Grouper Users - Open Discussion List

["GW Brown, Information Systems and Computing" <>]

Hi Xiaohui,

Grouper depends on external authentication - the UI calls 
HttpServletRequest.getRemoteUser() to find the identifier for the user.

This means that you must configure Tomcat, or your webserver to protect the 
UI. For Tomcat you can edit <TOMCAT_HOME>/conf/tomcat-users.xml to add:
<role rolename="grouper_user"/>

and

<user username="<loginid>" password="<password>" roles="grouper_user"/>

for each user.

For Apache you need to modify your httpd.conf:

<Location /grouper>
AuthType Basic
AuthName "grouper basic"
AuthUserFile <path to password file>*
require valid-user
</Location>

*if-users-crypt (Unix) or  if-users-md5 (Windows) from the InstallFest. 
This assumes you have configured Apache with ModJk.

These methods are OK for demos, however, if you have a campus 
authentication service which uses an Apache module, you can configure 
Apache to use that to protect the UI and people can use their real username 
/ passwords to login.

When the UI obtains a 'username' it calls Subject.getByIdentifier to obtain 
an instance of the Subject. The jdbc Subject source adapter matches the 
username to an attribute called 'loginid'. I'm not sure what the JNDI 
adapter matches against.

Tom has used PubCookie and I have used Yale CAS with the UI.

Hope this helps.

Gary



--On 04 April 2006 10:03 -0400 xiaohui Cai 
<>
 wrote:

> Hi,
>
> I did not seem to figure out how Grouper enforce privileges for  Grouper
> subjects.  For example, I have created a group, and added  members via
> the jndi source adaptor to Georgetown directory.  I  assigned various
> privileges to  some of the members.  My questions are,
>
> How do the subjects login to grouper to exercise their privileges?
> Where do the subject's login credentials come from? and what happens  if
> subjects are from multiple sources (LDAP and RDBM)?
>
> Thanks,
>
>
> Xiaohui Cai
> 202 687 6697



----------------------
GW Brown, Information Systems and Computing