Grouper Users - Open Discussion List

[Mike Roszkowski <>]

Chris,

We'd be interested in trying the patch. Thanks very much for the help.

--Mike

On 10/16/12 11:14 AM, Chris Hyzer wrote:
> Ok, forgot about that part.  Yes, I think if you have a standard that all 
> users to WS authenticate like this, and all the local entities are in a 
> certain folder, then we could add a tweak to GrouperWS to prepend a namespace 
> to the username before resolving the subject... are you interested in this 
> patch (I could create it and send it to you)?
>
> Thanks,
> Chris
>
> -----Original Message-----
> From: Mike Roszkowski 
> [mailto:]
> Sent: Tuesday, October 16, 2012 11:52 AM
> To: Chris Hyzer
> Cc: 
>
> Subject: Re: [grouper-users] Local entity for WS service account
>
> Thanks for the reply, Chris. I should have mentioned that I did try to do 
> this.
> I used Lite UI to assign the attribute to the local entity, but when I tried
> to assign a value to the attribute, I got this:
>
> Error: Value must start with the entity's folder name: 
> 'control:applications:',
> Exception in save: 
> edu.internet2.middleware.grouper.attr.value.AttributeAssignValue,
> edu.internet2.middleware.grouper.hibernate.ByObject@208888e2,
>  Problem in
> HibernateSession: HibernateSession: isNew: false, isReadonly: false, 
> grouperTransactionType:
> READ_WRITE_NEW, Exception in saveOrUpdate: 
> edu.internet2.middleware.grouper.attr.value.AttributeAssignValue,
> ByObjectStatic, query: ', cacheable: null, cacheRegion: null, entityName: 
> null, tx type: null,
> Problem in HibernateSession: HibernateSession: isNew: true, isReadonly: 
> false, grouperTransactionType:
> READ_WRITE_NEW, Problem calling method assignAddValueSubmit on
> edu.internet2.middleware.grouper.grouperUi.serviceLogic.SimpleAttributeUpdate
>
> So it will only let me assign a value that also has colons in it, I think.
>
> I did find that the subject-identifier that was generated (a uuid) for the 
> local entity can be used to
> authenticate that account, but it would be nice to give it a more 
> developer-friendly
> name than a 32-character hex string!
>
> --Mike
>
> On 10/16/12 10:32 AM, Chris Hyzer wrote:
> > Local entities can have an attribute which is the subject identifier.
> >
> > This is autocreated for you, depending on your config, might be here:
> >
> > etc:attribute:entities:entitySubjectIdentifier
> >
> > Assign this to the local entity (e.g. with UI), and give the string value 
> > which is the identifier (with no colons in it).
> >
> > Then try to authenticate with that value and see if it works.
> >
> > Let me know
> > Thanks,
> > Chris
> >
> > -----Original Message-----
> > From: 
> >
> >  
> > [mailto:]
> >  On Behalf Of Mike Roszkowski
> > Sent: Tuesday, October 16, 2012 11:14 AM
> > To: 
> >
> > Subject: [grouper-users] Local entity for WS service account
> >
> > I'd like to create a "service account" in grouper for an application.
> > The app will use web services to access grouper, so needs to be
> > able to authenticate via basic auth to the grouper web services.
> >
> > My first attempt was to use gsh's addSubject("mst-test","application","MST test 
> > account")
> > and set the loginid, name, and description subject attributes,
> > but that doesn't seem to create a subject, as findSubject("mst-test") returns
> > // Error: subject not found: mst-test
> >
> > So, I thought I'd try a local entity. I created one using the Lite UI called:
> > control:applications:mst-test
> >
> > findSubject("control:applications:mst-test") works, but now I'm faced with
> > trying to authenticate control:applications:mst-test via tomcat basic
> > auth and the colon is an illegal character in basic auth usernames per
> > RFC-2617.
> >
> > Is there a way I can use a local entity to authenticate via basic auth
> > to grouper-ws? Or is there another approach I should be using to create
> > a "service account?"
> >
> > Thanks for any help you can offer.
> > --Mike Roszkowski
> > University of Wisconsin-Madison