Grouper Users - Open Discussion List

[Gagné Sébastien <>]

Your struts-config looks good, although we removed the old lines instead of commenting it, but I don’t think it would matter.

 

We are using the provided Yale client, I had no experience with it too, but it simply worked when I followed the wiki’s instructions so I left it like that.

 

 

De : [mailto:] De la part de Bryan E. Wooten
Envoyé : 4 avril 2013 15:02
À : Chris Hyzer;
Objet : [grouper-users] RE: Still trying to CASify Grouper

 

Thanks Chris,

 

I am using the quick install. I haven’t set my environment to actually build the UI. I’ll need to get on that.

 

I could use mod_auth_cas and front my grouper Tomcat with Apache but is more work. I should note that I am using the Jasig CAS client and not the Yale client. The Yale client is deprecated and no longer supported, plus I have no experience with it. Modifying the web.xml to include the JASIG CAS client is straight forward and is how we CASified Peoplesoft.

 

We modified the internet2spons.jsp to display remote user:

<>

      <div id="internet2">

        <grouper:message key="internet2.sponsored.by" /><br /><br/>

        <a href=""http://internet2.edu" target="_blank"><img

        src=""grouper/images/internet2.gif"" alt="Internet2" style="border: 0px"/></a>

 

<br>

Remote user: <%= request.getRemoteUser() %>

<br>

 

 

      </div>

 

After I log into Grouper via CAS I see this on the populateIndex.do page:

 

<div id="internet2">

        Grouper is sponsored by<br /><br/>

        <a href=""http://internet2.edu" target="_blank"><img

        src=""grouper/images/internet2.gif" alt="Internet2" style="border: 0px"/></a>

 

<br>

Remote user: u0519980

<br>

 

 

      </div>

 

Perhaps there is something wrong with my struts-config.xml?

 

<forward name="Groups" path="/populateMyGroups.do" redirect="false"/>

                <forward name="Index" path="/populateIndex.do" redirect="true"/>

                <!-- CAS Login -->

        <!--

                <forward name="Login" path="/login.do" redirect="true"/>

        -->

        <forward name="Login" path="/home.do" redirect="true"/>

 

 

And

 

<action path="/callLogin" scope="request"

            type="edu.internet2.middleware.grouper.ui.actions.CallLoginAction"

            unknown="false" validate="false">

  <!--

      <forward name="callLogin" path="/login.do" redirect="true"/>

   -->

  <!--    CAS Login change -->

      <forward name="callLogin" path="/home.do" redirect="true"/>

     

    </action>

 

Thanks,

 

Bryan

 

 

From: Chris Hyzer []
Sent: Thursday, April 04, 2013 12:07 PM
To: Bryan E. Wooten;
Subject: RE: Still trying to CASify Grouper

 

First off [disclaimer… this is probably a dumb question, Im not a CAS user…] I would like someone to remind me why we have CAS authentication client code in the Grouper UI.  Shouldn’t the ideal architecture be to authenticate with a web server plugin?  So if mod_auth_cas exists, why would people not want to use that instead of the client code in the Grouper UI?  Then it is more like Shib or Cosign or whatever which are easier to integrate and maintain (I think) than the CAS client in the Grouper UI.

 

Ok, about the debug info…

 

You can add some in if you don’t mind building again… I added some in to 2.1.4 just now (its below):

 

 

To use this, add this to the log4j.properties:

 

log4j.logger.edu.internet2.middleware.grouper.ui.GrouperUiFilter = DEBUG

 

Example output:

 

2013-04-04 13:34:15,304: [http-8088-2] DEBUG GrouperUiFilter.remoteUser(548) -  - httpServletRequest.getRemoteUser(): GrouperSystem, remoteUser overall: GrouperSystem

 

 

GrouperUiFilter.java

 

FROM:

 

  /**

   *

   * @param httpServletRequest

   * @return user name

   */

  public static String remoteUser(HttpServletRequest httpServletRequest) {

    String remoteUser = httpServletRequest.getRemoteUser();

   

    if (StringUtils.isBlank(remoteUser)) {

      //this is how mod_jk passes env vars

      remoteUser = (String)httpServletRequest.getAttribute("REMOTE_USER");

    }

   

    if (StringUtils.isBlank(remoteUser) && httpServletRequest.getUserPrincipal() != null) {

      //this is how mod_jk passes env vars

      remoteUser = httpServletRequest.getUserPrincipal().getName();

    }

    if (StringUtils.isBlank(remoteUser)) {

      HttpSession session = httpServletRequest.getSession(false);

      remoteUser = (String)(session == null ? null : session.getAttribute("authUser"));

    }

   

    remoteUser = StringUtils.trim(remoteUser);

   

    httpServletRequest.getSession().setAttribute("grouperLoginId", remoteUser);

   

    return remoteUser;

  }

 

TO:

 

  /**

   *

   * @param httpServletRequest

   * @return user name

   */

  public static String remoteUser(HttpServletRequest httpServletRequest) {

   

    Map<String, Object> debugLog = LOG.isDebugEnabled() ? new LinkedHashMap<String, Object>() : null;

    try {

      String remoteUser = httpServletRequest.getRemoteUser();

     

      if (LOG.isDebugEnabled()) {

        debugLog.put("httpServletRequest.getRemoteUser()", remoteUser);

      }

     

      if (StringUtils.isBlank(remoteUser)) {

        //this is how mod_jk passes env vars

        remoteUser = (String)httpServletRequest.getAttribute("REMOTE_USER");

        if (LOG.isDebugEnabled()) {

          debugLog.put("REMOTE_USER attribute", remoteUser);

        }

      }

     

      if (StringUtils.isBlank(remoteUser) && httpServletRequest.getUserPrincipal() != null) {

        //this is how mod_jk passes env vars

        remoteUser = httpServletRequest.getUserPrincipal().getName();

        if (LOG.isDebugEnabled()) {

          debugLog.put("httpServletRequest.getUserPrincipal().getName()", remoteUser);

        }

      }

      if (StringUtils.isBlank(remoteUser)) {

        HttpSession session = httpServletRequest.getSession(false);

        remoteUser = (String)(session == null ? null : session.getAttribute("authUser"));

        if (LOG.isDebugEnabled()) {

          debugLog.put("session.getAttribute(authUser)", remoteUser);

        }

      }

     

      remoteUser = StringUtils.trim(remoteUser);

     

      httpServletRequest.getSession().setAttribute("grouperLoginId", remoteUser);

 

      if (LOG.isDebugEnabled()) {

        debugLog.put("remoteUser overall", remoteUser);

      }

 

      return remoteUser;

    } finally {

      if (LOG.isDebugEnabled()) {

        LOG.debug(GrouperUtil.mapToString(debugLog));

      }

    }

  }

 

 

 

From: [] On Behalf Of Bryan E. Wooten
Sent: Thursday, April 04, 2013 11:51 AM
To:
Subject: [grouper-users] Still trying to CASify Grouper

 

I found this thread from a while back:

https://lists.internet2.edu/sympa/arc/grouper-users/2011-09/msg00022.html

 

Where Chris said: “Grouper just gets the ID from REMOTE_USER, so it doesn’t know which source its in, so it checks them all.  It cant exist in multiple.  Either you need to determine which other source besides g:isa (grouper internal source adapter) GrouperSystem is in, and remove it, or maybe you could use a real user account, add them to the wheel group, and that is equivalent to using GrouperSystem…  generally you only need to login with GrouperSystem to bootstrap, but not for steadystate operation.  Ok? “

 

Based on the above statement I would expect to see a search request going to my LDAP server since I have an LDAP source. I also have a jdbc source which is pointing to the HSQL DB. Watching its log I don’t see any query either.

 

My best guess is that Grouper isn’t finding a REMOTE_USER, but I have my CAS filters set to provide that. Is there a way to get Grouper to log what it thinks the remote user is?

 

Looking at the GrouperUiFilter.java remoteUser method there doesn’t seem to be any debug logging. Any ideas on how I can further trouble shoot this?

 

Thanks,

 

Bryan