grouper-users - Re: [grouper-users] grouper authZ&authN questions

Subject: Grouper Users - Open Discussion List

  • From: "GW Brown, Information Systems and Computing" <>
  • To: xiaohui Cai <>,
  • Subject: Re: [grouper-users] grouper authZ&authN questions
  • Date: Tue, 04 Apr 2006 15:41:21 +0100

Hi Xiaohui,

Grouper depends on external authentication - the UI calls HttpServletRequest.getRemoteUser() to find the identifier for the user.

This means that you must configure Tomcat, or your webserver to protect the UI. For Tomcat you can edit <TOMCAT_HOME>/conf/tomcat-users.xml to add:
<role rolename="grouper_user"/>

and

<user username="<loginid>" password="<password>" roles="grouper_user"/>

for each user.

For Apache you need to modify your httpd.conf:

<Location /grouper>
AuthType Basic
AuthName "grouper basic"
AuthUserFile <path to password file>*
require valid-user
</Location>

*if-users-crypt (Unix) or if-users-md5 (Windows) from the InstallFest. This assumes you have configured Apache with ModJk.

These methods are OK for demos, however, if you have a campus authentication service which uses an Apache module, you can configure Apache to use that to protect the UI and people can use their real username / passwords to login.

When the UI obtains a 'username' it calls Subject.getByIdentifier to obtain an instance of the Subject. The jdbc Subject source adapter matches the username to an attribute called 'loginid'. I'm not sure what the JNDI adapter matches against.

Tom has used PubCookie and I have used Yale CAS with the UI.

Hope this helps.

Gary



--On 04 April 2006 10:03 -0400 xiaohui Cai <> wrote:

Hi,

I did not seem to figure out how Grouper enforces privileges for Grouper
subjects. For example, I have created a group, and added members via
the jndi source adaptor to Georgetown directory. I assigned various
privileges to some of the members. My questions are,

How do the subjects login to grouper to exercise their privileges?
Where do the subject's login credentials come from? and what happens if
subjects are from multiple sources (LDAP and RDBM)?

Thanks,


Xiaohui Cai
202 687 6697




----------------------
GW Brown, Information Systems and Computing
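
The Tomcat setup described in the reply above, as an added example that is not part of the original message or of Grouper's own files: a WEB-INF/web.xml fragment that makes the container demand a login in the grouper_user role, so that HttpServletRequest.getRemoteUser() is populated before the UI runs. The URL pattern, resource name and realm name are assumptions.

```xml
<!-- Added example: fragment for the UI webapp's WEB-INF/web.xml.
     Without a constraint like this, the role and user entries in
     tomcat-users.xml protect nothing and getRemoteUser() returns null. -->

<security-constraint>
  <web-resource-collection>
    <!-- Name and pattern are assumptions; cover every UI path. -->
    <web-resource-name>Grouper UI</web-resource-name>
    <url-pattern>/*</url-pattern>
    <!-- No http-method elements: the constraint applies to all methods. -->
  </web-resource-collection>

  <!-- Only users holding the role defined in tomcat-users.xml get in. -->
  <auth-constraint>
    <role-name>grouper_user</role-name>
  </auth-constraint>

  <!-- Basic auth sends the password merely base64-encoded, so require
       TLS. Assumes an HTTPS connector is configured in server.xml. -->
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>

<!-- The container performs the login; the webapp only reads the result. -->
<login-config>
  <auth-method>BASIC</auth-method>
  <realm-name>Grouper UI</realm-name>
</login-config>

<!-- Declare the role referenced in auth-constraint above. -->
<security-role>
  <role-name>grouper_user</role-name>
</security-role>
```

When Apache does the authentication in front of Tomcat instead, the login name only reaches getRemoteUser() if the AJP connector in server.xml is set to tomcatAuthentication="false"; in that layout Tomcat's own HTTP connector should not be reachable by clients, or the Apache check can be bypassed.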



