Have any of you been able to set this up using CAS v5.3.2? I have tried everything documented in this post and elsewhere for a couple of days to no avail.

Specifically, I'm getting "Access Denied" while trying to access https://<my-server-name>:8443/cas/status/dashboard after successfully signing in with a ROLE_ADMIN user id from one single IP address of my second machine (IP: xxx.xxx.x.xxx).

-------------- application.properties -------------------
cas.monitor.endpoints.enabled=true
cas.monitor.endpoints.sensitive=false
cas.adminPagesSecurity.ip=127\.0\.0\.1|xxx\.xxx\.x\.xxx
endpoints.restart.enabled=false
endpoints.shutdown.enabled=false
management.security.enabled=true
management.security.roles=ACTUATOR,ROLE_ADMIN
management.security.sessions=if_required
management.context-path=/status
management.add-application-context-header=false
.
.
.
cas.authn.accept.users=casadmin::<my-password>
----------------------------------------------------------------

------------- adminusers.properties -------------------
casadmin=notused,ROLE_ADMIN
----------------------------------------------------------------

------------------- cas.properties ------------------------
cas.adminPagesSecurity.loginUrl=https://<my-server-name>:8443/cas/login
cas.adminPagesSecurity.service=https://<my-server-name>:8443/cas/status/dashboard
cas.adminPagesSecurity.users=file:/adminusers.properties
cas.adminPagesSecurity.adminRoles[0]=ROLE_ADMIN
cas.adminPagesSecurity.actuatorEndpointsEnabled=true
cas.serviceRegistry.watcherEnabled=true
cas.serviceRegistry.initFromJson=true
----------------------------------------------------------------

Note: I'm using the STS (Spring Tool Suite) IDE, deploying to a local Tomcat 8.5.32-x64. application.properties, cas.properties, and adminusers.properties are housed in the src\main\resources project folder and published to Tomcat's WEB-INF\classes folder when run from STS.

It works if accessed on the same machine via:
http://localhost:8080/cas/status/dashboard
https://localhost:8443/cas/status/dashboard
and it doesn't even care whether I signed in with my admin user id (casadmin) or not, which is not a good thing either, but I can live with it for now.

Thanks for your help,
GTM

On Thursday, June 29, 2017 at 2:12:03 PM UTC-4, Julien Whizz wrote:
>
> Here:
> https://apereo.github.io/cas/5.1.x/installation/Configuration-Properties.html#spring-boot-endpoints
> When I try to install Endpoint :)
>
> # casuser: This is the authenticated user id received from CAS
> # notused: This is the password field that isn't used by CAS. You could literally put any value you want in its place.
> # ROLE_ADMIN: Role assigned to the authorized user, which is then cross checked against CAS configuration.
> # example:
> casuser=notused,ROLE_ADMIN
> myuser=notused,ROLE_ADMIN
>
> On Wednesday, June 28, 2017 at 23:16:35 UTC+2, crdaudt wrote:
>>
>> Thanks Julien. With your suggested change, /status/dashboard is now working for me.
>>
>> I changed my entry for adminusers.properties to 'crdaudt=pwdnotuse,ROLE_ADMIN' (i.e., as you suggested).
>>
>> I changed the value of cas.adminPagesSecurity.ip to allow the IP address ranges of 10.11.12.0/24 and 14.15.16.0/24 as follows:
>>
>> cas.adminPagesSecurity.ip=^10\.11\.12\.([0-9]|[1-9][0-9]|1([0-9][0-9])|2([0-4][0-9]|5[0-5]))$|^14\.15\.16\.([0-9]|[1-9][0-9]|1([0-9][0-9])|2([0-4][0-9]|5[0-5]))$
>>
>> My other parameters are as listed above.
>>
>> One further question: What does '=pwdnotuse' mean? Is this documented somewhere?
>>
>> Other than that, my issue is resolved. Thanks all!
>> p.s. -- looking forward to more complete, updated documentation some day, and perhaps some more examples. Thanks for everyone's good hard work.
>>
>> On Wednesday, June 28, 2017 at 3:36:16 PM UTC-4, Julien Whizz wrote:
>>>
>>> Hi,
>>>
>>> I think it is: crdaudt=pwdnotuse,ROLE_ADMIN
>>>
>>> No?
>>>
>>> On June 28, 2017 at 5:49 PM, "crdaudt" <[email protected]> wrote:
>>>
>>> Thanks Iain. I have this working now for only filtering with IP addresses.
>>> For those interested, I have the following in my cas.properties file:
>>> ----BEGIN snippet from cas.properties----
>>> ...
>>> cas.monitor.endpoints.enabled=true
>>> cas.monitor.endpoints.sensitive=false
>>> cas.adminPagesSecurity.ip=10\.11\.12\.13\|14\.15\.16\.17
>>> ----END----
>>>
>>> However, to pick up on Julien's issue, I am not able to get this working if I further restrict this to users logged in who are specified as authorized users in my adminusers.properties file.
>>> Here is what I have:
>>> ----BEGIN snippet from cas.properties----
>>> ...
>>> cas.monitor.endpoints.enabled=true
>>> cas.monitor.endpoints.sensitive=false
>>> cas.adminPagesSecurity.ip=10\.11\.12\.13\|14\.15\.16\.17
>>> cas.adminPagesSecurity.loginUrl=https://my.test.cas.server/cas/login
>>> cas.adminPagesSecurity.service=https://my.test.cas.server/cas/status/dashboard
>>> cas.adminPagesSecurity.users=file:/etc/cas/config/adminusers.properties
>>> cas.adminPagesSecurity.adminRoles[0]=ROLE_ADMIN
>>> cas.adminPagesSecurity.actuatorEndpointsEnabled=true
>>> cas.serviceRegistry.watcherEnabled=true
>>> cas.serviceRegistry.initFromJson=true
>>> ----END----
>>>
>>> And here are the contents of my adminusers.properties file (for now, I only have my username listed):
>>> ----BEGIN adminusers.properties----
>>> user=crdaudt,ROLE_ADMIN
>>> ----END----
>>>
>>> My results are as follows:
>>> --When I visit https://my.test.cas.server/cas/status/dashboard, I am redirected to login.
>>> --When I log in, my logs show the following:
>>>
>>> ----BEGIN log snippet----
>>> 2017-06-28 11:42:01,961 INFO [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit trail record BEGIN
>>> =============================================================
>>> WHO: crdaudt
>>> WHAT: TGT-**********************************************kloPuBba1M-my.test.cas.server
>>> ACTION: TICKET_GRANTING_TICKET_CREATED
>>> APPLICATION: CAS
>>> WHEN: Wed Jun 28 11:42:01 EDT 2017
>>> CLIENT IP ADDRESS: 10.11.12.13
>>> SERVER IP ADDRESS: 10.10.10.100
>>> =============================================================
>>> >
>>>
>>> 2017-06-28 11:42:02,001 INFO [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit trail record BEGIN
>>> =============================================================
>>> WHO: crdaudt
>>> WHAT: ST-1-Fe5a6Ieo3IMaPI2FScWC-my.test.cas.server for https://my.test.cas.server/cas/status/dashboard
>>> ACTION: SERVICE_TICKET_CREATED
>>> APPLICATION: CAS
>>> WHEN: Wed Jun 28 11:42:02 EDT 2017
>>> CLIENT IP ADDRESS: 10.11.12.13
>>> SERVER IP ADDRESS: 10.10.10.100
>>> =============================================================
>>> >
>>>
>>> 2017-06-28 11:42:02,206 INFO [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit trail record BEGIN
>>> =============================================================
>>> WHO: crdaudt
>>> WHAT: ST-1-Fe5a6Ieo3IMaPI2FScWC-my.test.cas.server
>>> ACTION: SERVICE_TICKET_VALIDATED
>>> APPLICATION: CAS
>>> WHEN: Wed Jun 28 11:42:02 EDT 2017
>>> CLIENT IP ADDRESS: 10.11.12.13
>>> SERVER IP ADDRESS: 10.10.10.100
>>> =============================================================
>>> >
>>> ----END----
>>>
>>> I am then redirected to https://my.test.cas.server/cas/status/dashboard?ticket=ST-1-Fe5a6Ieo3IMaPI2FScWC-my.test.cas.server, and informed that: "YOU ARE NOT AUTHORIZED TO BE AUTHORIZED!".
>>>
>>> Any suggestions?
>>>
>>> On Tuesday, June 27, 2017 at 2:19:58 PM UTC-4, Iain Workman wrote:
>>>>
>>>> The cas.adminPagesSecurity.ip setting is interpreted as a regex which the sending IP of the request is matched against. If you can form a regex which will match only the required IPs, that will work.
>>>>
>>>> --
>>> - CAS gitter chatroom: https://gitter.im/apereo/cas
>>> - CAS mailing list guidelines: https://apereo.github.io/cas/Mailing-Lists.html
>>> - CAS documentation website: https://apereo.github.io/cas
>>> - CAS project website: https://github.com/apereo/cas
>>> ---
>>> You received this message because you are subscribed to the Google Groups "CAS Community" group.
>>> To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
>>> To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/e315e2f4-4290-46d9-8680-29b7f5f62e10%40apereo.org.
>>
>
--
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google Groups "CAS Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/53065915-28b4-423c-b037-44cfe5573ff4%40apereo.org.
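The thread turns on getting the cas.adminPagesSecurity.ip regex right, and the only feedback anyone gets from CAS is an "Access Denied" page. The script below is an added example, not code from the CAS project or from anyone in this thread, for dry-running such a value before it goes into a properties file. It makes two assumptions that the thread itself does not state: that the value is read through java.util.Properties, which silently drops a lone backslash in front of any character that is not one of its own escapes (so "127\.0\.0\.1" in the file reaches the regex engine as "127.0.0.1", where "." matches any character), and that the regex has to match the whole remote address (Java Matcher.matches() semantics), which is modelled with re.fullmatch. The patterns fed to it are the ones quoted in the thread; the /24 builder reproduces the anchored per-octet shape crdaudt used, with backslashes doubled so "\." survives loading.

```python
"""
Added example, not code from the CAS project or from anyone in this thread:
dry-run a cas.adminPagesSecurity.ip value the way the thread describes it
being used, i.e. as a regex matched against the client IP of the request.

Assumptions made here (not stated anywhere in the thread):
  * the value is loaded from a .properties file via java.util.Properties,
    which drops a lone backslash before any character that is not one of
    its escapes (\\t \\n \\r \\f \\uXXXX);
  * the regex must match the whole remote address (Java Matcher.matches()),
    modelled with re.fullmatch.
"""
import re
from ipaddress import IPv4Network

_SIMPLE_ESCAPES = {"t": "\t", "n": "\n", "r": "\r", "f": "\f"}


def unescape_properties_value(raw: str) -> str:
    """Apply java.util.Properties backslash handling to one raw value.

    Line continuations (backslash at end of line) are not modelled; the
    value is assumed to sit on a single line, as every value in the thread does.
    """
    out = []
    i = 0
    while i < len(raw):
        ch = raw[i]
        if ch != "\\":
            out.append(ch)
            i += 1
            continue
        i += 1                      # skip the backslash itself
        if i >= len(raw):
            break                   # a trailing backslash is dropped
        nxt = raw[i]
        if nxt == "u":              # \uXXXX -> the code point
            out.append(chr(int(raw[i + 1:i + 5], 16)))
            i += 5
        else:                       # \t \n \r \f, or just the character
            out.append(_SIMPLE_ESCAPES.get(nxt, nxt))
            i += 1
    return "".join(out)


def ip_allowed(properties_value: str, client_ip: str) -> bool:
    """Would the admin pages admit client_ip under the assumptions above?"""
    pattern = unescape_properties_value(properties_value)
    return re.fullmatch(pattern, client_ip) is not None


# One decimal octet 0-255, the same shape crdaudt used for a /24 range.
OCTET = r"([0-9]|[1-9][0-9]|1[0-9][0-9]|2([0-4][0-9]|5[0-5]))"


def cidr24_properties_value(*networks: str) -> str:
    """Build a properties-file value admitting the given /24 networks.

    Each alternative is anchored with ^...$ and the backslashes are doubled
    so that "\\." survives java.util.Properties loading as a literal dot.
    """
    parts = []
    for net in networks:
        n = IPv4Network(net)
        if n.prefixlen != 24:
            raise ValueError(f"{net}: only /24 networks are handled here")
        a, b, c, _ = str(n.network_address).split(".")
        parts.append(rf"^{a}\.{b}\.{c}\.{OCTET}$")
    return "|".join(parts).replace("\\", "\\\\")


if __name__ == "__main__":
    # Values quoted in this thread, exactly as they appear in the files.
    two_hosts = r"10\.11\.12\.13\|14\.15\.16\.17"
    print(unescape_properties_value(two_hosts))         # 10.11.12.13|14.15.16.17
    for ip in ("10.11.12.13", "14.15.16.17", "10.11.12.14"):
        print(ip, ip_allowed(two_hosts, ip))
    # With a single backslash the dots become wildcards after loading.
    print(ip_allowed(r"127\.0\.0\.1", "127a0b0c1"))     # True
    print(ip_allowed(r"127\\.0\\.0\\.1", "127a0b0c1"))  # False
    ranges = cidr24_properties_value("10.11.12.0/24", "14.15.16.0/24")
    print("cas.adminPagesSecurity.ip=" + ranges)
    for ip in ("10.11.12.255", "10.11.12.256", "10.11.13.1", "110.11.12.1"):
        print(ip, ip_allowed(ranges, ip))
```

Run it as a script to see how each pattern from the thread behaves; the wildcard-dot case is harmless when the input really is an IP address, but it is the reason to double the backslashes and anchor each alternative rather than rely on the literal-looking pattern in the file.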
