grouper-users - [grouper-users] RE: Authenticating Proxy In Front of Grouper UI
Subject: Grouper Users - Open Discussion List
- From: Chris Hyzer <>
- To: "Waldbieser, Carl" <>
- Cc: "" <>
- Subject: [grouper-users] RE: Authenticating Proxy In Front of Grouper UI
- Date: Mon, 6 Oct 2014 21:07:04 +0000
- Accept-language: en-US
Either that or just the resulting web.xml... take out this part:
<security-constraint>
  <web-resource-collection>
    <web-resource-name>UI</web-resource-name>
    <url-pattern>/grouperUi/app/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>*</role-name>
  </auth-constraint>
</security-constraint>
<!--Inserting tag from base file. Merge file was file:/C:/Users/mchyzer/Documents/GitHub/grouper/grouper-ui/temp/99.web.core-filters.xml-->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>UI</web-resource-name>
    <url-pattern>/grouperUi/appHtml/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>*</role-name>
  </auth-constraint>
</security-constraint>
<!--Inserting tag from base file. Merge file was file:/C:/Users/mchyzer/Documents/GitHub/grouper/grouper-ui/temp/99.web.core-filters.xml-->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>UI</web-resource-name>
    <url-pattern>/grouperExternal/app/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>*</role-name>
  </auth-constraint>
</security-constraint>
<!--Inserting tag from base file. Merge file was file:/C:/Users/mchyzer/Documents/GitHub/grouper/grouper-ui/temp/99.web.core-filters.xml-->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>UI</web-resource-name>
    <url-pattern>/grouperExternal/appHtml/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>*</role-name>
  </auth-constraint>
</security-constraint>
<!--Inserting tag from base file. Merge file was file:/C:/Users/mchyzer/Documents/GitHub/grouper/grouper-ui/temp/99.web.core-filters.xml-->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Tomcat login</web-resource-name>
    <url-pattern>/login.do</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <!-- NOTE: This role is not present in the default users file -->
    <role-name>*</role-name>
  </auth-constraint>
</security-constraint>
<login-config>
  <auth-method>BASIC</auth-method>
  <realm-name>Grouper Application</realm-name>
</login-config>
<!--Processing security-role-->
<!--Inserting tag from base file. Merge file was file:/C:/Users/mchyzer/Documents/GitHub/grouper/grouper-ui/temp/99.web.core-filters.xml-->
<security-role>
  <description>
    The role that is required to log in to the Grouper UI
  </description>
  <role-name>*</role-name>
</security-role>
-----Original Message-----
From: Waldbieser, Carl
[mailto:]
Sent: Monday, October 06, 2014 4:55 PM
To: Chris Hyzer
Cc:
Subject: Re: Authenticating Proxy In Front of Grouper UI
Chris,
It looks like it ought to work, but Tomcat is apparently still requesting
BASIC auth.
I am getting 403 errors, so my Grouper still thinks my access is denied even
though I am sending the REMOTE_USER header.
Do I need to edit something in the 'webapp/WEB-INF/web.core.xml'?
Thanks,
Carl
----- Original Message -----
From: "Chris Hyzer"
<>
To: "Carl Waldbieser"
<>
Cc:
Sent: Monday, October 6, 2014 4:27:25 PM
Subject: RE: Authenticating Proxy In Front of Grouper UI
Add this patch and try it out:
https://bugs.internet2.edu/jira/browse/GRP-1056
https://github.com/Internet2/grouper/commit/9d6d97c85f520fbf3fe739b2531ad6e598ff54d5
Configure this in the grouper-ui.properties:
#############################
## Security settings
#############################
# if you want to have the username in http header, put the head name here, e.g. REMOTE_USER
grouper.ui.authentication.http.header =
Thanks,
Chris
-----Original Message-----
From: Waldbieser, Carl
[mailto:]
Sent: Monday, October 06, 2014 3:56 PM
To: Chris Hyzer
Cc:
Subject: Re: Authenticating Proxy In Front of Grouper UI
Chris,
I would like to put an HTTP reverse proxy in front of the Grouper UI. I was
just not sure if that was possible, because all the searches I have done
online seem to say something like "REMOTE_USER is set by AJP from Apache".
From the reverse proxy, I can put the user name in a header, add it to the
query string, whatever. I just am not sure what to do on the Tomcat side to
get Tomcat to accept the username.
Thanks,
Carl
----- Original Message -----
From: "Chris Hyzer"
<>
To: "Carl Waldbieser"
<>,
Sent: Monday, October 6, 2014 3:45:42 PM
Subject: RE: Authenticating Proxy In Front of Grouper UI
You say web proxy but also AJP... is it an HTTP reverse proxy or is it just
that Apache does authn and does AJP to the Tomcat? We do the latter, works fine,
somehow the username is put in a request attribute (named REMOTE_USER). If
you only have the ability to put the username in an HTTP header you could
write a simple servlet filter (loaded first) that takes that and puts it in
REMOTE_USER.
Thanks,
Chris
-----Original Message-----
From:
[mailto:]
On Behalf Of Waldbieser, Carl
Sent: Monday, October 06, 2014 3:14 PM
To:
Subject: [grouper-users] Authenticating Proxy In Front of Grouper UI
Question #1:
If an authenticating web proxy is placed in front of the Tomcat service that
hosts the Grouper UI, does the remote username have to be transmitted to
Tomcat using an AJP connector? Can it be communicated over HTTP (e.g. in a
header)? Would that be something I could test (e.g. using curl) on the back
end?
Question #2:
What config file(s) for Grouper and/or Tomcat need to be edited to tell the
Grouper UI that the user has already been authenticated?
Thanks,
Carl Waldbieser
ITS Systems Programmer
Lafayette College
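
The servlet filter suggested in the thread, as an added example that is not from the original messages or from the Grouper project: it accepts the username header only when the connection comes from the proxy's own address, then exposes it through getRemoteUser(). The class name, the header name REMOTE_USER as used in the thread, the loopback proxy addresses, and the idea that the application reads getRemoteUser() are assumptions.

```java
import java.io.IOException;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;
import javax.servlet.*;
import javax.servlet.http.*;

/** Hypothetical filter: maps a proxy-supplied header to getRemoteUser(). */
public class ProxyHeaderAuthFilter implements Filter {

    // Assumption: the reverse proxy sends the authenticated user in this header.
    private static final String USER_HEADER = "REMOTE_USER";

    // Assumption: the proxy runs on the same host; list its real address(es) here.
    private static final Set<String> TRUSTED_PROXIES =
            new HashSet<String>(Arrays.asList("127.0.0.1", "0:0:0:0:0:0:0:1"));

    public void init(FilterConfig config) throws ServletException { }

    public void destroy() { }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest http = (HttpServletRequest) req;
        HttpServletResponse out = (HttpServletResponse) res;

        // Any HTTP client can set this header, so a request that did not
        // arrive from the proxy is rejected instead of being trusted.
        if (!TRUSTED_PROXIES.contains(http.getRemoteAddr())) {
            out.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }

        String header = http.getHeader(USER_HEADER);
        if (header == null || header.trim().isEmpty()) {
            // The proxy should never forward an unauthenticated request.
            out.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }

        final String user = header.trim();
        // Wrap the request so downstream code sees the proxy's user name.
        chain.doFilter(new HttpServletRequestWrapper(http) {
            @Override
            public String getRemoteUser() { return user; }
        }, res);
    }
}
```

The filter has to be mapped ahead of the application's other filters in web.xml, and the proxy should overwrite any copy of the header supplied by the client. Binding the Tomcat HTTP connector to an address only the proxy can reach closes the same gap at the network layer.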