grouper-users - Re: [grouper-users] REMOTE_USER and grouper-ws

Subject: Grouper Users - Open Discussion List

  • From: Scott Koranda
  • To: Chris Hyzer
  • Subject: Re: [grouper-users] REMOTE_USER and grouper-ws
  • Date: Fri, 30 Oct 2009 04:55:37 -0500

> I just added support for this in 1.5.0.
>
> I believe what you need to do if you don't want to wait for 1.5.0 is:
>
> 1. Create an authenticator class:
>
> package edu.myschol.grouper.security;
>
> import javax.servlet.http.HttpServletRequest;
> import edu.internet2.middleware.grouper.ws.security.WsCustomAuthentication;
>
> /**
>  * remote user authentication
>  */
> public class WsGrouperRemoteUserAuthentication implements WsCustomAuthentication {
>
>   /**
>    * @see edu.internet2.middleware.grouper.ws.security.WsCustomAuthentication#retrieveLoggedInSubjectId(javax.servlet.http.HttpServletRequest)
>    */
>   public String retrieveLoggedInSubjectId(HttpServletRequest httpServletRequest)
>       throws RuntimeException {
>
>     return httpServletRequest.getRemoteUser();
>   }
>
> }
>
> NOTE: if it is blank, it might be here:
>
> return (String) httpServletRequest.getAttribute("REMOTE_USER");
>
> 2. Compile and put that in a jar in lib dir or in the classes dir
>
> 3. Put the classname in the grouper-ws.properties:
>
> ws.security.non-rampart.authentication.class =
> edu.myschol.grouper.security.WsGrouperRemoteUserAuthentication
>
>
> If you need help compiling and making the jar, let me know.

Thanks, that appears to work.

I did have to edit web.xml and I simply removed the
<security-constraint>, <login-config>, and <security-role>
sections. I did that because Tomcat is behind Apache httpd,
and we are protecting everything under /grouper-ws via

<Location /grouper-ws>

in httpd.conf.

Were the edits to web.xml the right thing to do for this use
case or is there some reason I should put those or other
constraints back in?

Thanks,

Scott



>
> Regards,
> Chris
>
> > -----Original Message-----
> > From: Scott Koranda
> > Sent: Thursday, October 29, 2009 12:17 AM
> > Subject: [grouper-users] REMOTE_USER and grouper-ws
> >
> > Hi,
> >
> > Right now authentication to grouper-ws is being done via
> > hand-editing of the file tomcat-users.xml with entries like
> > this:
> >
> > <role rolename="grouper_user"/>
> > <user username="jota" password="whatever" roles="grouper_user"/>
> > <user username="jobr" password="whatever" roles="grouper_user"/>
> > <user username="eldo" password="whatever" roles="grouper_user"/>
> >
> > I would prefer to have grouper-ws "see" REMOTE_USER in the
> > same way that the Grouper UI "sees" REMOTE_USER.
> >
> > What changes do I need to make to my grouper-ws and Tomcat
> > configuration in order for REMOTE_USER to be used for
> > authentication (note that we are using Apache httpd to
> > front/proxy for Tomcat via AJP)?
> >
> > I apologize if the details are staring at me from
> >
> > https://spaces.internet2.edu/display/GrouperWG/Authentication
> >
> > but I have not been able to discern from that page precisely
> > what to do.
> >
> > Thanks,
> >
> > Scott
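
With the <security-constraint>, <login-config> and <security-role> sections removed from web.xml, the httpd <Location /grouper-ws> block is the only authentication in front of grouper-ws, so the authenticator is the last place to notice a request that arrived without REMOTE_USER. The following is an added example, not code from either poster or from the Grouper project: a variant of the class in the thread that throws instead of returning a null or blank subject id. The class name and the decision to throw are assumptions.

```java
package edu.myschol.grouper.security;

import javax.servlet.http.HttpServletRequest;
import edu.internet2.middleware.grouper.ws.security.WsCustomAuthentication;

/**
 * Added example (hypothetical class name): REMOTE_USER authentication
 * that fails closed when the front-end did not supply a user.
 */
public class WsGrouperStrictRemoteUserAuthentication implements WsCustomAuthentication {

  /** Attribute name mentioned in the thread as the fallback location. */
  private static final String REMOTE_USER_ATTRIBUTE = "REMOTE_USER";

  public String retrieveLoggedInSubjectId(HttpServletRequest httpServletRequest)
      throws RuntimeException {

    // Primary source: the user name the container reports for this request
    String remoteUser = httpServletRequest.getRemoteUser();

    // Fallback from the thread: the value may arrive as a request attribute
    if (isBlank(remoteUser)) {
      Object attribute = httpServletRequest.getAttribute(REMOTE_USER_ATTRIBUTE);
      // getAttribute returns Object, so check the type before using it
      remoteUser = (attribute instanceof String) ? (String) attribute : null;
    }

    // Assumption: refuse the request rather than hand back null or ""
    // when nothing in front of Tomcat authenticated it
    if (isBlank(remoteUser)) {
      throw new RuntimeException(
          "No REMOTE_USER on request to " + httpServletRequest.getRequestURI());
    }
    return remoteUser.trim();
  }

  /** True for null, empty, or whitespace-only values. */
  private static boolean isBlank(String value) {
    return value == null || value.trim().length() == 0;
  }
}
```

The class is enabled the same way as in step 3, by naming it in ws.security.non-rampart.authentication.class in grouper-ws.properties.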


