Subject: Grouper Users - Open Discussion List
- From: "GW Brown, Information Systems and Computing" <>
- To: xiaohui Cai <>,
- Subject: Re: [grouper-users] grouper authZ&authN questions
- Date: Tue, 04 Apr 2006 15:41:21 +0100
Grouper depends on external authentication - the UI calls HttpServletRequest.getRemoteUser() to find the identifier for the user.
This means that you must configure Tomcat, or your webserver, to protect the UI. For Tomcat you can edit <TOMCAT_HOME>/conf/tomcat-users.xml to add:
<user username="<loginid>" password="<password>" roles="grouper_user"/>
for each user.
For Apache you need to modify your httpd.conf:
AuthName "grouper basic"
AuthUserFile <path to password file>*
*if-users-crypt (Unix) or if-users-md5 (Windows) from the InstallFest. This assumes you have configured Apache with ModJk.
These methods are OK for demos; however, if you have a campus authentication service which uses an Apache module, you can configure Apache to use that to protect the UI and people can use their real usernames / passwords to log in.
When the UI obtains a 'username' it calls Subject.getByIdentifier to obtain an instance of the Subject. The jdbc Subject source adapter matches the username to an attribute called 'loginid'. I'm not sure what the JNDI adapter matches against.
Tom has used PubCookie and I have used Yale CAS with the UI.
Hope this helps.
--On 04 April 2006 10:03 -0400 xiaohui Cai
I did not seem to figure out how Grouper enforces privileges for Grouper
subjects. For example, I have created a group, and added members via
the jndi source adaptor to Georgetown directory. I assigned various
privileges to some of the members. My questions are,
How do the subjects log in to grouper to exercise their privileges?
Where do the subject's login credentials come from? and what happens if
subjects are from multiple sources (LDAP and RDBM)?
202 687 6697
GW Brown, Information Systems and Computing
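A check for the Tomcat case described in the reply above, added here as an example and not part of the original message or of Grouper: since the UI trusts getRemoteUser(), the webapp's web.xml has to require a role (grouper_user in the tomcat-users.xml line above) for every path. The descriptors are constructed samples and audit_web_xml is a hypothetical helper name.

```python
import xml.etree.ElementTree as ET

# Constructed sample descriptor (not Grouper's shipped web.xml).
PROTECTED_WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>ui</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>grouper_user</role-name></auth-constraint>
  </security-constraint>
  <login-config><auth-method>BASIC</auth-method></login-config>
  <security-role><role-name>grouper_user</role-name></security-role>
</web-app>"""

# Constructed variant that covers only part of the UI: requests to any other
# path reach the application with getRemoteUser() returning null.
PARTIAL_WEB_XML = PROTECTED_WEB_XML.replace("/*<", "/admin/*<")


def audit_web_xml(xml_text, required_role="grouper_user"):
    """Return a list of findings; an empty list means every path needs the role."""
    root = ET.fromstring(xml_text)
    for el in root.iter():
        el.tag = el.tag.rsplit("}", 1)[-1]  # drop any XML namespace prefix

    def texts(parent, path):
        return [(e.text or "").strip() for e in parent.findall(path)]

    findings, covered = [], False
    for sc in root.findall("security-constraint"):
        if "/*" not in texts(sc, "web-resource-collection/url-pattern"):
            continue
        if required_role not in texts(sc, "auth-constraint/role-name"):
            continue
        if sc.findall("web-resource-collection/http-method"):
            findings.append("constraint on /* lists http-method elements; "
                            "methods not listed are left unconstrained")
        else:
            covered = True
    if not covered:
        findings.append("no security-constraint requires %s for /*" % required_role)
    if not texts(root, "login-config/auth-method"):
        findings.append("no login-config/auth-method: the container cannot "
                        "authenticate anyone")
    return findings


if __name__ == "__main__":
    for name, doc in (("protected", PROTECTED_WEB_XML), ("partial", PARTIAL_WEB_XML)):
        print(name, audit_web_xml(doc) or "OK")
```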