grouper-users - authentication/authorization GrouperSystem for Grouper web services

Subject: Grouper Users - Open Discussion List

  • From: Scott Koranda <>
  • To: "" <>
  • Subject: authentication/authorization GrouperSystem for Grouper web services
  • Date: Fri, 30 Oct 2009 16:27:38 -0500

Hi,

(Sorry, longish note trying to explain the context...)

Currently we have a "web portal", coded in PHP, that drives
Grouper web services. The Grouper web services are served via
SSL/HTTPS and the portal PHP code authenticates as user
'GrouperSystem' because of this entry in tomcat-users.xml:

<tomcat-users>
<role rolename="grouper_user"/>
<user username="GrouperSystem" password="XXXXXXX" roles = "grouper_user"/>
</tomcat-users>

We want the portal to be authenticated as 'GrouperSystem' so
that it has the privileges to do everything it needs to
do--fine grained authorization is handled by the portal code
doing lookups into Grouper and using an 'act as' argument when
necessary.

Now I want to change that architecture a bit.

I want to protect all of Grouper web services (served via
Tomcat5 with Apache httpd in front) with some standard Apache
httpd authentication--right now mod_auth_kerb and eventually
Shibboleth.

With Chris' help yesterday I got that working with Grouper
1.4.x and a custom non-rampart authentication class. So I can
for example drive a Grouper REST interface after
authenticating with my Kerberos credentials
''.
This allows individual users to
drive the Grouper web services using their individual
credentials, and that should allow us to build some custom UIs
with something like AJAX technology. Looking forward to
Grouper 1.5 it sounds like I won't even need a custom
class--it will just be a configuration option.

But what about that web portal? How can I get the PHP web
portal to continue to be authenticated as 'GrouperSystem'?

I can surely issue a Kerberos principal for the portal and
have it authenticate using that, but it will end up being
something like
'',
which is not simply
'GrouperSystem'.

Of course I can always add a subject to the wheel group and so
it will have the same privileges as 'GrouperSystem', but that
subject needs to be resolved by Grouper.

I suppose I could add
''
into our LDAP
(all of our people subjects are resolved by Grouper in LDAP),
but that seems messy.

Is there a simple way for me to configure sources.xml so that
''
or similar is resolved to 'GrouperSystem'? Or
would I have to do something like stand up an additional JDBC
source with that one mapping in it?

I appreciate any input anybody has.

Thanks,

Scott
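As an added illustration (not from Scott's message or the Grouper project), this is the shape of the httpd front end the message describes: mod_auth_kerb protecting the Grouper WS path and proxying to Tomcat over AJP, so that the Kerberos principal reaches the custom authentication class as REMOTE_USER. The realm, keytab path, context path and AJP port are assumptions.

```apache
# Assumed layout: Grouper WS deployed at /grouper-ws in Tomcat 5,
# Tomcat AJP connector listening on localhost:8009.
<Location /grouper-ws>
    AuthType Kerberos
    AuthName "Grouper Web Services"
    # Placeholder realm; replace with the site's Kerberos realm.
    KrbAuthRealms EXAMPLE.EDU
    # Placeholder keytab holding the HTTP/<host> service key; readable by httpd only.
    Krb5KeyTab /etc/httpd/conf/http.keytab
    # SPNEGO/Negotiate only: no Basic-auth password fallback, so no
    # Kerberos password ever crosses the wire to this front end.
    KrbMethodNegotiate on
    KrbMethodK5Passwd off
    KrbServiceName HTTP
    # Any authenticated principal may reach the WS; Grouper decides what
    # it may do (wheel group membership, act-as, per-group privileges).
    Require valid-user
</Location>

# Hand the request to Tomcat; AJP carries REMOTE_USER to the webapp.
ProxyPass /grouper-ws ajp://localhost:8009/grouper-ws
ProxyPassReverse /grouper-ws ajp://localhost:8009/grouper-ws
```

Tomcat drops the identity httpd established unless the AJP connector in server.xml has `tomcatAuthentication="false"`; with that set, the principal (which for the portal will look like `portal/host@REALM` rather than `GrouperSystem`, exactly the mismatch the message raises) is what the custom authentication class sees.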


