Skip to Content.
Sympa Menu

grouper-users - [grouper-users] tomcat-8.5 forbidden error: can't figure out

Subject: Grouper Users - Open Discussion List

List archive

[grouper-users] tomcat-8.5 forbidden error: can't figure out


Chronological Thread 
  • From: Francesco Malvezzi <>
  • To:
  • Subject: [grouper-users] tomcat-8.5 forbidden error: can't figure out
  • Date: Wed, 22 Jul 2020 16:34:45 +0200

hi all,

it's not exactly a grouper issue, but while migrating from grouper-2.3.0
to grouper-2.4.0 (that requires tomcat-8.5) I can't get rid of the 403
Forbidden error "The server understood the request but refuses to
authorize it."

Authentication is delegated to shibboleth-sp; there is apache2 as
tomcat's reverse proxy.

The HTTP Status 403 Forbidden show up after a successful Shibboleth
authentication; the apache2's logs show the correct REMOTE_USER.

So I think something is wrong on tomcat-8.5.

I doubled checked the Authentication using Shibboleth Single Sign-on
(SSO) document [1] but I am clueless.

The connector in server.xml is pretty normal:

<!-- Define an AJP 1.3 Connector on port 8009 -->
<Connector protocol="AJP/1.3"
tomcatAuthentication="false"
tomcatAuthorization="false"
secretRequired="false"
port="8009"
URIEncoding="UTF-8"
address="::1"
redirectPort="8443" />

The security-constraint, login-config, and security-role sections have
been stripped away from ${grouper.ui}/dist/grouper/WEB-INF/web.xml.

I would add there is nothing in the logs. Just a plain line in
localhost_access_log.2020-07-22.txt:
*.*.*.* - - [22/Jul/2020:15:46:18 +0200] "GET /grouper/index.jsp
HTTP/1.1" 403 618

Thank you so much if you could point me to the right direction!

Francesco

[1]
https://spaces.at.internet2.edu/display/Grouper/Authentication+to+the+Grouper+UI



Archive powered by MHonArc 2.6.19.

Top of Page