Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

Include Page
spaceKeyGrouper
pageTitleNavigation

Table of Contents

Add a new password via gsh for UI

Code Block
v2.5.29+
new GrouperPasswordSave().assignApplication(GrouperPassword.Application.UI).assignUsername("GrouperSystem").assignPassword("password").save();

Add a new password via gsh for WS

Note: if you are setting a password for a local entity to do web service calls, you should probably use the uuid (unique id) as the username, though the system name (id) might work too (it works in grouper client).  Colons shouldnt be used in HTTP usernames, so the uuid is better

Code Block
v2.5.29+
new GrouperPasswordSave().assignApplication(GrouperPassword.Application.WS).assignUsername("GrouperSystem").assignPassword("password").save();

Local entity with uuid
new GrouperPasswordSave().assignApplication(GrouperPassword.Application.WS).assignUsername("7a7937ad646849fc8278fb2fc6c45156").assignPassword("password").save();


Example with local entity and WS authentication

For example with container 2.5.36

...

Code Block
mchyzer@ISC20-0637-WL:~/container$ curl --insecure --user 1ebc381f335c4c6f8dadfc5b76e85dc8:myPass https://localhost:443/grouper-ws/servicesRest/v2_5_000/groups/test%3AtestGroup/members


Summary

This page outlines the approach to authentication to UI and web services in Grouper 2.5 and above.

...

Complexity?  Grouper assigns complex passwords

Password table in Grouper: grouper_password

Note, even if Grouper is not doing authn, it could still restrict the source address.  For WS, any authns would get a record inserted or updated here

ColumnTypeDescription
idvarchar (40)uuid of this entry (one user could have ui and ws credential)
usernamevarchar (255)username or local entity system name
member_idvarchar(40)this is a reference to the grouper members table.  dont make a foreign key right now.  When someone logs in, save their GrouperPassword object in the request somewhere, and when the subject is resolved, if the member id resolved doesnt match the member id in the GrouperPassword row, then update it and store to the database.  this column should have a non-unique index (since same entity can have multiple rows here)
entity_typevarchar (20)username or localEntity
is_hashedvarchar (1)T for is hashed, F for is public key
encryption_typevarchar (20)e.g. SHA-256 or RS-256 (key type)
the_saltvarchar (255)secure random prepended to hashed pass
the_passwordvarchar (4000)encrypted public key or encrypted hashed salted password
applicationvarchar (20)ws (includes scim) or ui
allowed_from_cidrsvarchar (4000)network cidrs where credential is allowed from
recent_source_addressesvarchar (4000)

json with timestamps. only successes. (limit to most recent 20)


Code Block
[
{ millis: 123455667,
  ip: "1.2.3.4"
},
{ millis: 123455669,
  ip: "1.2.3.5"
}
]

To parse

Code Block
from json to JSONObject to array
System.arrayCopy, move index 0-(length-1) -> 1-(length), add most recent to index 0
convert back to JSON array and object and string and store


failed_source_addressesvarchar (4000)

if restricted by cidr, this was failed IPs (json with timestamp?) (limit to most recent 10)

Code Block
[
{ millis: 123455667,
  ip: "1.2.3.4"
},
{ millis: 123455669,
  ip: "1.2.3.5"
}
]


last_authenticatedtimestampwhen last authenticated successful
last_editedtimestampwhen this was last edited
failed_loginsvarchar (4000)

Keep 20

Code Block
[
{ millis: 123455667,
  ip: "1.2.3.4"
},
{ millis: 123455669,
  ip: "1.2.3.5"
}
]



JWT table recently used in Grouper: grouper_password_recently_used

A process would clean these out after the configured drift (10 minutes)

...

ColumnTypeDescription
idvarchar(40)uuid of this row (primary key)
grouper_password_idvarchar(40)foreign key to grouper_password table
jwt_jtivarchar (100)e.g. uuid of this entry (sent from client)
jwt_iatinteger (11)seconds since 1970 that this was issued

Manage passwords

UI for admins to set a user's (or local entity's) UI password or could restrict source IP cidrs.  UI passwords would need to follow strength rules

...

Admins and end users can not view or re-download passwords or private keys

Basic authn built in to Grouper

If configured (for quick start only), the UI could use basic auth and use passwords configured for users

Its possible users could reset their password using their old password to authenticate.

Passwords for WS

Your LDAP or Kerberos or apache or tomcat authn would still work.  Its possible there could be multiple allowed... i.e. to transition into local entity JWT authn.  Depending on configuration.

...