Grouper Users - Open Discussion List

[Jonathan Keller <>]

Just following up on my earlier email.

TL;DR - never got web.xml AuthN working - fell back to mod_auth_cas in the Apache server which did work.

Writing up my findings for others on the authN issue with the 2.5+ containers:

First, the web.xml version seems to be broken.  The changes to the container whereas the servlet config is driven by the file:

/opt/grouper/grouperWebapp/WEB-INF/classes/META-INF/services/javax.servlet.ServletContainerInitializer 

and the https://github.com/Internet2/grouper/blob/master/grouper/src/grouper/edu/internet2/middleware/grouper/j2ee/CommonServletContainerInitializer.java  class it points to results in the filters which you would add in web.xml being processed after the other components of the system, so the user ID is not available at the time the grouper components are reading the HTTP request headers.

I also could not get the Tomcat Valve method to work.  I am not sure why.  I installed the valve as documented and added the login-config and security-constraints to the web.xml, but the redirect to the CAS server would never happen.  (I've never used Tomcat AuthN via Valves before - so I'm assuming I just missed something here.)

I DID finally get CAS AuthN working by installing mod_auth_cas into the container via yum and then pushing in the configuration it via grouperScriptHooks_setupFilesPost() so that I could limit it to the UI server container.  (We do have Shib at UCD, but was not ready to attempt that setup at the current stage.)

--

Jonathan Keller

Application Architect - Administrative IT

On Aug 28, 2020, at 2:49 PM, Jonathan Keller <> wrote:

I'm hoping this is a quick question for someone.  I am trying to get our local campus CAS authentication integrated with the Grouper UI.  I've been following the setup instructions here:

https://spaces.at.internet2.edu/display/Grouper/Authentication+to+the+Grouper+UI

And using the Tomcat web.xml version of the setup.

I have the redirect working, and the CAS servers are redirecting back.  Debug logging shows that the ticket validation is working - I can see my user ID coming back in the XML response from our servers.

However, the resulting user ID does not seem to be getting extracted into the servlet request by the HttpServletRequestWrapperFilter.  I've checked the code of that class, and it attempting to extract the assertion into the getRemoteUser() method of the request, which the above documentation says will be used by the Grouper UI.  However, I'm getting the (dreaded?) 

"You have an anonymous session since you are not logged in,..." message.

Given what I am seeing, it would appear that either the filter is not running, or is not instrumenting the servlet request which is executing the UI.  I'm hoping there is just some additional configuration that I'm missing.  My setup is pretty much like the documentation except for using these for the init params:

<init-param>

<param-name>casServerUrlPrefix</param-name>

<param-value>https://${casHost}/cas</param-value>

</init-param>

<init-param>

<param-name>service</param-name>

<param-value>${serverName}/grouper/</param-value>

</init-param>

I also upgraded to the Cas30ProxyReceivingTicketValidationFilter - but the problem existed with the 2.0 proxy as well.

Any help would be appreciated.

Thanks.

--

Jonathan Keller

Application Architect - Administrative IT

<image001.png>