grouper-users - RE: [grouper-users] Local entity for WS service account

Subject: Grouper Users - Open Discussion List

  • From: Chris Hyzer <>
  • To: Mike Roszkowski <>
  • Cc: "" <>
  • Subject: RE: [grouper-users] Local entity for WS service account
  • Date: Tue, 16 Oct 2012 18:50:07 +0000
  • Accept-language: en-US

Try the patch in this jira:

https://bugs.internet2.edu/jira/browse/GRP-856

Thanks,
Chris

-----Original Message-----
From: Mike Roszkowski
[mailto:]

Sent: Tuesday, October 16, 2012 1:21 PM
To: Chris Hyzer
Cc:

Subject: Re: [grouper-users] Local entity for WS service account

Chris,

We'd be interested in trying the patch. Thanks very much for the help.

--Mike

On 10/16/12 11:14 AM, Chris Hyzer wrote:
> Ok, forgot about that part. Yes, I think if you have a standard that all
> users to WS authenticate like this, and all the local entities are in a
> certain folder, then we could add a tweak to GrouperWS to prepend a
> namespace to the username before resolving the subject... are you
> interested in this patch (I could create it and send it to you)?
>
> Thanks,
> Chris
>
> -----Original Message-----
> From: Mike Roszkowski
> [mailto:]
> Sent: Tuesday, October 16, 2012 11:52 AM
> To: Chris Hyzer
> Cc:
>
> Subject: Re: [grouper-users] Local entity for WS service account
>
> Thanks for the reply, Chris. I should have mentioned that I did try to do
> this.
> I used Lite UI to assign the attribute to the local entity, but when I tried
> to assign a value to the attribute, I got this:
>
> Error: Value must start with the entity's folder name:
> 'control:applications:',
> Exception in save:
> edu.internet2.middleware.grouper.attr.value.AttributeAssignValue,
> edu.internet2.middleware.grouper.hibernate.ByObject@208888e2,
> Problem in
> HibernateSession: HibernateSession: isNew: false, isReadonly: false,
> grouperTransactionType:
> READ_WRITE_NEW, Exception in saveOrUpdate:
> edu.internet2.middleware.grouper.attr.value.AttributeAssignValue,
> ByObjectStatic, query: ', cacheable: null, cacheRegion: null, entityName:
> null, tx type: null,
> Problem in HibernateSession: HibernateSession: isNew: true, isReadonly:
> false, grouperTransactionType:
> READ_WRITE_NEW, Problem calling method assignAddValueSubmit on
> edu.internet2.middleware.grouper.grouperUi.serviceLogic.SimpleAttributeUpdate
>
> So it will only let me assign a value that also has colons in it, I think.
>
> I did find that the subject-identifier that was generated (a uuid) for the
> local entity can be used to
> authenticate that account, but it would be nice to give it a more
> developer-friendly
> name than a 32-character hex string!
>
> --Mike
>
> On 10/16/12 10:32 AM, Chris Hyzer wrote:
>> Local entities can have an attribute which is the subject identifier.
>>
>> This is autocreated for you, depending on your config, might be here:
>>
>> etc:attribute:entities:entitySubjectIdentifier
>>
>> Assign this to the local entity (e.g. with UI), and give the string value
>> which is the identifier (with no colons in it).
>>
>> Then try to authenticate with that value and see if it works.
>>
>> Let me know
>> Thanks,
>> Chris
>>
>> -----Original Message-----
>> From:
>>
>>
>> [mailto:]
>> On Behalf Of Mike Roszkowski
>> Sent: Tuesday, October 16, 2012 11:14 AM
>> To:
>>
>> Subject: [grouper-users] Local entity for WS service account
>>
>> I'd like to create a "service account" in grouper for an application.
>> The app will use web services to access grouper, so needs to be
>> able to authenticate via basic auth to the grouper web services.
>>
>> My first attempt was to use gsh's
>> addSubject("mst-test","application","MST test account")
>> and set the loginid, name, and description subject attributes,
>> but that doesn't seem to create a subject, as findSubject("mst-test")
>> returns
>> // Error: subject not found: mst-test
>>
>> So, I thought I'd try a local entity. I created one using the Lite UI
>> called:
>> control:applications:mst-test
>>
>> findSubject("control:applications:mst-test") works, but now I'm faced with
>> trying to authenticate control:applications:mst-test via tomcat basic
>> auth and the colon is an illegal character in basic auth usernames per
>> RFC-2617.
>>
>> Is there a way I can use a local entity to authenticate via basic auth
>> to grouper-ws? Or is there another approach I should be using to create
>> a "service account?"
>>
>> Thanks for any help you can offer.
>> --Mike Roszkowski
>> University of Wisconsin-Madison
>>
>>
>>
>>
>>
>>
>
>
>
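The colon problem raised in this thread, and the namespace-prefix idea proposed as a workaround, shown as an added example (not code from the thread, from the GRP-856 patch, or from Grouper). The function names, the folder constant and the password are assumptions constructed for illustration; the sketch shows how a Basic credential is split at the first colon and how a colon-free login could be mapped to a subject inside one fixed folder.

```python
import base64

# Assumption: the folder holding service-account local entities,
# taken from the entity name used in the thread.
SERVICE_FOLDER = "control:applications:"

def basic_header(username, password):
    """Build an Authorization header value the way an HTTP client does."""
    token = base64.b64encode(f"{username}:{password}".encode("utf-8"))
    return "Basic " + token.decode("ascii")

def parse_basic(header):
    """Decode a Basic header; the user-id ends at the FIRST colon (RFC 2617)."""
    scheme, _, token = header.partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not a Basic credential")
    decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    username, sep, password = decoded.partition(":")
    if not sep:
        raise ValueError("missing ':' separator")
    return username, password

def resolve_subject_id(login, folder=SERVICE_FOLDER):
    """Hypothetical mapping: prepend the folder to a colon-free login.

    Rejecting colons keeps every login confined to direct children of
    the folder, so a login cannot name an entity elsewhere in the tree.
    """
    if not login or ":" in login:
        raise ValueError("login must be non-empty and contain no colon")
    return folder + login

if __name__ == "__main__":
    # Constructed credentials, for illustration only.
    full = basic_header("control:applications:mst-test", "s3cret")
    print(parse_basic(full))          # username is cut at the first colon
    user, _ = parse_basic(basic_header("mst-test", "s3cret"))
    print(resolve_subject_id(user))   # full entity name restored server-side
```
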



