Skip to Content.
Sympa Menu

grouper-dev - Re: [grouper-dev] Grouper design call, Wednesday, 14 May 2008, 1200EDT (1600Z)

Subject: Grouper Developers Forum

List archive

Re: [grouper-dev] Grouper design call, Wednesday, 14 May 2008, 1200EDT (1600Z)


Chronological Thread 
  • From: Tom Barton <>
  • To: Chris Hyzer <>
  • Cc: caleb racey <>, Grouper Dev <>
  • Subject: Re: [grouper-dev] Grouper design call, Wednesday, 14 May 2008, 1200EDT (1600Z)
  • Date: Wed, 14 May 2008 12:11:23 -0500

The prerequisites page gives details on both. For apache prior to 2.2 you must use mod_jk, but setup of mod_proxy_ajp with apache 2.2+ is much easier (note the number of caveats and conditionals needed to tell the mod_jk setup story).

Tom

Chris Hyzer wrote:
Sorry to be nitpicky, but I think mod_jk is preferred over mod_proxy_ajp. I
run the UI and WS with mod_jk and it works great...

http://wiki.apache.org/tomcat/FAQ/Connectors#Q2

Chris

-----Original Message-----
From: Tom Barton
[mailto:]
Sent: Wednesday, May 14, 2008 11:58 AM
To: Chris Hyzer
Cc: caleb racey; Grouper Dev
Subject: Re: [grouper-dev] Grouper design call, Wednesday, 14 May 2008,
1200EDT (1600Z)

If I recall correctly, the "missing doc" would address what is
anticipated to be a common need, not necessarily to detail all of the
ways grouper-ws might be protected. I suppose, though, that the former
can be the start of a larger and evolving doc of the latter.

For comparison, cf.
<https://wiki.internet2.edu/confluence/display/GrouperWG/Prerequisites>
.

Tom

Chris Hyzer wrote:
I think the issue is that the web.xml ships with servlet container
simple auth in it, right Tom?
I modified the README.txt to tell people to take out that part in the
web.xml if they don't want it (maybe it should be a web.example.xml)...
Incidentally, we will use the kerberos authenticator at Penn, so Im ok
with commenting out the simple auth as a default... it's the easiest
for a quick start though probably.
Also, I found the same results as Sanjay, and the build script
reflects that. You can either build grouper-ws in non-rampart mode, or
rampart mode (and you should deploy twice to run both). If you wanted
container simple auth, and apache + mod_jk (or whatever connector to a
servlet container), you could do that in one deployment I believe...
same with Kerberos. But the rampart affects the Axis config files, and
you cant have multiple configs for multiple servlets in one webapp.
Regards,
Chris

-----Original Message-----
From: caleb racey
[mailto:]
Sent: Wednesday, May 14, 2008 10:59 AM
To: Grouper Dev
Subject: RE: [grouper-dev] Grouper design call, Wednesday, 14 May
2008, 1200EDT (1600Z)

. protecting grouper-ws with apache + mod_proxy_ajp
We have just published sanjay's report on his investigations of
various techniques for authenticating webservices linked to from
http://gfivo.ncl.ac.uk/resources.php


The 10 second summary is: There are theoretical techniques for
deploying a webservice once and using different auth routes
(multiple
policy, or multiple port), however the reality is that they are
poorly supported.
Deploying the same webservice app twice and deploying different auth
on top of each is much easier and works.


Cheers

Cal

--------------------
Caleb Racey
Team Leader
Middleware Team
ISS
Newcastle University
--------------------
begin:vcard
fn:Tom Barton
n:Barton;Tom
org:University of Chicago;Networking Services & Information Technology
adr;dom:1155 E. 60th St.;;Rm 309, 1155 Bldg;Chicago;IL;60637
email;internet:
title:Sr. Director - Integration
tel;work:+1 773 834 1700
version:2.1
end:vcard




Archive powered by MHonArc 2.6.16.

Top of Page