Grouper Developers Forum

["Stephen M. Barrett" <>]

Sanjay Vivek wrote:
> Hi everyone,
>
> This is a brief progress report on our work with Grouper and WS. We
> currently have the following Web Service Calls:
>
> 1) getGroupMembers(String groupName) - returns all the members of a
> group
>
> 2) getMemberGroups(String userID) - returns all groups a user is member
> of
>
> 3) addUserToGroup(String userId, String groupName) - adds user to a
> group
>
> 4) deleteUserFromGroup(String userId, String groupName) - deletes user
> from a group
>
> We have so far successfully tested the WS with both Java and PHP
> clients. We are looking into further testing with .NET and Ruby.
>
> We are currently working on Web Services authentication using Apache
> Rampart. One of the things we're looking at is identifying the user once
> he has logged in and using his credentials to figure out whether he is
> authorised to add user to a group (as an example). 
>
> WS authentication was slightly easier with Axis1 because Axis1 could
> easily be set up for HTTP authentication (since Axis is implemented as a
> servlet in a web app). However, things are different with Axis2.
> WS-Security is the preferred method of authentication for Axis2. Rampart
> wraps the WSS4J functionality (the library that implements WS-Security),
> and can be integrated into Axis with little effort. 
>   

Sanjay, while WS-Security provides transport protocol independence for 
authentication it may be troublesome for those who rely solely on HTTP 
authentication mechanisms.  I'm thinking mostly of those who use 
authentication modules inside of web servers that front-end environments 
such as tomcat.  Axis2 uses the Apache Commons httpClient package which 
supports Basic, Digest and NTLM authentication mechanisms and their use 
with the Axis2 package is documented on the Axis website.  These 
mechanisms expose the authentication credentials to the web server 
during proxy pass through so that they may be inspected, interpreted and 
acted on prior to forwarding the request to the container (tomcat).

I'm concerned about this because I would suspect that it would be 
preferable to allow use of either WS-Security or HTTP transport 
authentication.  I would think we would want to create some type of 
standard Grouper authN class or interface implementation which could be 
used by both transport layer (HTTP) authentication and WS-Security to 
represent the authenticated principal.  By doing this the code inside of 
Grouper would be accessing the principal name in one fashion no matter 
what auth scheme is employed.


> A detailed reference to authenticating Grouper WS with Rampart will be
> posted soon. Cheers.
>
> Regards
> --------------
> Sanjay Vivek
> Web Analyst
> Middleware Team
> ISS
> University of Newcastle Upon Tyne
>   

begin:vcard
fn:Stephen Barrett
n:Barrett;Stephen
org:Cornell University;CIT/IS
adr;dom:;;120 Maple Ave;Ithaca;NY;14850
email;internet:
title:Tech Lead
tel;work:607.254.2917
tel;home:607.426.2759
note;quoted-printable:- Interpretation of content contained within this email is an opinion oft=
	he reader who acknowledges such through the action of viewing this messag=
	e.=0D=0A=
	
x-mozilla-html:FALSE
url:http://www.cornell.edu
version:2.1
end:vcard