Skip to Content.
Sympa Menu

grouper-users - [grouper-users] RE: Grouper Admin Ui and Web Service

Subject: Grouper Users - Open Discussion List

List archive

[grouper-users] RE: Grouper Admin Ui and Web Service


Chronological Thread 
  • From: Chris Hyzer <>
  • To: "Klug, Lawrence" <>
  • Cc: "" <>
  • Subject: [grouper-users] RE: Grouper Admin Ui and Web Service
  • Date: Wed, 17 Oct 2012 16:00:15 +0000
  • Accept-language: en-US

Whoops, web.xml section shouldn’t include the session-config at bottom… also, I see that you said SSL WS (for authn).  If the common name (or whatever goes to remote user) doesn’t have special chars or whatever then you don’t need the attribute and value

 

Thanks,

Chris

 

From: [mailto:] On Behalf Of Chris Hyzer
Sent: Wednesday, October 17, 2012 11:56 AM
To: Klug, Lawrence
Cc:
Subject: [grouper-users] RE: Grouper Admin Ui and Web Service

 

> Hi Chris,

>

> I saw the thread about “Local entity for WS service account”

> yesterday.  That approach looks attractive – could we define

> a local entity that could be used for a WS service account and

> resolve to a subject for our Plone project?  We are in QA now –

> we have Grouper  Admin UI shib-protected and Grouper WS SSL

> protected –  just need a service account strategy.  What config

> steps are involved in setting this up?

>

> Thanks,

>

> Lawrence

> 

 

 

Of course.  Are you using SSL client certs for authn, or Kerberos, or user/pass in tomcat or apache?  J

 

Basically, create a folder in your admin folders…  e.g. etc:wsusers

 

Then put the patch in place and rebuild WS:

 

https://bugs.internet2.edu/jira/browse/GRP-856

 

Then create a local entity with the Grouper lite UI in the etc:wsusers folder (or wherever it is)

 

If you want to login name to be the extension of the local entity, you don’t have to do this, otherwise, if you have special chars in your login name which cant be in an extension, then assign the attribute:

 

etc:attribute:entities:entitySubjectIdentifier (or wherever this is located, that is configurable, and this is the default)

 

And put a value on which is the login name.

 

Then set this in the grouper-ws.properties (to whatever folder you use):

 

# prepend this to the logged in user id to help this get resolved by the subject API
# you probably need to do this for local entities and WS logins
ws.security.prependToUserIdForSubjectLookup = etc:wsusers:

 

If you are using tomcat user/pass, put this section in the web.xml, if not, take it out:

 

      <security-constraint>

            <web-resource-collection>

                  <web-resource-name>Web services</web-resource-name>

                  <url-pattern>/services/*</url-pattern>

            </web-resource-collection>

            <auth-constraint>

                  <role-name>grouper_user</role-name>

            </auth-constraint>

      </security-constraint>

 

  <security-constraint>

    <web-resource-collection>

      <web-resource-name>Web services</web-resource-name>

      <url-pattern>/servicesRest/*</url-pattern>

    </web-resource-collection>

    <auth-constraint>

      <!-- NOTE:  This role is not present in the default users file -->

      <role-name>grouper_user</role-name>

    </auth-constraint>

  </security-constraint>

 

      <!-- Define the Login Configuration for this Application -->

      <login-config>

            <auth-method>BASIC</auth-method>

            <realm-name>Grouper Application</realm-name>

      </login-config>

 

      <!-- Security roles referenced by this web application -->

      <security-role>

            <description>

                  The role that is required to log in to web service

            </description>

            <role-name>grouper_user</role-name>

      </security-role>

 

  <session-config>

    <session-timeout>1</session-timeout>

  </session-config>

 

Hmmm, that should be it  J

 

Thanks,

Chris

 




Archive powered by MHonArc 2.6.16.

Top of Page