...
For a UI/WS that was installed using the Grouper Installer, Tomcat authentication using web.xml security-constraint directives is not used by default since v2.5. It has been replaced by a Grouper authentication module that stores usernames and encrypted passwords in the database. See this page for further explanation. It is not enabled by default, except for a quickstart container. It is enabled by setting container parameters GROUPER_UI_GROUPER_AUTH and GROUPER_WS_GROUPER_AUTH, or by grouper.hibernate.properties parameters grouper.is.ui.basicAuthn and grouper.is.ws.basicAuthn. It is not recommended to use tomcat-users.xml anymore, but it can be added back manually if desired. Besides built-in authentication, external authentication services like Shibboleth and CAS are excellent options.
...
This will assume that you have disabled other environment variable enabled methods of authentication and that you are building your own local docker image for deployment as per Install the Grouper v2.5 container with maturity level 1 manually.
- Create a directory for your docker overlay and create the directory
slashRoot
inside it. Create a
Dockerfile
with at least the following contents.ARG GROUPER_VERSION=2.5.XX
FROM i2incommon/grouper:${GROUPER_VERSION}
# Need to install CAS so it can be used at the Apache server level
RUN yum -y install mod_auth_cas
# this will overlay all the files from /opt/grouperContainer/slashRoot on to /
COPY slashRoot /
RUN chown -R tomcat:tomcat /opt/grouper \
&& chown -R tomcat:tomcat /opt/tomee
- Add the files below under
slashRoot
:/etc/httpd/conf.d/auth_cas.conf.cas
Code Block language xml title auth_cas.conf.cas collapse true CASCookiePath /var/cache/httpd/mod_auth_cas/ CASLoginURL https://__CAS_HOST_NAME__/cas/login CASValidateURL https://__CAS_HOST_NAME__/cas/serviceValidate CASRootProxiedAs https://__GROUPER_UI_HOST_NAME__ #CASDebug On CASVersion 2 <Location /grouper> Authtype CAS require valid-user </Location>
- /usr/local/bin/grouperScriptHooks.sh
This hook script only installs the CAS filter in the apache layer when running the UI. It copies the file above over the default installed by yum, and then replaces the placeholder text with environment variables.
Code Block language bash title grouperScriptHooks.sh collapse true #!/bin/sh # called at the beginning of the container startup # after logging is setup # grouperScriptHooks_prepConfPost() { # return # } # called after the component command has been prepped # grouperScriptHooks_prepComponentPost() { # return # } # called after the finishPrep is called before the setupFiles # grouperScriptHooks_finishPrepPost() { # return # } # called after the setupFiles functions is called, almost before the process starts grouperScriptHooks_setupFilesPost() { echo "RUNNING CUSTOM grouperScriptHooks_setupFilesPost: GROUPER_UI=$GROUPER_UI" if [ "$GROUPER_UI" = "true" ]; then # Install needed CAS configuration cp -v /etc/httpd/conf.d/auth_cas.conf.cas /etc/httpd/conf.d/auth_cas.conf # Populate with this instance's hostnames sed -i "s|__CAS_HOST_NAME__|$CUSTOM_CAS_HOST_NAME|g" /etc/httpd/conf.d/auth_cas.conf sed -i "s|__GROUPER_UI_HOST_NAME__|$GROUPER_APACHE_SERVER_NAME|g" /etc/httpd/conf.d/auth_cas.conf echo "Enabled CAS Authentication Using CAS_HOST_NAME=$CUSTOM_CAS_HOST_NAME" fi return } # called after the chown at end of setupFiles, right before the process starts # grouperScriptHooks_setupFilesPostChown() { # return # } # export everything export -f grouperScriptHooks_setupFilesPost
Either in your dockerfile with ENV commands or upon startup of your container, set the following environment variables:
GROUPER_APACHE_SERVER_NAME
: host name (no scheme or path) of the server. Will be used in the Apache ServerName directive and to build the service URL used for redirects back from CAS.CUSTOM_CAS_HOST_NAME
: host name (no scheme or path) of the CAS server.
- You will also likely want to set
GROUPERUI_LOGOUT_REDIRECTTOURL
tohttp://${CUSTOM_CAS_HOST_NAME}/cas/logout
Build and tag your docker image and then run as per the install instruction page linked above. As with the other authentication methods, you should be able to see that the user ID from CAS has been proxied through by turning on logging by adding the below to your log4j.properties file.
log4j.logger.edu.internet2.middleware.grouper.ui.GrouperUiFilter = DEBUG
...
|
See Also
Authentication to UI and Web Services in Grouper v2.5+
Grouper Web Services Authentication
...