grouper-users - RE: [grouper-users] RE: Authenticating Proxy In Front of Grouper UI

  • From: Chris Hyzer <>
  • To: Bryan Wooten <>, "Waldbieser, Carl" <>
  • Cc: "" <>
  • Subject: RE: [grouper-users] RE: Authenticating Proxy In Front of Grouper UI
  • Date: Tue, 7 Oct 2014 00:02:33 +0000
  • Accept-language: en-US

You could have SSO (e.g. shib or cosign or some authn mod) at the front web
server that reverse proxies to another web container. I think AJP is better
to use than HTTP reverse proxy if possible...

Thanks,
Chris

-----Original Message-----
From: Bryan Wooten
[mailto:]

Sent: Monday, October 06, 2014 7:05 PM
To: Chris Hyzer; Waldbieser, Carl
Cc:

Subject: Re: [grouper-users] RE: Authenticating Proxy In Front of Grouper UI

Just my 2 cents, I am late to the conversation.

Why not just protect Grouper with Shib or CAS?

I think that takes the reverse proxy out of the equation.

-Bryan

On 10/6/14, 3:07 PM, "Chris Hyzer" <> wrote:

>Either that or just the resulting web.xml... take out this part:
>
><security-constraint>
> <web-resource-collection>
> <web-resource-name>UI</web-resource-name>
> <url-pattern>/grouperUi/app/*</url-pattern>
> </web-resource-collection>
> <auth-constraint>
> <role-name>*</role-name>
> </auth-constraint>
> </security-constraint>
><!--Inserting tag from base file. Merge file was
>file:/C:/Users/mchyzer/Documents/GitHub/grouper/grouper-ui/temp/99.web.core-filters.xml-->
><security-constraint>
> <web-resource-collection>
> <web-resource-name>UI</web-resource-name>
> <url-pattern>/grouperUi/appHtml/*</url-pattern>
> </web-resource-collection>
> <auth-constraint>
> <role-name>*</role-name>
> </auth-constraint>
> </security-constraint>
><!--Inserting tag from base file. Merge file was
>file:/C:/Users/mchyzer/Documents/GitHub/grouper/grouper-ui/temp/99.web.core-filters.xml-->
><security-constraint>
> <web-resource-collection>
> <web-resource-name>UI</web-resource-name>
> <url-pattern>/grouperExternal/app/*</url-pattern>
> </web-resource-collection>
> <auth-constraint>
> <role-name>*</role-name>
> </auth-constraint>
> </security-constraint>
><!--Inserting tag from base file. Merge file was
>file:/C:/Users/mchyzer/Documents/GitHub/grouper/grouper-ui/temp/99.web.core-filters.xml-->
><security-constraint>
> <web-resource-collection>
> <web-resource-name>UI</web-resource-name>
> <url-pattern>/grouperExternal/appHtml/*</url-pattern>
> </web-resource-collection>
> <auth-constraint>
> <role-name>*</role-name>
> </auth-constraint>
> </security-constraint>
><!--Inserting tag from base file. Merge file was
>file:/C:/Users/mchyzer/Documents/GitHub/grouper/grouper-ui/temp/99.web.core-filters.xml-->
><security-constraint>
> <web-resource-collection>
> <web-resource-name>Tomcat login</web-resource-name>
> <url-pattern>/login.do</url-pattern>
> </web-resource-collection>
> <auth-constraint>
> <!-- NOTE: This role is not present in the default users file -->
> <role-name>*</role-name>
> </auth-constraint>
> </security-constraint>
><login-config>
> <auth-method>BASIC</auth-method>
> <realm-name>Grouper Application</realm-name>
> </login-config>
><!--Processing security-role-->
><!--Inserting tag from base file. Merge file was
>file:/C:/Users/mchyzer/Documents/GitHub/grouper/grouper-ui/temp/99.web.core-filters.xml-->
><security-role>
> <description>
> The role that is required to log in to the Grouper UI
> </description>
> <role-name>*</role-name>
> </security-role>
>
>-----Original Message-----
>From: Waldbieser, Carl
>[mailto:]
>Sent: Monday, October 06, 2014 4:55 PM
>To: Chris Hyzer
>Cc:
>
>Subject: Re: Authenticating Proxy In Front of Grouper UI
>
>Chris,
>
>It looks like it ought to work, but Tomcat is apparently still requesting
>BASIC auth.
>I am getting 403 errors, so my Grouper still thinks my access is denied
>even though I am sending the REMOTE_USER header.
>
>Do I need to edit something in the 'webapp/WEB-INF/web.core.xml'?
>
>Thanks,
>Carl
>
>----- Original Message -----
>From: "Chris Hyzer"
><>
>To: "Carl Waldbieser"
><>
>Cc:
>
>Sent: Monday, October 6, 2014 4:27:25 PM
>Subject: RE: Authenticating Proxy In Front of Grouper UI
>
>Add this patch and try it out:
>
>https://bugs.internet2.edu/jira/browse/GRP-1056
>
>https://github.com/Internet2/grouper/commit/9d6d97c85f520fbf3fe739b2531ad6e598ff54d5
>
>Configure this in the grouper-ui.properties:
>
>#############################
>## Security settings
>#############################
>
># if you want to have the username in http header, put the head name here, e.g. REMOTE_USER
>grouper.ui.authentication.http.header =
>
>Thanks,
>Chris
>
>
>-----Original Message-----
>From: Waldbieser, Carl
>[mailto:]
>Sent: Monday, October 06, 2014 3:56 PM
>To: Chris Hyzer
>Cc:
>
>Subject: Re: Authenticating Proxy In Front of Grouper UI
>
>Chris,
>
>I would like to put an HTTP reverse proxy in front of the Grouper UI. I
>was just not sure if that was possible, because all the searches I have
>done online seem to say something like "REMOTE_USER is set by AJP from
>Apache".
>
>From the reverse proxy, I can put the user name in a header, add it to
>the query string, whatever. I just am not sure what to do on the Tomcat
>side to get Tomcat to accept the username.
>
>Thanks,
>Carl
>
>----- Original Message -----
>From: "Chris Hyzer"
><>
>To: "Carl Waldbieser"
><>,
>
>Sent: Monday, October 6, 2014 3:45:42 PM
>Subject: RE: Authenticating Proxy In Front of Grouper UI
>
>You say web proxy but also AJP... is it an HTTP reverse proxy or is it
>just apache does authn and does AJP to the tomcat? We do the latter,
>works fine, somehow the username is put in a request attribute (named
>REMOTE_USER). If you only have the ability to put the username in an
>HTTP header you could write a simple servlet filter (loaded first) that
>takes that and puts it in REMOTE_USER.
>
>Thanks,
>Chris
>
>
>-----Original Message-----
>From: [mailto:] On Behalf Of Waldbieser, Carl
>Sent: Monday, October 06, 2014 3:14 PM
>To:
>
>Subject: [grouper-users] Authenticating Proxy In Front of Grouper UI
>
>
>Question #1:
>If an authenticating web proxy is placed in front of the Tomcat service
>that hosts the Grouper UI, does the remote username have to be
>transmitted to Tomcat using an AJP connector? Can it be communicated
>over HTTP (e.g. in a header)? Would that be something I could test (e.g.
>using curl) on the back end?
>
>
>Question #2:
>What config file(s) for Grouper and/or Tomcat need to be edited to tell
>the Grouper UI that the user has already been authenticated?
>
>Thanks,
>Carl Waldbieser
>ITS Systems Programmer
>Lafayette College
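
As an added example, not code from this thread or from the Grouper project, here is the kind of "simple servlet filter (loaded first)" Chris describes: it copies the proxy-supplied username header into the REMOTE_USER request attribute and into getRemoteUser(), but only when the request actually arrived from a configured proxy address, so a client that reaches Tomcat directly cannot assert an identity just by sending the header itself. The class name, the init parameters `headerName` and `trustedProxies`, and the fixed attribute name are my assumptions; the javax.servlet API calls are standard.

```java
import java.io.IOException;
import java.security.Principal;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;
import javax.servlet.http.HttpServletResponse;

/**
 * Hypothetical filter (assumed name): takes the username the authenticating
 * reverse proxy placed in an HTTP header and exposes it the way AJP/mod_auth
 * setups do, as the REMOTE_USER request attribute and via getRemoteUser().
 * The header is trusted only from the proxies listed in init-param
 * "trustedProxies" (comma-separated IP addresses).
 */
public class ProxyUserFilter implements Filter {

    private static final String ATTRIBUTE_NAME = "REMOTE_USER";
    private String headerName = "REMOTE_USER";
    private final Set<String> trustedProxies = new HashSet<String>();

    @Override
    public void init(FilterConfig config) {
        String h = config.getInitParameter("headerName");
        if (h != null && !h.trim().isEmpty()) {
            headerName = h.trim();
        }
        String p = config.getInitParameter("trustedProxies");
        if (p != null) {
            trustedProxies.addAll(Arrays.asList(p.trim().split("\\s*,\\s*")));
        }
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // Only the proxy that performed authentication may assert an identity.
        // Anything else (a direct connection to Tomcat, an unknown host) is refused.
        if (!trustedProxies.contains(request.getRemoteAddr())) {
            response.sendError(HttpServletResponse.SC_FORBIDDEN,
                    "request did not arrive through the authenticating proxy");
            return;
        }

        String user = request.getHeader(headerName);
        if (user == null || user.trim().isEmpty()) {
            // The proxy is trusted but asserted nobody: treat as unauthenticated.
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED,
                    "no authenticated user asserted by proxy");
            return;
        }
        final String username = user.trim();

        // Expose the identity both ways so downstream code written for the
        // AJP/mod_auth case (request attribute or getRemoteUser) works unchanged.
        request.setAttribute(ATTRIBUTE_NAME, username);
        HttpServletRequest wrapped = new HttpServletRequestWrapper(request) {
            @Override
            public String getRemoteUser() {
                return username;
            }

            @Override
            public Principal getUserPrincipal() {
                return new Principal() {
                    public String getName() {
                        return username;
                    }
                };
            }
        };
        chain.doFilter(wrapped, response);
    }

    @Override
    public void destroy() {
    }
}
```

Register it in web.xml with a `<filter>`/`<filter-mapping>` placed before the other Grouper filters, and pair it with removing the BASIC `<login-config>` and the `<security-constraint>` blocks Chris lists above: container-managed security is evaluated before the filter chain runs, which is why Tomcat kept challenging with BASIC auth and returning 403 in Carl's test even though the header was being sent. The proxy must also overwrite the header on every request rather than pass through whatever the client sent. One caveat on the address check: if Tomcat's RemoteIpValve is configured, `getRemoteAddr()` returns the original client address rather than the proxy's, so the "came from the proxy" check then has to be enforced another way, for example by binding the connector so only the proxy can reach it.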