Palantir (management UI successor) Auth Island?


Drew Northup

Mar 3, 2026, 5:03:00 PM (3 days ago) Mar 3
to cas-...@apereo.org
Am I understanding from the documentation correctly that Palantir is an Authentication Island? If so I'm going to need to get our CISO to sign off on the Risk Acceptance for that. (We do not permit password sharing for anything that may require auditing, such as major configuration changes.)

--
---------------------------+--------------------------------
Drew Northup               | 
University of Maine System |          drew.n...@Maine.edu
Computing Center           |
Orono, ME 04469            |

AJ

Mar 3, 2026, 5:55:49 PM (3 days ago) Mar 3
to cas-...@apereo.org
It uses Spring authentication, so yes. 

From: cas-...@apereo.org <cas-...@apereo.org> on behalf of Drew Northup <drew.n...@maine.edu>
Sent: Tuesday, March 3, 2026 1:08 PM
To: cas-...@apereo.org <cas-...@apereo.org>
Subject: [cas-user] Palantir (management UI successor) Auth Island?
 
--
- Website: https://apereo.github.io/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google Groups "CAS Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email to cas-user+u...@apereo.org.
To view this discussion visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/CAHq8xoJA4OLrX%3DkMu%2BRb8RJWv_H62jFY87hWc554mpO2jbJ-9Q%40mail.gmail.com.

Ray Bon

Mar 3, 2026, 8:44:12 PM (2 days ago) Mar 3
to cas-...@apereo.org
I modified our install to look in LDAP for authn.
Have not had the time to put in a pull request. But the authn piece really should support any backend the main cas authn supports.

Ray

CasPalantirWebMvcConfiguration.java

package org.apereo.cas.config;

import ca.uvic.idm.cas.configuration.UvicConfigurationProperties;
import lombok.extern.slf4j.Slf4j;
import lombok.val;
import org.apache.commons.lang3.StringUtils;
import org.apereo.cas.configuration.CasConfigurationProperties;
import org.apereo.cas.configuration.features.CasFeatureModule;
import org.apereo.cas.palantir.PalantirConstants;
import org.apereo.cas.palantir.controller.DashboardController;
import org.apereo.cas.util.spring.boot.ConditionalOnFeatureEnabled;
import org.apereo.cas.web.CasWebSecurityConfigurer;
import org.apereo.cas.web.flow.CasWebflowConstants;
import org.springframework.beans.BeansException;
import org.springframework.boot.actuate.autoconfigure.endpoint.web.WebEndpointProperties;
import org.springframework.boot.actuate.endpoint.web.EndpointLinksResolver;
import org.springframework.boot.autoconfigure.condition.ConditionalOnMissingBean;
import org.springframework.boot.context.properties.EnableConfigurationProperties;
import org.springframework.context.ConfigurableApplicationContext;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.web.authentication.SavedRequestAwareAuthenticationSuccessHandler;
import org.springframework.security.web.servlet.util.matcher.PathPatternRequestMatcher;
import org.springframework.web.servlet.config.annotation.ViewControllerRegistry;
import org.springframework.web.servlet.config.annotation.WebMvcConfigurer;

import jakarta.annotation.Nonnull;

/**
 * This is {@link CasPalantirWebMvcConfiguration}.
 *
 * @author Misagh Moayyed
 * @since 7.1.0
 */
@EnableConfigurationProperties({CasConfigurationProperties.class, UvicConfigurationProperties.class})
@ConditionalOnFeatureEnabled(feature = CasFeatureModule.FeatureCatalog.Palantir)
@Configuration(value = "CasPalantirWebMvcConfiguration", proxyBeanMethods = false)
@Slf4j
class CasPalantirWebMvcConfiguration {

    @Bean
    @ConditionalOnMissingBean(name = "palantirDashboardController")
    public DashboardController palantirDashboardController(
            final ConfigurableApplicationContext applicationContext,
            final EndpointLinksResolver endpointLinksResolver,
            final WebEndpointProperties webEndpointProperties,
            final CasConfigurationProperties casProperties) {
        return new DashboardController(casProperties, endpointLinksResolver, webEndpointProperties, applicationContext);
    }

    @Bean
    @ConditionalOnMissingBean(name = "palantirWebMvcConfigurer")
    public WebMvcConfigurer palantirWebMvcConfigurer(final CasConfigurationProperties casProperties) {
        return new WebMvcConfigurer() {
            @Override
            public void addViewControllers(@Nonnull final ViewControllerRegistry registry) {
                // Serve the admin form-login view at the shared admin login URL.
                registry.addViewController(CasWebSecurityConfigurer.ENDPOINT_URL_ADMIN_FORM_LOGIN)
                        .setViewName(CasWebflowConstants.VIEW_ID_ENDPOINT_ADMIN_LOGIN_VIEW);
            }
        };
    }

    @Bean
    @ConditionalOnMissingBean(name = "palantirEndpointWebSecurityConfigurer")
    public CasWebSecurityConfigurer<HttpSecurity> palantirEndpointWebSecurityConfigurer(
            final ConfigurableApplicationContext applicationContext,
            final CasConfigurationProperties casProperties) {
        return new CasWebSecurityConfigurer<>() {
            @Override
            public CasWebSecurityConfigurer<HttpSecurity> finish(final HttpSecurity http) throws Exception {
                val successHandler = new SavedRequestAwareAuthenticationSuccessHandler();
                successHandler.setTargetUrlParameter("redirectTo");
                successHandler.setDefaultTargetUrl(PalantirConstants.URL_PATH_PALANTIR);

                // Everything under the Palantir path requires an authenticated session,
                // obtained through the admin form login.
                http.authorizeHttpRequests(customizer -> customizer
                                .requestMatchers(PathPatternRequestMatcher.withDefaults()
                                        .matcher(PalantirConstants.URL_PATH_PALANTIR + "/**")).authenticated())
                        .formLogin(customizer -> customizer
                                .loginPage(CasWebSecurityConfigurer.ENDPOINT_URL_ADMIN_FORM_LOGIN)
                                .permitAll()
                                .successHandler(successHandler));

                // If cas.monitor.endpoints.ldap is populated, hand the HttpSecurity over to the
                // LDAP endpoint security configurer so admin logins are checked against the directory.
                val ldap = casProperties.getMonitor().getEndpoints().getLdap();
                if (StringUtils.isNotBlank(ldap.getLdapUrl()) && StringUtils.isNotBlank(ldap.getSearchFilter())) {
                    LOGGER.trace("palantirEndpointCasSecurityConfigurer: Palantir should use ldap");
                    try {
                        return applicationContext.getBean("ldapHttpWebSecurityConfigurer", CasWebSecurityConfigurer.class)
                                .configure(http);
                    } catch (BeansException e) {
                        // assume ldap login turned off
                        LOGGER.debug("BeansException");
                    }
                } else {
                    LOGGER.trace("palantirEndpointCasSecurityConfigurer: Palantir use default authn");
                }
                return this;
            }
        };
    }
}
 
monitor:
  endpoints:
    ldap:
      base-dn: ou=
      bind-credential: ${authn.ldap.bind-credential}
      bind-dn: ${authn.ldap.bind-dn}
      ldap-url: ${ldap-url}
      search-filter: 
      ldap-authz:
        group-attribute: notused
        role-attribute: 
        role-prefix: 

From: cas-...@apereo.org <cas-...@apereo.org> on behalf of Drew Northup <drew.n...@maine.edu>
Sent: March 3, 2026 10:08

To: cas-...@apereo.org <cas-...@apereo.org>
Subject: [cas-user] Palantir (management UI successor) Auth Island?
--
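A caveat on the delegation in the patch above, as an added example that is neither Ray's code nor part of CAS: the posted finish() method catches BeansException and falls through to the default form login, so a misnamed or unregistered ldapHttpWebSecurityConfigurer bean silently reopens the shared-password "authentication island" with nothing but a DEBUG log to show for it. The variant below keeps the posted structure but fails closed: when LDAP is configured and the LDAP configurer bean is absent, the Palantir path is denied outright and the condition is logged at ERROR so it shows up in monitoring. Every type and constant comes from the posted class; the bean name "ldapHttpWebSecurityConfigurer", the CasWebSecurityConfigurer finish()/configure() contract, and the Spring Security 6 authorizeHttpRequests/denyAll API are assumed to be exactly as the post uses them.

```java
@Bean
@ConditionalOnMissingBean(name = "palantirEndpointWebSecurityConfigurer")
public CasWebSecurityConfigurer<HttpSecurity> palantirEndpointWebSecurityConfigurer(
        final ConfigurableApplicationContext applicationContext,
        final CasConfigurationProperties casProperties) {
    return new CasWebSecurityConfigurer<>() {
        @Override
        public CasWebSecurityConfigurer<HttpSecurity> finish(final HttpSecurity http) throws Exception {
            val palantirPaths = PathPatternRequestMatcher.withDefaults()
                    .matcher(PalantirConstants.URL_PATH_PALANTIR + "/**");

            val ldap = casProperties.getMonitor().getEndpoints().getLdap();
            val ldapConfigured = StringUtils.isNotBlank(ldap.getLdapUrl())
                    && StringUtils.isNotBlank(ldap.getSearchFilter());

            // Fail closed (assumed policy for this example): the operator asked for directory-backed
            // admin authentication, so a missing LDAP configurer must not degrade to the default
            // shared-password login. Deny the admin UI and make the misconfiguration visible.
            if (ldapConfigured && !applicationContext.containsBean("ldapHttpWebSecurityConfigurer")) {
                LOGGER.error("LDAP is configured for Palantir but bean [ldapHttpWebSecurityConfigurer] "
                        + "is not registered; denying all access to [{}]", PalantirConstants.URL_PATH_PALANTIR);
                http.authorizeHttpRequests(customizer -> customizer.requestMatchers(palantirPaths).denyAll());
                return this;
            }

            val successHandler = new SavedRequestAwareAuthenticationSuccessHandler();
            successHandler.setTargetUrlParameter("redirectTo");
            successHandler.setDefaultTargetUrl(PalantirConstants.URL_PATH_PALANTIR);

            // Same rule as the post: the Palantir path requires an authenticated session via the admin form login.
            http.authorizeHttpRequests(customizer -> customizer.requestMatchers(palantirPaths).authenticated())
                    .formLogin(customizer -> customizer
                            .loginPage(CasWebSecurityConfigurer.ENDPOINT_URL_ADMIN_FORM_LOGIN)
                            .permitAll()
                            .successHandler(successHandler));

            if (ldapConfigured) {
                // The bean is known to exist at this point, so no BeansException fallback is needed.
                LOGGER.debug("Palantir admin authentication delegated to LDAP endpoint security");
                return applicationContext.getBean("ldapHttpWebSecurityConfigurer", CasWebSecurityConfigurer.class)
                        .configure(http);
            }
            LOGGER.warn("Palantir is using the default admin authentication; logins are not per-user");
            return this;
        }
    };
}
```

The ordering matters: Spring Security evaluates authorizeHttpRequests rules in the order they are registered and the first match wins, so the denyAll rule has to be added instead of, not after, the authenticated() rule for the same path. The WARN on the default branch gives an auditor a log line to look for when checking that an install is not relying on the shared password.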