...
In my local setup (Paulo Graça), I'm using Apache/2.4.6 (CentOS) with ProxyPass and the following settings. This has also been tested by Ben Bosman with Apache/2.4.41 (Amazon Linux 2) and by Andrea Bollini (4Science) in the official demo with Apache 2 (Ubuntu 18.04 LTS):
```apache
<VirtualHost *:443>
    #(...)
    <Proxy *>
        AddDefaultCharset Off
        Order deny,allow
        Allow from all
    </Proxy>

    # The Shibboleth handler shall process all HTTPS requests on this location...
    <Location /server/api/authn/shibboleth>
        Order deny,allow
        Allow from all
        AuthType shibboleth
        # this must be on
        ShibRequireSession On
        ShibUseHeaders On
        Require shibboleth
    </Location>

    # The Shibboleth handler shall process all HTTPS requests on this location...
    <Location /server/api/authn/login>
        Order deny,allow
        Allow from all
        AuthType shibboleth
        # this must be off, otherwise the available auth methods will not be visible
        ShibRequireSession Off
        ShibUseHeaders On
        Require shibboleth
    </Location>

    # Enable the SSL proxy engine
    SSLProxyEngine on
    ProxyRequests off
    ProxyPreserveHost On

    # A specific configuration for shibboleth proxypass:
    # /Shibboleth.sso is excluded from proxying so mod_shib handles it locally
    ProxyPass /Shibboleth.sso !

    # A specific proxypass configuration for DSpace server (both server and angular on the same machine)
    ProxyPass /server ajp://localhost:8009/server
    ProxyPassReverse /server ajp://localhost:8009/server

    # A specific proxypass configuration for Angular
    ProxyPass / http://localhost:3000/
    ProxyPassReverse / http://localhost:3000/
    #(...)
</VirtualHost>
```
...
When using separate hostnames for REST and Angular, more configuration is required on the REST Apache to make sure you allow requests from the given hostname. The configuration below allows access from localhost:3000, 4000 and dspace7-demo.atmire.com (tested by Ben Bosman), as used in the official DSpace 7 demo, where the REST API is hosted at a different domain, dspace7.4science.it:
```apache
# Echo the Origin back only when it matches the anchored allowlist; the env var
# stays unset for any other Origin, so the Allow-* headers below are not emitted
SetEnvIf Origin "^http(s)?://(www\.)?(dspace7\-demo\.atmire\.com|localhost\:3000|127\.0\.0\.1\:3000)$" AccessControlAllowOrigin=$0
Header set Access-Control-Allow-Origin %{AccessControlAllowOrigin}e env=AccessControlAllowOrigin
Header set Access-Control-Allow-Credentials true env=AccessControlAllowOrigin
Header set Access-Control-Expose-Headers "Authorization, expires, Location, Content-Disposition, WWW-Authenticate, Set-Cookie, X-Requested-With"
# Tell caches that the response varies by Origin
Header merge Vary Origin
```
Also make sure you don't have a Proxy for http://localhost:3000/ if you're testing from http://localhost:3000/.
...
A cookie associated with a cross-site resource at http://dspace7-rest.atmire.com/ was set without the `SameSite` attribute. A future release of Chrome will only deliver cookies with cross-site requests if they are set with `SameSite=None` and `Secure`. You can review cookies in developer tools under Application>Storage>Cookies and see more details at https://www.chromestatus.com/feature/5088147346030592 and https://www.chromestatus.com/feature/5633521622188032.
A custom context.xml is currently needed for Tomcat to allow cookies to fully work across domains; this is the current configuration on the official DSpace 7 demo:
```xml
<?xml version="1.0" encoding="UTF-8"?>
<Context>
    ...
    <CookieProcessor sameSiteCookies="none" />
    ...
</Context>
```
Finally, Shibboleth seems to require being configured to set the SameSite=None property on its cookies to work properly with DSpace. Please note that this is not what the Shibboleth community recommends, but it is the result of our current investigation according to the DSpace source code at the time of writing; see https://wiki.shibboleth.net/confluence/display/SP3/SameSite
Moreover, on the demo, since the installed Shibboleth daemon version doesn't support the specific sameSiteSession attribute (see https://wiki.shibboleth.net/confluence/display/SP3/Sessions), we have applied a workaround by setting cookieProps as follows:
```xml
...
<Sessions lifetime="28800" timeout="3600" relayState="ss:mem"
          checkAddress="false" handlerSSL="false"
          cookieProps="; path=/; SameSite=None; Secure; HttpOnly">
...
```
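As an added offline check (not part of this page or of DSpace), the following Python models the two rules above: the Origin allowlist from the SetEnvIf/Header lines on the REST Apache, and the SameSite=None plus Secure attributes that the Tomcat and Shibboleth cookie settings are meant to produce. The regex is the one from the SetEnvIf line; the origins and Set-Cookie lines are constructed samples, and the check also shows that the pattern as written matches port 3000 only, so a port 4000 origin would need to be added to it.

```python
import re

# Origin allowlist copied verbatim from the SetEnvIf line of the REST Apache config.
ORIGIN_RE = re.compile(
    r"^http(s)?://(www\.)?(dspace7\-demo\.atmire\.com|localhost\:3000|127\.0\.0\.1\:3000)$"
)

# Value of the Access-Control-Expose-Headers line (set unconditionally there).
EXPOSE = ("Authorization, expires, Location, Content-Disposition, "
          "WWW-Authenticate, Set-Cookie, X-Requested-With")


def cors_headers(origin):
    """Model the mod_headers rules: Allow-Origin and Allow-Credentials are only
    emitted when the env var was set, i.e. when Origin matched the anchored regex.
    An unmatched Origin gets neither header, so a credentialed cross-site call fails."""
    headers = {"Access-Control-Expose-Headers": EXPOSE, "Vary": "Origin"}
    if origin is not None and ORIGIN_RE.match(origin):
        headers["Access-Control-Allow-Origin"] = origin  # $0 = the whole match
        headers["Access-Control-Allow-Credentials"] = "true"
    return headers


def cookie_is_cross_site_ready(set_cookie):
    """True when a Set-Cookie value carries both attributes Chrome requires for
    cross-site delivery: SameSite=None together with Secure."""
    attrs = [a.strip() for a in set_cookie.split(";")[1:]]
    flags = {a.lower() for a in attrs if "=" not in a}
    kv = {k.strip().lower(): v.strip().lower()
          for k, v in (a.split("=", 1) for a in attrs if "=" in a)}
    return kv.get("samesite") == "none" and "secure" in flags


# Constructed sample values (not captured from a real deployment).
SAMPLE_ORIGINS = [
    "http://localhost:3000",                        # allowed by the regex
    "https://dspace7-demo.atmire.com",              # allowed by the regex
    "http://localhost:4000",                        # not in the pattern as written
    "https://dspace7-demo.atmire.com.example.net",  # rejected thanks to the $ anchor
]
SAMPLE_COOKIES = [
    "_shibsession_1234=abcdef; path=/; SameSite=None; Secure; HttpOnly",  # cookieProps above
    "JSESSIONID=0123456789; Path=/server; HttpOnly",                      # no CookieProcessor change
    "JSESSIONID=0123456789; Path=/server; SameSite=None; HttpOnly",       # None without Secure
]

if __name__ == "__main__":
    for o in SAMPLE_ORIGINS:
        print(o, "->", cors_headers(o).get("Access-Control-Allow-Origin", "(no CORS headers)"))
    for c in SAMPLE_COOKIES:
        print(c.split("=", 1)[0], "cross-site ready:", cookie_is_cross_site_ready(c))
```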
...