Hi,
I am in the process of upgrading CAS from 5.2.2 to 5.3.0-RC2. CAS dashboard was working fine with 5.2.2 but when I switched to 5.3.0-RC2. It always returns forbidden. Not sure what I am missing here. Can anyone help please? CAS properties: cas.adminPagesSecurity.ip=127.0.0.1 cas.adminPagesSecurity.alternateIpHeaderName=X-Forwarded-For cas.adminPagesSecurity.loginUrl=https://localhost:8443/cas/login cas.adminPagesSecurity.service=https://localhost:8443/cas/status/dashboard cas.adminPagesSecurity.users=file:/opt/test/cas/config/adminusers.properties cas.adminPagesSecurity.adminRoles=ROLE_ADMIN security.basic.authorizeMode=role security.basic.enabled=true security.basic.path=/cas/status/** security.basic.realm=CAS cas.adminPagesSecurity.actuatorEndpointsEnabled=true cas.rest.attributeName=sAMAccountName cas.rest.attributeValue=sAMAccountName Registered a service: { "@class" : *"org.apereo.cas.services.RegexRegisteredService"*, "serviceId" : *"^https://localhost:8443/cas/status/dashboard"*, "name" : *"CAS Admin Dashboard"*, "id" : 10000011, "theme":*"iamadmin"*, "description" : *"CAS dashboard and administrative endpoints"*, "evaluationOrder" : 5000 } Referred: https://dacurry-tns.github.io/deploying-apereo-cas/building_server_dashboard_overview.html https://apereo.github.io/cas/development/installation/Configuration-Properties.html Debug logs: DEBUG [org.apereo.cas.web.pac4j.CasSecurityInterceptor$1] - <=== SECURITY ===> 2018-05-11 07:54:57,198 DEBUG [org.apereo.cas.web.pac4j.CasSecurityInterceptor$1] - <url: https://localhost:8443/cas/status/dashboard> 2018-05-25 07:54:57,198 DEBUG [org.apereo.cas.web.pac4j.CasSecurityInterceptor$1] - <matchers: null> 2018-05-25 07:54:57,199 DEBUG [org.apereo.cas.web.pac4j.CasSecurityInterceptor$1] - <clients: CasClient> 2018-05-25 07:54:57,199 DEBUG [org.apereo.cas.web.pac4j.CasSecurityInterceptor$1] - <currentClients: [#DirectCasClient# | configuration: #CasConfiguration# | loginUrl: https://localhost:8443/cas/login | prefixUrl: https://localhost:8443/cas/ | restUrl: https://localhost:8443/cas/v1/tickets | protocol: CAS30 | renew: false | gateway: false | encoding: UTF-8 | logoutHandler: #DefaultCasLogoutHandler# | store: #GuavaStore# | size: 10000 | timeout: 30 | timeUnit: MINUTES | | destroySession: false | | acceptAnyProxy: false | allowedProxyChains: [] | proxyReceptor: null | timeTolerance: 1000 | postLogoutUrlParameter: service | defaultTicketValidator: null | urlResolver: org.pac4j.core.http.DefaultUrlResolver@6577f727 | |]> 2018-05-25 07:54:57,199 DEBUG [org.apereo.cas.web.pac4j.CasSecurityInterceptor$1] - <loadProfilesFromSession: true> 2018-05-25 07:54:57,200 DEBUG [org.apereo.cas.web.pac4j.CasSecurityInterceptor$1] - <profiles: [#CasProfile# | id: testuser | attributes: {isFromNewLogin=true, [email protected], bypassMultifactorAuthentication=true, authenticationDate=2018-05-25T07:54:48.391-04:00[America/New_York], sAMAccountName=testuser, accountExpires=9223372036854775807, givenName=testuser, successfulAuthenticationHandlers=LdapAuthenticationHandler, cn=testuser, credentialType=RememberMeUsernamePasswordCredential, msDS-UserPasswordExpiryTimeComputed=9223372036854775807, bypassedMultifactorAuthenticationProviderId=mfa-duo, authenticationMethod=LdapAuthenticationHandler, longTermAuthenticationRequestTokenUsed=false, sn=testuser, lockoutTime=0, username=testuser, pwdLastSet=131578106790314866, badPwdCount=0} | roles: [] | permissions: [] | isRemembered: false | clientName: CasClient | linkedId: null |]> 2018-05-25 07:54:57,200 DEBUG [org.apereo.cas.web.pac4j.CasSecurityInterceptor$1] - <authorizers: securityHeaders,csrfToken,RequireAnyRoleAuthorizer> 2018-05-25 07:54:57,201 DEBUG [org.pac4j.core.authorization.checker.DefaultAuthorizationChecker] - <Checking authorizer: org.pac4j.core.authorization.authorizer.CacheControlHeader@6be8c6e5 -> true> 2018-05-25 07:54:57,201 DEBUG [org.pac4j.core.authorization.checker.DefaultAuthorizationChecker] - <Checking authorizer: org.pac4j.core.authorization.authorizer.XContentTypeOptionsHeader@3a99578a -> true> 2018-05-25 07:54:57,201 DEBUG [org.pac4j.core.authorization.checker.DefaultAuthorizationChecker] - <Checking authorizer: org.pac4j.core.authorization.authorizer.StrictTransportSecurityHeader@b49fcda -> true> 2018-05-25 07:54:57,201 DEBUG [org.pac4j.core.authorization.checker.DefaultAuthorizationChecker] - <Checking authorizer: org.pac4j.core.authorization.authorizer.XFrameOptionsHeader@7b1cdf3e -> true> 2018-05-25 07:54:57,201 DEBUG [org.pac4j.core.authorization.checker.DefaultAuthorizationChecker] - <Checking authorizer: org.pac4j.core.authorizatio 2018-05-25 07:54:57,201 DEBUG [org.pac4j.core.authorization.checker.DefaultAuthorizationChecker] - <Checking authorizer: org.pac4j.core.authorization.authorizer.XSSProtectionHeader@31458155 -> true> 2018-05-25 07:54:57,201 DEBUG [org.pac4j.core.authorization.checker.DefaultAuthorizationChecker] - <Checking authorizer: #CsrfTokenGeneratorAuthorizer# | csrfTokenGenerator: org.pac4j.core.authorization.authorizer.csrf.DefaultCsrfTokenGenerator@10dddcf8 | domain: null | path: / | httpOnly: null | secure: null | -> true> 2018-05-25 07:54:57,201 DEBUG [org.pac4j.core.authorization.checker.DefaultAuthorizationChecker] - <Checking authorizer: org.pac4j.core.authorization.authorizer.RequireAnyRoleAuthorizer@d0fa89f -> false> 2018-05-25 07:54:57,201 DEBUG [org.apereo.cas.web.pac4j.CasSecurityInterceptor$1] - <forbidden> RequireAnyRoleAuthorizer always returns false Thanks Naresh -- - Website: https://apereo.github.io/cas - Gitter Chatroom: https://gitter.im/apereo/cas - List Guidelines: https://goo.gl/1VRrw7 - Contributions: https://goo.gl/mh7qDG --- You received this message because you are subscribed to the Google Groups "CAS Community" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/63f6553f-a2c4-4103-9b96-7cfa22cc274f%40apereo.org.
