
grouper-users - [grouper-users] RE: Authentication and authorization to grouper WS

Subject: Grouper Users - Open Discussion List


[grouper-users] RE: Authentication and authorization to grouper WS

  • From: "Hyzer, Chris" <>
  • To: "Wessel, Keith" <>, "" <>
  • Subject: [grouper-users] RE: Authentication and authorization to grouper WS
  • Date: Thu, 30 Mar 2017 18:10:52 +0000

Ok, sorry, it's not a webapp, it's a web service. So the client needs to send the authentication with the request, not wait to be prompted. So it's difficult to use with a browser. But you could try it with the grouperClient, which is a Java command line program…





From: [mailto:] On Behalf Of Wessel, Keith
Sent: Thursday, March 30, 2017 11:39 AM
Subject: [grouper-users] RE: Authentication and authorization to grouper WS


Sorry, Chris, guess that’s why one should read the file called README.txt. I see that now.


However, after removing it, I don’t get prompted for authentication. So, next question: does setting to security.WsGrouperKerberosAuthentication tell the web app to prompt for http basic auth when needed? Or do I now need to configure Apache to protect /services and /servicesRestT using something like mod_krb? Happy to do the latter if the web app won’t do that part, and I assume that’s what I need to do. I’m just unclear, in that case, what the purpose is of the properties that I set in Since it’s possible to set Kerberos realms and KDC settings in there, I assume it can do something with it.







From: Hyzer, Chris []
Sent: Thursday, March 30, 2017 10:15 AM
To: Wessel, Keith <>;
Subject: RE: Authentication and authorization to grouper WS


Yes, remove that role and auth constraints. The web.xml should do no authn/authz if kerb will do it. :)





From: [] On Behalf Of Wessel, Keith
Sent: Thursday, March 30, 2017 11:12 AM
Subject: [grouper-users] Authentication and authorization to grouper WS


Hi, all,


I’ve been trying to follow the instructions for setting up my Grouper webservice to do Kerberos authentication against our AD. My goal is to prompt the user for http basic auth against AD Kerberos, and once logged in, only authorize users in the web service users group within Grouper. I’d like access to the web service to be granted/revoked within Grouper alone rather than having to maintain users in my Tomcat config. I’m trying to avoid container-based authentication but am not opposed to it if that’s the way to go. I’m going for minimal changes to get this working. It looks like there are several ways to accomplish it, though.


At present, I’ve set in to security.WsGrouperKerberosAuthentication. I’ve tried both setting Kerberos.krb5.conf.location to point to my krb5.conf and, when that failed, I tried setting Kerberos.realm and Kerberos.kdc.address.


I get prompted for authentication when I go to /grouper-ws/services/GrouperService, but it always rejects my authentication. I haven’t removed anything from the shipped web.xml and see some auth constraints in there that point to Tomcat roles. Do I need to remove that role? Or do I need to somehow use that role? Do I need to change something else?
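
The point made in the first reply above (the client has to send credentials with the request rather than wait for a prompt) can be reproduced locally. This is an added example, not code from the thread or from Grouper: the stub server, its no-challenge 401 behaviour and the credentials are constructed assumptions, and only the URL path is taken from the thread.

```python
import base64, hmac, threading, urllib.error, urllib.request
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

USER, PASSWORD = "wsuser", "example-pass"      # constructed sample credentials
PATH = "/grouper-ws/services/GrouperService"   # path quoted in the thread
TOKEN = "Basic " + base64.b64encode(f"{USER}:{PASSWORD}".encode()).decode()

class StubWs(BaseHTTPRequestHandler):
    """Constructed stand-in: checks Authorization but never sends a challenge."""
    def do_GET(self):
        sent = self.headers.get("Authorization", "").encode()
        ok = hmac.compare_digest(sent, TOKEN.encode())
        self.send_response(200 if ok else 401)  # note: no WWW-Authenticate header
        self.send_header("Content-Length", "0")
        self.end_headers()
    def log_message(self, *args):               # keep the demo output quiet
        pass

def _status(request, *handlers):
    # ProxyHandler({}) keeps the loopback request away from any configured proxy.
    opener = urllib.request.build_opener(urllib.request.ProxyHandler({}), *handlers)
    try:
        with opener.open(request, timeout=5) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code

def challenge_driven(url):
    """Browser-like client: holds credentials until the server asks for them."""
    mgr = urllib.request.HTTPPasswordMgrWithDefaultRealm()
    mgr.add_password(None, url, USER, PASSWORD)
    return _status(urllib.request.Request(url), urllib.request.HTTPBasicAuthHandler(mgr))

def preemptive(url):
    """Web-service client: attaches Authorization to the very first request."""
    return _status(urllib.request.Request(url, headers={"Authorization": TOKEN}))

def demo():
    server = ThreadingHTTPServer(("127.0.0.1", 0), StubWs)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    url = f"http://127.0.0.1:{server.server_address[1]}{PATH}"
    try:
        return challenge_driven(url), preemptive(url)
    finally:
        server.shutdown()
        server.server_close()

if __name__ == "__main__":
    print(demo())
```

The challenge-driven client holds valid credentials but never sends them, because `HTTPBasicAuthHandler` only reacts to a `WWW-Authenticate` challenge that this stub does not issue.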




