grouper-users - RE: [grouper-users] Error 403, but logged in anyway

Subject: Grouper Users - Open Discussion List

  • From: Loris Bennett <>
  • To: Chris Hyzer <>
  • Cc: "GW Brown, Information Systems and Computing" <>, Grouper Users Mailing List <>
  • Subject: RE: [grouper-users] Error 403, but logged in anyway
  • Date: Fri, 20 Mar 2009 14:13:33 +0100
  • Organization: Freie Universität Berlin

It is now working.

I think the problem was that I had tried and failed to extend the
security constraint beyond login.do and left the web.xml in a
semi-broken state.

My local tomcat expert has now sorted me out.

Sorry for causing unnecessary activity at your end(s).

Cheers

Loris

On Fri, 2009-03-20 at 08:36 -0400, Chris Hyzer wrote:
> Do you have tomcat pre 5.5.15?
>
> http://threebit.net/mail-archive/tomcat-users/msg00081.html
>
> There should be more to google on this issue since it seems like a tomcat
> problem, right?
>
> Let us know
> Chris
>
> > -----Original Message-----
> > From: Loris Bennett
> > [mailto:]
> > Sent: Friday, March 20, 2009 5:57 AM
> > To: GW Brown, Information Systems and Computing
> > Cc: Grouper Users Mailing List
> > Subject: Re: [grouper-users] Error 403, but logged in anyway
> >
> > On Thu, 2009-03-19 at 16:17 +0100, Loris Bennett wrote:
> > > Hi Gary,
> > >
> > > On Thu, 2009-03-19 at 13:50 +0000, GW Brown, Information Systems and
> > > Computing wrote:
> > > > Hi Loris,
> > > >
> > > > when you attempt to access /grouper-dev/ do you see the Grouper splash
> > > > screen with a login link or are you prompted for credentials immediately?
> > >
> > > I get the Grouper splash screen.
> > >
> > > > Do you map users to the grouper_user role?
> > >
> > > No.
> > >
> > > > What might be happening is that you successfully authenticate against LDAP
> > > > but are not assigned the grouper_user role required by the security
> > > > constraint in the web.xml. The security constraint only applies to
> > > > login.do. After that we depend on a session variable. So authentication
> > > > works, the role check fails, on going to /grouper-dev/ again the grouper ui
> > > > sees a 'remoteUser' and creates a session.
> > > >
> > > > You could try replacing the auth-constraint role-name with *
> > > >   <auth-constraint>
> > > >     <role-name>*</role-name>
> > > >   </auth-constraint>
> > > >
> > > > otherwise you can have multiple role-name elements to match appropriate
> > > > roles in LDAP.
> > >
> > > OK, I'll try this.
> >
> > This didn't make any difference - I still get 403.
> >
> > Maybe I shouldn't worry about this too much, as tomcat will be behind an
> > apache at some point. Still it would be nice to know why the problem
> > occurs for some users but not for others.
> >
> > Cheers
> >
> > Loris
> >
> > >
> > > Thanks,
> > >
> > > Loris
> > >
> > > > Gary
> > > >
> > > >
> > > >
> > > >
> > > > --On 19 March 2009 14:17 +0100 Loris Bennett <loris.bennett@fu-berlin.de>
> > > > wrote:
> > > >
> > > > > Hi Gary,
> > > > >
> > > > > Authentication is done via META-INF/context.xml:
> > > > >
> > > > > <Context path="/grouper"
> > > > >          docBase="grouper"
> > > > >          debug="0"
> > > > >          privileged="false"
> > > > >          reloadable="false"
> > > > >          swallowOutput="true">
> > > > >   <Realm className="org.apache.catalina.realm.JNDIRealm"
> > > > >          debug="99"
> > > > >          connectionURL="ldaps://host1.dept.fu-berlin.de:1234"
> > > > >          alternateURL="ldaps://host2.dept.fu-berlin.de:1234"
> > > > >          userPattern="uid={0},ou=dept,o=fu-berlin,c=de"
> > > > >          roleBase="ou=grouper,o=fu-berlin,c=de"
> > > > >          roleSubtree="true"
> > > > >          roleSearch="(uniquemember={0})"
> > > > >          roleName="cn"
> > > > >          connectionName="cn=manager,o=fu-berlin,c=de"
> > > > >          connectionPassword="xxx"/>
> > > > > </Context>
> > > > >
> > > > > Cheers,
> > > > >
> > > > > Loris
> > > > >
> > > > >
> > > > > On Thu, 2009-03-19 at 13:02 +0000, GW Brown, Information Systems and
> > > > > Computing wrote:
> > > > >> Hi Loris,
> > > > >>
> > > > >> How is the LDAP authentication achieved?
> > > > >>
> > > > >> Gary
> > > > >>
> > > > >> --On 19 March 2009 13:53 +0100 Loris Bennett
> > > > >> <>
> > > > >> wrote:
> > > > >>
> > > > >> > Hi Gary,
> > > > >> >
> > > > >> > I am not using Apache - just Tomcat on its own.
> > > > >> >
> > > > >> > Cheers
> > > > >> >
> > > > >> > Loris
> > > > >> > On Thu, 2009-03-19 at 11:24 +0000, GW Brown, Information Systems and
> > > > >> > Computing wrote:
> > > > >> >> Hi Loris,
> > > > >> >>
> > > > >> >> Have you got Apache in front of Tomcat - and is it doing the
> > > > >> >> authentication? If so does it blanket protect grouper-dev? Otherwise
> > > > >> >> are you using a servlet filter?
> > > > >> >>
> > > > >> >> If you are using Apache can you isolate and post the relevant section
> > > > >> >> of the access log?
> > > > >> >>
> > > > >> >> In the web.xml there is a security constraint:
> > > > >> >> <security-constraint>
> > > > >> >>   <web-resource-collection>
> > > > >> >>     <web-resource-name>Tomcat login</web-resource-name>
> > > > >> >>     <url-pattern>/login.do</url-pattern>
> > > > >> >>   </web-resource-collection>
> > > > >> >>   <auth-constraint>
> > > > >> >>     <!-- NOTE: This role is not present in the default users file -->
> > > > >> >>     <role-name>grouper_user</role-name>
> > > > >> >>   </auth-constraint>
> > > > >> >> </security-constraint>
> > > > >> >>
> > > > >> >> Which may not be necessary if the authentication is through Apache.
> > > > >> >>
> > > > >> >> Thanks,
> > > > >> >>
> > > > >> >> Gary
> > > > >> >>
> > > > >> >> --On 19 March 2009 11:34 +0100 Loris Bennett
> > > > >> >> <>
> > > > >> >> wrote:
> > > > >> >>
> > > > >> >> > Hi Gary,
> > > > >> >> >
> > > > >> >> > My webapp is actually "grouper-dev" - "grouper" just comes from me
> > > > >> >> > having tweaked the logfile in a half-baked manner.
> > > > >> >> >
> > > > >> >> > I am authenticating against an LDAP server.
> > > > >> >> >
> > > > >> >> > Cheers,
> > > > >> >> >
> > > > >> >> > Loris
> > > > >> >> >
> > > > >> >> > On Thu, 2009-03-19 at 09:07 +0000, GW Brown, Information Systems and
> > > > >> >> > Computing wrote:
> > > > >> >> >> Hi Loris,
> > > > >> >> >>
> > > > >> >> >> Looking at the log I see:
> > > > >> >> >>
> > > > >> >> >> Caught '403' for /grouper-dev/login.do
> > > > >> >> >>
> > > > >> >> >> but the urls you gave /grouper/login.do. Is there actually a
> > > > >> >> >> difference? If so doing a clean build may help.
> > > > >> >> >>
> > > > >> >> >> What authentication are you using?
> > > > >> >> >>
> > > > >> >> >> Gary
> > > > >> >> >>
> > > > >> >> >>
> > > > >> >> >>
> > > > >> >> >>
> > > > >> >> >> --On 19 March 2009 09:37 +0100 Loris Bennett
> > > > >> >> >> <>
> > > > >> >> >> wrote:
> > > > >> >> >>
> > > > >> >> >> > Hi,
> > > > >> >> >> >
> > > > >> >> >> > Most, but not all, users get error 403 on logging into grouper.
> > > > >> >> >> > The URL displayed is
> > > > >> >> >> >
> > > > >> >> >> > https://host.fu-berlin.de:1234/grouper/login.do
> > > > >> >> >> >
> > > > >> >> >> > If they then delete the "login.do" bit of the URL, they get
> > > > >> >> >> > redirected to
> > > > >> >> >> >
> > > > >> >> >> > https://host.fu-berlin.de:1234/grouper/home.do
> > > > >> >> >> >
> > > > >> >> >> > and everything is fine. A log extract for the login is attached.
> > > > >> >> >> >
> > > > >> >> >> > Cheers
> > > > >> >> >> >
> > > > >> >> >> > Loris
> > > > >> >> >> >
> > > > >> >> >> >
> > > > >> >> >> >
> > > > >> >> >> >
> > > > >> >> >>
> > > > >> >> >>
> > > > >> >> >>
> > > > >> >> >> ----------------------
> > > > >> >> >> GW Brown, Information Systems and Computing
> > > > >> >> >>
>
--
Dr. Loris Bennett (Mr.)
Freie Universität Berlin
ZEDAT - Zentraleinrichtung für Datenverarbeitung / Computer Center
Compute & Media Service
Fabeckstr. 32, Room 221
D-14195 Berlin
Tel ++49 30 838 51024
Fax ++49 30 838 56721
Email

Web www.zedat.fu-berlin.de
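The point Gary makes in the thread is that the container's security constraint covers only /login.do, so every other URL (home.do included) is protected by nothing but the webapp's own session check, and that a user can authenticate against LDAP and still get a 403 because the realm did not hand them the role the auth-constraint demands. The script below is an added example, not code from the Grouper project or from Tomcat: it parses a constructed web.xml modelled on the fragment quoted above, resolves request paths against its url-patterns with the Servlet url-pattern matching rules, and reports whether a user holding a given set of realm roles would be let through. The way it combines overlapping constraints and its reading of the `*` role-name (any role declared in `<security-role>`, which is the Servlet-spec wording and what Tomcat's default `allRolesMode="strict"` enforces) are assumptions about the container; the role names `grouper-admins` and the sample descriptors are hypothetical.

```python
"""Which request paths does a web.xml security-constraint really cover?

Added example (not Grouper's or Tomcat's code). Parses a constructed web.xml
modelled on the fragment quoted in the thread, resolves request paths against
its url-patterns with Servlet-spec matching rules, and reports whether a user
holding a given set of realm roles would be let through by the container.
"""
from dataclasses import dataclass
from typing import Optional
import xml.etree.ElementTree as ET

# Constructed fragment modelled on the thread's web.xml: only /login.do is
# behind the container; every other path relies on the webapp's own session check.
WEB_XML_LOGIN_ONLY = """<web-app xmlns="http://java.sun.com/xml/ns/javaee">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Tomcat login</web-resource-name>
      <url-pattern>/login.do</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>grouper_user</role-name></auth-constraint>
  </security-constraint>
  <security-role><role-name>grouper_user</role-name></security-role>
</web-app>"""

# Same descriptor with the "*" role-name suggested in the thread (constructed).
WEB_XML_STAR = WEB_XML_LOGIN_ONLY.replace(
    "<role-name>grouper_user</role-name></auth", "<role-name>*</role-name></auth")


def _local(tag: str) -> str:
    """Strip the namespace so the parser works with or without an xmlns."""
    return tag.rsplit("}", 1)[-1]


@dataclass
class Constraint:
    patterns: list          # url-patterns of the web-resource-collection(s)
    roles: Optional[list]   # None = no <auth-constraint>, [] = empty (deny everyone)


def parse_web_xml(text: str):
    """Return (constraints, declared_roles) from a web.xml document."""
    constraints, declared = [], set()
    for el in ET.fromstring(text):
        if _local(el.tag) == "security-role":
            declared.update(r.text.strip() for r in el if _local(r.tag) == "role-name")
        elif _local(el.tag) == "security-constraint":
            patterns, roles = [], None
            for child in el:
                if _local(child.tag) == "web-resource-collection":
                    patterns += [p.text.strip() for p in child if _local(p.tag) == "url-pattern"]
                elif _local(child.tag) == "auth-constraint":
                    roles = [r.text.strip() for r in child if _local(r.tag) == "role-name"]
            constraints.append(Constraint(patterns, roles))
    return constraints, declared


def pattern_matches(pattern: str, path: str) -> bool:
    """Servlet url-pattern matching: exact, path prefix (/x/*), extension (*.do), default (/)."""
    if pattern == path:
        return True
    if pattern.endswith("/*"):
        prefix = pattern[:-2]
        return path == prefix or path.startswith(prefix + "/")
    if pattern.startswith("*."):
        return path.endswith(pattern[1:])
    return pattern == "/"


def required_roles(constraints, path: str) -> Optional[set]:
    """Combine every constraint matching `path` (assumed Servlet-spec 13.8.1 rules):
    no matching constraint, or one without <auth-constraint>, leaves the path open (None);
    an empty <auth-constraint/> denies everyone (empty set); otherwise roles are unioned."""
    matched = [c for c in constraints if any(pattern_matches(p, path) for p in c.patterns)]
    if not matched or any(c.roles is None for c in matched):
        return None
    if any(c.roles == [] for c in matched):
        return set()
    return set().union(*(c.roles for c in matched))


def decide(constraints, declared: set, path: str, user_roles) -> str:
    """'open' (container does nothing), 'allow', or '403' for a user with these realm roles.
    Assumption: '*' means 'any role declared in <security-role>' (Servlet-spec wording and
    Tomcat's default allRolesMode=strict), not 'any authenticated user'."""
    required = required_roles(constraints, path)
    if required is None:
        return "open"
    if "*" in required:
        required = (required - {"*"}) | declared
    return "allow" if required & set(user_roles) else "403"


def audit(web_xml: str, paths, user_roles) -> dict:
    """Map each request path to open / allow / 403 for a user with the given realm roles."""
    constraints, declared = parse_web_xml(web_xml)
    return {p: decide(constraints, declared, p, user_roles) for p in paths}


if __name__ == "__main__":
    paths = ["/login.do", "/home.do", "/"]
    for label, xml in (("grouper_user", WEB_XML_LOGIN_ONLY), ("*", WEB_XML_STAR)):
        print(label, "authenticated, no roles     :", audit(xml, paths, []))
        print(label, "LDAP role cn=grouper-admins :", audit(xml, paths, ["grouper-admins"]))
        print(label, "LDAP role cn=grouper_user   :", audit(xml, paths, ["grouper_user"]))
```

Run against a real descriptor, the "open" rows are the ones worth a second look: they are exactly the paths where a bug in the webapp's own session handling, or a stale `remoteUser`, is the only thing between an unauthenticated request and the page. The `*` variant also shows why swapping in `*` does not by itself cure a 403: a user whose LDAP group maps to a role that is not declared in `<security-role>` still fails under the strict reading.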




Archive powered by MHonArc 2.6.16.
