
grouper-dev - Re: [grouper-dev] RE: Lite UI problems

Subject: Grouper Developers Forum

  • From: Andrew Petro <>
  • To:
  • Cc: Gagné Sébastien <>
  • Subject: Re: [grouper-dev] RE: Lite UI problems
  • Date: Fri, 20 Jul 2012 11:38:41 -0400

CAS was mentioned, so I feel called upon to reply to this providing what insight I can, but alas I'm not speaking from direct experience with configuring good CAS authentication to Lite UI.  So, for whatever it's worth:

I'd try to think of this as much as possible as a session expiration problem rather than as a CAS problem.  CAS should really be an implementation detail of how one gets a logged in session with Grouper.  CAS wants to be an authenticated session broker, not an authenticated session manager.

So, first, more generally, how does the AJAX-loving Lite UI cope when one's session with the Grouper web application expires, such that it's trying to make AJAX requests into a session that no longer exists? Presumably those AJAX requests fail.  In some interesting way?  Ideally the Lite UI JavaScript would be smart enough to detect that and show a message that says

"Yo! Your session timed out!  You're no longer logged in to Grouper! So, you need to log in to Grouper again.  Click Here to do that! Cool? Cool."

Simply redirecting the whole page to a path requiring login might be an okay second choice, but I'd argue users don't expect their UI to suddenly redirect, they'd more appreciate a message indicating that re-login is required and the opportunity to trigger this themselves, possibly first getting a good idea of what they were in the middle of so they can pick up as best they can after their session is fixed.

It might be the case that CAS enters into this in that a CAS client library in front of Grouper has been configured to intercept and redirect those AJAX requests for web service endpoints, such that in the case where the user's session expired, it's trying to redirect them to the CAS login screen so the user can log in.  That might be an overly broad configuration of the CAS client library -- ideally only actually-user-facing paths would be redirected for login, whereas web service requests would be allowed to reach Grouper which can presumably respond to them with a more web-service-domain-specific error response (i.e. whatever the Grouper Lite UI JavaScript expected for an error response. :) )

Arguably, Lite UI should detect and handle the case where response to asynchronous requests is "weird", i.e. a redirect to a user-facing login UI or otherwise not the expected response, since of course CAS integrations won't be the only integrations that might make these responses wonky in the case where sessions expire.

The configuration mechanism for what URLs, if any, are redirected for CAS login (in the case where Grouper Java servlet application session is not already logged in and the immediate request does not present a validatable service ticket as a request parameter on the URL) varies by CAS client library.  If it's a Java Servlet Filter integration we're talking about here, it's a matter of the paths filtered in web.xml.

Insert here very polite and gentle suggestion that Grouper should consider implementing Spring Security or Apache Shiro to provide arguably better integration point for CAS and other login options and more standardized handling of what requests for paths that ought to have been authenticated but weren't are handled in what ways.

Kind regards,


PS: I'd worry a little bit that there's something else wrong with this story, in that, why wasn't the interaction with the admin UI keeping the Grouper web application session alive, such that the session shouldn't have timed out, such that the Lite UI's AJAX calls should have been happily working just fine and re-login shouldn't have been required???

On Thursday, July 19, 2012 at 2:57 PM, Gagné Sébastien wrote:

UI is 2.1.0 (haven’t tried 2.1.1)


I’m not 100% sure about how CAS works, but I believe the app server detects that the CAS ticket is expired and sends a redirect (302) to the login page. I believe the problem with the Lite UI is that the AJAX request inside a page won’t do a “regular” HTTP request and JavaScript might not handle the redirect properly (if it was sent with this type of request).


If I do a request for the Lite UI home page directly I am prompted by the login page. The problem is when I try to do an action inside the page when the session is expired.



From: Chris Hyzer []
Sent: July 19, 2012 14:45
To: Gagné Sébastien;
Subject: RE: Lite UI problems


What is the version of the Lite UI which has internationalization problems?  Have you tried in 2.1?


How does the browser know there is a problem with Authn?  Is there a 302 response from the app server when authentication is needed?  So if there is a 302 in ajax it should redirect to the same page which will trigger a logon?





From: On Behalf Of Gagné Sébastien
Sent: Thursday, July 19, 2012 2:39 PM
Subject: [grouper-dev] Lite UI problems



Using the lite UI I found some problems which would be nice if they were addressed in next UI


First, accent support is very iffy, we translated part of, but sometimes (like on buttons) the html entities were shown (e.g. &eacute;) instead of the value (é). There are some problems with encoding between Lite UI and Admin UI (one will show the character é while the other will show a question mark)


Also, if I enter some text for a grouper entity (an attribute in this case), accents are bugged :

Before Save:

After save :



Enough of our French eccentricity, there’s also a problem with CAS integration with the Lite UI :


We authenticate with CAS server and sessions expire after some time. This is no problem with the admin UI which will redirect you back to the login page to re-authenticate when you click on a link. However, this is not the case with the Lite UI, I will usually get a message box telling me that the XML request failed. If I re-authenticate using the Admin UI and go back in the Lite UI and do the same task, everything is back to normal. I believe this is because of the Ajax behind. It would be nice if there was a way to have a re-authentication (refresh the page maybe ? I think you need a new webrequest to have the app redirect you to the login page)





Sébastien Gagné,     | IT Analyst

514-343-6111 x33844  | Université de Montréal,

                     | Pavillon Roger-Gaudry, local X-100-11
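
An added example, not part of the original thread and not Grouper code: one way client-side script could tell an expired session apart from a genuine failure and offer a re-login link instead of redirecting, as the reply at the top of this thread suggests. The host `cas.example.edu`, the function names and the sample responses are assumptions made for illustration.

```javascript
// Added example. Host names, paths and function names are hypothetical.
const LOGIN_HOST = "cas.example.edu"; // assumed CAS server host
const EXPECTED_TYPES = ["text/xml", "application/xml", "application/json"];

// resp: { status, url, contentType } as the script sees it AFTER the browser
// has transparently followed any 302 (the 302 itself is never exposed to XHR).
function classifyAjaxResponse(resp, requestUrl) {
  const type = (resp.contentType || "").split(";")[0].trim().toLowerCase();
  const finalHost = new URL(resp.url || requestUrl, requestUrl).host;

  // Status 0: the request never completed, e.g. a cross-origin redirect to
  // the login server was blocked by the same-origin policy, or no network.
  if (resp.status === 0) return "blocked-or-offline";
  // The application itself said "not authenticated".
  if (resp.status === 401) return "reauth";
  // A redirect was followed and ended on the login server.
  if (finalHost === LOGIN_HOST) return "reauth";
  if (resp.status >= 200 && resp.status < 300) {
    // 2xx but HTML where a web-service payload was expected: a login page
    // was served in place of the data.
    return EXPECTED_TYPES.includes(type) ? "ok" : "reauth";
  }
  return "error";
}

// Decide what the UI does: show a message and offer a link to a full-page
// request (which triggers the normal login) rather than navigating away.
function uiActionFor(kind, currentPage) {
  switch (kind) {
    case "ok":
      return { proceed: true };
    case "reauth":
      return { proceed: false, loginLink: currentPage,
               message: "Your session timed out. Log in again to continue." };
    case "blocked-or-offline":
      return { proceed: false, loginLink: currentPage,
               message: "The request did not complete. Your session may have expired." };
    default:
      return { proceed: false, message: "The server reported an error." };
  }
}
```
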

