Skip to Content.
Sympa Menu

grouper-users - [grouper-users] RE: Authenticating Proxy In Front of Grouper UI

Subject: Grouper Users - Open Discussion List

List archive

[grouper-users] RE: Authenticating Proxy In Front of Grouper UI


Chronological Thread 
  • From: Chris Hyzer <>
  • To: "Waldbieser, Carl" <>
  • Cc: "" <>
  • Subject: [grouper-users] RE: Authenticating Proxy In Front of Grouper UI
  • Date: Mon, 6 Oct 2014 20:27:25 +0000
  • Accept-language: en-US

Add this patch and try it out:

https://bugs.internet2.edu/jira/browse/GRP-1056

https://github.com/Internet2/grouper/commit/9d6d97c85f520fbf3fe739b2531ad6e598ff54d5

Configure this in the grouper-ui.properties:

#############################
## Security settings
#############################

# if you want to have the username in http header, put the head name here,
e.g. REMOTE_USER
grouper.ui.authentication.http.header =





Thanks,
Chris


-----Original Message-----
From: Waldbieser, Carl
[mailto:]

Sent: Monday, October 06, 2014 3:56 PM
To: Chris Hyzer
Cc:

Subject: Re: Authenticating Proxy In Front of Grouper UI

Chris,

I would like to put an HTTP reverse proxy in front of the Grouper UI. I was
just not sure if that was possible, because all the searchs I have done
online seem to say something like "REMOTE_USER is set by AJP from Apache".

From the reverse proxy, I can put the user name in a header, add it to the
query string, whatever. I just am not sure what to do on the Tomcat side to
get Tomcat to accept the username.

Thanks,
Carl

----- Original Message -----
From: "Chris Hyzer"
<>
To: "Carl Waldbieser"
<>,


Sent: Monday, October 6, 2014 3:45:42 PM
Subject: RE: Authenticating Proxy In Front of Grouper UI

You say web proxy but also AJP... is it an HTTP reverse proxy or is it just
apache does authn and does AJP to the tomcat? We do the latter, works fine,
somehow the username is put in a request attribute (named REMOTE_USER). If
you only have the ability to put the username in an HTTP header you could
write a simple servlet filter (loaded first) that takes that puts it in
REMOTE_USER

Thanks,
Chris


-----Original Message-----
From:


[mailto:]
On Behalf Of Waldbieser, Carl
Sent: Monday, October 06, 2014 3:14 PM
To:

Subject: [grouper-users] Authenticating Proxy In Front of Grouper UI


Question #1:
If an authenticating web proxy is placed in front of the Tomcat service that
hosts the Grouper UI, does the remote username have to be transmitted to
Tomcat using an AJP connector? Can it be communicated over HTTP (e.g. in a
header)? Would that be something I could test (e.g. using curl) on the back
end?


Question #2:
What config file(s) for Grouper and/or Tomcat need to be edited to tell the
Grouper UI that the user has already been authenticated?

Thanks,
Carl Waldbieser
ITS Systems Programmer
Lafayette College



Archive powered by MHonArc 2.6.16.

Top of Page