Failed to parse address

[Arkady Keppert]

I'm getting errors while checking the status of cas:

2023-02-23 14:48:34,931 WARN [org.apereo.cas.util.function.FunctionUtils] - <Failed to parse address127.0.0.1|10.xx.xx.xx|10.xx.xx.xx|xxx.xxx.xxx.xx|10.xx.xx.*
        IpAddressMatcher.java:parseAddress:96
        IpAddressMatcher.java:<init>:58
        CasWebSecurityConfigurerAdapter.java:lambda$configureEndpointAccessByIpAddress$10:297

my cas.properties looks like this :

cas.monitor.endpoints.endpoint.defaults.access=IP_ADDRESS
cas.monitor.endpoints.endpoint.defaults.required-ip-addresses= 127.0.0.1|10.xx.xx.xx|10.xx.xx.xx|10.xx.xx.*

cas.monitor.endpoints.endpoint.health.access[0]=IP_ADDRESS
cas.monitor.endpoints.endpoint.health.required-ip-addresses[0]=127.0.0.1|10.xx.xx.xx|10.xx.xx.xx|xxx.xxx.xxx.xx|10.xx.xx.*
cas.monitor.endpoints.endpoint.dashboard.access[0]=IP_ADDRESS
cas.monitor.endpoints.endpoint.dashboard.required-ip-addresses[0]=127.0.0.1|10.xx.xx.xx|10.xx.xx.xx|xxx.xxx.xxx.xx|10.xx.xx.*

# discoveryProfile used by cas-management, WORKS only by IP address access. Restrict it.
cas.monitor.endpoints.endpoint.discoveryProfile.access[0]=IP_ADDRESS
cas.monitor.endpoints.endpoint.discoveryProfile.required-ip-addresses[0]=127.0.0.1|10.xx.xx.xx|10.xx.xx.xx|xxx.xxx.xxx.xx|10.xx.xx.*

cas version : 6.6.6

tomcat version : 9.0.71

Does anyone have similar problems or a solution

[Ray Bon]

Arkady,

Do you get the error with one ip (127.0.0.1)?

Does an * work for the ip or do you need to use CIDR.

You may need to use , instead of |

See

https://fawnoos.com/2022/02/20/cas65-actuator-endpoints/

https://fawnoos.com/2022/03/06/cas66-healthstatus-springboot/

Ray

On Thu, 2023-02-23 at 06:00 -0800, Arkady Keppert wrote:

Notice: This message was sent from outside the University of Victoria email system. Please be cautious with links and sensitive information.

[Ray Bon]

And see the link that Dimitry provided in this convo, https://groups.google.com/a/apereo.org/g/cas-user/c/4cfgQCOhx14/m/Ko-LwxttBAAJ

Ray

On Thu, 2023-02-23 at 06:00 -0800, Arkady Keppert wrote:

Notice: This message was sent from outside the University of Victoria email system. Please be cautious with links and sensitive information.

[Arkady Keppert]

If i leave only one ip addres everything is working fine. I did try before with comma  separated  and the result is the same but when comma  separated  it wont let me in even when i provide my ip addres. 

2023-02-24 07:31:45,593 WARN [org.apereo.cas.util.function.FunctionUtils] - <Failed to parse address127.0.0.1,10.xx.xx.*

        IpAddressMatcher.java:parseAddress:96
        IpAddressMatcher.java:<init>:58
        CasWebSecurityConfigurerAdapter.java:lambda$configureEndpointAccessByIpAddress$10:297
>

2023-02-24 07:31:45,593 WARN [org.apereo.cas.web.security.CasWebSecurityConfigurerAdapter] - <Provided regular expression or IP/netmask [[127.0.0.1,10.xx.xx.*]] does not match [10.xx.xx.7]>

Everything is working fine on version 6.5.9 with the same setting and ip separated with | - like  127.0.0.1|10.xx.xx.*

[Ray Bon]

Arkady,

Did you try without the '*'? (i.e. use specific ips)

Ray

[Arkady Keppert]

Ray,

Yes i did try without '*' but the result is the same. I dont get it everything is working fine on version 6.5.9 but it dont work on 6.6.6 with exactly the same settings. Noone else is getting the same errors ? 

[Arkady Keppert]

I did also notice that i get errors in catalina.out like this :

2023-02-25 07:45:38,706 ERROR [org.apereo.cas.util.serialization.AbstractJacksonBackedStringSerializer] - <Cannot read/parse [{"@class":"org.apereo.cas.services.CasRegisteredService","serviceId":"https://xxx.xxx.xxxxxx.xxx.*","name":"xxx",...] to deserialize into type [interface org.apereo.cas.services.RegisteredService]. This may be caused in the absence of a configuration/support module that knows how to interpret the fragment, specially if the fragment describes a CAS registered service definition. Internal parsing error is [Could not resolve type id 'org.apereo.cas.services.CasRegisteredService' as a subtype of `org.apereo.cas.services.RegisteredService`: no such class found

But in cas.log i dont see this errors is this normal ?

[Arkady Keppert]

I did find erros in my configuration now its working fine :

cas.monitor.endpoints.endpoint.health.access[0]=IP_ADDRESS
cas.monitor.endpoints.endpoint.health.required-ip-addresses[0]=127.0.0.1|10.xx.xx.xx|10.xx.xx.xx|xxx.xxx.xxx.xx|10.xx.xx.*

I had to delete [0] and changed "|" to ", " then I stopped getting parse errors but it did't like wildcards so i had to put CIDR insted so in the end my config look like this :

cas.monitor.endpoints.endpoint.health.access=IP_ADDRESS
cas.monitor.endpoints.endpoint.health.required-ip-addresses=127.0.0.1,10.xx.xx.xx,10.xx.xx.xx,xxx.xxx.xxx.xx,10.xx.xx.xx/24

But like i said before my old config worked well in version 6.5.x

[Jonathon Taylor]

Thanks for posting your fix.  I ran into the same issue moving from 6.5.x -> 6.6.x.  Using the CIDR notation and the property name changes also solved my errors.

--
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google Groups "CAS Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email to cas-user+u...@apereo.org.
To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/9f6d4882-a531-4b4d-b21a-a81e3fc63010n%40apereo.org.

--

Jonathon Taylor (he/him)

Information Security Office

jona...@berkeley.edu