grouper-users - Re: [grouper-users] REMOTE_USER and grouper-ws
Subject: Grouper Users - Open Discussion List
List archive
- From: Scott Koranda <>
- To: Chris Hyzer <>
- Cc: "" <>
- Subject: Re: [grouper-users] REMOTE_USER and grouper-ws
- Date: Fri, 30 Oct 2009 04:55:37 -0500
> I just added support for this in 1.5.0.
>
> I believe what you need to do if you don't want to wait for 1.5.0 is:
>
> 1. Create an authenticator class:
>
> package edu.myschol.grouper.security;
>
> import javax.servlet.http.HttpServletRequest;
> import edu.internet2.middleware.grouper.ws.security.WsCustomAuthentication;
>
> /**
> * remote user authentication
> */
> public class WsGrouperRemoteUserAuthentication implements
> WsCustomAuthentication {
>
> /**
> *
> * @see
> edu.internet2.middleware.grouper.ws.security.WsCustomAuthentication#retrieveLoggedInSubjectId(javax.servlet.http.HttpServletRequest)
> */
> public String retrieveLoggedInSubjectId(HttpServletRequest
> httpServletRequest)
> throws RuntimeException {
>
> return httpServletRequest.getRemoteUser();
> }
>
> }
>
> NOTE: if it is blank, it might be here:
>
> return httpServletRequest.getAttribute("REMOTE_USER");
>
> 2. Compile and put that in a jar in lib dir or in the classes dir
>
> 3. Put the classname in the grouper-ws.properties:
>
> ws.security.non-rampart.authentication.class =
> edu.myschol.grouper.security.WsGrouperRemoteUserAuthentication
>
>
> If you need help compiling and making the jar, let me know.
Thanks, that appears to work.
I did have to edit web.xml and I simply removed the
<security-constraint>, <login-config>, and <security-role>
sections. I did that because Tomcat is behind Apache httpd,
and we are protecting everything under /grouper-ws via
<Location /grouper-ws>
in httpd.conf.
Were the edits to web.xml the right thing to do for this use
case or is there some reason I should put those or other
constraints back in?
Thanks,
Scott
>
> Regards,
> Chris
>
> > -----Original Message-----
> > From: Scott Koranda
> > [mailto:]
> > Sent: Thursday, October 29, 2009 12:17 AM
> > To:
> >
> > Subject: [grouper-users] REMOTE_USER and grouper-ws
> >
> > Hi,
> >
> > Right now authentication to grouper-ws is being done via
> > hand-editing of the file tomcat-users.xml with entries like
> > this:
> >
> > <role rolename="grouper_user"/>
> > <user username="jota" password="whatever" roles="grouper_user"/>
> > <user username="jobr" password="whatever" roles="grouper_user"/>
> > <user username="eldo" password="whatever" roles="grouper_user"/>
> >
> > I would prefer to have grouper-ws "see" REMOTE_USER in the
> > same way that the Grouper UI "sees" REMOTE_USER.
> >
> > What changes do I need to make to my grouper-ws and Tomcat
> > configuration in order for REMOTE_USER to be used for
> > authentication (note that we are using Apache httpd to
> > front/proxy for Tomcat via AJP)?
> >
> > I apologize if the the details are staring at me from
> >
> > https://spaces.internet2.edu/display/GrouperWG/Authentication
> >
> > but I have not been able to discern from that page precisely
> > what to do.
> >
> > Thanks,
> >
> > Scott
- REMOTE_USER and grouper-ws, Scott Koranda, 10/29/2009
- RE: [grouper-users] REMOTE_USER and grouper-ws, Chris Hyzer, 10/29/2009
- Re: [grouper-users] REMOTE_USER and grouper-ws, Scott Koranda, 10/30/2009
- RE: [grouper-users] REMOTE_USER and grouper-ws, Chris Hyzer, 10/30/2009
- Re: [grouper-users] REMOTE_USER and grouper-ws, Scott Koranda, 10/30/2009
- RE: [grouper-users] REMOTE_USER and grouper-ws, Chris Hyzer, 10/29/2009
Archive powered by MHonArc 2.6.16.