Subject: Grouper Users - Open Discussion List
- From: Tom Barton <>
- To: xiaohui Cai <>
- Subject: Re: [grouper-users] grouper authZ&authN questions
- Date: Tue, 04 Apr 2006 09:49:50 -0500
Great questions. Please see below. -Tom
xiaohui Cai wrote:
> I did not seem to figure out how Grouper enforce privileges for Grouper subjects. For example, I have created a group, and added members via the jndi source adaptor to Georgetown directory. I assigned various privileges to some of the members. My questions are,
> How do the subjects login to grouper to exercise their privileges?
> Where do the subject's login credentials come from?
The default grouper UI relies on REMOTE_USER to be provided by tomcat, which may in turn be provided to it by apache via mod_jk. It sounds like you need to arrange for some type of g'town authentication service to protect your grouper UI instance. The UI uses the value of REMOTE_USER to do a getSubjectByIdentifier() source adapter lookup. So, you'll need to configure the jndi source adapter's "searchSubjectByIdentifier" filter to find the appropriate ldap entry. For example, if g'town usernames are stored in ldap as "uid", then "(uid=%TERM%)" is an essential part of that filter specification.
> and what happens if subjects are from multiple sources (LDAP and RDBM)?
I believe that getSubjectByIdentifier() call at UI login time iterates over all configured sources. So, if it returns other than exactly one match, you've got a problem. The Subject API's design effectively assumes that records in distinct back-end systems refer to distinct real-world objects, i.e., there's nothing in the Subject API that can be used to logically join records across multiple sources.
Does this help?
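A small model of the login path Tom describes (REMOTE_USER fed to getSubjectByIdentifier() across every configured source, with the "exactly one match" rule enforced), added here as an illustration and not Grouper's or the Subject API's own code. The source ids, filter templates, record keys and login names are constructed; the model only understands a single "(attr=%TERM%)" equality clause, not general LDAP filters.

```python
from dataclasses import dataclass

class SubjectNotFoundException(Exception):
    """No configured source resolved the identifier."""

class SubjectNotUniqueException(Exception):
    """More than one record (possibly across sources) matched."""

@dataclass(frozen=True)
class Subject:
    source_id: str   # which back end answered, e.g. "gtown-ldap" (constructed id)
    subject_id: str  # that source's stable key for the record

class Source:
    """One back end with a searchSubjectByIdentifier-style filter, e.g. "(uid=%TERM%)"."""

    def __init__(self, source_id, filter_template, records):
        self.source_id = source_id
        # this model understands only a single equality clause on %TERM%
        attr, _, value = filter_template.strip("()").partition("=")
        if value != "%TERM%":
            raise ValueError("model supports only '(attr=%TERM%)' filters")
        self.attr = attr
        self.records = records  # {subject_id: {attribute: value}}

    def search_subject_by_identifier(self, term):
        # %TERM% is replaced by the login name; a real LDAP adapter must escape
        # filter metacharacters in term before substituting it into the filter
        return [Subject(self.source_id, sid)
                for sid, attrs in self.records.items()
                if attrs.get(self.attr) == term]

def get_subject_by_identifier(sources, remote_user):
    """What the UI does with REMOTE_USER: query every source, demand exactly one hit."""
    hits = [s for src in sources for s in src.search_subject_by_identifier(remote_user)]
    if not hits:
        raise SubjectNotFoundException(remote_user)
    if len(hits) > 1:
        # the Subject API cannot join records across sources, so this is fatal
        raise SubjectNotUniqueException(f"{remote_user} -> {hits}")
    return hits[0]

# constructed sample data: one LDAP-like and one RDBMS-like source
LDAP = Source("gtown-ldap", "(uid=%TERM%)",
              {"1001": {"uid": "xcai"}, "1002": {"uid": "jdoe"}})
RDBMS = Source("gtown-rdbms", "(loginid=%TERM%)",
               {"u7": {"loginid": "tbarton"}, "u8": {"loginid": "jdoe"}})
```

The "jdoe" login exists in both constructed sources, so resolving it against both raises SubjectNotUniqueException, which is the multi-source problem Tom points at.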