For web services and UI authentication for Grouper v2.5 and above see this page
High level Grouper Web Services authentication
From a high level, grouper or the servlet container or web server or servlet filter will authenticate the user, and then the user needs to be resolved into a Subject.
Note the default and most popular authentication protocol in grouper-ws is http-basic (Authorization header), so for this and other reasons make sure your deployments of grouper-ws are protected with SSL. In the v2.5+ container there is a param to enable self-signed SSL certs for quick starts if you dont have a real certificate yet.
Types of authentication
- Self-service JWT
- JWT from trusted authority
- Grouper built-in basic authentication
- Grouper LDAP authentication
- Tomcat authentication
- Apache authentication
- Kerberos user/pass
- Custom authentication
- Rampart (on top of something else)
- SSL certificates. There is no documentation on this. Do this with Apache or Tomcat and pass in the REMOTE_USER.
- other? if you can get a REMOTE_USER via apache or tomcat plugin or filter, it will work with Grouper WS
Types of subject sources
When the authentication happens and the principal name is given to Grouper from the authentication source, it needs to be resolvable as a subject. There are a few options
- Use your existing subject source (e.g. ldap, if it can it hold accounts that represent systems)
- Grouper Local Entities
- Custom SQL table and source
Configure the default source in the grouper-ws.properties especially if you have subjectId overlap in various sources, but also to help with performance
To enable web service users to act as another user (proxy), enable the setting in the grouper-ws grouper.properties
If you specify a group name in there, you can pass in the actAs field if you connect to the web service as a user who is in the ws.act.as.group group. Here is an example with the axis generated client.
There are advanced settings, you can specify multiple groups in the grouper-ws.properties, and you can even limit who the users can act as (in a specific group).