grouper-users list archive (Grouper Users - Open Discussion List)
- From: "Klug, Lawrence" <>
- To: Chris Hyzer <>
- Cc: "" <>
- Subject: [grouper-users] RE: Grouper Admin Ui and Web Service
- Date: Fri, 19 Oct 2012 15:53:57 +0000
- Accept-language: en-US
Hi Chris,

Applied the patch to my Maven project – and yes, I was able to duplicate your results in GSH:

gsh 0% GrouperSession.startRootSession();
edu.internet2.middleware.grouper.GrouperSession: 95c72d2ba9144e10b324aabbc93bea5f,'GrouperSystem','application'
gsh 1% SubjectFinder.findByIdentifier("etc:wsusers:wslogon");
subject: id='c0529ba90d5c4e26ada21d62da546387' type='application' source='grouperEntities' name='etc:wsusers:wsuser'
gsh 2% SubjectFinder.findByIdentifier("etc:wsusers:wsuser");
subject: id='c0529ba90d5c4e26ada21d62da546387' type='application' source='grouperEntities' name='etc:wsusers:wsuser'
gsh 3%

And yes, I was able to authenticate Grouper WS and return a successful query. Excellent!

Thanks,
Lawrence

From: Chris Hyzer
Argh, there was a bug in findByIdentifier() for entities where the attribute entitySubjectIdentifier was assigned:
https://bugs.internet2.edu/jira/browse/GRP-857

If you want to try that patch in the jira, things should work here… here is an example:

I created a local entity:

Then I assigned an identifier attribute to the local entity

Then I can resolve the subject two ways:

gsh 0% GrouperSession.startRootSession();
edu.internet2.middleware.grouper.GrouperSession: 0b559b39faee45cca232dfc2be91e390,'GrouperSystem','application'
gsh 1% SubjectFinder.findByIdentifier("etc:wsusers:wslogon");
subject: id='fc31009ff5ef4e9e84e9f7e2ec369f73' type='application' source='grouperEntities' name='etc:wsusers:wsuser'
gsh 2% SubjectFinder.findByIdentifier("etc:wsusers:wsuser");
subject: id='fc31009ff5ef4e9e84e9f7e2ec369f73' type='application' source='grouperEntities' name='etc:wsusers:wsuser'
gsh 3%

Then it should work on the WS… :)

Let me know how it goes.

Thanks,
Chris

From: Klug, Lawrence
I’m using tomcat user xml. I’ve been trying various combinations - sorry about the confusion. But now that I’m seeing the entity as a subject – it’s a step forward:

gsh 4% new EntityFinder().addName("etc:wsusers:wsuser").findEntities();
group: name='etc:wsusers:wsuser' displayName='etc:wsusers:wsuser' uuid='c0529ba90d5c4e26ada21d62da546387'

Don’t see anything in the logs so far.

From: Chris Hyzer
I thought you were authenticating as wslogon, and that was put in the subject identifier attribute of the entity etc:wsusers:wsuser.

Are you using SSL cert authn at this point, or tomcat user xml? You have nothing in the logs with the 403?

Thanks,
Chris

From: Klug, Lawrence
Okay, some progress:

gsh 8% SubjectFinder.findByIdentifier("etc:wsusers:wsuser");
subject: id='c0529ba90d5c4e26ada21d62da546387' type='application' source='grouperEntities' name='etc:wsusers:wsuser'
gsh 9%

However, when I run the web service command from the browser, I’m getting HTTP 403 access to the requested resource is denied.

Thanks,
Lawrence

From: [] On Behalf Of Klug, Lawrence

Subject still not resolving. Here is what I’m seeing:

See this on startup:
sources.xml groupersource id: grouperEntities

Run this:
GrouperSession.startRootSession();
SubjectFinder.findByIdentifier("etc:wsusers:wslogon");

Result:
gsh 3% GrouperSession.startRootSession();
edu.internet2.middleware.grouper.GrouperSession: f6cc445df02b4f2e8ca094ae499cd08a,'GrouperSystem','application'
gsh 4% SubjectFinder.findByIdentifier("etc:wsusers:wslogon");
// Error: unable to evaluate command: Sourced file: inline evaluation of: ``SubjectFinder.findByIdentifier("etc:wsusers:wslogon");'' : Method Invocation SubjectFinder.findByIdentifier
// See error log for full stacktrace
// caused by: edu.internet2.middleware.subject.SubjectNotFoundException:
// subject not found: etc:wsusers:wslogon
gsh 5%

Lite UI “View or assign attributes”, Owner group etc:wsusers:wsuser:

Owner group | Attribute name          | Enabled? | Assignment values   | Attribute definition       | Assignment UUID
wsuser      | entitySubjectIdentifier | enable   | etc:wsusers:wslogon | entitySubjectIdentifierDef | 0c287...

grouper-ws.properties config:
# prepend this to the logged in user id to help this get resolved by the subject API
# you probably need to do this for local entities and WS logins
ws.security.prependToUserIdForSubjectLookup = etc:wsusers:

From: Chris Hyzer
I think your prefix should be etc:wsusers: not etc:wsusers:wsuser: in the grouper-ws.properties, right? I.e. it should be trying to resolve etc:wsusers:wslogon, not etc:wsusers:wsuser:wslogon… the entitySubjectIdentifier is appended to the folder of the local entity, not the name of the local entity, I think… can you try?

Also, try to resolve via GSH:
GrouperSession.startRootSession();
SubjectFinder.findByIdentifier("etc:wsusers:wslogon");

Also you should see the source in the output when gsh starts:
sources.xml groupersource id: grouperEntities

Thanks,
Chris

From: Klug, Lawrence
Chris,

The WS call that generated the error:
Error: “Cant find subject from login id: etc:wsusers:wsuser:wslogon”

urn:mace:ucla.edu:ppid:person:D7BED25A41E442EFBE721496196E0A81 is the Subject that was passed as a query parameter. This is not the Subject used for authentication. I want to use the local entity to authenticate. I’m trying to create a service account that will resolve to a Subject that does not have to exist in LDAP – make sense?

Thanks,
Lawrence

From: Chris Hyzer
Sorry, that’s a little confusing. Attributes assigned to the local entity object are done so by assigning a group attribute to it (since a local entity is kind of like a group with no members). If you did an entity attribute, that would assign to the subject that the group represents, which you do not want in this case.

So I think the cert is resolving to: urn:mace:ucla.edu:ppid:person:D7BED25A41E442EFBE721496196E0A81

Your folder for WS users is etc:wsusers, and you created a local entity inside called wsuser, so the local entity name is etc:wsusers:wsuser, and you have the etc:attribute:entities:entitySubjectIdentifier attribute with value of: urn:mace:ucla.edu:ppid:person:D7BED25A41E442EFBE721496196E0A81

Right? Then in GSH you should be able to resolve the subject:
GrouperSession.startRootSession();
SubjectFinder.findByIdentifier("urn:mace:ucla.edu:ppid:person:D7BED25A41E442EFBE721496196E0A81");

Does that work? Let me know if not and I can try to replicate what you have…

Thanks,
Chris

From: Klug, Lawrence
Hi Chris,

Testing the local entity scenario for WS service account. Created an entity within a directory “etc:wsusers:wsuser” – when I attempted to assign the etc:attribute:entities:entitySubjectIdentifier attribute I encountered some unexpected behavior. If I select owner type “entity” and select “etc:wsusers:wsuser”, I get “no results found” for the entitySubjectIdentifier attribute, and so I can’t assign it. However, if I select owner type “group”, the entitySubjectIdentifier attribute is assignable. It seems that Grouper sees it as a Group, not an entity. Assigned the attribute with name “wslogon” using owner type “group” and assigned value “etc:wsusers:wsuser:wslogon”.

Also configured the pre-pend string. When I try to authenticate with it, I get the error below, indicating that the subject was not resolved. What am I doing wrong?

Thanks,
Lawrence

<resultMessage>
clientVersion: 2.0.0, subjectLookups: Array size: 1: [0]: WsSubjectLookup[subjectId=urn:mace:ucla.edu:ppid:person:D7BED25A41E442EFBE721496196E0A81] memberFilter: All, includeGroupDetail: false, actAsSubject: null , params: null fieldName1: null , scope: null, wsStemLookup: WsStemLookup[] , stemScope: null, enabled: null, pageSize: null, pageNumber: null, sortString: null, ascending: null , pointInTimeFrom: null, pointInTimeTo: null,
java.lang.RuntimeException: Cant find subject from login id: etc:wsusers:wsuser:wslogon
    at edu.internet2.middleware.grouper.ws.GrouperServiceJ2ee$1.callback(GrouperServiceJ2ee.java:262)
    at edu.internet2.middleware.grouper.GrouperSession.callbackGrouperSession(GrouperSession.java:801)
    at edu.internet2.middleware.grouper.ws.GrouperServiceJ2ee.retrieveSubjectLoggedIn(GrouperServiceJ2ee.java:247)
    at edu.internet2.middleware.grouper.ws.GrouperServiceJ2ee.retrieveSubjectActAsHelper(GrouperServiceJ2ee.java:359)
    at edu.internet2.middleware.grouper.ws.GrouperServiceJ2ee.retrieveSubjectActAs(GrouperServiceJ2ee.java:331)
    at edu.internet2.middleware.grouper.ws.util.GrouperServiceUtils.retrieveGrouperSession(GrouperServiceUtils.java:847)
    at edu.internet2.middleware.grouper.ws.GrouperServiceLogic.getGroups(GrouperServiceLogic.java:1152)
    at edu.internet2.middleware.grouper.ws.GrouperServiceLogic.getGroupsLite(GrouperServiceLogic.java:1370)
    at edu.internet2.middleware.grouper.ws.coresoap.GrouperService.getGroupsLite(GrouperService.java:1421)
    at edu.internet2.middleware.grouper.ws.rest.GrouperServiceRest.getGroupsLite(GrouperServiceRest.java:854)
    at edu.internet2.middleware.grouper.ws.rest.method.GrouperWsRestGetSubject$1.service(GrouperWsRestGetSubject.java:66)
    at edu.internet2.middleware.grouper.ws.rest.method.GrouperWsRestGet$6.service(GrouperWsRestGet.java:349)
    at edu.internet2.middleware.grouper.ws.rest.method.GrouperRestHttpMethod$1.service(GrouperRestHttpMethod.java:57)
    at edu.internet2.middleware.grouper.ws.rest.GrouperRestServlet.service(GrouperRestServlet.java:199)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:717)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
    at edu.internet2.middleware.grouper.ws.GrouperServiceJ2ee.doFilter(GrouperServiceJ2ee.java:660)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
    at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:233)
    at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191)
    at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:563)
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:298)
    at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:859)
    at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:588)
    at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:489)
    at java.lang.Thread.run(Thread.java:662)
Caused by: edu.internet2.middleware.subject.SubjectNotFoundException: subject not found: etc:wsusers:wsuser:wslogon
    at edu.internet2.middleware.grouper.subj.SourcesXmlResolver.thereCanOnlyBeOne(SourcesXmlResolver.java:489)
    at edu.internet2.middleware.grouper.subj.SourcesXmlResolver.findByIdOrIdentifier(SourcesXmlResolver.java:530)
    at edu.internet2.middleware.grouper.subj.CachingResolver.findByIdOrIdentifier(CachingResolver.java:377)
    at edu.internet2.middleware.grouper.subj.ValidatingResolver.findByIdOrIdentifier(ValidatingResolver.java:202)
    at edu.internet2.middleware.grouper.SubjectFinder.findByIdOrIdentifier(SubjectFinder.java:160)
    at edu.internet2.middleware.grouper.ws.GrouperServiceJ2ee$1.callback(GrouperServiceJ2ee.java:255)
    ... 30 more

From: Chris Hyzer
Whoops, web.xml section shouldn’t include the session-config at bottom… also, I see that you said SSL WS (for authn). If the common name (or whatever goes to remote user) doesn’t have special chars or whatever, then you don’t need the attribute and value.

Thanks,
Chris

From: [] On Behalf Of Chris Hyzer

> Hi Chris,
>
> I saw the thread about “Local entity for WS service account”
> yesterday. That approach looks attractive – could we define
> a local entity that could be used for a WS service account and
> resolve to a subject for our Plone project? We are in QA now –
> we have Grouper Admin UI shib-protected and Grouper WS SSL
> protected – just need a service account strategy. What config
> steps are involved in setting this up?
>
> Thanks,
>
> Lawrence

Of course. Are you using SSL client certs for authn, or Kerberos, or user/pass in tomcat or apache? :)

Basically, create a folder in your admin folders… e.g. etc:wsusers

Then put the patch in place and rebuild WS: https://bugs.internet2.edu/jira/browse/GRP-856

Then create a local entity with the Grouper lite UI in the etc:wsusers folder (or wherever it is).

If you want the login name to be the extension of the local entity, you don’t have to do this; otherwise, if you have special chars in your login name which can’t be in an extension, then assign the attribute etc:attribute:entities:entitySubjectIdentifier (or wherever this is located, that is configurable, and this is the default) and put a value on which is the login name.

Then set this in the grouper-ws.properties (to whatever folder you use):
# prepend this to the logged in user id to help this get resolved by the subject API
If you are using tomcat user/pass, put this section in the web.xml, if not, take it out:

<security-constraint>
  <web-resource-collection>
    <web-resource-name>Web services</web-resource-name>
    <url-pattern>/services/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>grouper_user</role-name>
  </auth-constraint>
</security-constraint>
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Web services</web-resource-name>
    <url-pattern>/servicesRest/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <!-- NOTE: This role is not present in the default users file -->
    <role-name>grouper_user</role-name>
  </auth-constraint>
</security-constraint>
<!-- Define the Login Configuration for this Application -->
<login-config>
  <auth-method>BASIC</auth-method>
  <realm-name>Grouper Application</realm-name>
</login-config>
<!-- Security roles referenced by this web application -->
<security-role>
  <description>The role that is required to log in to web service</description>
  <role-name>grouper_user</role-name>
</security-role>
<session-config>
  <session-timeout>1</session-timeout>
</session-config>

Hmmm, that should be it :)

Thanks,
Chris
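The following is an added example written for this archive page; it is not Grouper's own code and was not posted by anyone in the thread. It models in Python the two checks that the exchange above keeps tripping over: the container's role check implied by the web.xml fragment (an authenticated Tomcat user without the grouper_user role is refused with a 403 before Grouper sees the request), and the login-id-to-subject step in which ws.security.prependToUserIdForSubjectLookup is prepended to the remote user and the result is resolved by entity name or by a value of the entitySubjectIdentifier attribute. The class and function names, the role table and the container-check function are assumptions made for illustration, and the lookup assumes the patched behaviour of GRP-857 in which resolving by identifier works; the entity name, uuid and identifier value are the ones that appear in the thread. The model reproduces why the prefix etc:wsusers:wsuser: produces "Cant find subject from login id: etc:wsusers:wsuser:wslogon" while etc:wsusers: resolves to etc:wsusers:wsuser, and why a login equal to the entity's extension needs no attribute at all.

```python
"""Model of the checks a Grouper WS request passes through when a local
entity is used as a service account.

Added illustration for this archive page, not Grouper code. Assumptions:
  1. the servlet container (Tomcat, web.xml above) authenticates the user
     and requires the grouper_user role before the request reaches Grouper;
  2. Grouper WS prepends ws.security.prependToUserIdForSubjectLookup to the
     remote user and resolves the result by id or identifier;
  3. the grouperEntities source answers by entity uuid, by entity name, or
     by a value of the entitySubjectIdentifier attribute on the entity.
Role table and helper names are invented; entity data is from the thread.
"""
from dataclasses import dataclass, field


class SubjectNotFoundException(Exception):
    """Stands in for edu.internet2.middleware.subject.SubjectNotFoundException."""


class Forbidden(Exception):
    """Container rejected the request (HTTP 403) before Grouper saw it."""


@dataclass
class LocalEntity:
    name: str                 # full name: folder + ':' + extension
    uuid: str
    identifiers: set = field(default_factory=set)  # entitySubjectIdentifier values


class EntitySource:
    """Toy grouperEntities source: resolve by uuid, by name, or by identifier."""

    def __init__(self, entities):
        self.entities = list(entities)

    def find_by_id_or_identifier(self, value):
        hits = [e for e in self.entities
                if value == e.uuid or value == e.name or value in e.identifiers]
        if not hits:
            raise SubjectNotFoundException(f"subject not found: {value}")
        if len(hits) > 1:  # analogous to SourcesXmlResolver.thereCanOnlyBeOne
            raise SubjectNotFoundException(f"more than one subject for: {value}")
        return hits[0]


def container_check(remote_user, user_roles, required_role="grouper_user"):
    """web.xml auth-constraint: authenticated but unprivileged users get 403."""
    if required_role not in user_roles.get(remote_user, set()):
        raise Forbidden(f"403: {remote_user} lacks role {required_role}")


def retrieve_subject_logged_in(remote_user, prepend, source):
    """prependToUserIdForSubjectLookup + remote user -> subject, or the WS error."""
    login_id = prepend + remote_user
    try:
        return source.find_by_id_or_identifier(login_id)
    except SubjectNotFoundException as e:
        # same wording as the RuntimeException in the stack trace above
        raise RuntimeError(f"Cant find subject from login id: {login_id}") from e


def handle_request(remote_user, user_roles, prepend, source):
    """Container authorization first, then Grouper's subject resolution."""
    container_check(remote_user, user_roles)
    return retrieve_subject_logged_in(remote_user, prepend, source)


def sample_source():
    # Local entity etc:wsusers:wsuser whose identifier is etc:wsusers:wslogon,
    # i.e. the identifier hangs off the folder, not off the entity name.
    return EntitySource([
        LocalEntity("etc:wsusers:wsuser", "c0529ba90d5c4e26ada21d62da546387",
                    {"etc:wsusers:wslogon"}),
    ])


# Constructed tomcat-users-style role table (assumption, not from the thread).
SAMPLE_ROLES = {"wslogon": {"grouper_user"}, "wsuser": {"grouper_user"}, "nobody": set()}


if __name__ == "__main__":
    src = sample_source()
    # Resolves: prefix is the folder, login id is the identifier's extension
    print(handle_request("wslogon", SAMPLE_ROLES, "etc:wsusers:", src).name)
    # Resolves with no attribute at all: login id equals the entity extension
    print(handle_request("wsuser", SAMPLE_ROLES, "etc:wsusers:", src).name)
    # Fails exactly as in the thread: the entity name was used as the prefix
    try:
        handle_request("wslogon", SAMPLE_ROLES, "etc:wsusers:wsuser:", src)
    except RuntimeError as e:
        print(e)
    # Container refuses before Grouper ever looks up a subject
    try:
        handle_request("nobody", SAMPLE_ROLES, "etc:wsusers:", src)
    except Forbidden as e:
        print(e)
```

Run the file directly to see the four outcomes; the point of separating container_check from retrieve_subject_logged_in is that a 403 and a "Cant find subject" error come from different layers, and only the second one reaches Grouper's logs.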
- [grouper-users] RE: Grouper Admin Ui and Web Service, (continued)
- [grouper-users] RE: Grouper Admin Ui and Web Service, Chris Hyzer, 10/17/2012
- [grouper-users] RE: Grouper Admin Ui and Web Service, Klug, Lawrence, 10/18/2012
- [grouper-users] RE: Grouper Admin Ui and Web Service, Chris Hyzer, 10/18/2012
- [grouper-users] RE: Grouper Admin Ui and Web Service, Klug, Lawrence, 10/18/2012
- [grouper-users] RE: Grouper Admin Ui and Web Service, Chris Hyzer, 10/18/2012
- [grouper-users] RE: Grouper Admin Ui and Web Service, Klug, Lawrence, 10/18/2012
- [grouper-users] RE: Grouper Admin Ui and Web Service, Klug, Lawrence, 10/18/2012
- [grouper-users] RE: Grouper Admin Ui and Web Service, Chris Hyzer, 10/18/2012
- [grouper-users] RE: Grouper Admin Ui and Web Service, Klug, Lawrence, 10/18/2012
- [grouper-users] RE: Grouper Admin Ui and Web Service, Chris Hyzer, 10/18/2012
- [grouper-users] RE: Grouper Admin Ui and Web Service, Klug, Lawrence, 10/19/2012
- [grouper-users] RE: Grouper Admin Ui and Web Service, Klug, Lawrence, 10/17/2012
- [grouper-users] RE: Grouper Admin Ui and Web Service, Chris Hyzer, 10/17/2012
- [grouper-users] RE: Grouper Admin Ui and Web Service, Klug, Lawrence, 10/17/2012
- [grouper-users] RE: Grouper Admin Ui and Web Service, Klug, Lawrence, 10/17/2012