grouper-users - Re: [grouper-users] Grouper 2.1.0 Lite Ui and Shib
Subject: Grouper Users - Open Discussion List
- From: Scott Koranda
- To: Chris Hyzer
- Cc: grouper-users
- Subject: Re: [grouper-users] Grouper 2.1.0 Lite Ui and Shib
- Date: Wed, 28 Mar 2012 08:52:22 -0500
Hi,
> I think you should remove all the security stuff from the
> web.xml
Ok.
> and protect the whole application /grouper with
> shibboleth.
Yes, that's what we do:
<Location /grouper>
AuthType shibboleth
ShibRequestSetting requireSession 1
Require isMemberOf ~ .+LSCVirgoLIGOGroupMembers.*
</Location>
> Should we change the wiki?
Yes, I think people new to Grouper who want to use Shib to
protect it will find the current instructions confusing since
the contents of the web.xml that is deployed differ now with
2.1.x from what was in 1.6.x.
I am happy to help edit the wiki though I have only deployed
with the scenario where we have required a Shib session to
access Grouper. That is, I have not tried a deployment
scenario using lazy sessions.
Please let me know if I should edit the page
https://spaces.internet2.edu/display/Grouper/Newcastle+University+-+Protecting+UI+With+Shib
> Why do you need the
> security stuff in the web.xml?
Apparently I do not. I edited it as you suggested below and it
appears to work just fine for my scenario.
Thanks,
Scott
>
> You should be able to remove this:
>
> <!--Inserting tag from base file. Merge file was
> file:/C:/mchyzer/grouper/trunk/grouper-ui_trunk/temp/99.web.core-filters.xml-->
> <security-constraint>
> <web-resource-collection>
> <web-resource-name>UI</web-resource-name>
> <url-pattern>/grouperUi/app/*</url-pattern>
> </web-resource-collection>
> <auth-constraint>
> <role-name>*</role-name>
> </auth-constraint>
> </security-constraint>
> <!--Inserting tag from base file. Merge file was
> file:/C:/mchyzer/grouper/trunk/grouper-ui_trunk/temp/99.web.core-filters.xml-->
> <security-constraint>
> <web-resource-collection>
> <web-resource-name>UI</web-resource-name>
> <url-pattern>/grouperUi/appHtml/*</url-pattern>
> </web-resource-collection>
> <auth-constraint>
> <role-name>*</role-name>
> </auth-constraint>
> </security-constraint>
> <!--Inserting tag from base file. Merge file was
> file:/C:/mchyzer/grouper/trunk/grouper-ui_trunk/temp/99.web.core-filters.xml-->
> <security-constraint>
> <web-resource-collection>
> <web-resource-name>UI</web-resource-name>
> <url-pattern>/grouperExternal/app/*</url-pattern>
> </web-resource-collection>
> <auth-constraint>
> <role-name>*</role-name>
> </auth-constraint>
> </security-constraint>
> <!--Inserting tag from base file. Merge file was
> file:/C:/mchyzer/grouper/trunk/grouper-ui_trunk/temp/99.web.core-filters.xml-->
> <security-constraint>
> <web-resource-collection>
> <web-resource-name>UI</web-resource-name>
> <url-pattern>/grouperExternal/appHtml/*</url-pattern>
> </web-resource-collection>
> <auth-constraint>
> <role-name>*</role-name>
> </auth-constraint>
> </security-constraint>
> <!--Inserting tag from base file. Merge file was
> file:/C:/mchyzer/grouper/trunk/grouper-ui_trunk/temp/99.web.core-filters.xml-->
> <security-constraint>
> <web-resource-collection>
> <web-resource-name>Tomcat login</web-resource-name>
> <url-pattern>/login.do</url-pattern>
> </web-resource-collection>
> <auth-constraint>
> <!-- NOTE: This role is not present in the default users file -->
> <role-name>*</role-name>
> </auth-constraint>
> </security-constraint>
> <login-config>
> <auth-method>BASIC</auth-method>
> <realm-name>Grouper Application</realm-name>
> </login-config>
> <!--Processing security-role-->
> <!--Inserting tag from base file. Merge file was
> file:/C:/mchyzer/grouper/trunk/grouper-ui_trunk/temp/99.web.core-filters.xml-->
> <security-role>
> <description>
> The role that is required to log in to the Grouper UI
> </description>
> <role-name>*</role-name>
> </security-role>
>
> Thanks,
> Chris
>
>
> -----Original Message-----
> From: On Behalf Of Scott Koranda
> Sent: Tuesday, March 27, 2012 5:29 PM
> To: grouper-users
> Subject: [grouper-users] Grouper 2.1.0 Lite Ui and Shib
>
> Hi,
>
> We use Shibboleth to protect access to our Grouper UIs.
>
> With Grouper 1.6.x I followed these nice instructions from the
> Newcastle folks:
>
> https://spaces.internet2.edu/display/Grouper/Newcastle+University+-+Protecting+UI+With+Shib
>
> When attempting to do the same thing with Grouper 2.1.0 I
> found that web.xml contains elements like
>
> <auth-constraint>
>
> instead of <user-data-constraint>. So I treated
> <auth-constraint> as if it were <user-data-constraint> and
> following the instructions above I set the element content to
> NONE.
>
> That caused the Lite UI to fail with a 403.
>
> I then edited web.xml and did a global replace of
> <auth-constraint> with <user-data-constraint> and that fixed
> the Lite UI.
>
> Two questions:
>
> 1) Did I do anything unsafe or incorrect by changing
> <auth-constraint> to <user-data-constraint>?
>
> 2) Is <auth-constraint> correct and the Newcastle doc just
> needs to be updated for 2.1.x or is that a distribution bug?
>
> Thanks,
>
> Scott
>
>
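Added example (not part of the original thread and not Grouper's own code): a small Python audit of a web.xml that reports, per URL pattern, what the servlet container itself still enforces, which is the question behind swapping `<auth-constraint>` for `<user-data-constraint>`. It goes slightly beyond the thread by also reporting an `<auth-constraint>` that names no roles, which the servlet specification treats as deny-all; the sample XML, the verdict labels and the function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample modelled on the constraints quoted in the thread:
# one untouched, one after the global replace, one with an empty auth-constraint.
SAMPLE_WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection><url-pattern>/grouperUi/app/*</url-pattern></web-resource-collection>
    <auth-constraint><role-name>*</role-name></auth-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection><url-pattern>/grouperUi/appHtml/*</url-pattern></web-resource-collection>
    <user-data-constraint><role-name>*</role-name></user-data-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection><url-pattern>/login.do</url-pattern></web-resource-collection>
    <auth-constraint/>
  </security-constraint>
  <login-config><auth-method>BASIC</auth-method></login-config>
</web-app>"""


def audit(web_xml):
    """Return ([(url_pattern, verdict)], login_auth_method) for a web.xml string."""
    root = ET.fromstring(web_xml)
    for el in root.iter():                      # drop any XML namespace prefix
        el.tag = el.tag.rsplit("}", 1)[-1]
    findings = []
    for sc in root.iter("security-constraint"):
        auth = sc.find("auth-constraint")
        if auth is None:
            verdict = "no-container-auth"       # container lets the request through
        else:
            roles = [r.text.strip() for r in auth.findall("role-name")]
            verdict = "roles:" + ",".join(roles) if roles else "deny-all"
        findings += [(p.text.strip(), verdict) for p in sc.iter("url-pattern")]
    login = root.find("login-config/auth-method")
    return findings, (login.text.strip() if login is not None else None)


def container_auth_remaining(web_xml):
    """True if any auth-constraint or login-config is still present."""
    findings, method = audit(web_xml)
    return method is not None or any(v != "no-container-auth" for _, v in findings)


if __name__ == "__main__":
    for pattern, verdict in audit(SAMPLE_WEB_XML)[0]:
        print(f"{pattern:28} {verdict}")
```

Once every pattern reports `no-container-auth` and no `<login-config>` remains, access control rests entirely on the Apache `<Location /grouper>` block, so the servlet container should only be reachable through that front end.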