
grouper-users - [grouper-users] RE: Still trying to CASify Grouper

Subject: Grouper Users - Open Discussion List

  • From: "Bryan E. Wooten" <>
  • To: Chris Hyzer <>, "" <>
  • Subject: [grouper-users] RE: Still trying to CASify Grouper
  • Date: Thu, 4 Apr 2013 21:06:41 +0000

Works! I didn’t put 2 and 2 together and see that where you retrieved remote user was itself in a filter.

 

Thanks all for your help. I will write a document up on how to do this with the JASIG client. To make it really useful I will probably need to modify the build.properties also. So I don’t lose my changes on the next build.

 

-Bryan

 

From: Chris Hyzer [mailto:]
Sent: Thursday, April 04, 2013 2:49 PM
To: Bryan E. Wooten;
Subject: RE: Still trying to CASify Grouper

 

CAS is a filter right? That filter is above the grouper filter in the web.xml (CAS needs to be first), right?

 

Thanks,

Chris

 

From: Bryan E. Wooten []
Sent: Thursday, April 04, 2013 4:48 PM
To: Chris Hyzer;
Subject: RE: Still trying to CASify Grouper

 

Well this is the problem,  remote user is NULL:

 

grouper_error.log:2013-04-04 14:47:44,776: [http-8080-1] DEBUG GrouperUiFilter.remoteUser(573) -  - httpServletRequest.getRemoteUser(): null, REMOTE_USER attribute: null, session.getAttribute(authUser): null, remoteUser overall: null

grouper_error.log:2013-04-04 14:47:44,808: [http-8080-1] DEBUG GrouperUiFilter.remoteUser(573) -  - httpServletRequest.getRemoteUser(): null, REMOTE_USER attribute: null, session.getAttribute(authUser): null, remoteUser overall: null

grouper_error.log:2013-04-04 14:47:46,120: [http-8080-1] DEBUG GrouperUiFilter.remoteUser(573) -  - httpServletRequest.getRemoteUser(): null, REMOTE_USER attribute: null, session.getAttribute(authUser): null, remoteUser overall: null

grouper_error.log:2013-04-04 14:47:46,135: [http-8080-1] DEBUG GrouperUiFilter.remoteUser(573) -  - httpServletRequest.getRemoteUser(): null, REMOTE_USER attribute: null, session.getAttribute(authUser): null, remoteUser overall: null

grouper_error.log:2013-04-04 14:47:46,142: [http-8080-1] DEBUG GrouperUiFilter.remoteUser(573) -  - httpServletRequest.getRemoteUser(): null, REMOTE_USER attribute: null, session.getAttribute(authUser): null, remoteUser overall: null

 

So this looks like a JASIG CAS Client problem. I have never seen this problem before. It is weird that remote user is set correctly on the response though.

 

Off to talk to the CAS guys.

 

Thanks,

 

Bryan

 

From: Chris Hyzer []
Sent: Thursday, April 04, 2013 12:07 PM
To: Bryan E. Wooten;
Subject: RE: Still trying to CASify Grouper

 

First off [disclaimer… this is probably a dumb question, I’m not a CAS user…] I would like someone to remind me why we have CAS authentication client code in the Grouper UI. Shouldn’t the ideal architecture be to authenticate with a web server plugin? So if mod_auth_cas exists, why would people not want to use that instead of the client code in the Grouper UI? Then it is more like Shib or Cosign or whatever which are easier to integrate and maintain (I think) than the CAS client in the Grouper UI.

 

Ok, about the debug info…

 

You can add some in if you don’t mind building again… I added some in to 2.1.4 just now (it’s below):

 

 

To use this, add this to the log4j.properties:

 

log4j.logger.edu.internet2.middleware.grouper.ui.GrouperUiFilter = DEBUG

 

Example output:

 

2013-04-04 13:34:15,304: [http-8088-2] DEBUG GrouperUiFilter.remoteUser(548) -  - httpServletRequest.getRemoteUser(): GrouperSystem, remoteUser overall: GrouperSystem

 

 

GrouperUiFilter.java

 

FROM:

 

  /**
   *
   * @param httpServletRequest
   * @return user name
   */
  public static String remoteUser(HttpServletRequest httpServletRequest) {
    String remoteUser = httpServletRequest.getRemoteUser();

    if (StringUtils.isBlank(remoteUser)) {
      //this is how mod_jk passes env vars
      remoteUser = (String)httpServletRequest.getAttribute("REMOTE_USER");
    }

    if (StringUtils.isBlank(remoteUser) && httpServletRequest.getUserPrincipal() != null) {
      //fall back to the principal set by the container or an upstream filter
      remoteUser = httpServletRequest.getUserPrincipal().getName();
    }
    if (StringUtils.isBlank(remoteUser)) {
      HttpSession session = httpServletRequest.getSession(false);
      remoteUser = (String)(session == null ? null : session.getAttribute("authUser"));
    }

    remoteUser = StringUtils.trim(remoteUser);

    httpServletRequest.getSession().setAttribute("grouperLoginId", remoteUser);

    return remoteUser;
  }

 

TO:

 

  /**
   *
   * @param httpServletRequest
   * @return user name
   */
  public static String remoteUser(HttpServletRequest httpServletRequest) {

    Map<String, Object> debugLog = LOG.isDebugEnabled() ? new LinkedHashMap<String, Object>() : null;
    try {
      String remoteUser = httpServletRequest.getRemoteUser();

      if (LOG.isDebugEnabled()) {
        debugLog.put("httpServletRequest.getRemoteUser()", remoteUser);
      }

      if (StringUtils.isBlank(remoteUser)) {
        //this is how mod_jk passes env vars
        remoteUser = (String)httpServletRequest.getAttribute("REMOTE_USER");
        if (LOG.isDebugEnabled()) {
          debugLog.put("REMOTE_USER attribute", remoteUser);
        }
      }

      if (StringUtils.isBlank(remoteUser) && httpServletRequest.getUserPrincipal() != null) {
        //fall back to the principal set by the container or an upstream filter
        remoteUser = httpServletRequest.getUserPrincipal().getName();
        if (LOG.isDebugEnabled()) {
          debugLog.put("httpServletRequest.getUserPrincipal().getName()", remoteUser);
        }
      }
      if (StringUtils.isBlank(remoteUser)) {
        HttpSession session = httpServletRequest.getSession(false);
        remoteUser = (String)(session == null ? null : session.getAttribute("authUser"));
        if (LOG.isDebugEnabled()) {
          debugLog.put("session.getAttribute(authUser)", remoteUser);
        }
      }

      remoteUser = StringUtils.trim(remoteUser);

      httpServletRequest.getSession().setAttribute("grouperLoginId", remoteUser);

      if (LOG.isDebugEnabled()) {
        debugLog.put("remoteUser overall", remoteUser);
      }

      return remoteUser;
    } finally {
      if (LOG.isDebugEnabled()) {
        LOG.debug(GrouperUtil.mapToString(debugLog));
      }
    }
  }

 

 

 

From: [] On Behalf Of Bryan E. Wooten
Sent: Thursday, April 04, 2013 11:51 AM
To:
Subject: [grouper-users] Still trying to CASify Grouper

 

I found this thread from a while back:

https://lists.internet2.edu/sympa/arc/grouper-users/2011-09/msg00022.html

 

Where Chris said: “Grouper just gets the ID from REMOTE_USER, so it doesn’t know which source it’s in, so it checks them all. It can’t exist in multiple. Either you need to determine which other source besides g:isa (grouper internal source adapter) GrouperSystem is in, and remove it, or maybe you could use a real user account, add them to the wheel group, and that is equivalent to using GrouperSystem… generally you only need to login with GrouperSystem to bootstrap, but not for steadystate operation. Ok?”

 

Based on the above statement I would expect to see a search request going to my LDAP server since I have an LDAP source. I also have a jdbc source which is pointing to the HSQL DB. Watching its log I don’t see any query either.

 

My best guess is that Grouper isn’t finding a REMOTE_USER, but I have my CAS filters set to provide that. Is there a way to get Grouper to log what it thinks the remote user is?

 

Looking at the GrouperUiFilter.java remoteUser method there doesn’t seem to be any debug logging. Any ideas on how I can further troubleshoot this?

 

Thanks,

 

Bryan

 

 



