grouper-users - RE: [grouper-users] RE: Restricting access to Grouper UI
Subject: Grouper Users - Open Discussion List
- From: Chris Hyzer <>
- To: Gagné Sébastien <>
- Subject: RE: [grouper-users] RE: Restricting access to Grouper UI
- Date: Wed, 10 Oct 2012 16:00:02 +0000
- Accept-language: en-US
Whoops, I have the right code in the branch, but not in the jira… it should be this:

    //this makes sure allowed in section
    Subject subjectLoggedIn = retrieveSubjectLoggedIn(true);
    if (subjectLoggedIn != null) {
      UiSection uiSection = uiSectionForRequest();
      ensureUserAllowedInSection(uiSection, subjectLoggedIn);
    }

I think you also need a new retrieveSubjectLoggedIn() method:

FROM:
    /**
     * retrieve the subject logged in
     * @return the subject
     */
    public static Subject retrieveSubjectLoggedIn() {
      GrouperSession grouperSession = SessionInitialiser.getGrouperSession(retrieveHttpServletRequest().getSession());
      if (grouperSession != null && grouperSession.getSubject() != null) {
        return grouperSession.getSubject();
      }
      SessionContainer sessionContainer = SessionContainer.retrieveFromSession();
      Subject subjectLoggedIn = sessionContainer.getSubjectLoggedIn();
      HttpServletRequest request = retrieveHttpServletRequest();
      UiSection uiSectionForRequest = uiSectionForRequest();
      if (subjectLoggedIn != null) {
        return subjectLoggedIn;
      }
      //currently assumes user is in getUserPrincipal
      String userIdLoggedIn = remoteUser(request);
      if (StringUtils.isBlank(userIdLoggedIn) && uiSectionForRequest.isAnonymous()) {
        return null;
      }
      if (StringUtils.isBlank(userIdLoggedIn)) {
        throw new RuntimeException("Cant find logged in user");
      }
      GrouperSession rootSession = GrouperSession.startRootSession();
      try {
        subjectLoggedIn = SubjectFinder.findByIdOrIdentifier(userIdLoggedIn, true);
      } catch (RuntimeException re) {
        //this is probably a system error... not a user error
        GrouperUtil.injectInException(re, "Cant find subject from login id: " + userIdLoggedIn);
        throw re;
      } finally {
        GrouperSession.stopQuietly(rootSession);
      }
      ensureUserAllowedInSection(uiSectionForRequest, subjectLoggedIn);
      sessionContainer.setSubjectLoggedIn(subjectLoggedIn);
      return subjectLoggedIn;
    }

TO:
    /**
     * retrieve the subject logged in
     * @return the subject
     */
    public static Subject retrieveSubjectLoggedIn() {
      return retrieveSubjectLoggedIn(false);
    }

    /**
     * retrieve the subject logged in
     * @param allowNoUserLoggedIn true if allowed to have no user, false if expecting a user
     * @return the subject
     */
    private static Subject retrieveSubjectLoggedIn(boolean allowNoUserLoggedIn) {
      GrouperSession grouperSession = SessionInitialiser.getGrouperSession(retrieveHttpServletRequest().getSession());
      if (grouperSession != null && grouperSession.getSubject() != null) {
        return grouperSession.getSubject();
      }
      SessionContainer sessionContainer = SessionContainer.retrieveFromSession();
      Subject subjectLoggedIn = sessionContainer.getSubjectLoggedIn();
      HttpServletRequest request = retrieveHttpServletRequest();
      UiSection uiSectionForRequest = uiSectionForRequest();
      if (subjectLoggedIn != null) {
        return subjectLoggedIn;
      }
      //currently assumes user is in getUserPrincipal
      String userIdLoggedIn = remoteUser(request);
      if (StringUtils.isBlank(userIdLoggedIn) && uiSectionForRequest.isAnonymous()) {
        return null;
      }
      if (StringUtils.isBlank(userIdLoggedIn)) {
        if (allowNoUserLoggedIn) {
          return null;
        }
        throw new RuntimeException("Cant find logged in user");
      }
      GrouperSession rootSession = GrouperSession.startRootSession();
      try {
        subjectLoggedIn = SubjectFinder.findByIdOrIdentifier(userIdLoggedIn, true);
      } catch (RuntimeException re) {
        //this is probably a system error... not a user error
        GrouperUtil.injectInException(re, "Cant find subject from login id: " + userIdLoggedIn);
        throw re;
      } finally {
        GrouperSession.stopQuietly(rootSession);
      }
      ensureUserAllowedInSection(uiSectionForRequest, subjectLoggedIn);
      sessionContainer.setSubjectLoggedIn(subjectLoggedIn);
      return subjectLoggedIn;
    }

I changed the jira. Give it a try

Thanks,
Chris

Ps. here is the code I committed Aug 24…

From: Gagné Sébastien [mailto:]
I confirmed that removing the added code returns everything to normal (login and browsing is OK). The problem might be because the CAS integration requires me to modify webapp/WEB-INF/struts-config.xml

FROM:

    <action path="/callLogin" scope="request" type="edu.internet2.middleware.grouper.ui.actions.CallLoginAction" unknown="false" validate="false">
      <forward name="callLogin" path="/login.do" redirect="true"/>
    </action>

TO:

    <action path="/callLogin" scope="request" type="edu.internet2.middleware.grouper.ui.actions.CallLoginAction" unknown="false" validate="false">
      <forward name="callLogin" path="/home.do" redirect="true"/>
    </action>

Maybe login.do initializes something more (a session?) that home.do doesn’t.

From: Gagné Sébastien
Well finally it doesn’t work completely… Patching the GrouperUiFilter as per the JIRA fixes the problem for “native” authentication, but if I use the CAS integration I get an exception:

    2012-10-10 09:08:11,798: [http-8080-8] ERROR GrouperUiFilter.doFilter(835) - - UI error
    java.lang.RuntimeException: Cant find logged in user
        at edu.internet2.middleware.grouper.ui.GrouperUiFilter.retrieveSubjectLoggedIn(GrouperUiFilter.java:261)
        at edu.internet2.middleware.grouper.ui.GrouperUiFilter.doFilter(GrouperUiFilter.java:823)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
        at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:233)
        at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191)
        at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:470)
        at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
        at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
        at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
        at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:293)
        at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:859)
        at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:602)
        at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:489)
        at java.lang.Thread.run(Thread.java:662)

From: On behalf of Gagné Sébastien

You’re right. I added the patch and I get the error message. Thanks!

From: Rahul Doshi
Not sure if the bug https://bugs.internet2.edu/jira/browse/GRP-840 is the same. Seems to have been fixed in 2.1.3

Thanks,
Rahul

From: Gagné Sébastien <>

I’m running 2.1.2 API and UI. I edited: ui/conf/resources/grouper/media.properties

The one in “ui/dist/grouper/WEB-INF/classes/resources/grouper/media.properties” shows the same properties.

The “etc:GroupeAccesUI” was manually created in the UI with my grouper sysadmin account. It was not autocreated by GrouperSystem. In this group I only added an admin group that contains a bunch of other admin groups, which is where the users actually are. I also tested by adding only one user in the UI group.

I tried with a user authenticated by CAS and one in the tomcat’s tomcat-user.xml (<user username="usr_gagns" password="123" roles="grouper_user"/>). I don’t have any error in my logs.

From: Chris Hyzer []
There have been some issues, though in my tests it seems to work. If someone can debug or give more info that would help. Also, which media.properties did you try? If not this one, try here: resources/grouper/media.properties (since it could also be a custom one). Which version of Grouper are you on? I did my testing on the latest 2.1

Here is a movie: http://www.youtube.com/watch?v=9bh8VhweTIQ

Here is a thread: https://lists.internet2.edu/sympa/arc/grouper-users/2012-09/msg00019.html

Thanks,
Chris

From: On Behalf Of Gagné Sébastien

Hi,

I tried restricting the access to the Grouper UI to members of a specific group using the following configuration in media.properties, but it doesn’t work:

    #users must be in this group to be able to login to the UI
    require.group.for.logins=etc:GroupeAccesUI

I rebuilt the UI and I tried with and without CAS integration. Whatever I do, I can log in using any user, even those not in the group and even if the group is empty. Am I missing something? Is it broken?

Thanks

Sébastien Gagné | IT Analyst, 514-343-6111 x33844 | Université de Montréal | Pavillon Roger-Gaudry, room X-100-11
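To make the behaviour discussed in this thread concrete, here is an added worked example, written for this archive page and not code from the Grouper project. It models in Python the login gate from Chris’s two snippets (the “FROM:” method that always expects a user and the “TO:” method with allowNoUserLoggedIn), together with the require.group.for.logins membership check, and runs it over a few constructed requests: a member of etc:GroupeAccesUI, a non-member, a request with no container user yet (the case the CAS stack trace shows), the anonymous login section, and a session whose cached subject has since lost membership. The classes, the SUBJECTS/GROUP_MEMBERS tables and the sample user ids are stand-ins invented here; only the decision logic follows the Java in the thread.

```python
from dataclasses import dataclass, field
from typing import Optional


class NoLoggedInUser(RuntimeError):
    """Stands in for the 'Cant find logged in user' RuntimeException."""


class NotAllowedInSection(RuntimeError):
    """Raised when the subject is not a member of the required login group."""


@dataclass
class UiSection:
    name: str
    anonymous: bool  # True for sections reachable without a login (e.g. the login page)


@dataclass
class Request:
    remote_user: Optional[str]  # what the container reports for the request (may be None)
    section: UiSection
    session: dict = field(default_factory=dict)  # per-user HTTP session store


# Constructed stand-ins for the subject source and the group registry (hypothetical data).
SUBJECTS = {"usr_gagns", "alice"}
GROUP_MEMBERS = {"etc:GroupeAccesUI": {"usr_gagns"}}


def ensure_user_allowed_in_section(section, subject, required_group):
    """Enforce require.group.for.logins: non-members are refused outside anonymous sections."""
    if section.anonymous or required_group is None:
        return
    if subject not in GROUP_MEMBERS.get(required_group, set()):
        raise NotAllowedInSection(f"{subject} is not in {required_group}")


def retrieve_subject_logged_in(request, required_group, allow_no_user_logged_in=False):
    """Model of retrieveSubjectLoggedIn(boolean) from the TO: version in the thread."""
    cached = request.session.get("subjectLoggedIn")
    if cached is not None:
        return cached  # already resolved earlier in this session, no re-check here
    user_id = request.remote_user
    if not user_id and request.section.anonymous:
        return None
    if not user_id:
        if allow_no_user_logged_in:
            return None  # the branch added in the TO: version
        raise NoLoggedInUser("Cant find logged in user")
    if user_id not in SUBJECTS:  # stands in for SubjectFinder.findByIdOrIdentifier(..., true)
        raise RuntimeError("Cant find subject from login id: " + user_id)
    subject = user_id
    ensure_user_allowed_in_section(request.section, subject, required_group)
    request.session["subjectLoggedIn"] = subject
    return subject


def do_filter_before(request, required_group):
    """Filter gate as first posted in the JIRA: always expects a logged-in user."""
    subject = retrieve_subject_logged_in(request, required_group)
    if subject is not None:
        ensure_user_allowed_in_section(request.section, subject, required_group)
    return subject


def do_filter_after(request, required_group):
    """Filter gate from the corrected snippet: tolerates 'no user yet', re-checks each request."""
    subject = retrieve_subject_logged_in(request, required_group, allow_no_user_logged_in=True)
    if subject is not None:
        ensure_user_allowed_in_section(request.section, subject, required_group)
    return subject


def outcome(gate, request, required_group):
    """Run one gate and summarise the result as a short string."""
    try:
        subject = gate(request, required_group)
    except NoLoggedInUser:
        return "error: Cant find logged in user"
    except NotAllowedInSection:
        return "denied"
    return "allowed:" + subject if subject else "no user yet"


def run_scenarios():
    """Constructed requests: member, non-member, pre-login, login page, and a stale session."""
    home, login = UiSection("home", anonymous=False), UiSection("login", anonymous=True)
    group = "etc:GroupeAccesUI"
    stale = Request("usr_gagns", home, {"subjectLoggedIn": "usr_gagns"})  # cached subject
    return {
        "member": outcome(do_filter_after, Request("usr_gagns", home), group),
        "non_member": outcome(do_filter_after, Request("alice", home), group),
        "no_user_before": outcome(do_filter_before, Request(None, home), group),
        "no_user_after": outcome(do_filter_after, Request(None, home), group),
        "login_page": outcome(do_filter_after, Request(None, login), group),
        # group now empty: the per-request check in the filter still denies the cached subject
        "cached_revoked": outcome(do_filter_after, stale, "etc:EmptyGroup"),
    }
```

The “no_user_before” case reproduces the failure Sébastien reports: with no container user on a non-anonymous section, the original method throws “Cant find logged in user” from inside the filter, whereas the corrected call with allowNoUserLoggedIn=true returns null and lets the request continue to the login flow. The “cached_revoked” case shows why the filter calls ensureUserAllowedInSection on every request rather than only when the subject is first resolved: a subject cached in the session is still re-checked against the group.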