> We're trying out a custom PAGS "Tester" class to more cleanly check whether
> that header indicates a user is in a given group.
>
> https://gist.github.com/apetro/cf1f3392ef12a3cc754f4c21d0447e82
>
> Regular expressions are hard.
> StringContainsTester is tempting but doesn't get the check quite correct.
>
> The not-quite-correct-ness bit MyUW in production recently, which is the
> motivation for switching to a Tester that makes it easier to configure
> correctly.
>
> This new HttpHeaderTester is as easy to configure as StringContainsTester,
> but checks more carefully to avoid the StringContainsTester false positive
> case.
>
> Sharing the code in case anyone else finds it useful. It might even spare
> someone a production incident...
>
> -Andrew


--
Pascal Rigaux
