grouper-users - [grouper-users] RE: Authentication and authorization to grouper WS
Subject: Grouper Users - Open Discussion List
- From: "Wessel, Keith" <>
- To: "" <>
- Subject: [grouper-users] RE: Authentication and authorization to grouper WS
- Date: Wed, 5 Apr 2017 21:50:44 +0000
- Accept-language: en-US
Thanks, Chris and Chad. Between the tidbits from the two of you, we now have things working as needed. Now, on to adventures with the web service!

Keith

From: Hyzer, Chris [mailto:]

Ok, sorry, it’s not a webapp, it’s a web service. So the client needs to send the authentication with the request, not wait to be prompted. So it’s difficult to use with a browser. But you could try it with the grouperClient, which is a Java command line program…

Thanks
Chris

From: [mailto:] On Behalf Of Wessel, Keith

Sorry, Chris, guess that’s why one should read the file called README.txt. I see that now. However, after removing it, I don’t get prompted for authentication. So, next question: does setting ws.security.non-rampart.authentication.class to edu.internet2.middleware.grouper.ws.security.WsGrouperKerberosAuthentication tell the web app to prompt for http basic auth when needed? Or do I now need to configure Apache to protect /services and /servicesRestT using something like mod_krb?

Happy to do the latter if the web app won’t do that part, and I assume that’s what I need to do. I’m just unclear, in that case, what the purpose is of the properties that I set in grouper-ws.properties. Since it’s possible to set Kerberos realms and KDC settings in there, I assume it can do something with it.

Keith

From: Hyzer, Chris []

Yes, remove that role and auth constraints. The web.xml should not do authn/authz if kerb will do it. :)

Thanks
Chris

From: [] On Behalf Of Wessel, Keith

Hi, all,

I’ve been trying to follow the instructions for setting up my Grouper webservice to do Kerberos authentication against our AD. My goal is to prompt the user for http basic auth against AD Kerberos, and once logged in, only authorize users in the web service users group within Grouper. I’d like access to the web service to be granted/revoked within Grouper alone rather than having to maintain users in my Tomcat config. I’m trying to avoid container-based authentication but am not opposed to it if that’s the way to go. I’m going for minimal changes to get this working. It looks like there are several ways to accomplish it, though.

At present, I’ve set ws.security.non-rampart.authentication.class in grouper-ws.properties to edu.internet2.middleware.grouper.ws.security.WsGrouperKerberosAuthentication. I’ve tried both setting Kerberos.krb5.conf.location to point to my krb5.conf and, when that failed, I tried setting Kerberos.realm and Kerberos.kdc.address. I get prompted for authentication when I go to /grouper-ws/services/GrouperService, but it always rejects my authentication.

I haven’t removed anything from the shipped web.xml and see some auth constraints in there that point to Tomcat roles. Do I need to remove that role? Or do I need to somehow use that role? Do I need to change something else?

Thanks,
Keith