
grouper-users - Re: [grouper-users] Error 403, but logged in anyway

Subject: Grouper Users - Open Discussion List




  • From: Loris Bennett <>
  • To: "GW Brown, Information Systems and Computing" <>
  • Cc: Grouper Users Mailing List <>
  • Subject: Re: [grouper-users] Error 403, but logged in anyway
  • Date: Fri, 20 Mar 2009 10:57:23 +0100
  • Organization: Freie Universität Berlin

On Thu, 2009-03-19 at 16:17 +0100, Loris Bennett wrote:
> Hi Gary,
>
> On Thu, 2009-03-19 at 13:50 +0000, GW Brown, Information Systems and
> Computing wrote:
> > Hi Loris,
> >
> > when you attempt to access /grouper-dev/ do you see the Grouper splash
> > screen with a login link or are you prompted for credentials immediately?
>
> I get the Grouper splash screen.
>
> > Do you map users to the grouper_user role?
>
> No.
>
> > What might be happening is that you successfully authenticate against
> > LDAP but are not assigned the grouper_user role required by the security
> > constraint in the web.xml. The security constraint only applies to
> > login.do. After that we depend on a session variable. So authentication
> > works, the role check fails, on going to /grouper-dev/ again the grouper
> > ui sees a 'remoteUser' and creates a session.
> >
> > You could try replacing the auth-constraint role-name with *
> > <auth-constraint>
> >   <role-name>*</role-name>
> > </auth-constraint>
> >
> > otherwise you can have multiple role-name elements to match appropriate
> > roles in LDAP.
>
> OK, I'll try this.

This didn't make any difference - I still get 403.

Maybe I shouldn't worry about this too much, as Tomcat will be behind an
Apache at some point. Still, it would be nice to know why the problem
occurs for some users but not for others.

Cheers

Loris

>
> Thanks,
>
> Loris
>
> > Gary
> >
> >
> >
> >
> > --On 19 March 2009 14:17 +0100 Loris Bennett
> > <>
> >
> > wrote:
> >
> > > Hi Gary,
> > >
> > > Authentication is done via META-INF/context.xml:
> > >
> > > <Context path="/grouper"
> > >          docBase="grouper"
> > >          debug="0"
> > >          privileged="false"
> > >          reloadable="false"
> > >          swallowOutput="true">
> > >   <Realm className="org.apache.catalina.realm.JNDIRealm"
> > >          debug="99"
> > >          connectionURL="ldaps://host1.dept.fu-berlin.de:1234"
> > >          alternateURL="ldaps://host2.dept.fu-berlin.de:1234"
> > >          userPattern="uid={0},ou=dept,o=fu-berlin,c=de"
> > >          roleBase="ou=grouper,o=fu-berlin,c=de"
> > >          roleSubtree="true"
> > >          roleSearch="(uniquemember={0})"
> > >          roleName="cn"
> > >          connectionName="cn=manager,o=fu-berlin,c=de"
> > >          connectionPassword="xxx"/>
> > > </Context>
> > >
> > > Cheers,
> > >
> > > Loris
> > >
> > >
> > > On Thu, 2009-03-19 at 13:02 +0000, GW Brown, Information Systems and
> > > Computing wrote:
> > >> Hi Loris,
> > >>
> > >> How is the LDAP authentication achieved?
> > >>
> > >> Gary
> > >>
> > >> --On 19 March 2009 13:53 +0100 Loris Bennett
> > >> <>
> > >> wrote:
> > >>
> > >> > Hi Gary,
> > >> >
> > >> > I am not using Apache - just Tomcat on its own.
> > >> >
> > >> > Cheers
> > >> >
> > >> > Loris
> > >> > On Thu, 2009-03-19 at 11:24 +0000, GW Brown, Information Systems and
> > >> > Computing wrote:
> > >> >> Hi Loris,
> > >> >>
> > >> >> Have you got Apache in front of Tomcat - and is it doing the
> > >> >> authentication? If so does it blanket protect grouper-dev? Otherwise
> > >> >> are you using a servlet filter?
> > >> >>
> > >> >> If you are using Apache can you isolate and post the relevant
> > >> >> section of the access log?
> > >> >>
> > >> >> In the web.xml there is a security constraint:
> > >> >> <security-constraint>
> > >> >>   <web-resource-collection>
> > >> >>     <web-resource-name>Tomcat login</web-resource-name>
> > >> >>     <url-pattern>/login.do</url-pattern>
> > >> >>   </web-resource-collection>
> > >> >>   <auth-constraint>
> > >> >>     <!-- NOTE: This role is not present in the default users file -->
> > >> >>     <role-name>grouper_user</role-name>
> > >> >>   </auth-constraint>
> > >> >> </security-constraint>
> > >> >>
> > >> >> Which may not be necessary if the authentication is through Apache.
> > >> >>
> > >> >> Thanks,
> > >> >>
> > >> >> Gary
> > >> >>
> > >> >> --On 19 March 2009 11:34 +0100 Loris Bennett
> > >> >> <>
> > >> >> wrote:
> > >> >>
> > >> >> > Hi Gary,
> > >> >> >
> > >> >> > My webapp is actually "grouper-dev" - "grouper" just comes from me
> > >> >> > having tweaked the logfile in a half-baked manner.
> > >> >> >
> > >> >> > I am authenticating against an LDAP server.
> > >> >> >
> > >> >> > Cheers,
> > >> >> >
> > >> >> > Loris
> > >> >> >
> > >> >> > On Thu, 2009-03-19 at 09:07 +0000, GW Brown, Information Systems
> > >> >> > and Computing wrote:
> > >> >> >> Hi Loris,
> > >> >> >>
> > >> >> >> Looking at the log I see:
> > >> >> >>
> > >> >> >> Caught '403' for /grouper-dev/login.do
> > >> >> >>
> > >> >> >> but the urls you gave /grouper/login.do. Is there actually a
> > >> >> >> difference? If so doing a clean build may help.
> > >> >> >>
> > >> >> >> What authentication are you using?
> > >> >> >>
> > >> >> >> Gary
> > >> >> >>
> > >> >> >>
> > >> >> >>
> > >> >> >>
> > >> >> >> --On 19 March 2009 09:37 +0100 Loris Bennett
> > >> >> >> <>
> > >> >> >> wrote:
> > >> >> >>
> > >> >> >> > Hi,
> > >> >> >> >
> > >> >> >> > Most, but not all, users get error 403 on logging into grouper.
> > >> >> >> > The URL displayed is
> > >> >> >> >
> > >> >> >> > https://host.fu-berlin.de:1234/grouper/login.do
> > >> >> >> >
> > >> >> >> > If they then delete the "login.do" bit of the URL, they get
> > >> >> >> > redirected to
> > >> >> >> >
> > >> >> >> > https://host.fu-berlin.de:1234/grouper/home.do
> > >> >> >> >
> > >> >> >> > and everything is fine. A log extract for the login is
> > >> >> >> > attached.
> > >> >> >> >
> > >> >> >> > Cheers
> > >> >> >> >
> > >> >> >> > Loris
> > >> >> >> >
> > >> >> >> >
> > >> >> >> >
> > >> >> >> >
> > >> >> >> > --
> > >> >> >> > Dr. Loris Bennett (Mr.)
> > >> >> >> > Freie Universität Berlin
> > >> >> >> > ZEDAT - Zentraleinrichtung für Datenverarbeitung / Computer
> > >> >> >> > Center Compute & Media Service
> > >> >> >> > Fabeckstr. 32, Room 221
> > >> >> >> > D-14195 Berlin
> > >> >> >> > Tel ++49 30 838 51024
> > >> >> >> > Fax ++49 30 838 56721
> > >> >> >> > Email
> > >> >> >> >
> > >> >> >> > Web www.zedat.fu-berlin.de
> > >> >> >>
> > >> >> >>
> > >> >> >>
> > >> >> >> ----------------------
> > >> >> >> GW Brown, Information Systems and Computing
> > >> >> >>
--
Dr. Loris Bennett (Mr.)
Freie Universität Berlin
ZEDAT - Zentraleinrichtung für Datenverarbeitung / Computer Center
Compute & Media Service
Fabeckstr. 32, Room 221
D-14195 Berlin
Tel ++49 30 838 51024
Fax ++49 30 838 56721
Email

Web www.zedat.fu-berlin.de
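Added example, not from the thread or from Grouper: a web.xml constraint on login.do that accepts several LDAP groups, together with the security-role declarations Tomcat requires, and beside it a JNDIRealm that admits any authenticated user instead. Role names, hostnames and DNs are assumed; Tomcat's Realm attribute allRolesMode is real, and in its default strict mode a wildcard role-name only matches roles declared in security-role, so a user whose DN is uniquemember of no group under roleBase still gets 403, which is the some-users-only symptom seen above.

```xml
<!-- web.xml: protect only login.do, as in the thread. JNDIRealm assigns
     the user the cn of every group under roleBase whose uniquemember
     attribute contains the user's DN; any one of the roles below suffices. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Tomcat login</web-resource-name>
    <url-pattern>/login.do</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <!-- assumed group cn values in the directory -->
    <role-name>grouper_user</role-name>
    <role-name>grouper_admin</role-name>
  </auth-constraint>
  <user-data-constraint>
    <!-- credentials only over TLS -->
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>

<!-- Each role used above must also be declared. With the default
     allRolesMode="strict" a <role-name>*</role-name> in auth-constraint
     matches only the roles declared here, not "any authenticated user". -->
<security-role>
  <role-name>grouper_user</role-name>
</security-role>
<security-role>
  <role-name>grouper_admin</role-name>
</security-role>

<!-- META-INF/context.xml alternative: allRolesMode="authOnly" makes the
     wildcard constraint pass for any user who authenticates against LDAP,
     whether or not roleSearch finds a group for them. Values are assumed. -->
<Realm className="org.apache.catalina.realm.JNDIRealm"
       connectionURL="ldaps://ldap.example.org:636"
       userPattern="uid={0},ou=people,dc=example,dc=org"
       roleBase="ou=groups,dc=example,dc=org"
       roleSubtree="true"
       roleSearch="(uniquemember={0})"
       roleName="cn"
       allRolesMode="authOnly"
       connectionName="cn=manager,dc=example,dc=org"
       connectionPassword="PLACEHOLDER"/>
```

Before changing the constraint, searching roleBase for (uniquemember=<user DN>) with the realm's bind account shows directly whether an affected user carries any role at all.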



