Securing CAS 5.0 Management Webapp
79 views
Skip to first unread message
Richard Frovarp
Nov 21, 2016, 5:37:48 PM11/21/16
to CAS Community
I'm having difficulty understanding how to configure the security layer
for the CAS management webapp, if I don't want to use a static list.
If I provide cas.mgmt.authzAttributes=memberOf, then it would seem that
I should set cas.mgmt.adminRoles to the group.
In theory this might seem like it should work. However, AD groups have
commas in them, and the code is splitting on commas. The Spring
documentation for the method is a bit vague, but it appears that quoting
the string that you don't want split, doesn't work. This is despite
StringUtils in Spring referring to CSV. So there is no way for the whole
to be equal to the first bit.
Is this a bug, or am I just doing it wrong?
Documentation for the LDAP module is lacking, and I can't quite guess
what I'm supposed to do there. I was thinking about using the
userPropertiesFile, but that doesn't appear to be read after startup. So
I'd have to have Puppet update the static file, then manually restart
the management application (via Tomcat Manager, which is protected by CAS).
Thanks,
Richard
for the CAS management webapp, if I don't want to use a static list.
If I provide cas.mgmt.authzAttributes=memberOf, then it would seem that
I should set cas.mgmt.adminRoles to the group.
In theory this might seem like it should work. However, AD groups have
commas in them, and the code is splitting on commas. The Spring
documentation for the method is a bit vague, but it appears that quoting
the string that you don't want split, doesn't work. This is despite
StringUtils in Spring referring to CSV. So there is no way for the whole
to be equal to the first bit.
Is this a bug, or am I just doing it wrong?
Documentation for the LDAP module is lacking, and I can't quite guess
what I'm supposed to do there. I was thinking about using the
userPropertiesFile, but that doesn't appear to be read after startup. So
I'd have to have Puppet update the static file, then manually restart
the management application (via Tomcat Manager, which is protected by CAS).
Thanks,
Richard
Misagh Moayyed
Nov 22, 2016, 10:23:43 AM11/22/16
to cas-...@apereo.org
This could be classified as a bug, yes. You're welcome to file an issue, or
write your own authorizer that knows how to handle commas better.
--Misagh
--
- CAS gitter chatroom: https://gitter.im/apereo/cas
- CAS mailing list guidelines:
https://apereo.github.io/cas/Mailing-Lists.html
- CAS documentation website: https://apereo.github.io/cas
- CAS project website: https://github.com/apereo/cas
---
You received this message because you are subscribed to the Google Groups
"CAS Community" group.
To unsubscribe from this group and stop receiving emails from it, send an
email to cas-user+u...@apereo.org.
To view this discussion on the web visit
https://groups.google.com/a/apereo.org/d/msgid/cas-user/75874cc7-09a5-6050-88a9-57659a15997b%40ndsu.edu.
write your own authorizer that knows how to handle commas better.
--Misagh
- CAS gitter chatroom: https://gitter.im/apereo/cas
- CAS mailing list guidelines:
https://apereo.github.io/cas/Mailing-Lists.html
- CAS documentation website: https://apereo.github.io/cas
- CAS project website: https://github.com/apereo/cas
---
You received this message because you are subscribed to the Google Groups
"CAS Community" group.
To unsubscribe from this group and stop receiving emails from it, send an
email to cas-user+u...@apereo.org.
To view this discussion on the web visit
https://groups.google.com/a/apereo.org/d/msgid/cas-user/75874cc7-09a5-6050-88a9-57659a15997b%40ndsu.edu.
Reply all
Reply to author
Forward
0 new messages