From f46c2096cfd887f4ca98cdd69d84e18c6da874f3 Mon Sep 17 00:00:00 2001
From: Glenn Rice
Date: Mon, 28 Oct 2024 19:50:55 -0500
Subject: [PATCH] Make the Shibboleth bypass_query parameter actually work.
Currently the parameter works to sign in, but if you try to do anything after signing in, then you are redirected to sign in to the Shibboleth identity provider. To prevent that the parameter needs to be considered a persistent authentication parameter.
---
 lib/WeBWorK/ContentGenerator.pm | 12 ++++++++++--
 1 file changed, 10 insertions(+), 2 deletions(-)
diff --git a/lib/WeBWorK/ContentGenerator.pm b/lib/WeBWorK/ContentGenerator.pm
index 86789dbf9c..633990ddca 100644
--- a/lib/WeBWorK/ContentGenerator.pm
+++ b/lib/WeBWorK/ContentGenerator.pm
@@ -1070,6 +1070,10 @@ session_management_via is "key" then the "key" is added.
 sub hidden_authen_fields ($c, $id_prefix = undef) {
 my @fields = ('user', 'effectiveUser');
 push(@fields, 'key') if $c->ce->{session_management_via} ne 'session_cookie';
+
+ # Make the Shibboleth bypass_query parameter persistent if it is configured.
+ push(@fields, $c->ce->{shibboleth}{bypass_query}) if $c->ce->{shibboleth}{bypass_query};
+
 return $c->hidden_fields({ id_prefix => $id_prefix }, @fields) if defined $id_prefix;
 return $c->hidden_fields(@fields);
 }
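Review bot: The added `push` in hidden_authen_fields reads `$c->ce->{shibboleth}{bypass_query}` twice, and in Perl a nested read like this autovivifies an empty `shibboleth` hash in the course environment when that key is absent, so code that later tests `$ce->{shibboleth}` on its own would find it present. Reading the value once through a guard avoids both: `my $bypass_query = ($c->ce->{shibboleth} // {})->{bypass_query};` followed by `push(@fields, $bypass_query) if $bypass_query;`. The same repeated lookup appears in the url_authen_args and systemLink hunks. Because this name comes from configuration and is now echoed into every form and link, the configuration documentation should also state that it must not coincide with an existing authentication parameter such as `user`, `key` or `effectiveUser`.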
@@ -1106,10 +1110,11 @@ sub url_authen_args ($c) {
 # When cookie based session management is in use, there should be no need
 # to reveal the user and key in the URL. Putting it there makes session
 # hijacking easier, in particular should a student share such a URL.
+ # If the Shibboleth authentication module is in use, then make the bypass_query parameter persistent.
 if ($ce->{session_management_via} eq 'session_cookie') {
- return $c->url_args('effectiveUser');
+ return $c->url_args('effectiveUser', $c->ce->{shibboleth}{bypass_query} // ());
 } else {
- return $c->url_args('user', 'effectiveUser', 'key');
+ return $c->url_args('user', 'effectiveUser', 'key', $c->ce->{shibboleth}{bypass_query} // ());
 }
 }
@@ -1188,6 +1193,9 @@ sub systemLink ($c, $urlpath, %options) {
 }
 $params{effectiveUser} = undef unless exists $params{effectiveUser};
+
+ # Make the Shibboleth bypass_query parameter persistent if it is configured.
+ $params{ $c->ce->{shibboleth}{bypass_query} } = undef if $c->ce->{shibboleth}{bypass_query};
 }
 my $url = $options{use_abs_url} ? $urlpath->to_abs : $urlpath;
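Review bot: The two `// ()` fallbacks in url_authen_args test definedness, while hidden_authen_fields and systemLink test truth, so a configured empty string is skipped there but handed to `url_args` here as a parameter name. Using `|| ()` makes the three sites agree, and the `$ce` already used by this function can replace `$c->ce`: `return $c->url_args('effectiveUser', $ce->{shibboleth}{bypass_query} || ());`. The added comment also says the parameter is persisted when the Shibboleth authentication module is in use, but the code only checks that the option is configured, so either the wording or the condition should change. The function body starts outside the hunk.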
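Review bot: The new assignment in systemLink overwrites any value already present in `%params` for the bypass parameter, unlike the `unless exists` guard on the `effectiveUser` line just above it. If callers can supply that parameter explicitly (the code that fills `%params` is outside the hunk), their value is silently discarded. Guarding it the same way keeps the two lines parallel: `my $bypass_query = $c->ce->{shibboleth}{bypass_query};` then `$params{$bypass_query} = undef if $bypass_query && !exists $params{$bypass_query};`.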