grouper-users - [grouper-users] RE: Authentication and authorization to grouper WS
Subject: Grouper Users - Open Discussion List
List archive
- From: "Hyzer, Chris" <>
- To: "Wessel, Keith" <>, "" <>
- Subject: [grouper-users] RE: Authentication and authorization to grouper WS
- Date: Thu, 30 Mar 2017 18:10:52 +0000
- Accept-language: en-US
- Authentication-results: illinois.edu; dkim=none (message not signed) header.d=none;illinois.edu; dmarc=none action=none header.from=isc.upenn.edu;
- Ironport-phdr: 9a23:yBFUIxxRetDwABrXCy+O+j09IxM/srCxBDY+r6Qd0uoXLfad9pjvdHbS+e9qxAeQG96KtrQU2qGP6fiocFdDyK7JiGoFfp1IWk1NouQttCtkPvS4D1bmJuXhdS0wEZcKflZk+3amLRodQ56mNBXdrXKo8DEdBAj0OxZrKeTpAI7SiNm82/yv95HJbQhFgDqwbalxIRiyogndq9cajZd/Iast1xXFpWdFdf5Lzm1yP1KTmBj85sa0/JF99ilbpuws+c1dX6jkZqo0VbNXAigoPGAz/83rqALMTRCT6XsGU2UZiQRHDg7Y5xznRJjxsy/6tu1g2CmGOMD9UL45VSi+46ptVRTlkzkMOSIn/27Li8xwlKNbrwynpxxj2I7ffYWZOONjcq/BYd8WQGxMVdtTWSNcGIOxd4sBAfQcM+ZEoYfzpFUOohm/BQawC+zi0SVHimPq0aAgz+gtDR/K0Qo9FNwOqnTUq9D1Ob8cXe63zKjJzCvMb+lO1Tzg9oXIcgohofCXXb5+bMHczkwvGB/FjlSQqI3qISmV2/8Ms2iA8+VsT/+vi3Y5pAF3pDij3NkjhZTUho8MzF3P6Ct3wIEwJdKiSU57Z8apEJRKtyGdKot2Wt0tQ3tytCc00b0Lv4OwcisSyJk/2RLQceCLf5WN7x7+SeqdPDJ1hHxqdb6jmxq/9EqtxfPzW8Wo1VtHqzRJnsXRunwVyhDe5NSLRuF580u8wzqDyR3f5+VeLUwpl6fWKpgsyaMqmJUJq0TMBCr2lV32jKCIckUk/fCl5fz7b7vhupOQKpZ4hBzmPKgzg8C/Bv83PRYUU2ic5OS8yKbs/UrkQLVMk/I6iLHZsIrdJcQHuKG2HxNV0ock6xa5FTum18kYnWUDLFJCfxKHjJLlNE3JIPD9Ffu/glKsnyl3x/3eILHuGInBImXGnbv8YLpx9ktRyAQ8wNxD+55ZD7MML+z8V0PtsdHVCwE1PxCpz+r/DdVyzIIeWWaBAq+DN6PStEeF5uczLOmMZI4UuSjyK+I+6v7vln82hUURfbSx3ZQJbnC4GO5qLFuEbnrxmtsBC3sFvhIiTOz2j12PSTFTZ2y1X6Ih/jE0FpimAZ7eRoC2nrOBxjy7E4ZSZmBHEVCMDWzoe5ueV/cNbiKSPtFukiYCVbe/V48tywuiuxHnxLp6faLo/XhSip/4z9Vxo6XwmBAu9XY8W8eC3nqWQmVcn2cMRjkx3bs5rEBgnBPLm6dihOFAGMYW+uhESBwSNJjAwvZ8BsyoHA/NY53BHFm8Rci+DCt0U8k82cQmYkBhFs+kgwyZmSemHulGuaaMAcl+0rPO0mK1b+190XfdnuF1ilImU9lCL0WnnaU56hDeAYiPnkmEwfX5PZ8A1TLAoT/QhVGFu1tVBUspCf3I
- Spamdiagnosticmetadata: NSPM
- Spamdiagnosticoutput: 1:99
Ok, sorry, its not a webapp, it’s a web service. So the client needs to send the authentication with the request, not wait to be prompted. So its difficult to use with a browser. But you could try it with
the grouperClient, which is a java command line program… Thanks Chris From: [mailto:]
On Behalf Of Wessel, Keith Sorry, Chris, guess that’s why one should read the file called README.txt. I see that now. However, after removing it, I don’t get prompted for authentication. So, next question: does setting
ws.security.non-rampart.authentication.class to edu.internet2.middleware.grouper.ws. security.WsGrouperKerberosAuthentication tell the web app to prompt for http basic auth when needed? Or do I now need to configure Apache to protect /services and /servicesRestT
using something like mod_krb? Happy to do the latter if the web app won’t do that part, and I assume that’s what I need to do. I’m just unclear, in that case, what the purpose is of the properties that I set in grouper-ws.properties. Since it’s possible to
set Kerberos realms and KDC settings in there, I assume it can do something with it. Keith . Keith From: Hyzer, Chris []
Yes, remove that role and auth constraints. The web.xml should do not authn/authz if kerb will do it.
J Thanks Chris From: []
On Behalf Of Wessel, Keith Hi, all, I’ve been trying to follow the instructions for setting up my Grouper webservice to do Kerberos authentication against our AD. My goal is to prompt the user for http basic auth against AD Kerberos, and once logged in, only authorize users
in the web service users group within Grouper. I’d like access to the web service to be granted/revoked within Grouper alone rather than having to maintain users in my Tomcat config. I’m trying to avoid container-based authentication but am not opposed to
it if that’s the way to go. I’m going for minimal changes to get this working. It looks like there are several ways to accomplish it, though. At present, I’ve set ws.security.non-rampart.authentication.class in grouper-ws.properties to edu.internet2.middleware.grouper.ws. security.WsGrouperKerberosAuthentication. I’ve tried both setting Kerberos.krb5.conf.location to point to
my krb5.conf and, when that failed, I tried setting Kerberos.realm and Kerberos.kdc.address. I get prompted for authentication when I go to /grouper-ws/services/GrouperService, but it always rejects my authentication. I haven’t removed anything from the shipped web.xml and see some auth constraints in there that point to Tomcat
roles. Do I need to remove that role? Or do I need to somehow use that role? Do I need to change something else? Thanks, Keith |
- [grouper-users] Authentication and authorization to grouper WS, Wessel, Keith, 03/30/2017
- [grouper-users] RE: Authentication and authorization to grouper WS, Hyzer, Chris, 03/30/2017
- [grouper-users] RE: Authentication and authorization to grouper WS, Wessel, Keith, 03/30/2017
- [grouper-users] RE: Authentication and authorization to grouper WS, Redman, Chad Eric, 03/30/2017
- [grouper-users] RE: Authentication and authorization to grouper WS, Hyzer, Chris, 03/30/2017
- [grouper-users] RE: Authentication and authorization to grouper WS, Wessel, Keith, 03/30/2017
- [grouper-users] RE: Authentication and authorization to grouper WS, Hyzer, Chris, 03/30/2017
Archive powered by MHonArc 2.6.19.