grouper-users - RE: [grouper-users] upgrading to 2.4
Subject: Grouper Users - Open Discussion List
List archive
- From: "Redman, Chad" <>
- To: Baron Fujimoto <>, Grouper Users <>, Ben Beecher <>, "Hyzer, Chris" <>
- Subject: RE: [grouper-users] upgrading to 2.4
- Date: Tue, 16 Apr 2019 15:50:19 +0000
I'm hoping we can move away from the custom classes and ant config -- the
Java classes are from 2009 and specific to the older UI that isn't in use.
Ideally it would be a change in web config, and adding an additional library.
I was able to get something working locally. It's using a 4.0 cas server and
3.5 client library, so YMMV. Here is what I did.
1) Downloaded cas-client-core (latest 3.5.1) and put into WEB-INF/lib; source
either from from Maven
(https://search.maven.org/search?q=g:org.jasig.cas.client%20AND%20a:cas-client-core&core=gav)
or from mvnrepository site which has ads
(https://mvnrepository.com/artifact/org.jasig.cas.client/cas-client-core)
2a) Copied webapp index.jsp to cas/index.jsp
2b)* Edited paths in cas/index.jsp, to reference parent directory instead of
the current one
<%@ include file="../WEB-INF/grouperUi2/assetsJsp/commonTaglib.jsp"%>
String
location="../grouperUi/app/UiV2Main.index?operation=UiV2Main.indexMain";
3)* Added to WEB-INF/classes/Owasp.CsrfGuard.overlay.properties
org.owasp.csrfguard.unprotected.CASLogin=%servletContext%/cas/*
4) Added to WEB-INF/web.xml, changing parameters as needed. Based on
https://apereo.atlassian.net/wiki/spaces/CASC/pages/103252594/Configuring+the+Jasig+CAS+Client+for+Java+in+the+web.xml
<filter>
<filter-name>CAS Authentication Filter</filter-name>
<filter-class>org.jasig.cas.client.authentication.AuthenticationFilter</filter-class>
<init-param>
<param-name>casServerUrlPrefix</param-name>
<param-value>http://localhost:8080/cas</param-value>
</init-param>
<init-param>
<param-name>serverName</param-name>
<param-value>http://localhost:8080</param-value>
</init-param>
</filter>
<filter-mapping>
<filter-name>CAS Authentication Filter</filter-name>
<url-pattern>/cas/*</url-pattern>
</filter-mapping>
<filter>
<filter-name>CAS Validation Filter</filter-name>
<filter-class>org.jasig.cas.client.validation.Cas20ProxyReceivingTicketValidationFilter</filter-class>
<init-param>
<param-name>casServerUrlPrefix</param-name>
<param-value>http://localhost:8080/cas</param-value>
</init-param>
<init-param>
<param-name>serverName</param-name>
<param-value>http://localhost:8080</param-value>
</init-param>
</filter>
<filter-mapping>
<filter-name>CAS Validation Filter</filter-name>
<url-pattern>/cas/*</url-pattern>
</filter-mapping>
<filter>
<filter-name>CAS HttpServletRequest Wrapper Filter</filter-name>
<filter-class>org.jasig.cas.client.util.HttpServletRequestWrapperFilter</filter-class>
</filter>
<filter-mapping>
<filter-name>CAS HttpServletRequest Wrapper Filter</filter-name>
<url-pattern>/cas/*</url-pattern>
</filter-mapping>
5) Start Tomcat, check catalina and localhost logs if any startup errors
6) Go to http://localhost:8080/grouper/cas/index.jsp
~~~~~
*I initially tried to set up a copy of index.jsp as cas.jsp in the top level
of the webapp, so that the paths did not need to be adjusted in the file. It
sometimes worked, but other times it gave an error page. The times it failed
were when there was no existing webapp session, so it appended
";jsessionid=.." after the URL. Somehow that broke the CSRFGuard exception,
even if I put in wildcards that should have matched. If someone understands
the subtlety there, I'd be interested in knowing.
The logout seems to be doing the right thing, and clearing out the session
including the authentication. I haven't tested inactivity timeouts so that is
still unverified.
My institution isn't using CAS, so this was just a proof of concept. If this
works for you with some other adjustments, let us know and we can update our
documentation.
-Chad
-----Original Message-----
From:
[] On Behalf Of Baron Fujimoto
Sent: Tuesday, April 16, 2019 12:04 AM
To: Grouper Users <>
Subject: Re: [grouper-users] upgrading to 2.4
We're about to embark on upgrading to 2.4 from 2.2, and we rely on CAS AuthN.
Hopefully this can be sorted out!
On Tue, Apr 16, 2019 at 03:24:35AM +0000, Redman, Chad wrote:
>The immediate problem may be the build using source code from 2.3 but
>libraries from 2.4. The servlet api library was upgraded from 2.3 to 3.1 (so
>compatible with Tomcat 8), and it includes a few new abstract methods. In
>the grouper 2.4 code, those methods have been implemented, so you wouldn't
>have seen those errors.
>
>But the bigger issue is probably going to be that the CAS contrib code is
>likely out of date. The struts code has been removed, so the web.xml
>settings won't be effective, and some URIs hardcoded in Java files will need
>to be adjusted.
>
>I'm throwing together a quick cas demo server, and doing some quick tests to
>see what kind of shape 2.4 is in.
>
>-Chad
>
>
>From:
>[] On Behalf Of Ben Beecher
>Sent: Monday, April 15, 2019 4:09 PM
>To: Hyzer, Chris <>
>Cc: Mailing List <>
>Subject: Re: [grouper-users] upgrading to 2.4
>
>Hi Chris,
>I upgraded those modules again with the full patch set and it's working now.
>Thanks for your help.
>After upgrading to Grouper 2.4 the CAS authentication is no longer working.
>I can only use Basic Auth to log in to Grouper 2.4. We have been using the
>Yale CAS Client (yale-cas-auth) following these instructions
>https://spaces.at.internet2.edu/display/Grouper/Implementing+CAS+Authentication+for+Grouper
>
>I double checked the updates to these files
>/var/grouper/installGrouper2.3/grouper.ui-2.3.0/build.xml
>/var/grouper/installGrouper2.3/grouper.ui-2.3.0/contrib/yale-cas-auth/build.properties
>/var/grouper/installGrouper2.3/grouper.ui-2.3.0/webapp/WEB-INF/struts-config.xml
>/var/grouper/installGrouper2.3/grouper.apiBinary-2.3.0/conf/sources.xml
>
>Everything looks ok there, sources.xml was replaced by subject.properties. I
>am not sure if I need to rebuild the war file as per the instructions. When
>I try to rebuild I get some errors:
>
>$ ant war
>Buildfile: /var/grouper/installGrouper2.3/grouper.ui-2.3.0/build.xml
>
>
>-compileGrouper:
> [mkdir] Created dir:
> /var/grouper/installGrouper2.3/grouper.ui-2.3.0/temp/jarBin
> [javac] /var/grouper/installGrouper2.3/grouper.ui-2.3.0/build.xml:452:
> warning: 'includeantruntime' was not set, defaulting to
> build.sysclasspath=last; set to false for repeatable builds
> [javac] Compiling 324 source files to
> /var/grouper/installGrouper2.3/grouper.ui-2.3.0/temp/jarBin
> [javac] warning: [options] bootstrap class path not set in conjunction
> with -source 1.5
> [javac] warning: [options] source value 1.5 is obsolete and will be
> removed in a future release
> [javac] warning: [options] target value 1.5 is obsolete and will be
> removed in a future release
> [javac] warning: [options] To suppress warnings about obsolete options,
> use -Xlint:-options.
> [javac]
> /var/grouper/installGrouper2.3/grouper.ui-2.3.0/java/src/edu/internet2/middleware/grouper/j2ee/GenericServletResponseWrapper.java:35:
> error: GenericServletResponseWrapper is not abstract and does not override
> abstract method getHeaderNames() in HttpServletResponse
> [javac] public class GenericServletResponseWrapper extends
> ServletResponseWrapper implements HttpServletResponse {
> [javac] ^
> [javac]
> /var/grouper/installGrouper2.3/grouper.ui-2.3.0/java/src/edu/internet2/middleware/grouper/ui/CaptureServletOutputStream.java:47:
> error: CaptureServletOutputStream is not abstract and does not override
> abstract method setWriteListener(WriteListener) in ServletOutputStream
> [javac] public class CaptureServletOutputStream extends
> ServletOutputStream {
> [javac] ^
> [javac] Note: Some input files use or override a deprecated API.
> [javac] Note: Recompile with -Xlint:deprecation for details.
> [javac] Note: Some input files use unchecked or unsafe operations.
> [javac] Note: Recompile with -Xlint:unchecked for details.
> [javac] 2 errors
> [javac] 4 warnings
>
>
>Any suggestions?
>Ben
>
>On Wed, Apr 3, 2019 at 9:00 AM Hyzer, Chris
><<>> wrote:
>Are you sure you pointed the upgrader to the right spot? I think the WS
>might live somewhere else? look in apache config and see where it is
>linking to
>
>From: Ben Beecher <<>>
>Sent: Tuesday, April 02, 2019 4:05 PM
>To: Hyzer, Chris <<>>
>Cc: <> Mailing
>List <<>>; Ben
>Beecher <<>>
>Subject: Re: [grouper-users] upgrading to 2.4
>
>Hi Chris,
>I was able to get past that error by copying the old patches to
>/var/grouper/installGrouper2.3/tarballs/patches/
>I have another question for you.
>I used the Grouper upgrader to upgrade the api and ui modules. While
>upgrading the ws it reverted all patches and then it got this error:
>
>> Upgrading WS jars
>> Exception in thread "main" java.lang.RuntimeException: Why does jar
>> directory not exist?
>> /var/grouper/installGrouper2.3/tarballs/grouper.ws-2.4.0/grouper-ws/build/dist/grouper-ws/WEB-INF/lib
>
>I created the last two subdirectories manually (WEB-INF/lib) and then I ran
>the upgrader again. I got a different error this time:
>
>Upgrading WS jars
>Upgraded 0 jar files from:
>/var/grouper/installGrouper2.3/tarballs/grouper.ws-2.4.0/grouper-ws/build/dist/grouper-ws/WEB-INF/lib
> to:
> /var/grouper/installGrouper2.3/grouper.ws-2.3.0/grouper-ws/build/dist/grouper-ws/WEB-INF/lib
>
>##################################
>Upgrading WS files
>Upgrading files from:
>/var/grouper/installGrouper2.3/tarballs/grouper.ws-2.4.0/grouper-ws/build/dist/grouper-ws/
> to:
> /var/grouper/installGrouper2.3/grouper.ws-2.3.0/grouper-ws/build/dist/grouper-ws/
> ignoring paths: WEB-INF/bin/gsh.sh, WEB-INF/bin/gsh.bat, WEB-INF/lib,
> WEB-INF/bin/gsh, WEB-INF/web.xml, WEB-INF/classes
>Compared 0 files and found 0 adds and 0 updates
>Backing up:
>/var/grouper/installGrouper2.3/grouper.ws-2.3.0/grouper-ws/build/dist/grouper-ws/WEB-INF/bin/gsh.bat
> to:
>/var/grouper/installGrouper2.3/tarballs/bak_WS_2019_03_26_21_06_36_798/WEB-INF/bin/gsh.bat
>Copying new file:
>/var/grouper/installGrouper2.3/tarballs/grouper.ws-2.4.0/grouper-ws/build/dist/grouper-ws/WEB-INF/bin/gsh.bat
> to:
>/var/grouper/installGrouper2.3/grouper.ws-2.3.0/grouper-ws/build/dist/grouper-ws/WEB-INF/bin/gsh.bat
>Exception in thread "main" java.lang.RuntimeException:
>java.io.FileNotFoundException: Source
>'/var/grouper/installGrouper2.3/tarballs/grouper.ws-2.4.0/grouper-ws/build/dist/grouper-ws/WEB-INF/bin/gsh.bat'
> does not exist
> at
> edu.internet2.middleware.grouperInstaller.util.GrouperInstallerUtils.copyFile(GrouperInstallerUtils.java:10550)
> at
> edu.internet2.middleware.grouperInstaller.GrouperInstaller.backupAndCopyFile(GrouperInstaller.java:6168)
> at
> edu.internet2.middleware.grouperInstaller.GrouperInstaller.upgradeWs(GrouperInstaller.java:13434)
> at
> edu.internet2.middleware.grouperInstaller.GrouperInstaller.access$5800(GrouperInstaller.java:84)
> at
> edu.internet2.middleware.grouperInstaller.GrouperInstaller$AppToUpgrade$4.upgradeApp(GrouperInstaller.java:6900)
> at
> edu.internet2.middleware.grouperInstaller.GrouperInstaller.mainUpgradeLogic(GrouperInstaller.java:4720)
> at
> edu.internet2.middleware.grouperInstaller.GrouperInstaller.access$600(GrouperInstaller.java:84)
> at
> edu.internet2.middleware.grouperInstaller.GrouperInstaller$GrouperInstallerMainFunction$3.logic(GrouperInstaller.java:1516)
> at
> edu.internet2.middleware.grouperInstaller.GrouperInstaller.mainLogic(GrouperInstaller.java:1728)
> at
> edu.internet2.middleware.grouperInstaller.GrouperInstaller.main(GrouperInstaller.java:561)
>Caused by: java.io.FileNotFoundException: Source
>'/var/grouper/installGrouper2.3/tarballs/grouper.ws-2.4.0/grouper-ws/build/dist/grouper-ws/WEB-INF/bin/gsh.bat'
> does not exist
> at
> edu.internet2.middleware.grouperInstaller.util.GrouperInstallerUtils.copyFile(GrouperInstallerUtils.java:10530)
> ... 9 more
>
>
>I see the new version of gsh.bat in the ui directory so perhaps I don't need
>to update the gsh.bat in the ws directory.
>
>$ ls -l
>/var/grouper/installGrouper2.3/grouper.ui-2.3.0/dist/grouper/WEB-INF/bin/gsh.bat
>-rwxr-xr-x. 1 idmserv idmserv 4174 Mar 26 20:46
>/var/grouper/installGrouper2.3/grouper.ui-2.3.0/dist/grouper/WEB-INF/bin/gsh.bat
>Ben
>
>On Wed, Mar 20, 2019 at 9:39 AM Hyzer, Chris
><<>> wrote:
>Ben, I think you need to download the 2.4 ALL zip, which you did, but you
>also need the 2.3 ALL zip, can you download that to so the file not found
>goes away and see if it works?
>
>From:
><>
>
><<>>
> On Behalf Of Hyzer, Chris
>Sent: Tuesday, March 19, 2019 11:35 PM
>To: Ben Beecher <<>>;
><> Mailing List
><<>>
>Subject: RE: [grouper-users] upgrading to 2.4
>
>Ugh, maybe copy the dir you are upgrading to an internet machine, upgrade,
>and copy back… sorry, I entered a jira…
>
>Thanks
>Chris
>
>From:
><>
>
><<>>
> On Behalf Of Ben Beecher
>Sent: Tuesday, March 19, 2019 4:00 PM
>To: <> Mailing
>List <<>>
>Subject: [grouper-users] upgrading to 2.4
>
>(1) I am trying to upgrade from version 2.3 to version 2.4. The Grouper
>upgrader wants to upgrade in place (not into a new directory) so do I need
>to rename the directory after the upgrade is complete? The current directory
>name is
>/var/grouper/installGrouper2.3
>
>and I think the new name should be
>/var/grouper/installGrouper2.4
>
>
>(2) I get an error during the upgrade process. My server is on a secure
>network so it can't download patch files from the internet. I downloaded the
>tar file which contains all patches
>http://software.internet2.edu/grouper/release/2.4.0/grouper.all-2.4.0.tar.gz
>
>I uncompressed and extracted the contents to this directory
>/var/grouper/grouper.all-2.4.0
>
>I created a properties file that points to the new directory
>
>$ cat /var/grouper/installGrouper2.3/grouper.installer.properties
>download.server.url = /var/grouper/grouper.all-2.4.0
>
># default version to install
>grouper.version = 2.4.0
>
>I ran the installer with the "upgrade" option but it gets an error when it
>tries to access one of the 2.3 patch files. It's looking for a 2.3 patch
>file in the 2.4 directory that was recently downloaded.
>
>##################################
>Gather upgrade information
>
>Enter in a Grouper temp directory to download tarballs (note: better if no
>spaces or special chars) [/var/grouper/installGrouper2.3/tarballs]:
>/tmp/grouper/patches
>You need to revert all patches to upgrade
>
>################ Checking patch grouper_v2_3_0_api_patch_88
>Patch: grouper_v2_3_0_api_patch_88: was applied on: 2018/02/08 16:05:53
>
>Error connecting to URL:
>/var/grouper/grouper.all-2.4.0/release/2.3.0/patches/grouper_v2_3_0_api_patch_88.tar.gz
>Exception in thread "main" java.lang.RuntimeException: Error connecting to
>URL:
>/var/grouper/grouper.all-2.4.0/release/2.3.0/patches/grouper_v2_3_0_api_patch_88.tar.gz,
>
>I have attached the session log to this message.
>
>Ben
>
--
Baron Fujimoto <> :: UH Information Technology Services
minutas cantorum, minutas balorum, minutas carboratum desendus pantorum
- Re: [grouper-users] upgrading to 2.4, Ben Beecher, 04/02/2019
- RE: [grouper-users] upgrading to 2.4, Hyzer, Chris, 04/03/2019
- Re: [grouper-users] upgrading to 2.4, Ben Beecher, 04/15/2019
- RE: [grouper-users] upgrading to 2.4, Redman, Chad, 04/16/2019
- Re: [grouper-users] upgrading to 2.4, Baron Fujimoto, 04/16/2019
- RE: [grouper-users] upgrading to 2.4, Redman, Chad, 04/16/2019
- Re: [grouper-users] upgrading to 2.4, Ben Beecher, 04/25/2019
- RE: [grouper-users] upgrading to 2.4, Redman, Chad, 04/16/2019
- Re: [grouper-users] upgrading to 2.4, Baron Fujimoto, 04/16/2019
- RE: [grouper-users] upgrading to 2.4, Redman, Chad, 04/16/2019
- Re: [grouper-users] upgrading to 2.4, Ben Beecher, 04/15/2019
- RE: [grouper-users] upgrading to 2.4, Hyzer, Chris, 04/03/2019
Archive powered by MHonArc 2.6.19.