
grouper-users - Re: [grouper-users] Grouper 2.1.0 Lite Ui and Shib

Subject: Grouper Users - Open Discussion List

  • From: Scott Koranda <>
  • To: Chris Hyzer <>
  • Cc: grouper-users <>
  • Subject: Re: [grouper-users] Grouper 2.1.0 Lite Ui and Shib
  • Date: Wed, 28 Mar 2012 08:52:22 -0500

Hi,

> I think you should remove all the security stuff from the
> web.xml

Ok.

> and protect the whole application /grouper with
> shibboleth.

Yes, that's what we do:

<Location /grouper>
AuthType shibboleth
ShibRequestSetting requireSession 1
Require isMemberOf ~ .+LSCVirgoLIGOGroupMembers.*
</Location>

> Should we change the wiki?

Yes, I think people new to Grouper who want to use Shib to
protect it will find the current instructions confusing since
the contents of the web.xml that is deployed differ now with
2.1.x from what was in 1.6.x.

I am happy to help edit the wiki though I have only deployed
with the scenario where we have required a Shib session to
access Grouper. That is, I have not tried a deployment
scenario using lazy sessions.

Please let me know if I should edit the page

https://spaces.internet2.edu/display/Grouper/Newcastle+University+-+Protecting+UI+With+Shib

> Why do you need the
> security stuff in the web.xml?

Apparently I do not. I edited it as you suggested below and it
appears to work just fine for my scenario.

Thanks,

Scott

>
> You should be able to remove this:
>
> <!--Inserting tag from base file. Merge file was
> file:/C:/mchyzer/grouper/trunk/grouper-ui_trunk/temp/99.web.core-filters.xml-->
> <security-constraint>
> <web-resource-collection>
> <web-resource-name>UI</web-resource-name>
> <url-pattern>/grouperUi/app/*</url-pattern>
> </web-resource-collection>
> <auth-constraint>
> <role-name>*</role-name>
> </auth-constraint>
> </security-constraint>
> <!--Inserting tag from base file. Merge file was
> file:/C:/mchyzer/grouper/trunk/grouper-ui_trunk/temp/99.web.core-filters.xml-->
> <security-constraint>
> <web-resource-collection>
> <web-resource-name>UI</web-resource-name>
> <url-pattern>/grouperUi/appHtml/*</url-pattern>
> </web-resource-collection>
> <auth-constraint>
> <role-name>*</role-name>
> </auth-constraint>
> </security-constraint>
> <!--Inserting tag from base file. Merge file was
> file:/C:/mchyzer/grouper/trunk/grouper-ui_trunk/temp/99.web.core-filters.xml-->
> <security-constraint>
> <web-resource-collection>
> <web-resource-name>UI</web-resource-name>
> <url-pattern>/grouperExternal/app/*</url-pattern>
> </web-resource-collection>
> <auth-constraint>
> <role-name>*</role-name>
> </auth-constraint>
> </security-constraint>
> <!--Inserting tag from base file. Merge file was
> file:/C:/mchyzer/grouper/trunk/grouper-ui_trunk/temp/99.web.core-filters.xml-->
> <security-constraint>
> <web-resource-collection>
> <web-resource-name>UI</web-resource-name>
> <url-pattern>/grouperExternal/appHtml/*</url-pattern>
> </web-resource-collection>
> <auth-constraint>
> <role-name>*</role-name>
> </auth-constraint>
> </security-constraint>
> <!--Inserting tag from base file. Merge file was
> file:/C:/mchyzer/grouper/trunk/grouper-ui_trunk/temp/99.web.core-filters.xml-->
> <security-constraint>
> <web-resource-collection>
> <web-resource-name>Tomcat login</web-resource-name>
> <url-pattern>/login.do</url-pattern>
> </web-resource-collection>
> <auth-constraint>
> <!-- NOTE: This role is not present in the default users file -->
> <role-name>*</role-name>
> </auth-constraint>
> </security-constraint>
> <login-config>
> <auth-method>BASIC</auth-method>
> <realm-name>Grouper Application</realm-name>
> </login-config>
> <!--Processing security-role-->
> <!--Inserting tag from base file. Merge file was
> file:/C:/mchyzer/grouper/trunk/grouper-ui_trunk/temp/99.web.core-filters.xml-->
> <security-role>
> <description>
> The role that is required to log in to the Grouper UI
> </description>
> <role-name>*</role-name>
> </security-role>
>
> Thanks,
> Chris
>
>
> -----Original Message-----
> From:
>
>
> [mailto:]
> On Behalf Of Scott Koranda
> Sent: Tuesday, March 27, 2012 5:29 PM
> To: grouper-users
> Subject: [grouper-users] Grouper 2.1.0 Lite Ui and Shib
>
> Hi,
>
> We use Shibboleth to protect access to our Grouper UIs.
>
> With Grouper 1.6.x I followed these nice instructions from the
> Newcastle folks:
>
> https://spaces.internet2.edu/display/Grouper/Newcastle+University+-+Protecting+UI+With+Shib
>
> When attempting to do the same thing with Grouper 2.1.0 I
> found that web.xml contains elements like
>
> <auth-constraint>
>
> instead of <user-data-constraint>. So I treated
> <auth-constraint> as if it were <user-data-constraint> and
> following the instructions above I set the element content to
> NONE.
>
> That caused the Lite UI to fail with a 403.
>
> I then edited web.xml and did a global replace of
> <auth-constraint> with <user-data-constraint> and that fixed
> the Lite UI.
>
> Two questions:
>
> 1) Did I do anything unsafe or incorrect by changing
> <auth-constraint> to <user-data-constraint>?
>
> 2) Is <auth-constraint> correct and the Newcastle doc just
> needs to be updated for 2.1.x or is that a distribution bug?
>
> Thanks,
>
> Scott
>
>
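
Added example, not part of the original messages and not Grouper code: a small audit of a web.xml for container-managed security left in place when Shibboleth protects the whole application. It lists each url-pattern that still carries an <auth-constraint>, flags a <user-data-constraint> with no <transport-guarantee> child (which is what a global rename of <auth-constraint> leaves behind), and reports any <login-config>. The names audit_web_xml and SAMPLE_WEB_XML are hypothetical and the sample descriptor is constructed.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the first constraint is as quoted in the thread, the
# second is what renaming <auth-constraint> to <user-data-constraint> leaves.
SAMPLE_WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <url-pattern>/grouperUi/app/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>*</role-name></auth-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <url-pattern>/grouperUi/appHtml/*</url-pattern>
    </web-resource-collection>
    <user-data-constraint><role-name>*</role-name></user-data-constraint>
  </security-constraint>
  <login-config><auth-method>BASIC</auth-method></login-config>
</web-app>"""

def local(tag):
    # Drop a namespace prefix such as {http://java.sun.com/xml/ns/javaee}.
    return tag.rsplit("}", 1)[-1]

def child_texts(parent, name):
    return [c.text.strip() for c in parent if local(c.tag) == name and c.text]

def audit_web_xml(xml_text):
    """Return (url-pattern, finding) pairs in document order."""
    findings = []
    for el in ET.fromstring(xml_text).iter():
        name = local(el.tag)
        if name == "login-config":
            methods = child_texts(el, "auth-method") or ["?"]
            findings.append(("(whole app)", "login-config auth-method: " + methods[0]))
        if name != "security-constraint":
            continue
        kids = {local(c.tag): c for c in el}
        patterns = [p.text.strip() for p in el.iter()
                    if local(p.tag) == "url-pattern" and p.text]
        for pat in patterns:
            if "auth-constraint" in kids:
                roles = child_texts(kids["auth-constraint"], "role-name")
                findings.append((pat, "auth-constraint roles: " + (",".join(roles) or "(none)")))
            if "user-data-constraint" in kids:
                tg = child_texts(kids["user-data-constraint"], "transport-guarantee")
                findings.append((pat, "transport-guarantee: " + tg[0] if tg
                                 else "user-data-constraint lacks transport-guarantee"))
    return findings
```

An empty result from audit_web_xml means the descriptor holds no security-constraint or login-config elements, so access control rests entirely on the front-end <Location /grouper> block.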


