
grouper-dev - Re: [grouper-dev] Updates on Grouper and WS.

Subject: Grouper Developers Forum

  • From: "Stephen M. Barrett" <>
  • To: Grouper Dev <>
  • Subject: Re: [grouper-dev] Updates on Grouper and WS.
  • Date: Tue, 08 Jan 2008 13:38:02 -0500

Sanjay Vivek wrote:
> Hi everyone,
>
> This is a brief progress report on our work with Grouper and WS. We
> currently have the following Web Service Calls:
>
> 1) getGroupMembers(String groupName) - returns all the members of a
> group
>
> 2) getMemberGroups(String userID) - returns all groups a user is a member
> of
>
> 3) addUserToGroup(String userId, String groupName) - adds user to a
> group
>
> 4) deleteUserFromGroup(String userId, String groupName) - deletes user
> from a group
>
> We have so far successfully tested the WS with both Java and PHP
> clients. We are looking into further testing with .NET and Ruby.
>
> We are currently working on Web Services authentication using Apache
> Rampart. One of the things we're looking at is identifying the user once
> he has logged in and using his credentials to figure out whether he is
> authorised to add user to a group (as an example).
> WS authentication was slightly easier with Axis1 because Axis1 could
> easily be set up for HTTP authentication (since Axis is implemented as a
> servlet in a web app). However, things are different with Axis2.
> WS-Security is the preferred method of authentication for Axis2. Rampart
> wraps the WSS4J functionality (the library that implements WS-Security),
> and can be integrated into Axis with little effort.

Sanjay, while WS-Security provides transport protocol independence for authentication, it may be troublesome for those who rely solely on HTTP authentication mechanisms. I'm thinking mostly of those who use authentication modules inside of web servers that front-end environments such as Tomcat. Axis2 uses the Apache Commons HttpClient package, which supports Basic, Digest and NTLM authentication mechanisms, and their use with the Axis2 package is documented on the Axis website. These mechanisms expose the authentication credentials to the web server during proxy pass through so that they may be inspected, interpreted and acted on prior to forwarding the request to the container (Tomcat).

I'm concerned about this because I would suspect that it would be preferable to allow use of either WS-Security or HTTP transport authentication. I would think we would want to create some type of standard Grouper authN class or interface implementation which could be used by both transport layer (HTTP) authentication and WS-Security to represent the authenticated principal. By doing this, the code inside of Grouper would be accessing the principal name in one fashion no matter what auth scheme is employed.


> A detailed reference to authenticating Grouper WS with Rampart will be
> posted soon. Cheers.
>
> Regards
> --------------
> Sanjay Vivek
> Web Analyst
> Middleware Team
> ISS
> University of Newcastle Upon Tyne

Stephen Barrett
Tech Lead
Cornell University, CIT/IS
http://www.cornell.edu
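
The common authN representation proposed in this message, as an added example that is not from the thread or from Grouper's code: one subject type that is filled by either HTTP transport authentication or WS-Security, so calling code reads the principal name one way. All class and method names are hypothetical; it assumes Java 16+ and that thin adapters pass in the container's remote user and the Principal verified by the WS-Security layer.

```java
import java.security.Principal;
import java.util.Optional;

/** Hypothetical names throughout; this is not Grouper's API. */
public class GrouperAuthnExample {

    /** The single view of the caller that Grouper code would see. */
    record AuthenticatedSubject(String name, String scheme) {}

    /** One implementation per authentication scheme. */
    interface SubjectSource {
        Optional<AuthenticatedSubject> resolve();
    }

    /** Transport auth: the name the container reports, e.g. HttpServletRequest.getRemoteUser(). */
    static SubjectSource httpTransport(String remoteUser) {
        return () -> clean(remoteUser).map(n -> new AuthenticatedSubject(n, "http"));
    }

    /** Message auth: the Principal verified by the WS-Security layer (Rampart/WSS4J in the thread). */
    static SubjectSource wsSecurity(Principal verified) {
        return () -> clean(verified == null ? null : verified.getName())
                .map(n -> new AuthenticatedSubject(n, "ws-security"));
    }

    private static Optional<String> clean(String name) {
        return Optional.ofNullable(name).map(String::trim).filter(s -> !s.isEmpty());
    }

    /** Fails closed: no identity at all, or two schemes naming different users, is an error. */
    static AuthenticatedSubject authenticate(SubjectSource... sources) {
        AuthenticatedSubject found = null;
        for (SubjectSource s : sources) {
            Optional<AuthenticatedSubject> r = s.resolve();
            if (r.isEmpty()) continue;
            if (found != null && !found.name().equals(r.get().name()))
                throw new SecurityException("conflicting principals: "
                        + found.scheme() + " vs " + r.get().scheme());
            if (found == null) found = r.get();
        }
        if (found == null) throw new SecurityException("request is not authenticated");
        return found;
    }

    public static void main(String[] args) {
        // Constructed inputs: the front-end web server authenticated "jdoe"; no WS-Security header.
        System.out.println(authenticate(httpTransport("jdoe"), wsSecurity(null)));
        // Same call path when only WS-Security authenticated the caller.
        System.out.println(authenticate(httpTransport(null), wsSecurity(() -> "jdoe")));
    }
}
```

An authorization check for a call such as addUserToGroup would then take the returned subject's name, regardless of which scheme supplied it.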



