grouper-users - [grouper-users] RE: Still trying to CASify Grouper
Subject: Grouper Users - Open Discussion List
List archive
- From: Chris Hyzer <>
- To: "Bryan E. Wooten" <>, "" <>
- Subject: [grouper-users] RE: Still trying to CASify Grouper
- Date: Thu, 4 Apr 2013 18:07:17 +0000
- Accept-language: en-US
- Authentication-results: sfpop-ironport01.merit.edu; dkim=neutral (message not signed) header.i=none
|
First off [disclaimer… this is probably a dumb question, Im not a CAS user…] I would like someone to remind me why we have CAS authentication client code in the Grouper UI. Shouldn’t the ideal architecture be
to authenticate with a web server plugin? So if mod_auth_cas exists, why would people not want to use that instead of the client code in the Grouper UI? Then it is more like Shib or Cosign or whatever which are easier to integrate and maintain (I think)
than the CAS client in the Grouper UI. Ok, about the debug info… You can add some in if you don’t mind building again… I added some in to 2.1.4 just now (its below): To use this, add this to the log4j.properties: log4j.logger.edu.internet2.middleware.grouper.ui.GrouperUiFilter = DEBUG Example output: 2013-04-04 13:34:15,304: [http-8088-2] DEBUG GrouperUiFilter.remoteUser(548) - - httpServletRequest.getRemoteUser(): GrouperSystem, remoteUser
overall: GrouperSystem GrouperUiFilter.java FROM:
/** *
*
@param httpServletRequest *
@return user name */
public
static String remoteUser(HttpServletRequest httpServletRequest) { String remoteUser = httpServletRequest.getRemoteUser();
if
(StringUtils.isBlank(remoteUser)) {
//this is how mod_jk passes env vars remoteUser = (String)httpServletRequest.getAttribute("REMOTE_USER"); }
if
(StringUtils.isBlank(remoteUser) && httpServletRequest.getUserPrincipal() !=
null) {
//this is how mod_jk passes env vars remoteUser = httpServletRequest.getUserPrincipal().getName(); }
if (StringUtils.isBlank(remoteUser)) { HttpSession session = httpServletRequest.getSession(false); remoteUser = (String)(session ==
null ?
null : session.getAttribute("authUser")); }
remoteUser = StringUtils.trim(remoteUser);
httpServletRequest.getSession().setAttribute("grouperLoginId",
remoteUser);
return
remoteUser; } TO:
/** *
*
@param httpServletRequest *
@return user name */
public
static String remoteUser(HttpServletRequest httpServletRequest) {
Map<String, Object>
debugLog = LOG.isDebugEnabled() ?
new LinkedHashMap<String, Object>() :
null;
try { String remoteUser = httpServletRequest.getRemoteUser();
if
(LOG.isDebugEnabled()) {
debugLog.put("httpServletRequest.getRemoteUser()",
remoteUser); }
if
(StringUtils.isBlank(remoteUser)) {
//this is how mod_jk passes env vars remoteUser = (String)httpServletRequest.getAttribute("REMOTE_USER");
if (LOG.isDebugEnabled())
{
debugLog.put("REMOTE_USER attribute", remoteUser); } }
if
(StringUtils.isBlank(remoteUser) && httpServletRequest.getUserPrincipal() !=
null) {
//this is how mod_jk passes env vars remoteUser = httpServletRequest.getUserPrincipal().getName();
if (LOG.isDebugEnabled())
{
debugLog.put("httpServletRequest.getUserPrincipal().getName()",
remoteUser); } }
if (StringUtils.isBlank(remoteUser)) { HttpSession session = httpServletRequest.getSession(false); remoteUser = (String)(session ==
null ?
null : session.getAttribute("authUser"));
if (LOG.isDebugEnabled())
{
debugLog.put("session.getAttribute(authUser)",
remoteUser); } }
remoteUser = StringUtils.trim(remoteUser);
httpServletRequest.getSession().setAttribute("grouperLoginId",
remoteUser);
if (LOG.isDebugEnabled())
{
debugLog.put("remoteUser overall", remoteUser); }
return remoteUser; }
finally {
if (LOG.isDebugEnabled())
{
LOG.debug(GrouperUtil.mapToString(debugLog)); } } } From: [mailto:]
On Behalf Of Bryan E. Wooten I found this thread from a while back: https://lists.internet2.edu/sympa/arc/grouper-users/2011-09/msg00022.html Where Chris said: “Grouper just gets the ID from REMOTE_USER, so it doesn’t know which source its in, so it checks them all. It cant exist in multiple. Either you need to determine which other
source besides g:isa (grouper internal source adapter) GrouperSystem is in, and remove it, or maybe you could use a real user account, add them to the wheel group, and that is equivalent to using GrouperSystem… generally you only need to login with GrouperSystem
to bootstrap, but not for steadystate operation. Ok? “ Based on the above statement I would expect to see a search request going to my LDAP server since I have an LDAP source. I also have a jdbc source which is pointing to the HSQL DB. Watching its
log I don’t see any query either. My best guess is that Grouper isn’t finding a REMOTE_USER, but I have my CAS filters set to provide that. Is there a way to get Grouper to log what it thinks the remote user is? Looking at the GrouperUiFilter.java remoteUser method there doesn’t seem to be any debug logging. Any ideas on how I can further trouble shoot this? Thanks, Bryan |
- [grouper-users] Still trying to CASify Grouper, Bryan E. Wooten, 04/04/2013
- [grouper-users] RE: Still trying to CASify Grouper, Chris Hyzer, 04/04/2013
- [grouper-users] RE: Still trying to CASify Grouper, Bryan E. Wooten, 04/04/2013
- [grouper-users] RE: Still trying to CASify Grouper, Bryan E. Wooten, 04/04/2013
- [grouper-users] RE: Still trying to CASify Grouper, Chris Hyzer, 04/04/2013
- [grouper-users] RE: Still trying to CASify Grouper, Bryan E. Wooten, 04/04/2013
- [grouper-users] RE: Still trying to CASify Grouper, Chris Hyzer, 04/04/2013
- <Possible follow-up(s)>
- RE: [grouper-users] Still trying to CASify Grouper, Gagné Sébastien, 04/04/2013
- [grouper-users] RE: Still trying to CASify Grouper, Chris Hyzer, 04/04/2013
Archive powered by MHonArc 2.6.16.