
grouper-users - Re: [grouper-users] tomcat-8.5 forbidden error: can't figure out

Subject: Grouper Users - Open Discussion List

  • From: "Hyzer, Chris" <>
  • To: "" <>, Francesco Malvezzi <>
  • Subject: Re: [grouper-users] tomcat-8.5 forbidden error: can't figure out
  • Date: Wed, 22 Jul 2020 15:10:07 +0000

First off, please upgrade to 2.5.33 instead.

Second, try setting this in log4j.properties:

log4j.logger.edu.internet2.middleware.grouper.ui.GrouperUiFilter = DEBUG


Anything helpful in logs?

From: <> on behalf of Francesco Malvezzi <>
Sent: Wednesday, July 22, 2020 10:34 AM
To: <>
Subject: [grouper-users] tomcat-8.5 forbidden error: can't figure out
 
hi all,

it's not exactly a grouper issue, but while migrating from grouper-2.3.0
to grouper-2.4.0 (that requires tomcat-8.5) I can't get rid of the 403
Forbidden error "The server understood the request but refuses to
authorize it."

Authentication is delegated to shibboleth-sp; there is apache2 as
tomcat's reverse proxy.

The HTTP Status 403 Forbidden shows up after a successful Shibboleth
authentication; the apache2's logs show the correct REMOTE_USER.

So I think something is wrong on tomcat-8.5.

I double-checked the Authentication using Shibboleth Single Sign-on
(SSO) document [1] but I am clueless.

The connector in server.xml is pretty normal:

    <!-- Define an AJP 1.3 Connector on port 8009 -->
    <Connector protocol="AJP/1.3"
               tomcatAuthentication="false"
               tomcatAuthorization="false"
               secretRequired="false"
               port="8009"
               URIEncoding="UTF-8"
               address="::1"
               redirectPort="8443" />

The security-constraint, login-config, and security-role sections have
been stripped away from ${grouper.ui}/dist/grouper/WEB-INF/web.xml.

I would add there is nothing in the logs. Just a plain line in
localhost_access_log.2020-07-22.txt:
*.*.*.* - - [22/Jul/2020:15:46:18 +0200] "GET /grouper/index.jsp
HTTP/1.1" 403 618

Thank you so much if you could point me in the right direction!

Francesco

[1]
https://spaces.at.internet2.edu/display/Grouper/Authentication+to+the+Grouper+UI
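
Added example, not part of either message and not Grouper or Tomcat code: a small Python audit of the AJP connector attributes in a server.xml like the one quoted above. It assumes Tomcat 8.5.51 or later, where `secretRequired` and `allowedRequestAttributesPattern` exist; the function names and finding codes are made up for this example.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample: the connector quoted in the message above.
SAMPLE_SERVER_XML = """<Server><Service name="Catalina">
  <Connector protocol="AJP/1.3" tomcatAuthentication="false"
             tomcatAuthorization="false" secretRequired="false"
             port="8009" URIEncoding="UTF-8" address="::1"
             redirectPort="8443" />
</Service></Server>"""


def is_loopback(address):
    """True if the connector's bind address is a loopback address."""
    if address is None:
        return True  # assumption: Tomcat 8.5.51+, where AJP defaults to loopback
    try:
        return ipaddress.ip_address(address).is_loopback
    except ValueError:
        return address == "localhost"


def audit_ajp(server_xml):
    """Return (port, finding_code) pairs for every AJP connector."""
    findings = []
    for conn in ET.fromstring(server_xml).iter("Connector"):
        if "ajp" not in conn.get("protocol", "").lower():
            continue
        port = conn.get("port", "?")
        has_secret = bool(conn.get("secret") or conn.get("requiredSecret"))
        secret_required = conn.get("secretRequired", "true").lower() == "true"
        trusts_proxy_user = conn.get("tomcatAuthentication", "true").lower() == "false"
        if not has_secret and not secret_required:
            # Any peer that can reach the port is treated as the reverse proxy.
            scope = "LOOPBACK" if is_loopback(conn.get("address")) else "EXPOSED"
            findings.append((port, "NO_SECRET_" + scope))
            if trusts_proxy_user:
                # The user name sent over AJP is accepted as already authenticated.
                findings.append((port, "REMOTE_USER_ACCEPTED_WITHOUT_SECRET"))
        if conn.get("allowedRequestAttributesPattern") is None:
            # Request attributes outside Tomcat's built-in list are answered with 403.
            findings.append((port, "UNLISTED_REQUEST_ATTRIBUTES_REJECTED_403"))
    return findings


if __name__ == "__main__":
    for port, code in audit_ajp(SAMPLE_SERVER_XML):
        print(port, code)
```

In those Tomcat versions the AJP connector rejects a request carrying a request attribute it does not recognise, unless the attribute name matches `allowedRequestAttributesPattern`.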


