grouper-users - [grouper-users] RE: Authenticating Proxy In Front of Grouper UI
Subject: Grouper Users - Open Discussion List
List archive
- From: Chris Hyzer <>
- To: "Waldbieser, Carl" <>
- Cc: "" <>
- Subject: [grouper-users] RE: Authenticating Proxy In Front of Grouper UI
- Date: Mon, 6 Oct 2014 20:27:25 +0000
- Accept-language: en-US
Add this patch and try it out:
https://bugs.internet2.edu/jira/browse/GRP-1056
https://github.com/Internet2/grouper/commit/9d6d97c85f520fbf3fe739b2531ad6e598ff54d5
Configure this in the grouper-ui.properties:
#############################
## Security settings
#############################
# if you want to have the username in http header, put the head name here,
e.g. REMOTE_USER
grouper.ui.authentication.http.header =
Thanks,
Chris
-----Original Message-----
From: Waldbieser, Carl
[mailto:]
Sent: Monday, October 06, 2014 3:56 PM
To: Chris Hyzer
Cc:
Subject: Re: Authenticating Proxy In Front of Grouper UI
Chris,
I would like to put an HTTP reverse proxy in front of the Grouper UI. I was
just not sure if that was possible, because all the searchs I have done
online seem to say something like "REMOTE_USER is set by AJP from Apache".
From the reverse proxy, I can put the user name in a header, add it to the
query string, whatever. I just am not sure what to do on the Tomcat side to
get Tomcat to accept the username.
Thanks,
Carl
----- Original Message -----
From: "Chris Hyzer"
<>
To: "Carl Waldbieser"
<>,
Sent: Monday, October 6, 2014 3:45:42 PM
Subject: RE: Authenticating Proxy In Front of Grouper UI
You say web proxy but also AJP... is it an HTTP reverse proxy or is it just
apache does authn and does AJP to the tomcat? We do the latter, works fine,
somehow the username is put in a request attribute (named REMOTE_USER). If
you only have the ability to put the username in an HTTP header you could
write a simple servlet filter (loaded first) that takes that puts it in
REMOTE_USER
Thanks,
Chris
-----Original Message-----
From:
[mailto:]
On Behalf Of Waldbieser, Carl
Sent: Monday, October 06, 2014 3:14 PM
To:
Subject: [grouper-users] Authenticating Proxy In Front of Grouper UI
Question #1:
If an authenticating web proxy is placed in front of the Tomcat service that
hosts the Grouper UI, does the remote username have to be transmitted to
Tomcat using an AJP connector? Can it be communicated over HTTP (e.g. in a
header)? Would that be something I could test (e.g. using curl) on the back
end?
Question #2:
What config file(s) for Grouper and/or Tomcat need to be edited to tell the
Grouper UI that the user has already been authenticated?
Thanks,
Carl Waldbieser
ITS Systems Programmer
Lafayette College
- [grouper-users] Authenticating Proxy In Front of Grouper UI, Waldbieser, Carl, 10/06/2014
- [grouper-users] RE: Authenticating Proxy In Front of Grouper UI, Chris Hyzer, 10/06/2014
- Re: [grouper-users] RE: Authenticating Proxy In Front of Grouper UI, Michael R. Gettes, 10/06/2014
- [grouper-users] Re: Authenticating Proxy In Front of Grouper UI, Waldbieser, Carl, 10/06/2014
- [grouper-users] RE: Authenticating Proxy In Front of Grouper UI, Chris Hyzer, 10/06/2014
- [grouper-users] Re: Authenticating Proxy In Front of Grouper UI, Waldbieser, Carl, 10/06/2014
- [grouper-users] RE: Authenticating Proxy In Front of Grouper UI, Chris Hyzer, 10/06/2014
- Re: [grouper-users] RE: Authenticating Proxy In Front of Grouper UI, Bryan Wooten, 10/06/2014
- RE: [grouper-users] RE: Authenticating Proxy In Front of Grouper UI, Chris Hyzer, 10/07/2014
- Re: [grouper-users] RE: Authenticating Proxy In Front of Grouper UI, Bryan Wooten, 10/06/2014
- [grouper-users] RE: Authenticating Proxy In Front of Grouper UI, Chris Hyzer, 10/06/2014
- [grouper-users] Re: Authenticating Proxy In Front of Grouper UI, Waldbieser, Carl, 10/06/2014
- [grouper-users] RE: Authenticating Proxy In Front of Grouper UI, Chris Hyzer, 10/06/2014
- [grouper-users] RE: Authenticating Proxy In Front of Grouper UI, Chris Hyzer, 10/06/2014
Archive powered by MHonArc 2.6.16.