Grouper Users - Open Discussion List

["Singley, Norman" <>]

Thanks guys. 

 

Well, I started to roll back all the changes I made to start fresh, and after replacing the main  web.xml file with the original one that came installed, it seems to be working like a charm.  At the end of the day, I do believe my config now matches yours, Travis. 

 

Thanks for the help.

Until next time.

 

 

Norman Singley

Directory Services

406 243 6799

 

 

 

 

 

From: Travis Schmidt [mailto:]
Sent: Wednesday, November 02, 2016 2:34 PM
To: Singley, Norman; Hyzer, Chris; Mailing List
Subject: Re: [grouper-users] RE: Grouper CAS -Shib authentication

 

I only needed to add the CAS jars and change the context in server.xml to this:

 

        <Context docBase="/ucd/opt/grouper-ui/build/grouper" path="/grouper"

                  reloadable="false"

                  mapperContextRootRedirectEnabled="true"

                  mapperDirectoryRedirectEnabled="true">

          <Realm

             className="org.jasig.cas.client.tomcat.v7.PropertiesCasRealm"

             propertiesFilePath="/etc/tomcat/grouper-users.properties"

          />

          <Valve

            className="org.jasig.cas.client.tomcat.v7.Cas20CasAuthenticator"

            encoding="UTF-8"

            casServerLoginUrl="https://ssodev.ucdavis.edu/cas/login"

            casServerUrlPrefix="https://ssodev.ucdavis.edu/cas/"

            serverName="grouperdev.ucdavis.edu"

          />

 

          <!-- Single sign-out support -->

          <Valve

            className="org.jasig.cas.client.tomcat.v7.SingleSignOutValve"

            artifactParameterName="SAMLart"

          />

 

       </Context>

 

We restrict who can access by the grouper-users.properties that has has format 

 

LOGIN_ID=grouper_user

 

I didn't change anything else in the grouper properties or configuration, but did need to make sure that the user logging in was able able to be searched by a source that was configured in sources.xml

 

Travis

 

 

On Wed, Nov 2, 2016 at 1:12 PM Singley, Norman <> wrote:

Hi Chris 

 

Thanks, yes we did add the cas jars to the tomcat library. 

 

I think we need some kind of security restraint in web.xml for cas, but I’m not sure what.  When some entries are there, it will go out to CAS to authenticate, but if I strip them all, then I never see CAS and I get the not-authenticated error. 

 

 

Norman Singley

Directory Services

406 243 6799

 

 

 

 

 

From: Hyzer, Chris [mailto:]
Sent: Wednesday, November 02, 2016 1:02 PM
To: Singley, Norman; Mailing List
Subject: RE: Grouper CAS -Shib authentication

 

I assume you added the cas jars to the tomcat library dir?

 

Does someone know if you need security constraints in web.xml for cas?

 

Maybe you could ask this on a CAS mailing list if someone here cannot help?

 

Thanks

Chris

 

From: [] On Behalf Of Singley, Norman
Sent: Wednesday, November 02, 2016 2:37 PM
To:
Subject: [grouper-users] Grouper CAS -Shib authentication

 

Hi folks.

 

I’m working on this CAS authentication piece for grouper 2.3 again, and I am still stuck.  Here’s the current status. 

 

I removed the security constraints from web.xml files:

 

/grouper/grouper.ws-2.3.0/grouper-ws/webapp/WEB-INF/web.xml

/grouper/grouper.ui-2.3.0/dist/grouper/WEB-INF/web.xml

 

 

 

Now when I hit the url, I don’t seem to get redirected to CAS/Shib.  I don’t get the tomcat 403 error, but the application errors:

 

 

 

 

Anything else I can provide to help troubleshoot?  Again, thanks for all the help.

 

 

Norman Singley

Directory Services

406 243 6799