
grouper-users - RE: [grouper-users] RE: Restricting access to Grouper UI

Subject: Grouper Users - Open Discussion List


RE: [grouper-users] RE: Restricting access to Grouper UI


  • From: Chris Hyzer <>
  • To: Gagné Sébastien <>
  • Subject: RE: [grouper-users] RE: Restricting access to Grouper UI
  • Date: Wed, 10 Oct 2012 16:00:02 +0000
  • Accept-language: en-US

Whoops, I have the right code in the branch, but not in the jira… it should be this

 

      //this makes sure allowed in section
      Subject subjectLoggedIn = retrieveSubjectLoggedIn(true);
      if (subjectLoggedIn != null) {
        UiSection uiSection = uiSectionForRequest();
        ensureUserAllowedInSection(uiSection, subjectLoggedIn);
      }

 

 

I think you also need a new retrieveSubjectLoggedIn() method:

 

FROM:

 

  /**
   * retrieve the subject logged in
   *
   * @return the subject
   */
  public static Subject retrieveSubjectLoggedIn() {

    GrouperSession grouperSession = SessionInitialiser.getGrouperSession(retrieveHttpServletRequest().getSession());
    if (grouperSession != null && grouperSession.getSubject() != null) {
      return grouperSession.getSubject();
    }

    SessionContainer sessionContainer = SessionContainer.retrieveFromSession();

    Subject subjectLoggedIn = sessionContainer.getSubjectLoggedIn();

    HttpServletRequest request = retrieveHttpServletRequest();

    UiSection uiSectionForRequest = uiSectionForRequest();

    if (subjectLoggedIn != null) {
      return subjectLoggedIn;
    }

    //currently assumes user is in getUserPrincipal
    String userIdLoggedIn = remoteUser(request);

    if (StringUtils.isBlank(userIdLoggedIn) && uiSectionForRequest.isAnonymous()) {
      return null;
    }

    if (StringUtils.isBlank(userIdLoggedIn)) {
      throw new RuntimeException("Cant find logged in user");
    }

    GrouperSession rootSession = GrouperSession.startRootSession();
    try {
      subjectLoggedIn = SubjectFinder.findByIdOrIdentifier(userIdLoggedIn, true);
    } catch (RuntimeException re) {
      //this is probably a system error...  not a user error
      GrouperUtil.injectInException(re, "Cant find subject from login id: " + userIdLoggedIn);
      throw re;
    } finally {
      GrouperSession.stopQuietly(rootSession);
    }

    ensureUserAllowedInSection(uiSectionForRequest, subjectLoggedIn);

    sessionContainer.setSubjectLoggedIn(subjectLoggedIn);

    return subjectLoggedIn;

  }

 

TO:

 

  /**
   * retrieve the subject logged in
   *
   * @return the subject
   */
  public static Subject retrieveSubjectLoggedIn() {
    return retrieveSubjectLoggedIn(false);
  }

  /**
   * retrieve the subject logged in
   * @param allowNoUserLoggedIn true if allowed to have no user, false if expecting a user
   * @return the subject
   */
  private static Subject retrieveSubjectLoggedIn(boolean allowNoUserLoggedIn) {

    GrouperSession grouperSession = SessionInitialiser.getGrouperSession(retrieveHttpServletRequest().getSession());
    if (grouperSession != null && grouperSession.getSubject() != null) {
      return grouperSession.getSubject();
    }

    SessionContainer sessionContainer = SessionContainer.retrieveFromSession();

    Subject subjectLoggedIn = sessionContainer.getSubjectLoggedIn();

    HttpServletRequest request = retrieveHttpServletRequest();

    UiSection uiSectionForRequest = uiSectionForRequest();

    if (subjectLoggedIn != null) {
      return subjectLoggedIn;
    }

    //currently assumes user is in getUserPrincipal
    String userIdLoggedIn = remoteUser(request);

    if (StringUtils.isBlank(userIdLoggedIn) && uiSectionForRequest.isAnonymous()) {
      return null;
    }

    if (StringUtils.isBlank(userIdLoggedIn)) {
      //no remote user on this request yet; doFilter passes true so the
      //section check is skipped here instead of throwing
      if (allowNoUserLoggedIn) {
        return null;
      }
      throw new RuntimeException("Cant find logged in user");
    }

    GrouperSession rootSession = GrouperSession.startRootSession();
    try {
      subjectLoggedIn = SubjectFinder.findByIdOrIdentifier(userIdLoggedIn, true);
    } catch (RuntimeException re) {
      //this is probably a system error...  not a user error
      GrouperUtil.injectInException(re, "Cant find subject from login id: " + userIdLoggedIn);
      throw re;
    } finally {
      GrouperSession.stopQuietly(rootSession);
    }

    ensureUserAllowedInSection(uiSectionForRequest, subjectLoggedIn);

    sessionContainer.setSubjectLoggedIn(subjectLoggedIn);

    return subjectLoggedIn;

  }

 

 

 

I changed the jira.  Give it a try

 

Thanks,

Chris

 

Ps. here is the code I committed Aug 24…

 

http://anonsvn.internet2.edu/viewvc/viewvc.py/i2mi/branches/GROUPER_2_1_BRANCH/grouper-ui/java/src/edu/internet2/middleware/grouper/ui/GrouperUiFilter.java?r1=8465&view=log

 

From: Gagné Sébastien
Sent: Wednesday, October 10, 2012 10:10 AM
To: Chris Hyzer
Subject: RE: [grouper-users] RE: Restricting access to Grouper UI

 

I confirmed that removing the added code returns everything to normal (login and browsing is OK)

 

The problem might be because the CAS integration requires me to modify: webapp/WEB-INF/struts-config.xml

 

FROM

    <action path="/callLogin" scope="request"
            type="edu.internet2.middleware.grouper.ui.actions.CallLoginAction"
            unknown="false" validate="false">
      <forward name="callLogin" path="/login.do" redirect="true"/>
    </action>

 

TO

    <action path="/callLogin" scope="request"
            type="edu.internet2.middleware.grouper.ui.actions.CallLoginAction"
            unknown="false" validate="false">
      <forward name="callLogin" path="/home.do" redirect="true"/>
    </action>

 

Maybe login.do initializes something more (a session?) that home.do doesn’t.

 

 

From: Gagné Sébastien
Sent: 10 October 2012 09:29
To: Gagné Sébastien; Rahul Doshi; Chris Hyzer;
Subject: RE: [grouper-users] RE: Restricting access to Grouper UI

 

Well finally it doesn’t work completely…

 

Patching the GrouperUiFilter as per the JIRA fixes the problem for “native” authentication, but if I use the CAS integration I get an exception:

 

2012-10-10 09:08:11,798: [http-8080-8] ERROR GrouperUiFilter.doFilter(835) -  - UI error
java.lang.RuntimeException: Cant find logged in user
        at edu.internet2.middleware.grouper.ui.GrouperUiFilter.retrieveSubjectLoggedIn(GrouperUiFilter.java:261)
        at edu.internet2.middleware.grouper.ui.GrouperUiFilter.doFilter(GrouperUiFilter.java:823)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
        at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:233)
        at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191)
        at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:470)
        at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
        at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
        at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
        at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:293)
        at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:859)
        at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:602)
        at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:489)
        at java.lang.Thread.run(Thread.java:662)

 

 

 

From: On behalf of Gagné Sébastien
Sent: 9 October 2012 15:50
To: Rahul Doshi; Chris Hyzer;
Subject: RE: [grouper-users] RE: Restricting access to Grouper UI

 

You’re right. I added the patch and I get the error message.

 

Thanks!

 

From: Rahul Doshi
Sent: 9 October 2012 15:36
To: Gagné Sébastien; Chris Hyzer;
Subject: Re: [grouper-users] RE: Restricting access to Grouper UI

 

Not sure if the bug https://bugs.internet2.edu/jira/browse/GRP-840 is same.  Seems to have been fixed in 2.1.3

 

Thanks,

Rahul

 

From: Gagné Sébastien <>
Date: Tuesday, October 9, 2012 3:29 PM
To: Chris Hyzer <>, "" <>
Subject: [grouper-users] RE: Restricting access to Grouper UI

 

I’m running 2.1.2 API and UI

 

I edited: ui/conf/resources/grouper/media.properties

The one in “ui/dist/grouper/WEB-INF/classes/resources/grouper/media.properties” shows the same properties.

 

The “etc:GroupeAccesUI” was manually created in the UI with my grouper sysadmin account. It was not autocreated by GrouperSystem. In this group I only added an admin group that contains a bunch of other admin groups which is where the users actually are. I also tested by adding only one user in the UI group.

 

I tried with a user authenticated by CAS and one in the tomcat’s tomcat-user.xml (<user username="usr_gagns" password="123" roles="grouper_user"/>)

 

I don’t have any error in my logs

 

From: Chris Hyzer
Sent: 9 October 2012 14:47
To: Gagné Sébastien;
Subject: RE: Restricting access to Grouper UI

 

There have been some issues, though in my tests it seems to work.  If someone can debug or give more info that would help.  Also, which media.properties did you try?  If not this one, try here: resources/grouper/media.properties   (since it could also be a custom one).  Which version of Grouper are you on?  I did my testing on the latest 2.1

 

Here is a movie: http://www.youtube.com/watch?v=9bh8VhweTIQ

 

Here is a thread:  https://lists.internet2.edu/sympa/arc/grouper-users/2012-09/msg00019.html

 

Thanks,

Chris

 

 

From: On Behalf Of Gagné Sébastien
Sent: Tuesday, October 09, 2012 2:34 PM
To:
Subject: [grouper-users] Restricting access to Grouper UI

 

Hi,

I tried restricting the access to the Grouper UI to members of a specific group using the following configuration in media.properties, but it doesn’t work:

 

#users must be in this group to be able to login to the UI

require.group.for.logins=etc:GroupeAccesUI

 

I rebuilt the UI and I tried with and without CAS integration. Whatever I do, I can log in using any user, even those not in the group and even if the group is empty.

 

Am I missing something?  Is it broken?

 

Thanks

 

 

Sébastien Gagné,     | Analyste en informatique

514-343-6111 x33844  | Université de Montréal,

                     | Pavillon Roger-Gaudry, local X-100-11
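The gate the thread converges on, as a stand-alone added example rather than Grouper's own GrouperUiFilter code: a request-scoped check that resolves the remote user, fails closed when the user is authenticated but not in the group named by require.group.for.logins, and returns "no subject yet" only in the two cases the patched retrieveSubjectLoggedIn(boolean) allows (an anonymous section, or a caller that passed allowNoUserLoggedIn=true for the CAS redirect). UiSectionKind, SubjectDirectory, LoginGate, NotAllowedException and the subject ids are hypothetical stand-ins; only the group name etc:GroupeAccesUI and the exception messages come from the thread.

```java
import java.util.Map;
import java.util.Set;

/**
 * Added example, not Grouper code: a dependency-free model of the
 * "require.group.for.logins" gate. UiSectionKind, SubjectDirectory,
 * LoginGate and NotAllowedException are hypothetical stand-ins for
 * UiSection, SubjectFinder/group lookup, GrouperUiFilter and its
 * RuntimeExceptions.
 */
public class LoginGateExample {

    /** Whether a UI section may be served to a request with no login (e.g. the login page). */
    enum UiSectionKind { ANONYMOUS, AUTHENTICATED }

    /** Hypothetical in-memory directory: which subjects exist and which groups they belong to. */
    static final class SubjectDirectory {
        private final Map<String, Set<String>> groupsBySubject;

        SubjectDirectory(Map<String, Set<String>> groupsBySubject) {
            this.groupsBySubject = groupsBySubject;
        }

        boolean exists(String subjectId) {
            return groupsBySubject.containsKey(subjectId);
        }

        boolean isMember(String subjectId, String groupName) {
            return groupsBySubject.getOrDefault(subjectId, Set.<String>of()).contains(groupName);
        }
    }

    /** Thrown when the request must not proceed; the filter would render this as its "UI error". */
    static final class NotAllowedException extends RuntimeException {
        NotAllowedException(String message) { super(message); }
    }

    static final class LoginGate {
        private final SubjectDirectory directory;
        private final String requiredGroup; // value of require.group.for.logins; null means unrestricted

        LoginGate(SubjectDirectory directory, String requiredGroup) {
            this.directory = directory;
            this.requiredGroup = requiredGroup;
        }

        /**
         * Same shape as retrieveSubjectLoggedIn(boolean) in the thread. Returns null
         * only when there is no remote user AND (the section is anonymous OR the
         * caller opted in with allowNoUserLoggedIn). Everything else fails closed.
         */
        String resolveAndCheck(String remoteUser, UiSectionKind section, boolean allowNoUserLoggedIn) {
            boolean noUser = remoteUser == null || remoteUser.trim().isEmpty();
            if (noUser && section == UiSectionKind.ANONYMOUS) {
                return null;
            }
            if (noUser) {
                if (allowNoUserLoggedIn) {
                    return null;
                }
                throw new NotAllowedException("Cant find logged in user");
            }
            if (!directory.exists(remoteUser)) {
                // stand-in for SubjectFinder.findByIdOrIdentifier(id, true) failing
                throw new NotAllowedException("Cant find subject from login id: " + remoteUser);
            }
            ensureUserAllowedInSection(section, remoteUser);
            return remoteUser;
        }

        /**
         * Stand-in for ensureUserAllowedInSection. The doFilter snippet calls this
         * on every request, not only when the subject is first cached, so a session
         * established before the restriction was configured is still checked.
         */
        void ensureUserAllowedInSection(UiSectionKind section, String subjectId) {
            if (section == UiSectionKind.ANONYMOUS || requiredGroup == null) {
                return;
            }
            if (!directory.isMember(subjectId, requiredGroup)) {
                throw new NotAllowedException(subjectId + " is not a member of " + requiredGroup);
            }
        }
    }

    public static void main(String[] args) {
        // constructed sample data: group name from the thread, subject ids made up
        SubjectDirectory directory = new SubjectDirectory(Map.of(
                "usr_member", Set.of("etc:GroupeAccesUI"),
                "usr_outsider", Set.<String>of()));
        LoginGate gate = new LoginGate(directory, "etc:GroupeAccesUI");

        run(gate, "usr_member", UiSectionKind.AUTHENTICATED, false);   // case 1: member of the required group
        run(gate, "usr_outsider", UiSectionKind.AUTHENTICATED, false); // case 2: authenticated, not in the group
        run(gate, "", UiSectionKind.AUTHENTICATED, true);              // case 3: CAS redirect, no remote user yet, allowNoUserLoggedIn
        run(gate, "", UiSectionKind.AUTHENTICATED, false);             // case 4: no remote user, caller expects one
    }

    static void run(LoginGate gate, String remoteUser, UiSectionKind section, boolean allowNoUser) {
        try {
            String subject = gate.resolveAndCheck(remoteUser, section, allowNoUser);
            System.out.println("remoteUser='" + remoteUser + "' -> subject=" + subject);
        } catch (NotAllowedException e) {
            System.out.println("remoteUser='" + remoteUser + "' -> refused: " + e.getMessage());
        }
    }
}
```

Build and run with a Java 9 or newer JDK (`javac LoginGateExample.java && java LoginGateExample`). The point worth keeping when adapting the real filter: the membership check sits on the request path rather than only beside the code that first caches the subject, and the boolean flag widens the "no user yet" case only for the caller that asked for it, so an authenticated user outside etc:GroupeAccesUI is still refused.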

 



