Out of the box, grouper-ws uses Grouper built-in basic authentication with usernames and passwords hashed and stored in the grouper database (after enabling it).
This authentication is built-in to Grouper and does not use tomcat or apache authentication
Manage users
Enter your own values for:
- ***PRINCIPAL***
- ***PASSWORD***
Until there is a UI you can remove accounts in the database in the grouper_password table (or we can add more GSH methods)
cd /opt/grouper/grouperWebapp/WEB-INF/bin
vi addUser.gsh
grouperPasswordSave = new GrouperPasswordSave();
grouperPasswordSave.assignUsername("***PRINCIPAL***").assignPassword("***PASSWORD***").assignEntityType("username");
grouperPasswordSave.assignApplication(GrouperPassword.Application.UI);
new Authentication().assignUserPassword(grouperPasswordSave);
./gsh.sh addUser.gsh
Configure
This is on by default if you start a Grouper container v2.5 with "ws". But here are some details. Note the file locations in the container are listed in the v2.5 container documentation
| File | Value | Description |
|---|---|---|
| grouper.hibernate.properties | grouper.is.ws.basicAuthn=true | This enables the built-in Grouper authentication with passwords in the database |
| web.xml | No security-constraints or login-configs | This is the default provided with container, do not overlay |
| server.xml | ajp 8009 connector element: tomcatAuthentication="false" | This is the default provided with container, do not overlay Tomcat is not doing authn so that attribute needs to be false |
| grouper-ws.properties | ws.security.non-rampart.authentication.class = | This should be blank (get remote_user) This is the default provided with container, do not overlay |
| grouper-www.conf | no AuthType directives | This is the default provided with container, do not overlay |