[LON-CAPA-admin] Userless Role Selection

Stuart Raeburn raeburn at msu.edu
Thu Apr 23 10:00:58 EDT 2015


Hi Lee,

On a LON-CAPA 2.11 server I would expect a line in the Apache access  
log file of the form:

IP address - - [Date/Time] "GET /adm/roles HTTP/1.1" 302

on a server configured to use Shibboleth Single Sign On (SSO).  I  
would not expect to see a username included as the third item in the  
log entry (in place of the - ) if the response code is 302 (Shibboleth  
SSO) or 301 (CAS SSO).

For a user who successfully authenticated via Shibboleth SSO (and who  
had an existing LON-CAPA account) I would then expect to see:

IP address - - [Date/Time] "GET /adm/sso HTTP/1.1" 200
IP address - username [Date/Time] "GET /adm/roles?source=login HTTP/1.1" 200

or if authentication failed via Shibboleth SSO I would then expect to see:

IP address - - [Date/Time] "GET /adm/sso HTTP/1.1" 302

If a user authenticates via Shibboleth SSO, but does not currently  
have a LON-CAPA account in the domain, what happens next is determined  
by your domain's configuration for: "Users self-creating accounts".

For a response code of 200 for /adm/roles I would expect to see a  
username logged in the web server log file on a 2.11 LON-CAPA server,  
unless you have modified the logging configuration for Apache.
However, on a pre-2.11 LON-CAPA server I would not
expect to see a username in the third item of any line in the web  
server log file unless this was for a user authenticating via SSO.


Stuart Raeburn
LON-CAPA Academic Consortium


Quoting "Bynum, Lee Hamilton" <leebynum at illinois.edu>:

> Hi Stuart,
>
>> What was the Apache response code, i.e., what comes after 'HTTP/1.1" '
>> in the line you copied from your server's Apache access log file?
>
> Response code 302
>
> The full line of that example is:
>
> 172.17.193.190 - - [14/Apr/2015:19:35:24 -0500] "GET /adm/roles   
> HTTP/1.1" 302 4655 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X   
> 10_10_1) AppleWebKit/600.2.5 (KHTML, like Gecko) Version/8.0.2   
> Safari/600.2.5"
>
> The "-" seems to be an outlier as it is the first instance.  Most   
> are of the following forms:
>
> 172.17.193.190 - - [14/Apr/2015:19:37:23 -0500] "GET /adm/roles   
> HTTP/1.1" 302 804 "https://access2.lon-capa.uiuc.edu/adm/sso"   
> "Mozilla/5.0 (iPhone; CPU iPhone OS 8_1 like Mac OS X)   
> AppleWebKit/600.1.4 (KHTML, like Gecko) Version/8.0 Mobile/12B410   
> Safari/600.1.4"
> 172.17.193.190 - - [14/Apr/2015:19:37:23 -0500] "GET /adm/roles   
> HTTP/1.1" 302 772 "https://access2.lon-capa.uiuc.edu/adm/sso"   
> "Mozilla/5.0 (iPhone; CPU iPhone OS 8_1 like Mac OS X)   
> AppleWebKit/600.1.4 (KHTML, like Gecko) Version/8.0 Mobile/12B410   
> Safari/600.1.4"
> 172.17.193.190 - - [14/Apr/2015:19:37:23 -0500] "GET /adm/roles   
> HTTP/1.1" 302 981 "https://access2.lon-capa.uiuc.edu/adm/sso"   
> "Mozilla/5.0 (iPhone; CPU iPhone OS 8_1 like Mac OS X)   
> AppleWebKit/600.1.4 (KHTML, like Gecko) Version/8.0 Mobile/12B410   
> Safari/600.1.4"
>
> Lee
>
>> -----Original Message-----
>> From: lon-capa-admin-bounces at mail.lon-capa.org [mailto:lon-capa-admin-
>> bounces at mail.lon-capa.org] On Behalf Of Stuart Raeburn
>> Sent: Thursday, April 16, 2015 4:57 PM
>> To: lon-capa-admin at mail.lon-capa.org
>> Subject: Re: [LON-CAPA-admin] Userless Role Selection
>>
>> Hi Lee,
>>
>> > 172.17.193.190 - - [14/Apr/2015:19:35:24 -0500] "GET /adm/roles HTTP/1.1"
>>
>> What was the Apache response code, i.e., what comes after 'HTTP/1.1" '
>> in the line you copied from your server's Apache access log file?
>>
>> Stuart Raeburn
>> LON-CAPA Academic Consortium
>>
>>
>> Quoting "Bynum, Lee Hamilton" <leebynum at illinois.edu>:
>>
>> > Good Morning,
>> >
>> > Have people encountered userless role selection before?  That is,
>> > get requests on /adm/roles without a user name associated with it.
>> > It was my impression that /adm/roles/ was only accessed by users
>> > that are already logged in.
>> >
>> > 172.17.193.190 - - [14/Apr/2015:19:35:24 -0500] "GET /adm/roles HTTP/1.1"
>> >
>> > This message was generated without any related activity from the
>> > associated ip address.  It was generated a lot of times in a couple
>> > of minutes, so it could also be a part of our ghost request bug, but
>> >  I would love to eliminate the possibility of it being normal
>> > behavior first.
>> >
>> > Thanks,
>> >
>> > Lee
>>
>> _______________________________________________
>> LON-CAPA-admin mailing list
>> LON-CAPA-admin at mail.lon-capa.org
>> http://mail.lon-capa.org/mailman/listinfo/lon-capa-admin

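Added example (not part of the original thread and not LON-CAPA code): a small triage script that labels access-log lines using the expectations described in the reply above for a 2.11 server with SSO, and counts bursts of anonymous /adm/roles redirects per IP. The label names, the threshold of 3 hits and the 2-minute window are assumptions, and the sample lines are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines (documentation IPs, placeholder username), not real log data.
SAMPLE = [
    '192.0.2.10 - - [14/Apr/2015:19:37:23 -0500] "GET /adm/roles HTTP/1.1" 302 804',
    '192.0.2.10 - - [14/Apr/2015:19:37:24 -0500] "GET /adm/roles HTTP/1.1" 302 772',
    '192.0.2.10 - - [14/Apr/2015:19:37:25 -0500] "GET /adm/roles HTTP/1.1" 302 981',
    '192.0.2.20 - - [14/Apr/2015:19:40:00 -0500] "GET /adm/sso HTTP/1.1" 200 512',
    '192.0.2.20 - exampleuser [14/Apr/2015:19:40:01 -0500] "GET /adm/roles?source=login HTTP/1.1" 200 4096',
    '192.0.2.30 - - [14/Apr/2015:19:45:00 -0500] "GET /adm/roles HTTP/1.1" 200 4096',
]
LINE = re.compile(r'^(\S+) \S+ (\S+) \[([^\]]+)\] "\S+ (\S+)[^"]*" (\d{3})')

def classify(line):
    """Return (ip, time, label) for one access-log line, or None if unparsable."""
    m = LINE.match(line)
    if not m:
        return None
    ip, user, ts, url, status = m.groups()
    when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
    path = url.split("?", 1)[0]
    anonymous = user == "-"
    if path == "/adm/roles" and status in ("301", "302") and anonymous:
        label = "sso-redirect"  # no username expected: 302 Shibboleth, 301 CAS
    elif path == "/adm/roles" and status == "200":
        label = "roles-anonymous-200" if anonymous else "roles-authenticated"
    elif path == "/adm/sso":
        label = {"200": "sso-ok", "302": "sso-failed"}.get(status, "other")
    else:
        label = "other"
    return ip, when, label

def redirect_bursts(lines, threshold=3, window=timedelta(minutes=2)):
    """Map IP -> largest number of 'sso-redirect' hits inside any one window."""
    hits = defaultdict(list)
    for rec in filter(None, map(classify, lines)):
        if rec[2] == "sso-redirect":
            hits[rec[0]].append(rec[1])
    worst = {}
    for ip, times in hits.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:
                start += 1
            worst[ip] = max(worst.get(ip, 0), end - start + 1)
    return {ip: n for ip, n in worst.items() if n >= threshold}
```

A "roles-anonymous-200" label is the case the reply says is unexpected on a 2.11 server unless the Apache logging configuration was changed; "sso-redirect" bursts are expected responses individually, so only their rate per IP is worth reviewing.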