
grouper-users - RE: [grouper-users] Local entity for WS service account

Subject: Grouper Users - Open Discussion List

  • From: Chris Hyzer <>
  • To: Mike Roszkowski <>
  • Cc: "" <>
  • Subject: RE: [grouper-users] Local entity for WS service account
  • Date: Tue, 16 Oct 2012 16:14:04 +0000
  • Accept-language: en-US

Ok, forgot about that part. Yes, I think if you have a standard that all
users to WS authenticate like this, and all the local entities are in a
certain folder, then we could add a tweak to GrouperWS to prepend a namespace
to the username before resolving the subject... are you interested in this
patch (I could create it and send it to you)?


-----Original Message-----
From: Mike Roszkowski

Sent: Tuesday, October 16, 2012 11:52 AM
To: Chris Hyzer

Subject: Re: [grouper-users] Local entity for WS service account

Thanks for the reply, Chris. I should have mentioned that I did try to do
I used Lite UI to assign the attribute to the local entity, but when I tried
to assign a value to the attribute, I got this:

Error: Value must start with the entity's folder name:
Exception in save:
Problem in
HibernateSession: HibernateSession: isNew: false, isReadonly: false,
READ_WRITE_NEW, Exception in saveOrUpdate:
ByObjectStatic, query: ', cacheable: null, cacheRegion: null, entityName:
null, tx type: null,
Problem in HibernateSession: HibernateSession: isNew: true, isReadonly:
false, grouperTransactionType:
READ_WRITE_NEW, Problem calling method assignAddValueSubmit on

So it will only let me assign a value that also has colons in it, I think.

I did find that the subject-identifier that was generated (a uuid) for the
local entity can be used to
authenticate that account, but it would be nice to give it a more
name than a 32-character hex string!


On 10/16/12 10:32 AM, Chris Hyzer wrote:
> Local entities can have an attribute which is the subject identifier.
> This is autocreated for you, depending on your config, might be here:
> etc:attribute:entities:entitySubjectIdentifier
> Assign this to the local entity (e.g. with UI), and give the string value
> which is the identifier (with no colons in it).
> Then try to authenticate with that value and see if it works.
> Let me know
> Thanks,
> Chris
> -----Original Message-----
> From:
> [mailto:]
> On Behalf Of Mike Roszkowski
> Sent: Tuesday, October 16, 2012 11:14 AM
> To:
> Subject: [grouper-users] Local entity for WS service account
> I'd like to create a "service account" in grouper for an application.
> The app will use web services to access grouper, so needs to be
> able to authenticate via basic auth to the grouper web services.
> My first attempt was to use gsh's
> addSubject("mst-test","application","MST test account")
> and set the loginid, name, and description subject attributes,
> but that doesn't seem to create a subject, as findSubject("mst-test") returns
> // Error: subject not found: mst-test
> So, I thought I'd try a local entity. I created one using the Lite UI
> called:
> control:applications:mst-test
> findSubject("control:applications:mst-test") works, but now I'm faced with
> trying to authenticate control:applications:mst-test via tomcat basic
> auth and the colon is an illegal character in basic auth usernames per
> RFC-2617.
> Is there a way I can use a local entity to authenticate via basic auth
> to grouper-ws? Or is there another approach I should be using to create
> a "service account?"
> Thanks for any help you can offer.
> --Mike Roszkowski
> University of Wisconsin-Madison
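
Why the full local entity name fails as a Basic auth username, and what the namespace-prepending idea discussed in this thread amounts to, shown as an added example (not code from Grouper, GrouperWS or either poster). `ENTITY_FOLDER`, the function names and the credentials are assumptions constructed for illustration.

```python
import base64

# Assumption: the one folder that holds every WS service-account local entity
# (taken from the entity name used as an example in the thread).
ENTITY_FOLDER = "control:applications"

def encode_basic(user, password):
    """Build the Authorization header value the way an HTTP client does."""
    raw = f"{user}:{password}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")

def parse_basic(header):
    """Server side: decode, then split at the FIRST colon.

    The user-id may not contain ':', so everything after the first colon
    is treated as the password.
    """
    scheme, _, token = header.partition(" ")
    if scheme.lower() != "basic" or not token:
        raise ValueError("not a Basic Authorization header")
    decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    user, sep, password = decoded.partition(":")
    if not sep:
        raise ValueError("missing ':' between user-id and password")
    return user, password

def to_entity_name(login, folder=ENTITY_FOLDER):
    """Hypothetical mapping: prepend the folder to the authenticated login.

    Rejecting colons keeps a login from naming an entity in another folder.
    """
    if not login or ":" in login:
        raise ValueError("login must be non-empty and contain no colons")
    return f"{folder}:{login}"

if __name__ == "__main__":
    # Constructed credentials, for illustration only.
    full = encode_basic("control:applications:mst-test", "s3cret")
    print(parse_basic(full))   # the server sees user "control", not the entity

    user, _ = parse_basic(encode_basic("mst-test", "s3cret"))
    print(to_entity_name(user))  # short login resolved inside the folder
```
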
