

Make the Shibboleth bypass_query parameter actually work.
Currently the parameter works to sign in, but if you try to do anything
after signing in, then you are redirected to sign in to the Shibboleth
identity provider.  To prevent that the parameter needs to be considered
a persistent authentication parameter.
drgrice1 committed Nov 13, 2024
1 parent 29b1db4 commit 89dd676
Showing 1 changed file with 10 additions and 2 deletions.
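--- a/lib/WeBWorK/ContentGenerator.pm
+++ b/lib/WeBWorK/ContentGenerator.pm
@@ -1070,6 +1070,10 @@ session_management_via is "key" then the "key" is added.
 sub hidden_authen_fields ($c, $id_prefix = undef) {
 my @fields = ('user', 'effectiveUser');
 push(@fields, 'key') if $c->ce->{session_management_via} ne 'session_cookie';
+
+# Make the Shibboleth bypass_query parameter persistent if it is configured.
+push(@fields, $c->ce->{shibboleth}{bypass_query}) if $c->ce->{shibboleth}{bypass_query};
+
 return $c->hidden_fields({ id_prefix => $id_prefix }, @fields) if defined $id_prefix;
 return $c->hidden_fields(@fields);
 }
@@ -1106,10 +1110,11 @@ sub url_authen_args ($c) {
 # When cookie based session management is in use, there should be no need
 # to reveal the user and key in the URL. Putting it there makes session
 # hijacking easier, in particular should a student share such a URL.
+# If the Shibboleth authentication module is in use, then make the bypass_query parameter persistent.
 if ($ce->{session_management_via} eq 'session_cookie') {
-return $c->url_args('effectiveUser');
+return $c->url_args('effectiveUser', $c->ce->{shibboleth}{bypass_query} // ());
 } else {
-return $c->url_args('user', 'effectiveUser', 'key');
+return $c->url_args('user', 'effectiveUser', 'key', $c->ce->{shibboleth}{bypass_query} // ());
 }
 }
 
@@ -1188,6 +1193,9 @@ sub systemLink ($c, $urlpath, %options) {
 }
 
 $params{effectiveUser} = undef unless exists $params{effectiveUser};
+
+# Make the Shibboleth bypass_query parameter persistent if it is configured.
+$params{ $c->ce->{shibboleth}{bypass_query} } = undef if $c->ce->{shibboleth}{bypass_query};
 }
 
 my $url = $options{use_abs_url} ? $urlpath->to_abs : $urlpath;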
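Review bot: In `url_authen_args` the new returns guard the parameter name with `// ()`, while `hidden_authen_fields` and `systemLink` in this same commit guard it with a truthiness test, so a `bypass_query` configured as an empty string or `0` would be skipped in two places but passed to `url_args` as a parameter name in the third. Using one guard everywhere keeps the three paths in step, e.g. `return $c->url_args('effectiveUser', $ce->{shibboleth}{bypass_query} || ());` and the same on the `else` branch; this also uses the `$ce` already tested on the `if` line, which appears to be assigned above the hunk since the function starts outside it. Because the name is now added to every generated link and hidden-field set, it would also be worth confirming that the value carried under it is only a flag and nothing a shared URL should not expose, given the existing comment just above about shared URLs.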

0 comments on commit 89dd676
