grouper-users - [grouper-users] RE: Authentication and authorization to grouper WS
Subject: Grouper Users - Open Discussion List
- From: "Hyzer, Chris" <>
- To: "Wessel, Keith" <>, "" <>
- Subject: [grouper-users] RE: Authentication and authorization to grouper WS
- Date: Thu, 30 Mar 2017 15:15:09 +0000
Yes, remove that role and auth constraints. The web.xml should not do authn/authz if kerb will do it. :)

Thanks
Chris

From: [mailto:] On Behalf Of Wessel, Keith

Hi, all,

I’ve been trying to follow the instructions for setting up my Grouper webservice to do Kerberos authentication against our AD. My goal is to prompt the user for http basic auth against AD Kerberos, and once logged in, only authorize users in the web service users group within Grouper. I’d like access to the web service to be granted/revoked within Grouper alone rather than having to maintain users in my Tomcat config. I’m trying to avoid container-based authentication but am not opposed to it if that’s the way to go.

I’m going for minimal changes to get this working. It looks like there are several ways to accomplish it, though. At present, I’ve set ws.security.non-rampart.authentication.class in grouper-ws.properties to edu.internet2.middleware.grouper.ws.security.WsGrouperKerberosAuthentication. I’ve tried both setting Kerberos.krb5.conf.location to point to my krb5.conf and, when that failed, I tried setting Kerberos.realm and Kerberos.kdc.address.

I get prompted for authentication when I go to /grouper-ws/services/GrouperService, but it always rejects my authentication. I haven’t removed anything from the shipped web.xml and see some auth constraints in there that point to Tomcat roles. Do I need to remove that role? Or do I need to somehow use that role? Do I need to change something else?

Thanks,
Keith
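A check for the conflict discussed in this thread, added here as an example and not part of either message or of Grouper itself: when grouper-ws.properties selects the Kerberos authentication class, it lists the container-managed auth elements still present in web.xml. The property name and class name come from the thread; the sample web.xml and the role name `example_role` are constructed, not the shipped file.

```python
import xml.etree.ElementTree as ET

AUTH_KEY = "ws.security.non-rampart.authentication.class"
KERB_CLASS = ("edu.internet2.middleware.grouper.ws.security."
              "WsGrouperKerberosAuthentication")
# Standard servlet deployment-descriptor elements that make the container
# (e.g. Tomcat) authenticate and authorize before the application runs.
CONTAINER_AUTH_TAGS = ("security-constraint", "login-config", "security-role")

def local(tag):
    """Strip an XML namespace prefix such as {http://...}security-role."""
    return tag.rsplit("}", 1)[-1]

def parse_properties(text):
    """Minimal key=value parser for a .properties file (no line continuations)."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and line[0] not in "#!":
            key, sep, value = line.partition("=")
            if sep:
                props[key.strip()] = value.strip()
    return props

def leftover_container_auth(properties_text, web_xml_text):
    """Return [(element, [role names])] for container auth still in web.xml
    while the Kerberos class is configured; [] if there is no conflict."""
    if parse_properties(properties_text).get(AUTH_KEY) != KERB_CLASS:
        return []
    found = []
    for child in ET.fromstring(web_xml_text):
        if local(child.tag) in CONTAINER_AUTH_TAGS:
            roles = [e.text.strip() for e in child.iter()
                     if local(e.tag) == "role-name" and e.text]
            found.append((local(child.tag), roles))
    return found

# Constructed sample inputs (not the shipped Grouper files).
SAMPLE_PROPS = "# constructed sample\n" + AUTH_KEY + " = " + KERB_CLASS + "\n"
SAMPLE_WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee">
  <security-constraint>
    <web-resource-collection><url-pattern>/services/*</url-pattern></web-resource-collection>
    <auth-constraint><role-name>example_role</role-name></auth-constraint>
  </security-constraint>
  <login-config><auth-method>BASIC</auth-method></login-config>
  <security-role><role-name>example_role</role-name></security-role>
</web-app>"""

if __name__ == "__main__":
    for element, roles in leftover_container_auth(SAMPLE_PROPS, SAMPLE_WEB_XML):
        print("remove from web.xml:", element, roles)
```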