Out of the box, grouper-ws uses Grouper built-in basic authentication with usernames and passwords hashed and stored in the grouper database.
This authentication is built-in to Grouper and does not use tomcat or apache authentication
Manage users
Enter your own values for:
- ***PRINCIPAL***
- ***PASSWORD***
Until there is a UI you can remove accounts in the database in the grouper_password table (or we can add more GSH methods)
cd /opt/grouper/grouperWebapp/WEB-INF/bin vi addUser.gsh grouperPasswordSave = new GrouperPasswordSave(); grouperPasswordSave.assignUsername("***PRINCIPAL***").assignPassword("***PASSWORD***").assignEntityType("username"); grouperPasswordSave.assignApplication(GrouperPassword.Application.UI); new Authentication().assignUserPassword(grouperPasswordSave); ./gsh.sh addUser.gsh
Configure
This is on by default if you start a Grouper container v2.5 with "ws". But here are some details. Note the file locations in the container are listed in the v2.5 container documentation
File | Value | Description |
---|---|---|
grouper.hibernate.properties | grouper.is.ws.basicAuthn=true | This enabled the built-in Grouper authentication with passwords in the database |
web.xml | No security-constraints or login-configs | This is the default provided with container, do not overlay |
server.xml | ajp 8009 connector element: tomcatAuthentication="false" | This is the default provided with container, do not overlay Tomcat is not doing authn so that attribute needs to be false |
grouper-ws.properties | ws.security.non-rampart.authentication.class = | This should be blank (get remote_user) This is the default provided with container, do not overlay |