Palantir (management UI successor) Auth Island?


Drew Northup

Mar 3, 2026, 5:03:00 PM
to cas-...@apereo.org
Am I understanding from the documentation correctly that Palantir is an Authentication Island? If so I'm going to need to get our CISO to sign off on the Risk Acceptance for that. (We do not permit password sharing for anything that may require auditing, such as major configuration changes.)

--
---------------------------+--------------------------------
Drew Northup               | 
University of Maine System |          drew.n...@Maine.edu
Computing Center           |
Orono, ME 04469            |

AJ

Mar 3, 2026, 5:55:49 PM
to cas-...@apereo.org
It uses Spring authentication, so yes.

From: cas-...@apereo.org <cas-...@apereo.org> on behalf of Drew Northup <drew.n...@maine.edu>
Sent: Tuesday, March 3, 2026 1:08 PM
To: cas-...@apereo.org <cas-...@apereo.org>
Subject: [cas-user] Palantir (management UI successor) Auth Island?
 
--
- Website: https://apereo.github.io/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google Groups "CAS Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email to cas-user+u...@apereo.org.
To view this discussion visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/CAHq8xoJA4OLrX%3DkMu%2BRb8RJWv_H62jFY87hWc554mpO2jbJ-9Q%40mail.gmail.com.

Ray Bon

Mar 3, 2026, 8:44:12 PM
to cas-...@apereo.org
I modified our install to look in LDAP for authn.
Have not had the time to put in a pull request. But the authn piece really should support any backend the main CAS authn supports.

Ray

CasPalantirWebMvcConfiguration.java

package org.apereo.cas.config;

import ca.uvic.idm.cas.configuration.UvicConfigurationProperties;
import lombok.extern.slf4j.Slf4j;
import lombok.val;
import org.apache.commons.lang3.StringUtils;
import org.apereo.cas.configuration.CasConfigurationProperties;
import org.apereo.cas.configuration.features.CasFeatureModule;
import org.apereo.cas.palantir.PalantirConstants;
import org.apereo.cas.palantir.controller.DashboardController;
import org.apereo.cas.util.spring.boot.ConditionalOnFeatureEnabled;
import org.apereo.cas.web.CasWebSecurityConfigurer;
import org.apereo.cas.web.flow.CasWebflowConstants;
import org.springframework.beans.BeansException;
import org.springframework.boot.actuate.autoconfigure.endpoint.web.WebEndpointProperties;
import org.springframework.boot.actuate.endpoint.web.EndpointLinksResolver;
import org.springframework.boot.autoconfigure.condition.ConditionalOnMissingBean;
import org.springframework.boot.context.properties.EnableConfigurationProperties;
import org.springframework.context.ConfigurableApplicationContext;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.web.authentication.SavedRequestAwareAuthenticationSuccessHandler;
import org.springframework.security.web.servlet.util.matcher.PathPatternRequestMatcher;
import org.springframework.web.servlet.config.annotation.ViewControllerRegistry;
import org.springframework.web.servlet.config.annotation.WebMvcConfigurer;

import jakarta.annotation.Nonnull;

/**
 * This is {@link CasPalantirWebMvcConfiguration}.
 *
 * @author Misagh Moayyed
 * @since 7.1.0
 */
@EnableConfigurationProperties({CasConfigurationProperties.class, UvicConfigurationProperties.class})
@ConditionalOnFeatureEnabled(feature = CasFeatureModule.FeatureCatalog.Palantir)
@Configuration(value = "CasPalantirWebMvcConfiguration", proxyBeanMethods = false)
@Slf4j
class CasPalantirWebMvcConfiguration {

    @Bean
    @ConditionalOnMissingBean(name = "palantirDashboardController")
    public DashboardController palantirDashboardController(
        final ConfigurableApplicationContext applicationContext,
        final EndpointLinksResolver endpointLinksResolver,
        final WebEndpointProperties webEndpointProperties,
        final CasConfigurationProperties casProperties) {
        return new DashboardController(casProperties, endpointLinksResolver, webEndpointProperties, applicationContext);
    }

    @Bean
    @ConditionalOnMissingBean(name = "palantirWebMvcConfigurer")
    public WebMvcConfigurer palantirWebMvcConfigurer(final CasConfigurationProperties casProperties) {
        return new WebMvcConfigurer() {
            @Override
            public void addViewControllers(@Nonnull final ViewControllerRegistry registry) {
                // Serve the admin form-login view at the endpoint login URL.
                registry.addViewController(CasWebSecurityConfigurer.ENDPOINT_URL_ADMIN_FORM_LOGIN)
                    .setViewName(CasWebflowConstants.VIEW_ID_ENDPOINT_ADMIN_LOGIN_VIEW);
            }
        };
    }

    @Bean
    @ConditionalOnMissingBean(name = "palantirEndpointWebSecurityConfigurer")
    public CasWebSecurityConfigurer<HttpSecurity> palantirEndpointWebSecurityConfigurer(
        final ConfigurableApplicationContext applicationContext,
        final CasConfigurationProperties casProperties) {
        return new CasWebSecurityConfigurer<>() {
            @Override
            public CasWebSecurityConfigurer<HttpSecurity> finish(final HttpSecurity http) throws Exception {
                val successHandler = new SavedRequestAwareAuthenticationSuccessHandler();
                successHandler.setTargetUrlParameter("redirectTo");
                successHandler.setDefaultTargetUrl(PalantirConstants.URL_PATH_PALANTIR);

                // Everything under the Palantir path requires an authenticated Spring Security
                // session, obtained through the admin form-login page.
                http.authorizeHttpRequests(customizer -> customizer
                        .requestMatchers(PathPatternRequestMatcher.withDefaults()
                            .matcher(PalantirConstants.URL_PATH_PALANTIR + "/**")).authenticated())
                    .formLogin(customizer -> customizer
                        .loginPage(CasWebSecurityConfigurer.ENDPOINT_URL_ADMIN_FORM_LOGIN)
                        .permitAll()
                        .successHandler(successHandler));

                // Local change: when cas.monitor.endpoints.ldap is configured, hand the HttpSecurity
                // to the LDAP endpoint security configurer so Palantir authenticates against LDAP
                // instead of the static endpoint credentials.
                val ldap = casProperties.getMonitor().getEndpoints().getLdap();
                if (StringUtils.isNotBlank(ldap.getLdapUrl()) && StringUtils.isNotBlank(ldap.getSearchFilter())) {
                    LOGGER.trace("palantirEndpointCasSecurityConfigurer: Palantir should use ldap");
                    try {
                        return applicationContext.getBean("ldapHttpWebSecurityConfigurer", CasWebSecurityConfigurer.class)
                            .configure(http);
                    } catch (final BeansException e) {
                        // The LDAP configurer bean is absent; assume LDAP endpoint login is turned off.
                        LOGGER.debug("ldapHttpWebSecurityConfigurer bean not available: {}", e.getMessage());
                    }
                } else {
                    LOGGER.trace("palantirEndpointCasSecurityConfigurer: Palantir use default authn");
                }
                return this;
            }
        };
    }
}
 
monitor:
  endpoints:
    ldap:
      base-dn: ou=
      bind-credential: ${authn.ldap.bind-credential}
      bind-dn: ${authn.ldap.bind-dn}
      ldap-url: ${ldap-url}
      search-filter:
      ldap-authz:
        group-attribute: notused
        role-attribute:
        role-prefix:

From: cas-...@apereo.org <cas-...@apereo.org> on behalf of Drew Northup <drew.n...@maine.edu>
Sent: March 3, 2026 10:08
To: cas-...@apereo.org <cas-...@apereo.org>
Subject: [cas-user] Palantir (management UI successor) Auth Island?
--

Drew Northup

Mar 6, 2026, 3:07:23 PM
to cas-...@apereo.org
Thanks Ray,
I won't really be able to make direct use of that, but you and AJ have helped me wrap my head around what is going on.
If I'm understanding correctly, the management UI/UX is no longer a separate application, and therefore it can no longer use CAS to authenticate, which means that we'd be unable to use centrally managed groups or roles and would not be able to make use of any MFA features...all of which is very unfortunate.

Given what I've discovered about JPA service registry configuration and state rot (as there is absolutely no maintained upgrade path anymore) over the last few days, this basically means to me that it is likely not worth my time to bother getting this "Palantir" thing working, and I should instead focus my efforts on converting the service registry entries over to the HJSON format CAS is using (largely by hand, as our CAS is so ancient the JSON export is apparently completely missing).

Thanks again, on to the next madness.

You received this message because you are subscribed to a topic in the Google Groups "CAS Community" group.
To unsubscribe from this topic, visit https://groups.google.com/a/apereo.org/d/topic/cas-user/Y3mRpts04DY/unsubscribe.
To unsubscribe from this group and all its topics, send an email to cas-user+u...@apereo.org.
To view this discussion visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/YT4P288MB0086165A668B77AD7353433CCE7CA%40YT4P288MB0086.CANP288.PROD.OUTLOOK.COM.

Erik Mallory

Mar 6, 2026, 6:46:06 PM
to cas-...@apereo.org
I've thought about this problem because I don't like it either. There is minimal value in anything other than the ability to create/edit/delete services; you could build a CAS war with Palantir, put it on a management VM behind Apache and use Mellon or php-CAS or whatever to protect it. Then use the sync scripts and cron to move the services to your public-facing CAS servers.

I'm trying real hard here not to give my editorial on this "advancement" of CAS management or anything named "Palantir" (Am I Sauron? No... then it follows that I must be Saruman or Denethor; naming things after a fantasy backdoor gives me the creeps). Guess I failed at not giving my editorial.


--
Erik Mallory
------------------------
"A happy man's paradise is his own good nature." - Edward Abbey
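The reverse-proxy arrangement Erik describes, written out as an added example (this is not configuration from the thread or from the CAS project): Apache httpd with mod_auth_cas in front of a management-only CAS war, so that the production CAS server's SSO, group attributes and MFA policy gate the Palantir UI before a request ever reaches Spring Security. The host names, the loopback Tomcat on port 8080, the /cas/palantir path, the memberOf attribute and the cn=cas-admins group are all assumptions for illustration.

```apache
# Added example, not from the thread or the CAS project. Assumes: the management CAS war
# runs under /cas on a Tomcat bound to 127.0.0.1:8080 on this VM, the production CAS
# server is cas.example.edu and releases the user's groups as the memberOf attribute,
# and the admin group is cn=cas-admins,ou=groups,dc=example,dc=edu.

LoadModule auth_cas_module modules/mod_auth_cas.so

# Log in against the *production* CAS, not the management copy behind this proxy,
# so there is no login loop. The p3 validation endpoint returns attributes.
CASLoginURL        https://cas.example.edu/cas/login
CASValidateURL     https://cas.example.edu/cas/p3/serviceValidate
CASCookiePath      /var/cache/httpd/mod_auth_cas/
CASCertificatePath /etc/pki/tls/certs/ca-bundle.crt

<VirtualHost *:443>
    ServerName casmgmt.example.edu
    SSLEngine on
    SSLCertificateFile    /etc/pki/tls/certs/casmgmt.example.edu.crt
    SSLCertificateKeyFile /etc/pki/tls/private/casmgmt.example.edu.key

    # Keep the backend's view of host/scheme consistent with the public URL.
    ProxyPreserveHost On
    # A client must not be able to pre-set the identity header the module fills in.
    RequestHeader unset X-Remote-User early

    <Location /cas>
        AuthType CAS
        # Group-based authorization on a released attribute: only CAS admins get through.
        # MFA is whatever the production CAS enforces for this service at login time.
        Require cas-attribute memberOf:cn=cas-admins,ou=groups,dc=example,dc=edu
        # Forward the SSO identity so the backend (or this server's access log) can record it.
        CASAuthNHeader X-Remote-User
        ProxyPass        http://127.0.0.1:8080/cas
        ProxyPassReverse http://127.0.0.1:8080/cas
    </Location>

    # mod_auth_cas sets REMOTE_USER, so %u in the access log names who changed what.
    LogFormat "%h %u %t \"%r\" %>s %b" mgmt
    CustomLog /var/log/httpd/casmgmt_access.log mgmt
</VirtualHost>
```

Two caveats a practitioner should check before relying on this. First, the gate only holds if the war is unreachable except through the proxy: bind Tomcat to loopback (the Spring Boot server.address property, or a host firewall rule) and verify with a direct request to port 8080 from another host. Second, this is a layer in front of Spring Security, not a replacement for it; the static endpoint form login that started this thread is still behind the proxy, so either wire it to LDAP as Ray did or treat the remaining shared credential as the residual risk your CISO is signing off on.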
