Hello. We have been attempting to get shibboleth auth working in Webwork 2.19 with webwork being in a container and apache proxying in front of it. We can successfully authenticate but mojolicious complains of several errors when using instructor tools in a class. It appears to me that mojolicious is not able to obtain the session token (but could be wrong). Has anyone been able to fully implement Shibboleth in 2.18 or 2.19? Example error below:
Can't use an undefined value as a HASH reference at /usr/share/perl5/Mojolicious/Plugin/DefaultHelpers.pm line 341.
Context:
336:
337: my $stash = $c->stash;
338: return $stash->{'mojo.validation'} if $stash->{'mojo.validation'};
339:
340: my $req = $c->req;
341: my $token = $c->session->{csrf_token};
342: my $header = $req->headers->header('X-CSRF-Token');
343: my $hash = $req->params->to_hash;
344: $hash->{csrf_token} //= $header if $token && $header;
345: $hash->{$_} = $req->every_upload($_) for map { $_->name } @{$req->uploads};
346: my $v = $c->app->validator->validation->input($hash);
Traceback (most recent call first):
File "/usr/share/perl5/Mojolicious/Plugin/DefaultHelpers.pm", line 341, in "Mojo::Template::__ANON__"
File "/usr/share/perl5/Mojolicious/Renderer.pm", line 76, in "Mojolicious::Plugin::DefaultHelpers::_validation"
File "/usr/share/perl5/Mojolicious/Plugin/TagHelpers.pm", line 209, in "Mojolicious::Renderer::Helpers::4c8555916a72cae881d03583e7c6d0bc::validation"
File "/usr/share/perl5/Mojolicious/Plugin/TagHelpers.pm", line 124, in "Mojolicious::Plugin::TagHelpers::_validation"
Hello. I ran into the same problem with our 2.19 test system. I followed the installation guide as well as other approaches and tried different proxy settings.
Our reverse proxy (apache) is running on a separate server as it also provides other services.
In the meantime I have no more ideas what I could be doing wrong here.
I would also appreciate information about a working WeBWorK 2.19 installation with Shibboleth.
We will need more information to be able to help you. What is not working? Is there any error output that you can share?
Note that if you are proxying WeBWorK in any way, then the proxy must forward certain information, or things won't work. Look at the webwork2/conf/webwork2.apache2.4.dist.conf file. Note that the host is preserved and the prototype is set. At the very least the proxy must do those things.
####################################################
WeBWorK error
An error occurred while processing your request.
For help, please send mail to this site's webmaster xxx, including all of the following information as well as what what you were doing when the error occurred.
Error record identifier
5a51cc8d-fce2-520f-a77a-9f116d9cf56e::8b987333-6f3d-11ef-82b8-ed25fb9c3f9b
Error messages
Can't use an undefined value as a HASH reference at /usr/share/perl5/Mojolicious/Plugin/DefaultHelpers.pm line 341.
Context
336:
337: my $stash = $c->stash;
338: return $stash->{'mojo.validation'} if $stash->{'mojo.validation'};
339:
340: my $req = $c->req;
341: my $token = $c->session->{csrf_token};
342: my $header = $req->headers->header('X-CSRF-Token');
343: my $hash = $req->params->to_hash;
344: $hash->{csrf_token} //= $header if $token && $header;
345: $hash->{$_} = $req->every_upload($_) for map { $_->name } @{$req->uploads};
346: my $v = $c->app->validator->validation->input($hash);
Call stack
in Mojo::Template::__ANON__ called at line 341 of /usr/share/perl5/Mojolicious/Plugin/DefaultHelpers.pm
in Mojolicious::Plugin::DefaultHelpers::_validation called at line 76 of /usr/share/perl5/Mojolicious/Renderer.pm
in Mojolicious::Renderer::Helpers::df0b9b7b7653fffae31aa9c83dcae0c3::validation called at line 209 of /usr/share/perl5/Mojolicious/Plugin/TagHelpers.pm
in Mojolicious::Plugin::TagHelpers::_validation called at line 124 of /usr/share/perl5/Mojolicious/Plugin/TagHelpers.pm
in Mojolicious::Plugin::TagHelpers::_label_for called at line 48 of /usr/share/perl5/Mojolicious/Plugin/EPRenderer.pm
in Mojo::Template::Sandbox::edda140506de79a8bed1cbc425c03843::label_for called at line 10 of template ContentGenerator/Instructor/SetMaker/top_row.html.ep
in Mojo::Template::Sandbox::edda140506de79a8bed1cbc425c03843::__ANON__ called at line 160 of /usr/share/perl5/Mojo/Template.pm
in (eval) called at line 160 of /usr/share/perl5/Mojo/Template.pm
in Mojo::Template::process called at line 163 of /usr/share/perl5/Mojo/Template.pm
in Mojo::Template::render called at line 173 of /usr/share/perl5/Mojo/Template.pm
in Mojo::Template::render_file called at line 40 of /usr/share/perl5/Mojolicious/Plugin/EPLRenderer.pm
in Mojolicious::Plugin::EPLRenderer::_render called at line 39 of /usr/share/perl5/Mojolicious/Plugin/EPRenderer.pm
in Mojolicious::Plugin::EPRenderer::__ANON__ called at line 229 of /usr/share/perl5/Mojolicious/Renderer.pm
in Mojolicious::Renderer::_render_template called at line 108 of /usr/share/perl5/Mojolicious/Renderer.pm
in Mojolicious::Renderer::render called at line 149 of /usr/share/perl5/Mojolicious/Controller.pm
in Mojolicious::Controller::render called at line 163 of /usr/share/perl5/Mojolicious/Controller.pm
in Mojolicious::Controller::render_to_string called at line 42 of /usr/share/perl5/Mojolicious/Plugin/DefaultHelpers.pm
in Mojolicious::Plugin::DefaultHelpers::__ANON__ called at line 48 of /usr/share/perl5/Mojolicious/Plugin/EPRenderer.pm
in Mojo::Template::Sandbox::edda140506de79a8bed1cbc425c03843::include called at line 37 of template ContentGenerator/Instructor/SetMaker.html.ep
in Mojo::Template::Sandbox::edda140506de79a8bed1cbc425c03843::__ANON__ called at line 289 of /usr/share/perl5/Mojo/DOM/HTML.pm
in Mojo::DOM::HTML::_tag called at line 176 of /usr/share/perl5/Mojo/DOM/HTML.pm
in Mojo::DOM::HTML::tag_to_html called at line 188 of /usr/share/perl5/Mojolicious/Plugin/TagHelpers.pm
in Mojolicious::Plugin::TagHelpers::_tag called at line 85 of /usr/share/perl5/Mojolicious/Plugin/TagHelpers.pm
in Mojolicious::Plugin::TagHelpers::_form_for called at line 48 of /usr/share/perl5/Mojolicious/Plugin/EPRenderer.pm
in Mojo::Template::Sandbox::edda140506de79a8bed1cbc425c03843::form_for called at line 90 of template ContentGenerator/Instructor/SetMaker.html.ep
in Mojo::Template::Sandbox::edda140506de79a8bed1cbc425c03843::__ANON__ called at line 160 of /usr/share/perl5/Mojo/Template.pm
in (eval) called at line 160 of /usr/share/perl5/Mojo/Template.pm
in Mojo::Template::process called at line 163 of /usr/share/perl5/Mojo/Template.pm
in Mojo::Template::render called at line 173 of /usr/share/perl5/Mojo/Template.pm
in Mojo::Template::render_file called at line 40 of /usr/share/perl5/Mojolicious/Plugin/EPLRenderer.pm
in Mojolicious::Plugin::EPLRenderer::_render called at line 39 of /usr/share/perl5/Mojolicious/Plugin/EPRenderer.pm
in Mojolicious::Plugin::EPRenderer::__ANON__ called at line 229 of /usr/share/perl5/Mojolicious/Renderer.pm
in Mojolicious::Renderer::_render_template called at line 108 of /usr/share/perl5/Mojolicious/Renderer.pm
in Mojolicious::Renderer::render called at line 149 of /usr/share/perl5/Mojolicious/Controller.pm
in Mojolicious::Controller::render called at line 451 of /opt/webwork/webwork2/lib/WeBWorK/ContentGenerator.pm
in WeBWorK::ContentGenerator::content called at line 150 of /opt/webwork/webwork2/lib/WeBWorK/ContentGenerator.pm
in (eval) called at line 109 of /opt/webwork/webwork2/lib/WeBWorK/ContentGenerator.pm
in WeBWorK::ContentGenerator::go called at line 193 of /usr/share/perl5/Mojolicious.pm
in Mojolicious::_action called at line 15 of /usr/share/perl5/Mojolicious/Plugins.pm
in Mojolicious::Plugins::__ANON__ called at line 165 of /opt/webwork/webwork2/lib/Mojolicious/WeBWorK.pm
in (eval) called at line 145 of /opt/webwork/webwork2/lib/Mojolicious/WeBWorK.pm
in Mojolicious::WeBWorK::__ANON__ called at line 15 of /usr/share/perl5/Mojolicious/Plugins.pm
in Mojolicious::Plugins::__ANON__ called at line 18 of /usr/share/perl5/Mojolicious/Plugins.pm
in Mojolicious::Plugins::emit_chain called at line 88 of /usr/share/perl5/Mojolicious/Routes.pm
in Mojolicious::Routes::_action called at line 161 of /usr/share/perl5/Mojolicious/Routes.pm
in Mojolicious::Routes::_controller called at line 44 of /usr/share/perl5/Mojolicious/Routes.pm
in Mojolicious::Routes::continue called at line 46 of /usr/share/perl5/Mojolicious/Routes.pm
in Mojolicious::Routes::continue called at line 46 of /usr/share/perl5/Mojolicious/Routes.pm
in Mojolicious::Routes::continue called at line 46 of /usr/share/perl5/Mojolicious/Routes.pm
in Mojolicious::Routes::continue called at line 52 of /usr/share/perl5/Mojolicious/Routes.pm
in Mojolicious::Routes::dispatch called at line 127 of /usr/share/perl5/Mojolicious.pm
in Mojolicious::dispatch called at line 136 of /usr/share/perl5/Mojolicious.pm
in Mojolicious::__ANON__ called at line 15 of /usr/share/perl5/Mojolicious/Plugins.pm
in Mojolicious::Plugins::__ANON__ called at line 203 of /usr/share/perl5/Mojolicious.pm
in (eval) called at line 203 of /usr/share/perl5/Mojolicious.pm
in Mojolicious::_exception called at line 15 of /usr/share/perl5/Mojolicious/Plugins.pm
in Mojolicious::Plugins::__ANON__ called at line 18 of /usr/share/perl5/Mojolicious/Plugins.pm
in Mojolicious::Plugins::emit_chain called at line 141 of /usr/share/perl5/Mojolicious.pm
in Mojolicious::handler called at line 72 of /usr/share/perl5/Mojo/Server.pm
in Mojo::Server::__ANON__ called at line 15 of /usr/share/perl5/Mojo/EventEmitter.pm
in Mojo::EventEmitter::emit called at line 103 of /usr/share/perl5/Mojo/Server/Daemon.pm
in Mojo::Server::Daemon::__ANON__ called at line 15 of /usr/share/perl5/Mojo/EventEmitter.pm
in Mojo::EventEmitter::emit called at line 60 of /usr/share/perl5/Mojo/Transaction/HTTP.pm
in Mojo::Transaction::HTTP::server_read called at line 224 of /usr/share/perl5/Mojo/Server/Daemon.pm
in Mojo::Server::Daemon::_read called at line 202 of /usr/share/perl5/Mojo/Server/Daemon.pm
in Mojo::Server::Daemon::__ANON__ called at line 15 of /usr/share/perl5/Mojo/EventEmitter.pm
in Mojo::EventEmitter::emit called at line 109 of /usr/share/perl5/Mojo/IOLoop/Stream.pm
in Mojo::IOLoop::Stream::_read called at line 57 of /usr/share/perl5/Mojo/IOLoop/Stream.pm
in Mojo::IOLoop::Stream::__ANON__ called at line 141 of /usr/share/perl5/Mojo/Reactor/Poll.pm
in (eval) called at line 141 of /usr/share/perl5/Mojo/Reactor/Poll.pm
in Mojo::Reactor::Poll::_try called at line 54 of /usr/share/perl5/Mojo/Reactor/EV.pm
in Mojo::Reactor::EV::__ANON__ called at line 32 of /usr/share/perl5/Mojo/Reactor/EV.pm
in (eval) called at line 32 of /usr/share/perl5/Mojo/Reactor/EV.pm
in Mojo::Reactor::EV::start called at line 134 of /usr/share/perl5/Mojo/IOLoop.pm
in Mojo::IOLoop::start called at line 152 of /usr/share/perl5/Mojo/Server/Prefork.pm
in Mojo::Server::Prefork::_spawn called at line 93 of /usr/share/perl5/Mojo/Server/Prefork.pm
in Mojo::Server::Prefork::_manage called at line 78 of /usr/share/perl5/Mojo/Server/Prefork.pm
in Mojo::Server::Prefork::run called at line 74 of /usr/share/perl5/Mojo/Server/Hypnotoad.pm
in Mojo::Server::Hypnotoad::run called at line 14 of /usr/bin/hypnotoad
####################################################
If I set “$c->stash(disable_cookies => 0);” in the Shibboleth.pm I get further but after a few clicks I get the error message:
####################################################
WarningLibrary Browser
Warning: There may be something wrong with this question. Please inform your instructor including the warning messages below.
WeBWorK has encountered warnings while processing your request. If this occurred when viewing a problem, it was likely caused by an error or ambiguity in that problem. Otherwise, it may indicate a problem with the WeBWorK system itself. If you are a student, report these warnings to your professor to have them corrected. If you are a professor, please consult the warning output below for more information.
Warning messages
Use of uninitialized value in hash element at template ContentGenerator/Login.html.ep line 12.
Use of uninitialized value in hash element at template ContentGenerator/Login.html.ep line 12.
####################################################
And in case I have something wrong in the Apache config:
####################################################
Apache config<VirtualHost hostname.de:80>
ServerName hostname.de
Redirect permanent / https://hostname.de/
</VirtualHost>
<VirtualHost hostname.de:443>
ServerName hostname.de
SSLEngine on
SSLProxyEngine on
SSLCertificateFile crt.pem
SSLCertificateKeyFile key.pem
SSLCertificateChainFile chain.pem
SSLProtocol All -SSLv2 -SSLv3
SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
<Location / >
Require all granted
</Location>
##_Host1_##
<Location /host1>
ProxyPreserveHost on
ProxyPass http://192.168.1.20:8000/host1
ProxyPassReverse http://192.168.1.20:8000/host1
AuthType shibboleth
ShibRequestSetting requireSession On
ShibUseHeaders On
Require valid-user
</Location>
##_WeBWorK219_##
<Proxy /webwork2/*>
Require all granted
</Proxy>
ProxyRequests Off
ProxyPreserveHost On
ProxyPass /webwork2 http://192.168.1.18:8080/webwork2 keepalive=On
ProxyPassReverse /webwork2 http://192.168.1.18:8080/webwork2
ProxyPass /webwork2/* http://192.168.1.18:8080/webwork2/ keepalive=On
ProxyPassReverse /webwork2/* http://192.168.1.18:8080/webwork2/
<Location /webwork2>
RequestHeader set X-Forwarded-Proto "https"
AuthType shibboleth
ShibRequestSetting requireSession 1
ShibUseHeaders On
Require valid-user
</Location>
<Proxy /webwork2_files/*>
Require all granted
</Proxy>
ProxyRequests Off
ProxyPass /webwork2_files http://192.168.1.18:8080/webwork2_file keepalive=On
<Proxy /pg_files/*>
Require all granted
</Proxy>
ProxyRequests Off
ProxyPass /pg_files http://192.168.1.18:8080/pg_files keepalive=On
<Proxy /webwork2_course_files/*>
Require all granted
</Proxy>
<Location /webwork2_course_files>
Require all granted
</Location>
ProxyRequests Off
ProxyPass /webwork2_course_files http://192.168.1.18:8080/webwork2_course_files keepalive=On
</VirtualHost>
####################################################
And if it helps, the mojo debug output for on Click (disable_cookies => 1):
####################################################
Debug [Tue Sep 10 11:45:29.945827 2024] (eval):
===> Begin WeBWorK::dispatch() <===
[Tue Sep 10 11:45:29.945974 2024] (eval): Hi, I'm the new dispatcher!
[Tue Sep 10 11:45:29.946024 2024] (eval): --------------------------------------------------------------------------------
[Tue Sep 10 11:45:29.946065 2024] (eval): Okay, I got some basic information:
[Tue Sep 10 11:45:29.946104 2024] (eval): The site location is /webwork2
[Tue Sep 10 11:45:29.946141 2024] (eval): The request method is GET
[Tue Sep 10 11:45:29.946241 2024] (eval): The URI is /webwork2/test/instructor
[Tue Sep 10 11:45:29.946294 2024] (eval): The argument string is effectiveUser=mail%40host.de
[Tue Sep 10 11:45:29.946334 2024] (eval): --------------------------------------------------------------------------------
[Tue Sep 10 11:45:29.946398 2024] (eval): The path is /test/instructor/
[Tue Sep 10 11:45:29.946450 2024] (eval): The current route is instructor_tools
[Tue Sep 10 11:45:29.946487 2024] (eval): Here is some information about this route:
[Tue Sep 10 11:45:29.946528 2024] (eval): The display module for this route is WeBWorK::ContentGenerator::Instructor::Index
[Tue Sep 10 11:45:29.946564 2024] (eval): This route has the following captures:
[Tue Sep 10 11:45:29.946601 2024] (eval): controller => Instructor::Index
[Tue Sep 10 11:45:29.946636 2024] (eval): action => go
[Tue Sep 10 11:45:29.946671 2024] (eval): courseID => test
[Tue Sep 10 11:45:29.946707 2024] (eval): --------------------------------------------------------------------------------
[Tue Sep 10 11:45:29.946743 2024] (eval): Now we want to look at the parameters we got.
[Tue Sep 10 11:45:29.946778 2024] (eval): The raw params:
[Tue Sep 10 11:45:29.946859 2024] (eval): effectiveUser => "mail@host.de"
[Tue Sep 10 11:45:29.946905 2024] (eval): --------------------------------------------------------------------------------
[Tue Sep 10 11:45:29.946949 2024] (eval): We need to get a course environment (with or without a courseID!)
[Tue Sep 10 11:45:29.950976 2024] (eval): Here's the course environment: WeBWorK::CourseEnvironment=HASH(0xyyyyyy74c6d0)
[Tue Sep 10 11:45:29.951331 2024] (eval): Using authentication module WeBWorK::Authen::Shibboleth: WeBWorK::Authen::Shibboleth=HASH(0xyyyyyy74b6e8)
[Tue Sep 10 11:45:29.951411 2024] (eval): We got a courseID from the route, now we can do some stuff:
[Tue Sep 10 11:45:29.951462 2024] (eval): ...we can create a database object...
[Tue Sep 10 11:45:29.957269 2024] (eval): (here's the DB handle: WeBWorK::DB=HASH(0xyyyyyy74b1a8))
[Tue Sep 10 11:45:29.957325 2024] WeBWorK::Authen::verify: BEGIN VERIFY
[Tue Sep 10 11:45:29.957359 2024] WeBWorK::Authen::do_verify: db ok
[Tue Sep 10 11:45:29.957391 2024] WeBWorK::Authen::Shibboleth::get_credentials: Shib is on!
[Tue Sep 10 11:45:29.957422 2024] WeBWorK::Authen::Shibboleth::get_credentials: Got shib header (mail) and user_id (mail@host.de)
[Tue Sep 10 11:45:29.957987 2024] WeBWorK::Authen::do_verify: credentials ok
[Tue Sep 10 11:45:29.958442 2024] WeBWorK::Authen::do_verify: check user ok
[Tue Sep 10 11:45:29.958774 2024] WeBWorK::Authen::verify_normal_user: sessionExists='1' keyMatches='' timestampValid='1'
[Tue Sep 10 11:45:29.959986 2024] WeBWorK::Authen::write_log_entry: Writing to login log: 'AUTH WWDB: password rejected, deferring to site_checkPassword user_id=mail@host.de login_type=normal credential_source=params host=yyyyyy port=55324 UA=Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:130.0) Gecko/20100101 Firefox/130.0'.
[Tue Sep 10 11:45:29.961162 2024] WeBWorK::Authen::write_log_entry: Writing to login log: 'LOGIN OK user_id=mail@host.de login_type=normal credential_source=params host=yyyyyy port=55324 UA=Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:130.0) Gecko/20100101 Firefox/130.0'.
[Tue Sep 10 11:45:29.961307 2024] WeBWorK::Authen::set_params: params user='mail@host.de' key='yyyyyykeyyyyyyy'
[Tue Sep 10 11:45:29.961346 2024] WeBWorK::Authen::verify: END VERIFY
[Tue Sep 10 11:45:29.961370 2024] WeBWorK::Authen::verify: result 1
[Tue Sep 10 11:45:29.961401 2024] (eval): Hi, mail@host.de, glad you made it.
[Tue Sep 10 11:45:29.961873 2024] (eval): Now we deal with the effective user:
[Tue Sep 10 11:45:29.961922 2024] (eval): userID=mail@host.de eUserID=mail@host.de
[Tue Sep 10 11:45:29.979687 2024] WeBWorK::Authen::store_session: Saving database session. The database session contains
{
"key" => "yyyyyykeyyyyyyy",
"session" => {},
"timestamp" => 1725961529,
"user_id" => "mail\@host.de"
}
####################################################
I hope this helps you further.
Seeing same error message, did anyone find any solution?
Hello,
I have tested it. The csrf_token error is gone.
But now I get others.
--> template ContentGenerator/Login.html.ep line 12
What I did to generate the attached logs:
Clicks: Frontpage --> Course "test1" --> Problem Editor --> Library Browser --> selected something from Subject: --> View Problems
On Site Errors:
Problem Editor
--> Rendering error: Authentication failed. Log in again to continue.
Library Browser
- selected something from Subject:
--> /webwork2/instructor_rpc
Authentication failed. Log in again to continue.
- View Problems
--> Warning: There may be something wrong with this question. Please inform your instructor including the warning messages below.
The course test1 uses an external authentication system (). Please return to that system to access this course.
WeBWorK Warnings
WeBWorK has encountered warnings while processing your request. If this occurred when viewing a problem, it was likely caused by an error or ambiguity in that problem. Otherwise, it may indicate a problem with the WeBWorK system itself. If you are a student, report these warnings to your professor to have them corrected. If you are a professor, please consult the warning output below for more information.
Warning messages
Use of uninitialized value in hash element at template ContentGenerator/Login.html.ep line 12.
Use of uninitialized value in hash element at template ContentGenerator/Login.html.ep line 12.
Request information
Time Tue Oct 22 09:22:49 2024
Method POST
URI /webwork2/test1/instructor/setmaker
Yeah, I expected that rpc calls would fail.
Looking at the Shibboleth code, I see that even prior to the recent authentication renovation, Shibboleth was rife with security vulnerabilities.
Unfortunately, unless someone has time to work closely with me on this Shibboleth is a lost cause. The attempts that have been made to fix Shibboleth have been done by individuals that really don't know how webwork2's authentication works. As such, they get some of the bare bones functionality working, but don't get the complete package working and leave security vulnerabilities open.
(1) In Accounts Manager, clicking save edit fails, with warning of:
Use of uninitialized value in hash element at template ContentGenerator/Login.html.ep line 12.
Use of uninitialized value in hash element at template ContentGenerator/Login.html.ep line 12.
(2) In Upgrade Courses, clicking Upgrade Courses fails, same error as above
The warnings "Use of uninitialized value in hash element at template ContentGenerator/Login.html.ep line 12." are actually inconsequential. You could set $LTI{v1p1}{LMS_name} in localOverrides.conf (and maybe another related variable) to eliminate those warnings. More consequential though is the fact that that code is even called when you are saving on the accounts manager page. That is showing a critical issue with the Shibboleth authentication module.
So I would be willing to have a zoom meeting to fix issues. By adding following to localoverrides, I was able to get the contentGenenerator error to go away, but the net result is that most things no politely say, the course XXX uses an external authentication system (Shibboleth). Please return to that system to access the course. That message is in the login file, so my assumption is that further modification is needed in that file for the section where externalauth is used to allow it to proceed and actually do the work.
$LTIVersion = 'v1p1';
$LTI{v1p1}{LMS_name} = 'Shibboleth';
We are currently on version 2.16 and would like to switch to the latest version, but are dependent on Shibboleth. We would therefore be very happy to see further support for Shibboleth.
Unfortunately, I have no real idea about the WeBWorK security mechanisms. And what effect changes have on security. But with the patch #2609 and the commenting out of line 75 to 90 in the Shibboleth.pm (for testing purposes only), WeBWorK runs without errors so far. Cosign does not use any apparently comparable code, which leads to this attempt.
Although your rational for commenting out those lines is not quite correct, those lines do need to be removed for WeBWorK 2.19. Note that the Cosign authentication module is even more out of date than the Shibboleth authentication module, and comparing to that module is not a valid justification. For WeBWorK 2.17 and before lines 87-90 will be needed, but not lines 75-77. My justification for this comes from a much deeper analysis that I can't divulge at this point (mostly due to security concerns, but also because my analysis is not quite complete at this point).
I have put in a pull request that fixes the Shibboleth issues. It is at https://github.com/openwebwork/webwork2/pull/2612. In order to fix it, I installed and configured a Shibboleth identity provider of my own. So the pull request is not the guess like the previous one, and I have tested it personally. I would appreciate it if those of you that use Shibboleth authentication could test it.
Perl is (v5.32.1)
Mojolicious is 9.38
Ahh, I forgot to remove "use strict" and "use warnings" from the module. The Mojo::Base parent module adds those in such a way that the warnings about signatures will not happen (for perl versions prior to 5.36 in which signatures are no longer experimental). Adding "use strict" and "use warnings" turns the signature warnings back on again. I have fixed that in the pull request.
I have not noticed any problems so far.
Thank you very much.