Versions Compared

Old Version 3

changes.mady.by.user Tim Donohue

Saved on

compared with

New Version 4

changes.mady.by.user Andrea Bollini (4Science)

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.
Comment: applied changes to the official demo after SameSite changes

...

In my local setup (Paulo Graça ), I'm using Apache/2.4.6 (CentOS) with Proxypass with this settings. This is also tested (Ben Bosman ) with Apache/2.4.41 (Amazon Linux 2) and (Andrea Bollini (4Science) ) in the offical demo with Apache 2 (Ubuntu 18.04LTS):

Code Block
<VirtualHost *:443>  
#(...)	
	<Proxy *>
		AddDefaultCharset Off
		Order deny,allow
		Allow from all
	</Proxy>

	# The Shibboleth handler shall process all HTTPS requests on this location...
    <Location /server/api/authn/shibboleth>
        Order deny,allow
        Allow from all
		AuthType shibboleth
        # this must be on
        ShibRequireSession On
		ShibUseHeaders On
		Require shibboleth
    </Location>
	# The Shibboleth handler shall process all HTTPS requests on this location...
    <Location /server/api/authn/login>
        Order deny,allow
        Allow from all
		AuthType shibboleth
		# this require to be off otherwise the available auth methods will be not visible
        ShibRequireSession Off
		ShibUseHeaders On
		Require shibboleth
    </Location>	

    #Adding SSL Proxy Engine On
    SSLProxyEngine on
	ProxyRequests off
    ProxyPreserveHost On

	# A specific configuration for shibboleth proxypass
	ProxyPass /Shibboleth.sso !

	# A specific proxypass configuration for DSpace server (both server and angular on the same machine)
	ProxyPass /server ajp://localhost:8009/server
	ProxyPassReverse /server ajp://localhost:8009/server

	# A specific proxypass configuration for Angular
	ProxyPass / http://localhost:3000/
	ProxyPassReverse / http://localhost:3000/
#(...)
</VirtualHost>

...

When using separate hostnames for REST and Angular, more configuration is required on the REST Apache to make sure you allow requests from the given hostname. The configuration below allows access from localhost:3000 4000 and dspace7-demo.atmire.com (tested by Ben Bosman)as used in the official DSpace 7 Demo where the REST API is hosted at a different domain dspace7.4science.it 

Code Block
titleApache config
SetEnvIf Origin "^http(s)?://(www\.)?(dspace7\-demo\.atmire\.com|localhost\:3000|127\.0\.0\.1\:3000)$" AccessControlAllowOrigin=$0
  Header set Access-Control-Allow-Origin %{AccessControlAllowOrigin}e env=AccessControlAllowOrigin
  Header set Access-Control-Allow-Credentials true env=AccessControlAllowOrigin
  Header set Access-Control-Expose-Headers: "Authorization, expires, Location, Content-Disposition, WWW-Authenticate, Set-Cookie, X-Requested-With"
  Header merge Vary Origin

Also make sure you don't have a Proxy for http://localhost:3000/ if you're testing from http://localhost:3000/

...

A cookie associated with a cross-site resource at http://dspace7-rest.atmire.com/ was set without the `SameSite` attribute. A future release of Chrome will only deliver cookies with cross-site requests if they are set with `SameSite=None` and `Secure`. You can review cookies in developer tools under Application>Storage>Cookies and see more details at https://www.chromestatus.com/feature/5088147346030592 and https://www.chromestatus.com/feature/5633521622188032.


A custom context.xml is currently needed for tomcat to allow cookie to full work across domain, this is the current configuration on the official DSpace7 demo

Code Block
languagexml
<?xml version="1.0" encoding="UTF-8"?>
<Context>
 ...
     <CookieProcessor sameSiteCookies="none" />
 ...
</Context>

Finally, shibboleth seems to require to be configured to manage the SameSite=None property in its cookies to work properly with DSpace. Please note that this is not what the shibboleth community recommend but it is the result of our current investigation according to the dspace source code at the time of writing, see https://wiki.shibboleth.net/confluence/display/SP3/SameSite

Moreover, on the demo, as the shibboleth daemon version doesn't support the specific attribute sameSiteSession (see  https://wiki.shibboleth.net/confluence/display/SP3/Sessions)

we have applied a workaround settings cookieProps as follow


Code Block
titleshibboleth2.xml
...
<Sessions lifetime="28800" timeout="3600" relayState="ss:mem"
		checkAddress="false" handlerSSL="false" cookieProps="; path=/; SameSite=None; Secure; HttpOnly">
...


Related resources

Content by Label
showLabelsfalse
max5
spacesDSPACE
showSpacefalse
sortmodified
reversetrue
typepage
cqllabel = "shibboleth" and type = "page" and space = "DSPACE"
labelsshibboleth

...