
grouper-users - Re: [grouper-users] Local entity for WS service account

Subject: Grouper Users - Open Discussion List

  • From: Mike Roszkowski <>
  • To: Chris Hyzer <>
  • Cc: "" <>
  • Subject: Re: [grouper-users] Local entity for WS service account
  • Date: Tue, 16 Oct 2012 12:21:14 -0500

Chris,

We'd be interested in trying the patch. Thanks very much for the help.

--Mike

On 10/16/12 11:14 AM, Chris Hyzer wrote:
Ok, forgot about that part. Yes, I think if you have a standard that all
users to WS authenticate like this, and all the local entities are in a
certain folder, then we could add a tweak to GrouperWS to prepend a namespace
to the username before resolving the subject... are you interested in this
patch (I could create it and send it to you)?

Thanks,
Chris

-----Original Message-----
From: Mike Roszkowski
[mailto:]
Sent: Tuesday, October 16, 2012 11:52 AM
To: Chris Hyzer
Cc:

Subject: Re: [grouper-users] Local entity for WS service account

Thanks for the reply, Chris. I should have mentioned that I did try to do
this.
I used Lite UI to assign the attribute to the local entity, but when I tried
to assign a value to the attribute, I got this:

Error: Value must start with the entity's folder name:
'control:applications:',
Exception in save:
edu.internet2.middleware.grouper.attr.value.AttributeAssignValue,
edu.internet2.middleware.grouper.hibernate.ByObject@208888e2,
Problem in
HibernateSession: HibernateSession: isNew: false, isReadonly: false,
grouperTransactionType:
READ_WRITE_NEW, Exception in saveOrUpdate:
edu.internet2.middleware.grouper.attr.value.AttributeAssignValue,
ByObjectStatic, query: ', cacheable: null, cacheRegion: null, entityName:
null, tx type: null,
Problem in HibernateSession: HibernateSession: isNew: true, isReadonly:
false, grouperTransactionType:
READ_WRITE_NEW, Problem calling method assignAddValueSubmit on
edu.internet2.middleware.grouper.grouperUi.serviceLogic.SimpleAttributeUpdate

So it will only let me assign a value that also has colons in it, I think.

I did find that the subject-identifier that was generated (a uuid) for the
local entity can be used to
authenticate that account, but it would be nice to give it a more
developer-friendly
name than a 32-character hex string!

--Mike

On 10/16/12 10:32 AM, Chris Hyzer wrote:
Local entities can have an attribute which is the subject identifier.

This is autocreated for you, depending on your config, might be here:

etc:attribute:entities:entitySubjectIdentifier

Assign this to the local entity (e.g. with UI), and give the string value
which is the identifier (with no colons in it).

Then try to authenticate with that value and see if it works.

Let me know
Thanks,
Chris

-----Original Message-----
From:


[mailto:]
On Behalf Of Mike Roszkowski
Sent: Tuesday, October 16, 2012 11:14 AM
To:

Subject: [grouper-users] Local entity for WS service account

I'd like to create a "service account" in grouper for an application.
The app will use web services to access grouper, so needs to be
able to authenticate via basic auth to the grouper web services.

My first attempt was to use gsh's addSubject("mst-test","application","MST test account")
and set the loginid, name, and description subject attributes,
but that doesn't seem to create a subject, as findSubject("mst-test") returns
// Error: subject not found: mst-test

So, I thought I'd try a local entity. I created one using the Lite UI called:
control:applications:mst-test

findSubject("control:applications:mst-test") works, but now I'm faced with
trying to authenticate control:applications:mst-test via tomcat basic
auth and the colon is an illegal character in basic auth usernames per
RFC-2617.

Is there a way I can use a local entity to authenticate via basic auth
to grouper-ws? Or is there another approach I should be using to create
a "service account?"

Thanks for any help you can offer.
--Mike Roszkowski
University of Wisconsin-Madison
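
The colon problem discussed in this thread, and the namespace-prepend idea Chris suggests, shown as an added example that is not part of the original messages and is not Grouper code. The function names, the fixed `ENTITY_FOLDER` setting and the sample password are assumptions made for illustration.

```python
import base64

# Folder name taken from the thread; treating it as fixed server config is an assumption.
ENTITY_FOLDER = "control:applications"


def basic_header(user_id, password):
    """What an HTTP client sends: base64("user-id:password"), with no escaping."""
    raw = f"{user_id}:{password}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def parse_basic(header):
    """Server side: the first ':' ends the user-id; the rest is the password."""
    scheme, _, token = header.partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not a Basic credential")
    decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    user_id, sep, password = decoded.partition(":")
    if not sep:
        raise ValueError("credential has no ':' separator")
    return user_id, password


def resolve_subject_identifier(login, folder=ENTITY_FOLDER):
    """Hypothetical mapping: prepend the entity folder to a colon-free login.

    Rejecting ':' keeps a caller from naming an entity outside the folder.
    """
    if not login or ":" in login:
        raise ValueError("login must be non-empty and contain no ':'")
    return f"{folder}:{login}"


def demo():
    # Constructed credentials; "s3cret" is a sample password.
    broken = parse_basic(basic_header("control:applications:mst-test", "s3cret"))
    user, password = parse_basic(basic_header("mst-test", "s3cret"))
    return broken, (resolve_subject_identifier(user), password)


if __name__ == "__main__":
    print(demo())
```

With the full entity name as the username, the server sees user `control` and a password that begins `applications:`, so authentication cannot match the intended subject; the short login plus a server-side prefix avoids the ambiguity.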












