how to access admin or management page?


Tim Tyler

Dec 18, 2017, 4:45:01 PM
to cas-...@apereo.org

I am running CAS 5.2 and have configured ldap for authentication.  But I still have not figured out how to access the admin or management page.  What do I need to configure to login to the management page? 

Do I need to define an admin account? Do I need to define the Admin Status Endpoints per https://apereo.github.io/cas/5.0.x/installation/Configuration-Properties.html ?

Do I need to create an adminusers.properties file? Can I define an existing ldap user as an admin to access the management page(s)?

Tim Tyler

Network Engineer

Beloit College

 

David Curry

Dec 19, 2017, 8:26:06 AM
to cas-...@apereo.org
Here is one way to do it. It's not the only way, since CAS gives you so many options, but it should be enough to get you started.

1. Set these to enable the dashboard (these settings enable all of the endpoints; you can also pick and choose):

cas.adminPagesSecurity.actuatorEndpointsEnabled:  true
cas.monitor.endpoints.enabled:                    true
endpoints.enabled:                                true

2. Set this to a regular expression that matches the IP address(es) you want to allow access from:

cas.adminPagesSecurity.ip:              ^192\\.168\\.(50\\.[0-9]{1,3}|1\\.[12]0)$

(This example matches 192.168.50.*, 192.168.1.10, and 192.168.1.20; the intention is that the first pattern is the "IT subnet" where the administrators live, and the other two IPs are the internal IPs of the load balancers, which will be using the /status endpoint to check that the server is up and running.)

3. Set these to enable CAS authentication (as opposed to Spring Security authentication):

cas.monitor.endpoints.sensitive:        false
endpoints.sensitive:                    false

The CAS documentation explains other alternatives, if you want to use Spring Security instead of CAS. 

4. Configure CAS to perform the authentication:

cas.adminPagesSecurity.loginUrl:        ${cas.server.prefix}/login
cas.adminPagesSecurity.service:         ${cas.server.prefix}/status/dashboard
cas.adminPagesSecurity.users:           file:/etc/cas/config/admusers.properties

cas.adminPagesSecurity.adminRoles[0]:   ROLE_ADMIN

5. Create an admusers.properties file (use whatever name you gave it in the property above). List one user per line and give them whatever role you defined above. This file does NOT create new users, it just lists the usernames (which exist in LDAP or AD or whatever) who can access the dashboard. Their password is whatever they use when authenticating to the CAS server. In this case, it's a user named "gnarls":

# This file lists the users who are allowed access to the CAS /status/*
# endpoints ("adminpages").
#
# The syntax for each line is:
#
# username=password,grantedAuthority[,grantedAuthority][,enabled|disabled]
#
gnarls=passwordnotused,ROLE_ADMIN

6. Create a service registry entry for the dashboard (in /etc/cas/services/CASAdminDashboard-123456789.json or wherever):

{
  "@class" : "org.apereo.cas.services.RegexRegisteredService",
  "name" : "CAS Admin Dashboard",
  "id" : 123456789,
  "description" : "CAS dashboard and administrative endpoints",
  "evaluationOrder" : 5000
}

Restart the server, point your web browser at https://casserver.your.dom.ain/cas/status/dashboard, and log in as the user(s) you listed in the admusers.properties file.

For a more detailed description (same steps, but more explanation behind them), see https://dacurry-tns.github.io/deploying-apereo-cas/building_server_dashboard_overview.html.

--Dave



--

DAVID A. CURRY, CISSP
DIRECTOR OF INFORMATION SECURITY
INFORMATION TECHNOLOGY

71 FIFTH AVE., 9TH FL., NEW YORK, NY 10003
+1 212 229-5300 x4728 david...@newschool.edu

The New School


--
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google Groups "CAS Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email to cas-user+unsubscribe@apereo.org.
To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/357545e0243806517d1dac6eed8c06ee%40mail.gmail.com.

Tim Tyler

Dec 19, 2017, 4:42:38 PM
to cas-...@apereo.org

Dave, others,

  Ok, I think I am getting closer but I am getting the error shown below.  I should note that there was no etc/cas/services directory so I had to create the service directory manually before creating the etc/cas/services/CASAdminDashboard-123456789.json file. I included the port :8443 with the hostname.  I assume I need it.  I should also point out that I am using the equal sign format for variables in cas.properties.  I am not sure how the colon format works or if it is even appropriate for cas.properties.

 

I got this warning when starting up:

<No registered service is found to match [org.apereo.cas.authentication.principal.SimpleWebApplicationServiceImpl@514d45fe[id=https://cas.beloit.edu:8443/cas/status/dashboard,originalUrl=https://cas.beloit.edu:8443/cas/status/dashboard,artifactId=<null>,principal=<null>,loggedOutAlready=false,format=XML]] or service access is disallowed. Using default theme [cas-theme-default]>

This is how the json entry for service looks:

{
  "@class" : "org.apereo.cas.services.RegexRegisteredService",
  "serviceId" : "^https://cas.beloit.edu:8443/cas/status/dashboard(\\z|/.*)",
  "name" : "CAS Admin Dashboard",
  "id" : 123456789,
  "description" : "CAS dashboard and administrative endpoints",
  "evaluationOrder" : 5000
}

Tim


Ray Bon

Dec 19, 2017, 5:24:37 PM
to cas-...@apereo.org
Tim,

Your regex is looking for dashboard at the end of the string or followed by / and some optional characters. Your service has dashboard followed by ,original...
You could try this (\\z|/?.*) to make the / optional.

Ray
-- 
Ray Bon
Programmer analyst
Development Services, University Systems
2507218831 | CLE 019 | rb...@uvic.ca

David Curry

Dec 20, 2017, 8:08:14 AM
to cas-...@apereo.org
Hi Tim,

I'm wondering, since you said you had to create the directory... Have you configured a service registry (JSON or otherwise) into your server, or are you still using the default "registry" that comes out-of-the-box?

Putting the JSON service description into /etc/cas/services only works if you've configured the JSON service registry in pom.xml (and set the cas.serviceRegistry.json.location property to point there). I think when I responded to you I wasn't paying attention and assumed you were the same person who was asking about setting that location in a different thread, so I just assumed you were using the JSON service registry.

Anyway, the service description I gave you needs to go into whatever you're using as your service registry. If you haven't configured one and you're still using the default, then you would need to create that file such that it ends up in classpath:/services (.../WEB-INF/classes/services).

(If you haven't set up a service registry, you really ought to -- the classpath:/services default is really only intended to give you a couple of "wildcard" services to work with until you get to that point; it's not intended as a production solution.)

Hope this helps and sorry for any confusion.

--Dave


--

DAVID A. CURRY, CISSP
DIRECTOR OF INFORMATION SECURITY
INFORMATION TECHNOLOGY

71 FIFTH AVE., 9TH FL., NEW YORK, NY 10003
+1 212 229-5300 x4728 david...@newschool.edu

The New School
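
As an added example (not code from the thread or from the CAS project): a small Java check of the two regular expressions discussed above, the cas.adminPagesSecurity.ip value from step 2 and the serviceId from Tim's JSON. It assumes CAS evaluates both with java.util.regex and requires a full match; the class name and every sample address or URL not quoted in the thread are constructed.

```java
import java.io.StringReader;
import java.util.Properties;
import java.util.regex.Pattern;

// Added example; class name and constructed samples are not from the thread.
public class CasAdminPatternCheck {
    public static void main(String[] args) throws Exception {
        // Step 2's property line as posted, colon separator included.
        // Properties.load treats ':' like '=' and reduces "\\" to "\".
        String posted = "cas.adminPagesSecurity.ip:  ^192\\\\.168\\\\.(50\\\\.[0-9]{1,3}|1\\\\.[12]0)$\n";
        Properties props = new Properties();
        props.load(new StringReader(posted));
        String ipRegex = props.getProperty("cas.adminPagesSecurity.ip");
        System.out.println("effective ip regex: " + ipRegex);

        // Assumption: CAS requires the whole client address to match.
        Pattern ip = Pattern.compile(ipRegex);
        String[] addrs = {"192.168.50.7", "192.168.1.10", "192.168.1.20",
                          "192.168.1.30", "192.168.150.7", "10.0.0.5"}; // constructed
        for (String a : addrs) {
            System.out.printf("%-15s %s%n", a, ip.matcher(a).matches() ? "allowed" : "denied");
        }

        // serviceId from Tim's JSON: JSON "\\z" decodes to the regex token \z,
        // the same thing the Java literal "\\z" produces.
        Pattern asPosted = Pattern.compile(
            "^https://cas.beloit.edu:8443/cas/status/dashboard(\\z|/.*)");
        // Variant with the host dots escaped so '.' matches only a literal dot.
        Pattern escaped = Pattern.compile(
            "^https://cas\\.beloit\\.edu:8443/cas/status/dashboard(\\z|/.*)");
        String[] services = {
            "https://cas.beloit.edu:8443/cas/status/dashboard",    // from the warning
            "https://cas.beloit.edu:8443/cas/status/dashboard/x",  // constructed
            "https://cas.beloit.edu:8443/cas/status/dashboardx",   // constructed
            "https://cas.beloit-edu:8443/cas/status/dashboard"     // constructed
        };
        for (String s : services) {
            System.out.printf("%-52s posted=%-5b escaped=%b%n", s,
                asPosted.matcher(s).matches(), escaped.matcher(s).matches());
        }
    }
}
```

Run it with `java CasAdminPatternCheck.java` (Java 11 or later).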



Tim Tyler

Dec 20, 2017, 10:38:07 AM
to cas-...@apereo.org

Dave,

Thanks a ton!  I think that advice worked.    

Tim

 

