
grouper-users - RE: [grouper-users] Restricting access to Grouper

Subject: Grouper Users - Open Discussion List

  • From: Chris Hyzer <>
  • To: Baron Fujimoto <>, "" <>
  • Subject: RE: [grouper-users] Restricting access to Grouper
  • Date: Thu, 23 Aug 2012 05:01:26 +0000
  • Accept-language: en-US

No, I don't think so, though when I created this, we used this feature at
Penn, and now the UI is used embedded in other apps via lite ui, and people
are delegating access to the main UI without the central Grouper staff
knowing, so we don't use it anymore and didn't realize it doesn't work.

It's fixed though, can you incorporate a fix into the source code and redeploy
and see how it goes?


Thanks,
Chris

https://bugs.internet2.edu/jira/browse/GRP-840

GrouperUiFilter.java:

FROM: (doFilter())


filterChain.doFilter(httpServletRequest, response);

TO:

Subject subjectLoggedIn = retrieveSubjectLoggedIn();
UiSection uiSection = uiSectionForRequest();
ensureUserAllowedInSection(uiSection, subjectLoggedIn);

filterChain.doFilter(httpServletRequest, response);


And media.properties:

FROM:

#users must be in this group to be able to login to the UI
require.group.for.logins=

#users must be in this group to be able to login to the lite membership update UI
require.group.for.membershipUpdateLite.logins=

#users must be in this group to be able to login to the subjectPicker UI
require.group.for.subjectPicker.logins=

#users must be in this group to invite external users to grouper
require.group.for.inviteExternalSubjects.logins=

#users must be in this group to assign/create/etc attributes in the UI (new attribute framework)
require.group.for.attributeUpdateLite.logins=

TO:

#users must be in this group to be able to login to the UI
#note: if they are in this group, then they can use the lite ui too
require.group.for.logins=

#users must be in this group to be able to login to the lite membership update UI (if not in require.group.for.logins)
require.group.for.membershipUpdateLite.logins=

#users must be in this group to be able to login to the subjectPicker UI (if not in require.group.for.logins or require.group.for.membershipUpdateLite.logins)
require.group.for.subjectPicker.logins=

#users must be in this group to invite external users to grouper
require.group.for.inviteExternalSubjects.logins=

#users must be in this group to assign/create/etc attributes in the UI (new attribute framework) (if not in require.group.for.logins)
require.group.for.attributeUpdateLite.logins=

-----Original Message-----
From: [mailto:] On Behalf Of Baron Fujimoto
Sent: Wednesday, August 22, 2012 5:17 PM
To:

Subject: Re: [grouper-users] Restricting access to Grouper

Since I'm still confused, perhaps I should have asked, is this the expected
behavior? I expected some sort of more explicit "You don't have permission
to use Grouper" type error message or page.

Aloha,
-baron

On Tue, Aug 21, 2012 at 02:26:27PM -1000, Baron Fujimoto wrote:
: Thanks for the pointer to media.properties.
:
: In grouper.properties, I have the following:
:
: configuration.autocreate.group.name.1 = etc:uiUsers
: configuration.autocreate.group.description.1 = users allowed to log in to the UI
: configuration.autocreate.group.subjects.1 = teststaf
:
: and in grouper-ui/conf/resources/grouper/media.properties I've set
:
: require.group.for.logins=etc:uiUsers
:
: If I log in to Grouper as a user that is not in etc:uiUsers (or wheel type
: group), I still seem to have access to the UI. Although I don't appear
: to have any create, etc. type privileges, I can still perform searches and
: browse from the "../grouper/doSearchSubjects.do" URL.
:
:
: On Tue, Aug 21, 2012 at 04:10:08AM +0000, Chris Hyzer wrote:
: : The grouper.properties can autocreate the UI / WS groups. You make the
: : UI be restricted to a group, you should be able to use the media.properties
: : to specify the group, and in the WS, it's the grouper-ws.properties where you
: : specify it. Let me know how it goes.
: :
: : Thanks,
: : Chris
: :
: : ________________________________________
: : From: [] on behalf of Baron Fujimoto []
: : Sent: Monday, August 20, 2012 11:12 PM
: : To:

: : Subject: [grouper-users] Restricting access to Grouper
: :
: : We'd like to be able to restrict access to the Grouper API (via the UI
: : or WS) to a specified group of users. What is the recommended way to
: : accomplish this using Grouper?
: :
: : grouper.example.properties includes some commented out entries that
: : hint at a starting point to achieve this, but I wasn't able to find
: : further examples or documentation on where to go from there; i.e. given
: : this group, how to restrict the access?
: :
: : #configuration.autocreate.group.name.0 = etc:uiUsers
: : #configuration.autocreate.group.description.0 = users allowed to log in to the UI
: : #configuration.autocreate.group.subjects.0 = johnsmith
: :
:
: --
: Baron Fujimoto <>
:: UH Information Technology Services
: minutas cantorum, minutas balorum, minutas carboratum desendus pantorum

--
Baron Fujimoto <>
:: UH Information Technology Services
minutas cantorum, minutas balorum, minutas carboratum desendus pantorum
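
How the group fallbacks described in the TO: media.properties comments could be evaluated, as an added example that is not part of the thread or of Grouper's source. SectionGate, Section, isAllowed and the groups etc:liteUsers and etc:pickerUsers are hypothetical, and treating a blank property as "unrestricted" is an assumption. As in the doFilter() fix, a check like this has to run before the request is handed to the rest of the filter chain.

```java
import java.util.Properties;
import java.util.Set;

// Added illustration only: SectionGate, Section and isAllowed are hypothetical
// names, not Grouper classes. Property keys are the ones quoted in the thread.
public class SectionGate {
    enum Section {
        MAIN_UI("require.group.for.logins"),
        MEMBERSHIP_UPDATE_LITE("require.group.for.membershipUpdateLite.logins",
                "require.group.for.logins"),
        SUBJECT_PICKER("require.group.for.subjectPicker.logins",
                "require.group.for.logins",
                "require.group.for.membershipUpdateLite.logins"),
        INVITE_EXTERNAL("require.group.for.inviteExternalSubjects.logins"),
        ATTRIBUTE_UPDATE_LITE("require.group.for.attributeUpdateLite.logins",
                "require.group.for.logins");

        final String ownKey;          // property naming this section's own group
        final String[] fallbackKeys;  // broader groups that also grant access
        Section(String ownKey, String... fallbackKeys) {
            this.ownKey = ownKey;
            this.fallbackKeys = fallbackKeys;
        }
    }

    static boolean isAllowed(Section section, Set<String> userGroups, Properties props) {
        String own = props.getProperty(section.ownKey, "").trim();
        if (own.isEmpty()) return true;            // assumption: blank means unrestricted
        if (userGroups.contains(own)) return true;
        for (String key : section.fallbackKeys) {  // e.g. main UI users may use the lite UI too
            String group = props.getProperty(key, "").trim();
            if (!group.isEmpty() && userGroups.contains(group)) return true;
        }
        return false;                              // caller denies before continuing the chain
    }

    public static void main(String[] args) {
        Properties props = new Properties();
        props.setProperty("require.group.for.logins", "etc:uiUsers");
        props.setProperty("require.group.for.membershipUpdateLite.logins", "etc:liteUsers"); // constructed
        props.setProperty("require.group.for.subjectPicker.logins", "etc:pickerUsers");      // constructed
        Set<String> outsider = Set.of();
        Set<String> liteOnly = Set.of("etc:liteUsers");
        Set<String> uiUser = Set.of("etc:uiUsers");
        System.out.println("outsider, main UI: " + isAllowed(Section.MAIN_UI, outsider, props));
        System.out.println("lite-only, main UI: " + isAllowed(Section.MAIN_UI, liteOnly, props));
        System.out.println("lite-only, subject picker: " + isAllowed(Section.SUBJECT_PICKER, liteOnly, props));
        System.out.println("ui user, membership lite: " + isAllowed(Section.MEMBERSHIP_UPDATE_LITE, uiUser, props));
    }
}
```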


