grouper-users - [grouper-users] RE: Grouper Admin Ui and Web Service
Subject: Grouper Users - Open Discussion List
List archive
- From: Chris Hyzer <>
- To: "Klug, Lawrence" <>
- Cc: "" <>
- Subject: [grouper-users] RE: Grouper Admin Ui and Web Service
- Date: Thu, 18 Oct 2012 22:36:43 +0000
- Accept-language: en-US
I thought you were authenticating as
wslogon And that was put in the subject identifier attribute of the entity:
etc:wsusers:wsuser Are you using SSL cert authn at this point, or tomcat user xml? You have nothing in the logs with the 403? Thanks, Chris From: Klug, Lawrence [mailto:]
Okay, some prohress: gsh 8% SubjectFinder.findByIdentifier("etc:wsusers:wsuser"); subject: id='c0529ba90d5c4e26ada21d62da546387' type='application' source='grouperEntities' name='etc :wsusers:wsuser' gsh 9% However, when I run the web service command from the browser, I’m getting HTTP 403 access to the requested resource is denied.
Thanks, Lawrence From:
[]
On Behalf Of Klug, Lawrence Subject still not resolving. Here is what I’m seeing: See this on startup: sources.xml groupersource id: grouperEntities Run this: GrouperSession.startRootSession(); SubjectFinder.findByIdentifier("etc:wsusers:wslogon"); Result: gsh 3% GrouperSession.startRootSession(); edu.internet2.middleware.grouper.GrouperSession: f6cc445df02b4f2e8ca094ae499cd08a,'GrouperSystem','a pplication' gsh 4% SubjectFinder.findByIdentifier("etc:wsusers:wslogon"); // Error: unable to evaluate command: Sourced file: inline evaluation of: ``SubjectFinder.findByIden tifier("etc:wsusers:wslogon");'' : Method Invocation SubjectFinder.findByIdentifier // See error log for full stacktrace // caused by: edu.internet2.middleware.subject.SubjectNotFoundException: // subject not found: etc:wsusers:wslogon gsh 5% Lite UI “View or assign attributes”
Owner group etc:wsusers:wsuser Owner group Attribute name Enabled? Assignment values Attribute definition Assignment UUID wsuser entitySubjectIdentifier enable etc:wsusers:wslogon entitySubjectIdentifierDef 0c287... grouper-ws.properties config: # prepend this to the logged in user id to help this get resolved by the subject API
# you probably need to do this for local entities and WS logins
ws.security.prependToUserIdForSubjectLookup = etc:wsusers: From: Chris Hyzer
I think your prefix should be: etc:wsusers: not etc:wsusers:wsuser: in the grouper-ws.properties, right? Ie. It should be trying to resolve: etc:wsusers:wslogon, not etc:wsusers:wsuser:wslogon… the entitysubjectIdentifier is appended to the folder of the local entity, not the name of the local entity I think… can
you try? Also, try to resolve via GSH: GrouperSession.startRootSession(); SubjectFinder.findByIdentifier("etc:wsusers:wslogon"); Also you should see the source in the output when gsh starts: sources.xml groupersource id: grouperEntities Thanks, Chris From: Klug, Lawrence
Chris, The WS call that generated the error: Error: “Cant find subject from login id: etc:wsusers:wsuser:wslogon” urn:mace:ucla.edu:ppid:person:D7BED25A41E442EFBE721496196E0A81 is the Subject that was passed as a query parameter. This is not the Subject used for authentication. I want to use the local entity to authenticate. I’m trying to create a service account that will resolve to a Subject
that does not have to exist in LDAP – make sense? Thanks, Lawrence From: Chris Hyzer []
Sorry, that’s a little confusing. Attributes assigned to the local entity object are done so by assign a group attribute to it (since a local entity is a kind of like a group with no members). If you did an
entity attribute, that would assign to the subject that the group represents which you do not want in this case. So I think the cert is resolving to:
urn:mace:ucla.edu:ppid:person:D7BED25A41E442EFBE721496196E0A81 Your folder for WS users is etc:wsusers, and you created a local entity inside called wsuser, so the local entity name is etc:wsusers:wsuser, and you have the
etc:attribute:entities:entitySubjectIdentifier attribute with value of:
urn:mace:ucla.edu:ppid:person:D7BED25A41E442EFBE721496196E0A81 Right? Then in GSH you should be able to resolve the subject: GrouperSession.startRootSession(); SubjectFinder.findByIdentifier("urn:mace:ucla.edu:ppid:person:D7BED25A41E442EFBE721496196E0A81"); Does that work? Let me know if not and I can try to replicate what you have… Thanks, Chris From: Klug, Lawrence
Hi Chris, Testing the Local entity scenario for WS service account. Created an entity within a directory “etc:wsusers:wsuser” – when I attempted to assign the etc:attribute:entities:entitySubjectIdentifier
attribute I encountered some unexpected behavior. If I select owner type “entity” and select “etc:wsusers:wsuser” , I get “no results found” for the entitySubjectIdentifier attribute, and so I can’t assign it. However, if I select owner type “group”, the
entitySubjectIdentifier attribute is assignable. It seems that Grouper sees it as a Group, not an entity. Assigned the attribute with name “wslogon” using owner type “group” and assigned value “etc:wsusers:wsuser:wslogon”.
Also configured the pre-pend string. When I try to authenticate with it, I get the error below, indicating that the subject was not resolved. What am I doing wrong? Thanks, Lawrence <resultMessage> clientVersion: 2.0.0, subjectLookups: Array size: 1: [0]: WsSubjectLookup[subjectId=urn:mace:ucla.edu:ppid:person:D7BED25A41E442EFBE721496196E0A81] memberFilter: All,
includeGroupDetail: false, actAsSubject: null , params: null fieldName1: null , scope: null, wsStemLookup: WsStemLookup[] , stemScope: null, enabled: null, pageSize: null, pageNumber: null, sortString: null, ascending: null , pointInTimeFrom: null, pointInTimeTo:
null, java.lang.RuntimeException: Cant find subject from login id: etc:wsusers:wsuser:wslogon at edu.internet2.middleware.grouper.ws.GrouperServiceJ2ee$1.callback(GrouperServiceJ2ee.java:262) at edu.internet2.middleware.grouper.GrouperSession.callbackGrouperSession(GrouperSession.java:801)
at edu.internet2.middleware.grouper.ws.GrouperServiceJ2ee.retrieveSubjectLoggedIn(GrouperServiceJ2ee.java:247) at edu.internet2.middleware.grouper.ws.GrouperServiceJ2ee.retrieveSubjectActAsHelper(GrouperServiceJ2ee.java:359) at edu.internet2.middleware.grouper.ws.GrouperServiceJ2ee.retrieveSubjectActAs(GrouperServiceJ2ee.java:331)
at edu.internet2.middleware.grouper.ws.util.GrouperServiceUtils.retrieveGrouperSession(GrouperServiceUtils.java:847) at edu.internet2.middleware.grouper.ws.GrouperServiceLogic.getGroups(GrouperServiceLogic.java:1152) at edu.internet2.middleware.grouper.ws.GrouperServiceLogic.getGroupsLite(GrouperServiceLogic.java:1370)
at edu.internet2.middleware.grouper.ws.coresoap.GrouperService.getGroupsLite(GrouperService.java:1421) at edu.internet2.middleware.grouper.ws.rest.GrouperServiceRest.getGroupsLite(GrouperServiceRest.java:854) at edu.internet2.middleware.grouper.ws.rest.method.GrouperWsRestGetSubject$1.service(GrouperWsRestGetSubject.java:66)
at edu.internet2.middleware.grouper.ws.rest.method.GrouperWsRestGet$6.service(GrouperWsRestGet.java:349) at edu.internet2.middleware.grouper.ws.rest.method.GrouperRestHttpMethod$1.service(GrouperRestHttpMethod.java:57) at edu.internet2.middleware.grouper.ws.rest.GrouperRestServlet.service(GrouperRestServlet.java:199)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:717) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
at edu.internet2.middleware.grouper.ws.GrouperServiceJ2ee.doFilter(GrouperServiceJ2ee.java:660) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:233) at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191) at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:563)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127) at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102) at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109) at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:298)
at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:859) at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:588) at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:489) at
java.lang.Thread.run(Thread.java:662) Caused by: edu.internet2.middleware.subject.SubjectNotFoundException: subject not found: etc:wsusers:wsuser:wslogon at edu.internet2.middleware.grouper.subj.SourcesXmlResolver.thereCanOnlyBeOne(SourcesXmlResolver.java:489)
at edu.internet2.middleware.grouper.subj.SourcesXmlResolver.findByIdOrIdentifier(SourcesXmlResolver.java:530) at edu.internet2.middleware.grouper.subj.CachingResolver.findByIdOrIdentifier(CachingResolver.java:377) at edu.internet2.middleware.grouper.subj.ValidatingResolver.findByIdOrIdentifier(ValidatingResolver.java:202)
at edu.internet2.middleware.grouper.SubjectFinder.findByIdOrIdentifier(SubjectFinder.java:160) at edu.internet2.middleware.grouper.ws.GrouperServiceJ2ee$1.callback(GrouperServiceJ2ee.java:255) ... 30 more From: Chris Hyzer []
Whoops, web.xml section shouldn’t include the session-config at bottom… also, I see that you said SSL WS (for authn). If the common name (or whatever goes to remote user) doesn’t have special chars or whatever
then you don’t need the attribute and value Thanks, Chris From:
On Behalf Of Chris Hyzer > Hi Chris, > > I saw the thread about “Local entity for WS service account”
> yesterday. That approach looks attractive – could we define
> a local entity that could be used for a WS service account and
> resolve to a subject for our Plone project? We are in QA now –
> we have Grouper Admin UI shib-protected and Grouper WS SSL
> protected – just need a service account strategy. What config
> steps are involved in setting this up? > > Thanks, > > Lawrence > Of course. Are you using SSL client certs for authn, or Kerberos, or user/pass in tomcat or apache?
J Basically, create a folder in your admin folders… e.g. etc:wsusers Then put the patch in place and rebuild WS: https://bugs.internet2.edu/jira/browse/GRP-856 Then create a local entity with the Grouper lite UI in the etc:wsusers folder (or wherever it is) If you want to login name to be the extension of the local entity, you don’t have to do this, otherwise, if you have special chars in your login name which cant be in an extension, then assign the attribute: etc:attribute:entities:entitySubjectIdentifier (or wherever this is located, that is configurable, and this is the default) And put a value on which is the login name. Then set this in the grouper-ws.properties (to whatever folder you use): # prepend this to the logged in user id to help this get resolved by the subject API
If you are using tomcat user/pass, put this section in the web.xml, if not, take it out:
<security-constraint>
<web-resource-collection>
<web-resource-name>Web
services</web-resource-name>
<url-pattern>/services/*</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>grouper_user</role-name>
</auth-constraint>
</security-constraint>
<security-constraint>
<web-resource-collection>
<web-resource-name>Web
services</web-resource-name>
<url-pattern>/servicesRest/*</url-pattern>
</web-resource-collection>
<auth-constraint>
<!-- NOTE: This role is not present in the default users file -->
<role-name>grouper_user</role-name>
</auth-constraint>
</security-constraint>
<!-- Define the Login Configuration for this Application -->
<login-config>
<auth-method>BASIC</auth-method>
<realm-name>Grouper
Application</realm-name>
</login-config>
<!-- Security roles referenced by this web application -->
<security-role>
<description> The role that is required to log in to web service
</description>
<role-name>grouper_user</role-name>
</security-role>
<session-config>
<session-timeout>1</session-timeout>
</session-config> Hmmm, that should be it
J Thanks, Chris |
- [grouper-users] Grouper Admin Ui and Web Service, Klug, Lawrence, 10/15/2012
- [grouper-users] RE: Grouper Admin Ui and Web Service, Chris Hyzer, 10/15/2012
- Message not available
- Message not available
- Message not available
- Message not available
- Message not available
- Message not available
- Message not available
- [grouper-users] RE: Grouper Admin Ui and Web Service, Chris Hyzer, 10/17/2012
- [grouper-users] RE: Grouper Admin Ui and Web Service, Chris Hyzer, 10/17/2012
- [grouper-users] RE: Grouper Admin Ui and Web Service, Klug, Lawrence, 10/18/2012
- [grouper-users] RE: Grouper Admin Ui and Web Service, Chris Hyzer, 10/18/2012
- [grouper-users] RE: Grouper Admin Ui and Web Service, Klug, Lawrence, 10/18/2012
- [grouper-users] RE: Grouper Admin Ui and Web Service, Chris Hyzer, 10/18/2012
- [grouper-users] RE: Grouper Admin Ui and Web Service, Klug, Lawrence, 10/18/2012
- [grouper-users] RE: Grouper Admin Ui and Web Service, Klug, Lawrence, 10/18/2012
- [grouper-users] RE: Grouper Admin Ui and Web Service, Chris Hyzer, 10/18/2012
- [grouper-users] RE: Grouper Admin Ui and Web Service, Klug, Lawrence, 10/18/2012
- [grouper-users] RE: Grouper Admin Ui and Web Service, Chris Hyzer, 10/18/2012
- [grouper-users] RE: Grouper Admin Ui and Web Service, Klug, Lawrence, 10/19/2012
- Message not available
- Message not available
- Message not available
- Message not available
- Message not available
- [grouper-users] RE: Grouper Admin Ui and Web Service, Chris Hyzer, 10/15/2012
- [grouper-users] RE: Grouper Admin Ui and Web Service, Klug, Lawrence, 10/17/2012
- [grouper-users] RE: Grouper Admin Ui and Web Service, Chris Hyzer, 10/17/2012
- [grouper-users] RE: Grouper Admin Ui and Web Service, Klug, Lawrence, 10/17/2012
- [grouper-users] RE: Grouper Admin Ui and Web Service, Klug, Lawrence, 10/17/2012
Archive powered by MHonArc 2.6.16.