6.0.x Actuator endpoint security for cas config server

[Juna Grosse Lengerich]

Hi,

we're having a problem with the actuator configuration for our cas config server.

Since Spring Boot 2 the actuator endpoint security can't be configured by properties anymore.
But the cas server properties that allow security configuration seem to be missing for both the config and admin server.

The spring configuration adapters are defined in this class:
https://github.com/apereo/cas/blob/6.0.x/webapp/cas-server-webapp-config/src/main/java/org/apereo/cas/web/security/CasWebSecurityConfigurerAdapter.java

But the cas server webapp config dependency has conflicts with bean definitions, so it can't just be included.

Has anyone found a solution to this problem? We need unrestricted access to the health endpoint for a health check

Any help would be really appreciated

[Robert Bond]

Here is a blog post by Misagh Moayyed about it: https://apereo.github.io/2018/11/06/cas6-admin-endpoints-security/

[Juna Grosse Lengerich]

Thank you Robert.

But that works because of the configuration adapter class that is included in the cas server webapp, but not in the cas config server or cas bootadmin server webapp.

Which is our problem.

[Misagh Moayyed]

This doesn't exist, beyond what spring security natively allows with Boot v2 via properties, etc. The project focuses on the CAS server development with limited attention to peripheral projects as nice-to-haves. If you need to secure the config server in fancier ways, you may talk to the Spring Cloud project, ask for the feature and/or contribute or take inspiration from what the CAS server does and emulate the same behavior in the config server with code.

[Juna Grosse Lengerich]

Thank you for the answer.