Grouper Users - Open Discussion List

[Chris Hyzer <>]

Ok, forgot about that part.  Yes, I think if you have a standard that all 
users to WS authenticate like this, and all the local entities are in a 
certain folder, then we could add a tweak to GrouperWS to prepend a namespace 
to the username before resolving the subject... are you interested in this 
patch (I could create it and send it to you)?

Thanks,
Chris

-----Original Message-----
From: Mike Roszkowski 
[mailto:]
 
Sent: Tuesday, October 16, 2012 11:52 AM
To: Chris Hyzer
Cc: 

Subject: Re: [grouper-users] Local entity for WS service account

Thanks for the reply, Chris. I should have mentioned that I did try to do 
this.
I used Lite UI to assign the attribute to the local entity, but when I tried
to assign a value to the attribute, I got this:

Error: Value must start with the entity's folder name: 
'control:applications:',
Exception in save: 
edu.internet2.middleware.grouper.attr.value.AttributeAssignValue,
edu.internet2.middleware.grouper.hibernate.ByObject@208888e2,
 Problem in
HibernateSession: HibernateSession: isNew: false, isReadonly: false, 
grouperTransactionType:
READ_WRITE_NEW, Exception in saveOrUpdate: 
edu.internet2.middleware.grouper.attr.value.AttributeAssignValue,
ByObjectStatic, query: ', cacheable: null, cacheRegion: null, entityName: 
null, tx type: null,
Problem in HibernateSession: HibernateSession: isNew: true, isReadonly: 
false, grouperTransactionType:
READ_WRITE_NEW, Problem calling method assignAddValueSubmit on
edu.internet2.middleware.grouper.grouperUi.serviceLogic.SimpleAttributeUpdate

So it will only let me assign a value that also has colons in it, I think.

I did find that the subject-identifier that was generated (a uuid) for the 
local entity can be used to
authenticate that account, but it would be nice to give it a more 
developer-friendly
name than a 32-character hex string!

--Mike

On 10/16/12 10:32 AM, Chris Hyzer wrote:
> Local entities can have an attribute which is the subject identifier.
>
> This is autocreated for you, depending on your config, might be here:
>
> etc:attribute:entities:entitySubjectIdentifier
>
> Assign this to the local entity (e.g. with UI), and give the string value 
> which is the identifier (with no colons in it).
>
> Then try to authenticate with that value and see if it works.
>
> Let me know
> Thanks,
> Chris
>
> -----Original Message-----
> From: 
> 
>  
> [mailto:]
>  On Behalf Of Mike Roszkowski
> Sent: Tuesday, October 16, 2012 11:14 AM
> To: 
> 
> Subject: [grouper-users] Local entity for WS service account
>
> I'd like to create a "service account" in grouper for an application.
> The app will use web services to access grouper, so needs to be
> able to authenticate via basic auth to the grouper web services.
>
> My first attempt was to use gsh's addSubject("mst-test","application","MST 
> test account")
> and set the loginid, name, and description subject attributes,
> but that doesn't seem to create a subject, as findSubject("mst-test") 
> returns
> // Error: subject not found: mst-test
>
> So, I thought I'd try a local entity. I created one using the Lite UI 
> called:
> control:applications:mst-test
>
> findSubject("control:applications:mst-test") works, but now I'm faced with
> trying to authenticate control:applications:mst-test via tomcat basic
> auth and the colon is an illegal character in basic auth usernames per
> RFC-2617.
>
> Is there a way I can use a local entity to authenticate via basic auth
> to grouper-ws? Or is there another approach I should be using to create
> a "service account?"
>
> Thanks for any help you can offer.
> --Mike Roszkowski
> University of Wisconsin-Madison
>
>
>
>
>
>