
grouper-users - RE: [grouper-users] Grouper 2.1.0 Lite Ui and Shib

Subject: Grouper Users - Open Discussion List

  • From: Chris Hyzer <>
  • To: Scott Koranda <>, grouper-users <>
  • Subject: RE: [grouper-users] Grouper 2.1.0 Lite Ui and Shib
  • Date: Wed, 28 Mar 2012 03:11:14 +0000
  • Accept-language: en-US

I think you should remove all the security stuff from the web.xml and protect
the whole application /grouper with shibboleth. Should we change the wiki?
Why do you need the security stuff in the web.xml?

You should be able to remove this:

<!--Inserting tag from base file. Merge file was
file:/C:/mchyzer/grouper/trunk/grouper-ui_trunk/temp/99.web.core-filters.xml-->
<security-constraint>
<web-resource-collection>
<web-resource-name>UI</web-resource-name>
<url-pattern>/grouperUi/app/*</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>*</role-name>
</auth-constraint>
</security-constraint>
<!--Inserting tag from base file. Merge file was
file:/C:/mchyzer/grouper/trunk/grouper-ui_trunk/temp/99.web.core-filters.xml-->
<security-constraint>
<web-resource-collection>
<web-resource-name>UI</web-resource-name>
<url-pattern>/grouperUi/appHtml/*</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>*</role-name>
</auth-constraint>
</security-constraint>
<!--Inserting tag from base file. Merge file was
file:/C:/mchyzer/grouper/trunk/grouper-ui_trunk/temp/99.web.core-filters.xml-->
<security-constraint>
<web-resource-collection>
<web-resource-name>UI</web-resource-name>
<url-pattern>/grouperExternal/app/*</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>*</role-name>
</auth-constraint>
</security-constraint>
<!--Inserting tag from base file. Merge file was
file:/C:/mchyzer/grouper/trunk/grouper-ui_trunk/temp/99.web.core-filters.xml-->
<security-constraint>
<web-resource-collection>
<web-resource-name>UI</web-resource-name>
<url-pattern>/grouperExternal/appHtml/*</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>*</role-name>
</auth-constraint>
</security-constraint>
<!--Inserting tag from base file. Merge file was
file:/C:/mchyzer/grouper/trunk/grouper-ui_trunk/temp/99.web.core-filters.xml-->
<security-constraint>
<web-resource-collection>
<web-resource-name>Tomcat login</web-resource-name>
<url-pattern>/login.do</url-pattern>
</web-resource-collection>
<auth-constraint>
<!-- NOTE: This role is not present in the default users file -->
<role-name>*</role-name>
</auth-constraint>
</security-constraint>
<login-config>
<auth-method>BASIC</auth-method>
<realm-name>Grouper Application</realm-name>
</login-config>
<!--Processing security-role-->
<!--Inserting tag from base file. Merge file was
file:/C:/mchyzer/grouper/trunk/grouper-ui_trunk/temp/99.web.core-filters.xml-->
<security-role>
<description>
The role that is required to log in to the Grouper UI
</description>
<role-name>*</role-name>
</security-role>

Thanks,
Chris


-----Original Message-----
From: [mailto:] On Behalf Of Scott Koranda
Sent: Tuesday, March 27, 2012 5:29 PM
To: grouper-users
Subject: [grouper-users] Grouper 2.1.0 Lite Ui and Shib

Hi,

We use Shibboleth to protect access to our Grouper UIs.

With Grouper 1.6.x I followed these nice instructions from the
Newcastle folks:

https://spaces.internet2.edu/display/Grouper/Newcastle+University+-+Protecting+UI+With+Shib

When attempting to do the same thing with Grouper 2.1.0 I
found that web.xml contains elements like

<auth-constraint>

instead of <user-data-constraint>. So I treated
<auth-constraint> as if it were <user-data-constraint> and
following the instructions above I set the element content to
NONE.

That caused the Lite UI to fail with a 403.

I then edited web.xml and did a global replace of
<auth-constraint> with <user-data-constraint> and that fixed
the Lite UI.

Two questions:

1) Did I do anything unsafe or incorrect by changing
<auth-constraint> to <user-data-constraint>?

2) Is <auth-constraint> correct and the Newcastle doc just
needs to be updated for 2.1.x or is that a distribution bug?

Thanks,

Scott
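
An added example, not part of either message and not Grouper project code: a Python check that lists, for each URL pattern in a web.xml, whether it carries an <auth-constraint> (role check enforced by the container) or only a <user-data-constraint> (transport guarantee), and counts the <login-config> and <security-role> elements still present. The sample document is constructed from constraints quoted in the thread; `audit`, `find`, `local` and `SAMPLE_WEB_XML` are hypothetical names.

```python
import xml.etree.ElementTree as ET

# Constructed sample: one constraint as quoted in the thread, plus a
# transport-only constraint of the kind the thread contrasts it with.
SAMPLE_WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>UI</web-resource-name>
      <url-pattern>/grouperUi/app/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>*</role-name></auth-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <url-pattern>/grouperUi/appHtml/*</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
      <transport-guarantee>NONE</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
  <login-config><auth-method>BASIC</auth-method></login-config>
  <security-role><role-name>*</role-name></security-role>
</web-app>"""

def local(tag):
    """Drop any '{namespace}' prefix so every web.xml schema version matches."""
    return tag.rsplit("}", 1)[-1]

def find(elem, name):
    return [e for e in elem.iter() if local(e.tag) == name]

def audit(web_xml_text):
    """Return ([(url_pattern, roles, transport)], leftover element counts)."""
    root = ET.fromstring(web_xml_text)
    constraints = []
    for sc in find(root, "security-constraint"):
        # None: no <auth-constraint>, so the container applies no role check.
        # []: <auth-constraint> naming no roles, which the servlet spec
        #     treats as deny-all for the matching URLs.
        roles = None
        for ac in find(sc, "auth-constraint"):
            roles = [(r.text or "").strip() for r in find(ac, "role-name")]
        transport = [(t.text or "").strip() for t in find(sc, "transport-guarantee")]
        for pat in find(sc, "url-pattern"):
            constraints.append(((pat.text or "").strip(), roles, transport[0] if transport else None))
    leftovers = {n: len(find(root, n)) for n in ("login-config", "security-role")}
    return constraints, leftovers

if __name__ == "__main__":
    print(audit(SAMPLE_WEB_XML))
```

A pattern reported with `roles=None` is not authenticated by the container at all, so access control for it rests entirely on whatever fronts the application.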




