Skip to Content.
Sympa Menu

grouper-users - [grouper-users] RE: Grouper Admin Ui and Web Service

Subject: Grouper Users - Open Discussion List

List archive

[grouper-users] RE: Grouper Admin Ui and Web Service


Chronological Thread 
  • From: Chris Hyzer <>
  • To: "Klug, Lawrence" <>
  • Cc: "" <>
  • Subject: [grouper-users] RE: Grouper Admin Ui and Web Service
  • Date: Thu, 18 Oct 2012 16:56:17 +0000
  • Accept-language: en-US

Sorry, that’s a little confusing.  Attributes assigned to the local entity object are done so by assign a group attribute to it (since a local entity is a kind of like a group with no members).  If you did an entity attribute, that would assign to the subject that the group represents which you do not want in this case.

 

So I think the cert is resolving to: urn:mace:ucla.edu:ppid:person:D7BED25A41E442EFBE721496196E0A81

 

Your folder for WS users is etc:wsusers, and you created a local entity inside called wsuser, so the local entity name is etc:wsusers:wsuser, and you have the etc:attribute:entities:entitySubjectIdentifier attribute with value of: urn:mace:ucla.edu:ppid:person:D7BED25A41E442EFBE721496196E0A81

 

Right?

 

Then in GSH you should be able to resolve the subject:

 

GrouperSession.startRootSession();

SubjectFinder.findByIdentifier("urn:mace:ucla.edu:ppid:person:D7BED25A41E442EFBE721496196E0A81");

 

Does that work?

 

Let me know if not and I can try to replicate what you have…

 

Thanks,

Chris

 

 

From: Klug, Lawrence [mailto:]
Sent: Thursday, October 18, 2012 11:58 AM
To: Chris Hyzer
Cc:
Subject: RE: Grouper Admin Ui and Web Service

 

Hi Chris,

 

Testing the Local entity scenario for WS service account.  Created an entity within a directory “etc:wsusers:wsuser” – when I attempted to assign the etc:attribute:entities:entitySubjectIdentifier  attribute I encountered some unexpected behavior.  If I select owner type  “entity” and select “etc:wsusers:wsuser” , I get “no results found” for the entitySubjectIdentifier attribute, and so I can’t assign it.  However, if I select owner type “group”, the entitySubjectIdentifier attribute is assignable.  It seems that Grouper sees it as a Group, not an entity.  Assigned the attribute with name “wslogon” using owner type “group” and assigned value “etc:wsusers:wsuser:wslogon”.  Also configured the pre-pend string.   When I try to authenticate with it, I get the error below, indicating that the subject was not resolved.  What am I doing wrong?

 

Thanks,

 

Lawrence

 

<resultMessage>

clientVersion: 2.0.0, subjectLookups: Array size: 1: [0]: WsSubjectLookup[subjectId=urn:mace:ucla.edu:ppid:person:D7BED25A41E442EFBE721496196E0A81] memberFilter: All, includeGroupDetail: false, actAsSubject: null , params: null fieldName1: null , scope: null, wsStemLookup: WsStemLookup[] , stemScope: null, enabled: null, pageSize: null, pageNumber: null, sortString: null, ascending: null , pointInTimeFrom: null, pointInTimeTo: null, java.lang.RuntimeException: Cant find subject from login id: etc:wsusers:wsuser:wslogon at edu.internet2.middleware.grouper.ws.GrouperServiceJ2ee$1.callback(GrouperServiceJ2ee.java:262) at edu.internet2.middleware.grouper.GrouperSession.callbackGrouperSession(GrouperSession.java:801) at edu.internet2.middleware.grouper.ws.GrouperServiceJ2ee.retrieveSubjectLoggedIn(GrouperServiceJ2ee.java:247) at edu.internet2.middleware.grouper.ws.GrouperServiceJ2ee.retrieveSubjectActAsHelper(GrouperServiceJ2ee.java:359) at edu.internet2.middleware.grouper.ws.GrouperServiceJ2ee.retrieveSubjectActAs(GrouperServiceJ2ee.java:331) at edu.internet2.middleware.grouper.ws.util.GrouperServiceUtils.retrieveGrouperSession(GrouperServiceUtils.java:847) at edu.internet2.middleware.grouper.ws.GrouperServiceLogic.getGroups(GrouperServiceLogic.java:1152) at edu.internet2.middleware.grouper.ws.GrouperServiceLogic.getGroupsLite(GrouperServiceLogic.java:1370) at edu.internet2.middleware.grouper.ws.coresoap.GrouperService.getGroupsLite(GrouperService.java:1421) at edu.internet2.middleware.grouper.ws.rest.GrouperServiceRest.getGroupsLite(GrouperServiceRest.java:854) at edu.internet2.middleware.grouper.ws.rest.method.GrouperWsRestGetSubject$1.service(GrouperWsRestGetSubject.java:66) at edu.internet2.middleware.grouper.ws.rest.method.GrouperWsRestGet$6.service(GrouperWsRestGet.java:349) at edu.internet2.middleware.grouper.ws.rest.method.GrouperRestHttpMethod$1.service(GrouperRestHttpMethod.java:57) at edu.internet2.middleware.grouper.ws.rest.GrouperRestServlet.service(GrouperRestServlet.java:199) at javax.servlet.http.HttpServlet.service(HttpServlet.java:717) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206) at edu.internet2.middleware.grouper.ws.GrouperServiceJ2ee.doFilter(GrouperServiceJ2ee.java:660) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206) at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:233) at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191) at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:563) at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127) at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102) at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109) at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:298) at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:859) at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:588) at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:489) at java.lang.Thread.run(Thread.java:662) Caused by: edu.internet2.middleware.subject.SubjectNotFoundException: subject not found: etc:wsusers:wsuser:wslogon at edu.internet2.middleware.grouper.subj.SourcesXmlResolver.thereCanOnlyBeOne(SourcesXmlResolver.java:489) at edu.internet2.middleware.grouper.subj.SourcesXmlResolver.findByIdOrIdentifier(SourcesXmlResolver.java:530) at edu.internet2.middleware.grouper.subj.CachingResolver.findByIdOrIdentifier(CachingResolver.java:377) at edu.internet2.middleware.grouper.subj.ValidatingResolver.findByIdOrIdentifier(ValidatingResolver.java:202) at edu.internet2.middleware.grouper.SubjectFinder.findByIdOrIdentifier(SubjectFinder.java:160) at edu.internet2.middleware.grouper.ws.GrouperServiceJ2ee$1.callback(GrouperServiceJ2ee.java:255) ... 30 more

 

 

From: Chris Hyzer []
Sent: Wednesday, October 17, 2012 9:00 AM
To: Klug, Lawrence
Cc:
Subject: RE: Grouper Admin Ui and Web Service

 

Whoops, web.xml section shouldn’t include the session-config at bottom… also, I see that you said SSL WS (for authn).  If the common name (or whatever goes to remote user) doesn’t have special chars or whatever then you don’t need the attribute and value

 

Thanks,

Chris

 

From: On Behalf Of Chris Hyzer
Sent: Wednesday, October 17, 2012 11:56 AM
To: Klug, Lawrence
Cc:
Subject: [grouper-users] RE: Grouper Admin Ui and Web Service

 

> Hi Chris,

>

> I saw the thread about “Local entity for WS service account”

> yesterday.  That approach looks attractive – could we define

> a local entity that could be used for a WS service account and

> resolve to a subject for our Plone project?  We are in QA now –

> we have Grouper  Admin UI shib-protected and Grouper WS SSL

> protected –  just need a service account strategy.  What config

> steps are involved in setting this up?

>

> Thanks,

>

> Lawrence

> 

 

 

Of course.  Are you using SSL client certs for authn, or Kerberos, or user/pass in tomcat or apache?  J

 

Basically, create a folder in your admin folders…  e.g. etc:wsusers

 

Then put the patch in place and rebuild WS:

 

https://bugs.internet2.edu/jira/browse/GRP-856

 

Then create a local entity with the Grouper lite UI in the etc:wsusers folder (or wherever it is)

 

If you want to login name to be the extension of the local entity, you don’t have to do this, otherwise, if you have special chars in your login name which cant be in an extension, then assign the attribute:

 

etc:attribute:entities:entitySubjectIdentifier (or wherever this is located, that is configurable, and this is the default)

 

And put a value on which is the login name.

 

Then set this in the grouper-ws.properties (to whatever folder you use):

 

# prepend this to the logged in user id to help this get resolved by the subject API
# you probably need to do this for local entities and WS logins
ws.security.prependToUserIdForSubjectLookup = etc:wsusers:

 

If you are using tomcat user/pass, put this section in the web.xml, if not, take it out:

 

      <security-constraint>

            <web-resource-collection>

                  <web-resource-name>Web services</web-resource-name>

                  <url-pattern>/services/*</url-pattern>

            </web-resource-collection>

            <auth-constraint>

                  <role-name>grouper_user</role-name>

            </auth-constraint>

      </security-constraint>

 

  <security-constraint>

    <web-resource-collection>

      <web-resource-name>Web services</web-resource-name>

      <url-pattern>/servicesRest/*</url-pattern>

    </web-resource-collection>

    <auth-constraint>

      <!-- NOTE:  This role is not present in the default users file -->

      <role-name>grouper_user</role-name>

    </auth-constraint>

  </security-constraint>

 

      <!-- Define the Login Configuration for this Application -->

      <login-config>

            <auth-method>BASIC</auth-method>

            <realm-name>Grouper Application</realm-name>

      </login-config>

 

      <!-- Security roles referenced by this web application -->

      <security-role>

            <description>

                  The role that is required to log in to web service

            </description>

            <role-name>grouper_user</role-name>

      </security-role>

 

  <session-config>

    <session-timeout>1</session-timeout>

  </session-config>

 

Hmmm, that should be it  J

 

Thanks,

Chris

 




Archive powered by MHonArc 2.6.16.

Top of Page