Grouper Users - Open Discussion List

[Francesco Malvezzi <>]

hi all,

it's not exactly a grouper issue, but while migrating from grouper-2.3.0
  to grouper-2.4.0 (that requires tomcat-8.5) I can't get rid of the 403
Forbidden error "The server understood the request but refuses to
authorize it."

Authentication is delegated to shibboleth-sp; there is apache2 as
tomcat's reverse proxy.

The HTTP Status 403 Forbidden show up after a successful Shibboleth
authentication; the apache2's logs show the correct REMOTE_USER.

So I think something is wrong on tomcat-8.5.

I doubled checked the Authentication using Shibboleth Single Sign-on
(SSO) document [1] but I am clueless.

The connector in server.xml is pretty normal:

<!-- Define an AJP 1.3 Connector on port 8009 -->
    <Connector protocol="AJP/1.3"
               tomcatAuthentication="false"
               tomcatAuthorization="false"
               secretRequired="false"
               port="8009"
               URIEncoding="UTF-8"
               address="::1"
               redirectPort="8443" />

The security-constraint, login-config, and security-role sections have
been stripped away from ${grouper.ui}/dist/grouper/WEB-INF/web.xml.

I would add there is nothing in the logs. Just a plain line in
localhost_access_log.2020-07-22.txt:
*.*.*.* - - [22/Jul/2020:15:46:18 +0200] "GET /grouper/index.jsp
HTTP/1.1" 403 618

Thank you so much if you could point me to the right direction!

Francesco

[1]
https://spaces.at.internet2.edu/display/Grouper/Authentication+to+the+Grouper+UI