
grouper-users - [grouper-users] RE: Authentication and authorization to grouper WS

Subject: Grouper Users - Open Discussion List


[grouper-users] RE: Authentication and authorization to grouper WS


  • From: "Wessel, Keith" <>
  • To: "" <>
  • Subject: [grouper-users] RE: Authentication and authorization to grouper WS
  • Date: Thu, 30 Mar 2017 15:39:10 +0000
  • Accept-language: en-US

Sorry, Chris, guess that’s why one should read the file called README.txt. I see that now.

 

However, after removing it, I don’t get prompted for authentication. So, next question: does setting ws.security.non-rampart.authentication.class to edu.internet2.middleware.grouper.ws.security.WsGrouperKerberosAuthentication tell the web app to prompt for http basic auth when needed? Or do I now need to configure Apache to protect /services and /servicesRestT using something like mod_krb? Happy to do the latter if the web app won’t do that part, and I assume that’s what I need to do. I’m just unclear, in that case, what the purpose is of the properties that I set in grouper-ws.properties. Since it’s possible to set Kerberos realms and KDC settings in there, I assume it can do something with it.

 

Keith

 

From: Hyzer, Chris [mailto:]
Sent: Thursday, March 30, 2017 10:15 AM
To: Wessel, Keith <>;
Subject: RE: Authentication and authorization to grouper WS

 

Yes, remove that role and auth constraints.  The web.xml should not do authn/authz if kerb will do it.  :)

 

Thanks

Chris

 

From: [mailto:] On Behalf Of Wessel, Keith
Sent: Thursday, March 30, 2017 11:12 AM
To:
Subject: [grouper-users] Authentication and authorization to grouper WS

 

Hi, all,

 

I’ve been trying to follow the instructions for setting up my Grouper webservice to do Kerberos authentication against our AD. My goal is to prompt the user for http basic auth against AD Kerberos, and once logged in, only authorize users in the web service users group within Grouper. I’d like access to the web service to be granted/revoked within Grouper alone rather than having to maintain users in my Tomcat config. I’m trying to avoid container-based authentication but am not opposed to it if that’s the way to go. I’m going for minimal changes to get this working. It looks like there are several ways to accomplish it, though.

 

At present, I’ve set ws.security.non-rampart.authentication.class in grouper-ws.properties to edu.internet2.middleware.grouper.ws.security.WsGrouperKerberosAuthentication. I’ve tried both setting Kerberos.krb5.conf.location to point to my krb5.conf and, when that failed, I tried setting Kerberos.realm and Kerberos.kdc.address.

 

I get prompted for authentication when I go to /grouper-ws/services/GrouperService, but it always rejects my authentication. I haven’t removed anything from the shipped web.xml and see some auth constraints in there that point to Tomcat roles. Do I need to remove that role? Or do I need to somehow use that role? Do I need to change something else?

 

Thanks,

Keith
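The thread's fix is to hand authentication to the Grouper WS Kerberos class and strip the role-based constraints from web.xml. The check below, an added example that is not part of this thread or of Grouper itself, verifies that the two files agree: it lists every url-pattern that web.xml still protects with a container role, and confirms grouper-ws.properties names the Kerberos authentication class. The web.xml fragments, the role name grouper_user and the properties fragment are constructed samples; it does not test whether the Kerberos class itself prompts for basic auth.

```python
import configparser
import xml.etree.ElementTree as ET

KERB_CLASS = "edu.internet2.middleware.grouper.ws.security.WsGrouperKerberosAuthentication"

# Constructed web.xml fragment: a container auth-constraint still covers the WS paths.
WEB_XML_BEFORE = """<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="3.0">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Grouper web services</web-resource-name>
      <url-pattern>/services/*</url-pattern>
      <url-pattern>/servicesRest/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>grouper_user</role-name></auth-constraint>
  </security-constraint>
  <security-role><role-name>grouper_user</role-name></security-role>
</web-app>"""

# Constructed web.xml fragment after removing the role and auth constraints.
WEB_XML_AFTER = """<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="3.0">
  <servlet-mapping><servlet-name>rest</servlet-name><url-pattern>/servicesRest/*</url-pattern></servlet-mapping>
</web-app>"""

# Constructed grouper-ws.properties fragment using the class named in the thread.
PROPS_KERB = "ws.security.non-rampart.authentication.class = " + KERB_CLASS + "\n"


def _local(tag):
    """Strip the XML namespace so the check works for any web-app schema version."""
    return tag.rsplit("}", 1)[-1]


def container_protected_patterns(web_xml):
    """Return url-patterns that web.xml still hands to container (role-based) auth."""
    root = ET.fromstring(web_xml)
    patterns = set()
    for sc in (e for e in root.iter() if _local(e.tag) == "security-constraint"):
        # A security-constraint without a role-name does not authenticate anyone.
        if not any(_local(e.tag) == "role-name" for e in sc.iter()):
            continue
        patterns.update(e.text.strip() for e in sc.iter() if _local(e.tag) == "url-pattern")
    return patterns


def kerberos_auth_configured(props_text):
    """True when grouper-ws.properties selects the Kerberos non-rampart auth class."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string("[ws]\n" + props_text)  # Java .properties has no section header
    return cp.get("ws", "ws.security.non-rampart.authentication.class", fallback="") == KERB_CLASS


def ws_auth_is_consistent(web_xml, props_text):
    """Kerberos class selected and no container constraint left to intercept the request."""
    return kerberos_auth_configured(props_text) and not container_protected_patterns(web_xml)
```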

 




Archive powered by MHonArc 2.6.19.