Skip to Content.
Sympa Menu

grouper-users - Re: [grouper-users] Grouper UI authentication with CAS

Subject: Grouper Users - Open Discussion List

List archive

Re: [grouper-users] Grouper UI authentication with CAS

Chronological Thread 
  • From: "Waldbieser, Carl" <>
  • To: Robert Bradley <>
  • Cc:
  • Subject: Re: [grouper-users] Grouper UI authentication with CAS
  • Date: Fri, 21 Aug 2015 12:26:46 -0400 (EDT)

Yes, I have internal documentation on how we modified the WAR file:

= Grouper WAR Mods =
The Grouper UI war file contains :file:`WEB-INF/web.xml` that has several
and `login-config` stanzas. These can be removed by exploding the WAR file,
:file:`WEB-INF/web.xml`, and creating a new WAR file::

$ mkdir grouper && cd grouper
$ vim WEB-INF/web.xml
$ jar -cvf $GROUPER_WAR_FILE *
$ cd .. && rm -Rf grouper/

These commands perform the following actions:

* Create a folder (named `grouper`) to store the exploded archive contents.
* Change the current folder to this temporary folder.
* Extract the WAR file contents to the folder.
* Invoke an editor on the :file:`web.xml` file. You need to remove the
stanzas with the
editor, then save and quit.
* Remove the original WAR file.
* Create a new WAR file from the exploded archive contents.
* Switch out of the temporary folder and remove it.

If you need to use an HTTP proxy instead of AJP to connect to Grouper, you
must tell Grouper to use an HTTP header:

= REMOTE_USER Header =
When using AJP, REMOTE_USER is set as an environment variable. To use a
reverse proxy without AJP, Grouper needs to be told to extract the user name
from a special HTTP header. In $GROUPER_UI/conf/, set
the grouper.ui.authentication.http.header property to REMOTE_USER.


----- Original Message -----
From: "Robert Bradley"

Sent: Friday, August 21, 2015 11:20:13 AM
Subject: Re: [grouper-users] Grouper UI authentication with CAS

On 21/08/15 14:07, Waldbieser, Carl wrote:
> Baron,
> We just ended up placing an authenticating CAS proxy in front of the
> Grouper UI. I had success with both mod_auth_cas [1] and txcasproxy
> [2] in development. We are currently using mod_auth_cas in
> production.
> Basically, you can use any authenticating proxy that either sets
> "REMOTE_USER" as an environment variable in the Grouper process or
> sets "REMOTE_USER" as an HTTP header. Grouper must explicitly be
> configured to accept the authenticated user as a header. The name is
> configurable, too.

I think if you go down that route, you need the web.xml modifications
but otherwise I would suggest that method too. We are using Apache and
mod_webauth in a similar setup and it works well.

Dr Robert Bradley
Identity and Access Management, IT Services, University of Oxford

Archive powered by MHonArc 2.6.16.

Top of Page