Hi All,
For those interested, this was resolved by rebuilding the WAR file that should contain the `grouper.ui.authentication.http.header` field in grouper-ui.properties
Steps taken to configure this set-up:
1. Remove security-constraint, login-config, and security-role elements from webapp/WEB-INF/web.core.xml
2. Remove security-constraint elements from webapp/WEB-INF/web.ajax.xml
3. Add `grouper.ui.authentication.http.header = $REMOTE_USER` to grouper-ui.properties
4. Add `log4j.logger.edu.internet2.middleware.grouper.ui.GrouperUiFilter = DEBUG` to log4j.properties (optional)
5. Rebuild UI with ant war
6. Restart Tomcat
Grouper Version: 2.3.0
Thank You,
Shaun K.
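The thread was resolved by noticing that the rebuilt WAR did not actually carry the `grouper.ui.authentication.http.header` setting. The script below is an added example (not Grouper project code) that inspects a built WAR offline and reports the two things the steps above depend on: whether `WEB-INF/classes/grouper-ui.properties` inside the archive defines the header property, and whether any `security-constraint`, `login-config` or `security-role` elements are still present in the `WEB-INF/web*.xml` descriptors. The archive paths, the sample WAR contents and the `build_sample_war` helper are assumptions constructed for the demonstration.

```python
"""Check that a built Grouper UI WAR carries the header-auth configuration.

Added example, not Grouper project code. Paths inside the WAR and the
sample archives built here are assumptions based on the mailing-list thread.
"""
import io
import re
import zipfile
from typing import Dict, List

# Assumed location of the UI properties file inside the WAR (from the thread).
PROPS_PATH = "WEB-INF/classes/grouper-ui.properties"
HEADER_KEY = "grouper.ui.authentication.http.header"
# Container-managed auth elements that must be gone from the web descriptors
# once the reverse proxy supplies the user via a header.
CONTAINER_AUTH_ELEMENTS = ("security-constraint", "login-config", "security-role")


def parse_properties(text: str) -> Dict[str, str]:
    """Minimal java.util.Properties parser: '#'/'!' comments, 'key=value',
    'key: value' or 'key value' pairs, and trailing-backslash continuations."""
    props: Dict[str, str] = {}
    pending = ""  # accumulated text of a logical line split by continuations
    for raw in text.splitlines():
        line = pending + raw.lstrip()
        pending = ""
        if not line or line[0] in "#!":
            continue
        if line.endswith("\\") and not line.endswith("\\\\"):
            pending = line[:-1]
            continue
        match = re.match(r"([^=:\s]+)\s*[=:\s]\s*(.*)", line)
        if match:
            props[match.group(1)] = match.group(2).strip()
    return props


def descriptor_issues(xml_text: str) -> List[str]:
    """Return the container-auth element names still present in a web descriptor."""
    return [el for el in CONTAINER_AUTH_ELEMENTS if re.search(rf"<{el}\b", xml_text)]


def check_war(war_bytes: bytes) -> Dict[str, object]:
    """Inspect a WAR (a zip archive) and report the header-auth prerequisites."""
    report: Dict[str, object] = {"header_property": None, "leftover_elements": {}}
    with zipfile.ZipFile(io.BytesIO(war_bytes)) as war:
        names = set(war.namelist())
        if PROPS_PATH in names:
            props = parse_properties(war.read(PROPS_PATH).decode("utf-8"))
            report["header_property"] = props.get(HEADER_KEY)
        for name in sorted(names):
            base = name.rsplit("/", 1)[-1]
            # web.xml, web.core.xml, web.ajax.xml and similar descriptors
            if name.startswith("WEB-INF/") and base.startswith("web") and base.endswith(".xml"):
                issues = descriptor_issues(war.read(name).decode("utf-8"))
                if issues:
                    report["leftover_elements"][name] = issues
    return report


def header_auth_ready(report: Dict[str, object]) -> bool:
    """True when the property is set and no container-auth elements remain."""
    return bool(report["header_property"]) and not report["leftover_elements"]


def build_sample_war(props_text: str, web_xml: str) -> bytes:
    """Constructed sample WAR for the demonstration (not a real Grouper build)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as war:
        war.writestr(PROPS_PATH, props_text)
        war.writestr("WEB-INF/web.core.xml", web_xml)
    return buf.getvalue()


# Constructed sample inputs: a WAR as rebuilt before the fix, and one after it.
BEFORE_PROPS = "# constructed grouper-ui.properties without the header setting\ngrouper.ui.example = value\n"
AFTER_PROPS = BEFORE_PROPS + "grouper.ui.authentication.http.header = $REMOTE_USER\n"
BEFORE_XML = "<web-app><security-constraint/><login-config/><security-role/></web-app>"
AFTER_XML = "<web-app></web-app>"

if __name__ == "__main__":
    for label, props, xml in (("before", BEFORE_PROPS, BEFORE_XML), ("after", AFTER_PROPS, AFTER_XML)):
        report = check_war(build_sample_war(props, xml))
        print(label, report, "ready" if header_auth_ready(report) else "not ready")
```

Run it against a real build with `check_war(open("grouper-ui.war", "rb").read())`; a `None` under `header_property` means the property never made it into the archive, which is the situation the thread ran into, and any entry under `leftover_elements` points at a descriptor that still asks the container to authenticate.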
From: Shilen Patel [mailto:]
Sent: Friday, 3 June 2016 12:13 a.m.
To: Shaun Koh;
Subject: Re: [grouper-users] [Grouper UI] - Assistance required authenticating via Shibboleth reverse proxy
Are you still having the original issue of not being logged in as the user specified in the header? If so, do you mind sending me your logs (off list)?
From: Shaun Koh <>
Date: Thursday, June 2, 2016 at 1:35 AM
To: Shilen Patel <>, "" <>
Subject: RE: [grouper-users] [Grouper UI] - Assistance required authenticating via Shibboleth reverse proxy
Hi Shilen,
Thanks, you were right that the grouper-ui.properties did not contain the header property in the expanded war.
I’ve added that now, though I’m getting a different repeat error after rebuilding the war file:
2016-06-02 17:29:09,477: [main] DEBUG GrouperClientLog.debug(82) - - Subsituting EL: '${edu.internet2.middleware.grouper.cfg.GrouperConfig.retrieveConfig().propertyValueStringRequired('grouper.attribute.rootStem')}:userData:grouperUserDataValueDef', and with env vars: elUtils with result: 'etc:attribute:userData:grouperUserDataValueDef'
2016-06-02 17:29:09,477: [main] DEBUG GrouperClientLog.debug(82) - - Cant find text for variable: 'newline'
2016-06-02 17:29:09,477: [main] DEBUG GrouperClientLog.debug(82) - - Cant find text for variable: 'newline'
2016-06-02 17:29:09,478: [main] DEBUG GrouperClientLog.debug(82) - - configObjectPropertyCount: 234
Will try to resolve this error though any help would be appreciated.
Cheers,
Shaun K.
From: Shilen Patel []
Sent: Thursday, 2 June 2016 1:21 p.m.
To: Shaun Koh; Hyzer, Chris;
Subject: Re: [grouper-users] [Grouper UI] - Assistance required authenticating via Shibboleth reverse proxy
That log message actually doesn't seem to have what I'd expect if the property was correctly set in grouper-ui.properties. Can you double check that? Look in WEB-INF/classes/grouper-ui.properties
of your expanded or unexpanded WAR.
From: Shaun Koh <>
Date: Wednesday, June 1, 2016 at 8:51 PM
To: "Hyzer, Chris" <>, Shilen Patel <>, "" <>
Subject: RE: [grouper-users] [Grouper UI] - Assistance required authenticating via Shibboleth reverse proxy
Hi Shilen and Chris,
Thanks for your helpful input.
I’ve enabled debug logging and seem to see several copies of the following line:
2016-06-02 11:45:55,542: [http-8080-1] DEBUG GrouperUiFilter.remoteUser(636) - - httpServletRequest.getRemoteUser(): null, REMOTE_USER attribute: null, session.getAttribute(authUser): null, remoteUser overall: null
I assume from this that Grouper was not able to pick up the HTTP header set in grouper-ui.properties, as it is missing the debug log for it?
Also, I’m not sure if this is related but I have been getting the following error:
2016-06-02 12:10:51,979: [http-8080-1] ERROR CsrfGuardLogger.log(47) - - Referer domain https://$domain_name/grouper/grouperExternal/public/UiV2Public.index?operation=UiV2Public.postIndex&function=UiV2Public.error&code=anonymousSessionNotAllowed does not match request domain: http://$domain_name/grouper/grouperExternal/public/OwaspJavaScriptServlet
Thank you,
Shaun K.
From: Hyzer, Chris []
Sent: Thursday, 2 June 2016 6:20 a.m.
To: Shilen Patel; Shaun Koh;
Subject: RE: [grouper-users] [Grouper UI] - Assistance required authenticating via Shibboleth reverse proxy
I changed some wiki pages with information on how to set up logging to troubleshoot authentication:
See debug information in logs, edit log4j.properties:
log4j.logger.edu.internet2.middleware.grouper.ui.GrouperUiFilter = DEBUG
Thanks,
Chris
From: []
On Behalf Of Shilen Patel
Sent: Wednesday, June 01, 2016 1:32 PM
To: Shaun Koh <>;
Subject: Re: [grouper-users] [Grouper UI] - Assistance required authenticating via Shibboleth reverse proxy
I think if you turn debug logging on, it will log some useful information. It will tell you if it is looking for your header and whether it found a value. That would at least tell you if the problem has to do with getting the header to grouper or if it's afterwards (e.g. in the sources.xml configuration). If you wouldn't mind turning debug logging on and sending the results... Maybe also your proxy configuration.
From: Shaun Koh <>
Date: Wednesday, June 1, 2016 at 4:48 AM
To: "" <>
Subject: [grouper-users] [Grouper UI] - Assistance required authenticating via Shibboleth reverse proxy
Hi there,
I am trying to protect the Grouper UI with our SSO service (Shib) that reverse proxies HTTP requests to our Grouper instance on a separate host.
To date, I haven’t had much success getting this to work with Grouper as the docs available seem to be pointed at AJP based approaches which we do not use at our institute.
There were a couple of mailing list entries such as
https://lists.internet2.edu/sympa/arc/grouper-users/2014-10/msg00037.html that seem to address this however did not contain a clear solution or confirmation as to what really worked.
I am aware that there is a `grouper.ui.authentication.http.header` attribute you can set in grouper-ui.properties that was added for this purpose; however, setting that to a request header passed from SSO did not seem to do anything.
i.e. I still get an error on the UI: You have an anonymous session since you are not logged in, but this section requires you to be logged in. Maybe No username found. Your identity provider might not be sending your username to this application. Either you need to use a different identity provider, or ask your IT department to send your username to this application.
Also, I can ensure that a record of my institutional id being passed from SSO exists in the `subjectId` column of the `subject` table in the Grouper DB and is retrievable by running SubjectFinder.findById("$subjectId")
in the shell.
It would be great if someone could provide a solution/set-up that worked for you, or perhaps point out if I am missing some config to set? (e.g. do I have to edit sources.xml?)
Thank you,
Shaun K.