Help CAS Management Error (CAS Server returned 502 status code from endpoint https://cas.example.com/cas/status/discovery. Using default FormData values)


Fahmi L. Ramdhani

Apr 6, 2019, 1:48:55 PM
to CAS Community
Hello,

Anyone, please help me to solve the attribute problem in CAS Management. I want the dropdown in the CAS Management service settings to list the available attributes dynamically, based on the attribute repository (JDBC).

I added a dependency to pom.xml (cas-server):

<dependency>
    <groupId>org.apereo.cas</groupId>
    <artifactId>cas-server-support-discovery-profile</artifactId>
    <version>${cas.version}</version>
</dependency>


I access https://cas.example.com/cas/status/discovery successfully, and it displays a list of attributes that are ready to be released:

{
  "@class": "java.util.LinkedHashMap",
  "profile": {
    "@class": "org.apereo.cas.discovery.CasServerProfile",
    "registeredServiceTypes": {
      "@class": "java.util.HashMap",
      "CAS Client": "org.apereo.cas.services.RegexRegisteredService"
    },
    "registeredServiceTypesSupported": {
      "@class": "java.util.HashMap",
      "SAML2 Service Provider": "org.apereo.cas.support.saml.services.SamlRegisteredService",
      "WS Federation Relying Party": "org.apereo.cas.ws.idp.services.WSFederationRegisteredService",
      "OpenID Connect Relying Party": "org.apereo.cas.services.OidcRegisteredService",
      "OAuth2 Client": "org.apereo.cas.support.oauth.services.OAuthRegisteredService",
      "CAS Client": "org.apereo.cas.services.RegexRegisteredService"
    },
    "multifactorAuthenticationProviderTypesSupported": {
      "@class": "java.util.HashMap",
      "mfa-gauth": "Google Authenticator",
      "mfa-swivel": "Swivel Secure",
      "mfa-authy": "Authy",
      "mfa-radius": "RADIUS (RSA,WiKID)",
      "mfa-u2f": "FIDO U2F",
      "mfa-duo": "Duo Security",
      "mfa-azure": "Microsoft Azure"
    },
    "delegatedClientTypesSupported": [
      "java.util.HashSet",
      [
        "OAuth20Client",
        "OAuth10Client",
        "TwitterClient",
        "FoursquareClient",
        "QQClient",
        "OrcidClient",
        "FacebookClient",
        "OkClient",
        "FormClient",
        "CasProxyReceptor",
        "GitHubClient",
        "BitbucketClient",
        "KeycloakOidcClient",
        "WordPressClient",
        "WindowsLiveClient",
        "OidcClient",
        "VkClient",
        "LinkedIn2Client",
        "YahooClient",
        "WechatClient",
        "Google2Client",
        "StravaClient",
        "GenericOAuth20Client",
        "AzureAdClient",
        "GoogleOidcClient",
        "CasOAuthWrapperClient",
        "WeiboClient",
        "PayPalClient",
        "DropBoxClient",
        "SAML2Client",
        "IndirectBasicAuthClient",
        "CasClient"
      ]
    ],
    "availableAttributes": [
      "java.util.LinkedHashSet",
      [
        "uid",
        "username",
        "name",
        "phone"
      ]
    ]
  }
}


But the data is not loaded in CAS Management. In cas-management.log I see this:
2019-04-07 00:32:01,567 INFO [org.apereo.cas.mgmt.web.CasManagementWebApplicationServletInitializer] - The following profiles are active: standalone
2019-04-07 00:32:07,489 DEBUG [org.apereo.cas.config.CasCoreUtilSerializationConfiguration] - Configuring component serialization plan [CasCoreUtilSerializationConfiguration]
2019-04-07 00:32:08,247 DEBUG [org.apereo.cas.mgmt.config.CasManagementAuthenticationConfiguration] - Configuring an authentication strategy based on CAS running at [https://cas.example.com]
2019-04-07 00:32:08,263 DEBUG [org.apereo.cas.mgmt.config.CasManagementAuthenticationConfiguration] - Skipping IP address authentication strategy configuration; no pattern is defined
2019-04-07 00:33:14,297 INFO [org.apereo.cas.mgmt.services.web.factory.FormDataFactory] - CAS Server returned 502 status code from endpoint https://cas.example.com/cas/status/discovery. Using default FormData values.
2019-04-07 00:33:17,369 DEBUG [org.apereo.cas.config.CasCoreServicesConfiguration] - Configuring service registry [JpaServiceRegistryConfiguration]
2019-04-07 00:33:17,402 DEBUG [org.apereo.cas.services.DefaultServiceRegistryExecutionPlan] - Registering service registry [JpaServiceRegistry] into the execution plan
2019-04-07 00:33:17,362 DEBUG [org.apereo.cas.services.AbstractServicesManager] - Registering service registry [JpaServiceRegistry] into the execution planorg.apereo.cas.services.ChainingServiceRegistry@35554139]
2019-04-07 00:33:17,807 DEBUG [org.apereo.cas.services.AbstractServicesManager] - Adding registered service [^https:\/\/app1.example.com(\\z|\/.*)]
2019-04-07 00:33:17,807 DEBUG [org.apereo.cas.services.AbstractServicesManager] - Adding registered service [^https:\/\/app2.example.com(\\z|\/.*)]
2019-04-07 00:33:17,807 DEBUG [org.apereo.cas.services.AbstractServicesManager] - Adding registered service [^https:\/\/app3.example.com(\\z|\/.*)]
2019-04-07 00:33:17,807 DEBUG [org.apereo.cas.services.AbstractServicesManager] - Adding registered service [^https:\/\/app4.example.com(\\z|\/.*)]
2019-04-07 00:33:17,807 DEBUG [org.apereo.cas.services.AbstractServicesManager] - Adding registered service [^https:\/\/cas.example.com(|:8443)\/cas-management(|\\z|\/.*)]
2019-04-07 00:33:17,808 DEBUG [org.apereo.cas.services.AbstractServicesManager] - Adding registered service [^https:\/\/cas.example.com(|:8443)\/cas\/status(|\\z|\/.*)]
2019-04-07 00:33:17,808 DEBUG [org.apereo.cas.services.AbstractServicesManager] - Adding registered service [^https:\/\/localhost:8443(\\z|\/.*)]
2019-04-07 00:33:17,813 INFO [org.apereo.cas.services.AbstractServicesManager] - Loaded [7] service(s) from [JpaServiceRegistry].
2019-04-07 00:33:17,894 DEBUG [org.apereo.cas.util.io.PathWatcherService] - Created service registry watcher for events of type [ENTRY_CREATE]
2019-04-07 00:33:17,954 INFO [org.apereo.cas.mgmt.DefaultCasManagementEventListener] -
2019-04-07 00:33:17,957 INFO [org.apereo.cas.mgmt.DefaultCasManagementEventListener] -


  ____    _____      _      ____   __   __
 |  _ \  | ____|    / \    |  _ \  \ \ / /
 | |_) | |  _|     / _ \   | | | |  \ V /
 |  _ <  | |___   / ___ \  | |_| |   | |  
 |_| \_\ |_____| /_/   \_\ |____/    |_|  
                                         


2019-04-07 00:33:17,957 INFO [org.apereo.cas.mgmt.DefaultCasManagementEventListener] -


I hope to see availableAttributes loaded into the CAS Management dropdown (Return Allowed). How can I solve this problem?
Thank you



melody

Apr 7, 2019, 10:38:42 PM
to CAS Community
The management request to the discovery URL was blocked by the CAS login page; I had the same problem.




On Sunday, April 7, 2019 at 1:48:55 AM UTC+8, Fahmi L. Ramdhani wrote:

Fahmi L. Ramdhani

Apr 9, 2019, 7:43:09 PM
to CAS Community
I tried accessing it with curl, and the result looks like this:

curl -v https://cas.example.com:8443/cas/status/discovery
*   Trying 2xx.60.112.9...
* Connected to cas.example.com (2xx.60.112.9) port 8443 (#0)
* found 148 certificates in /etc/ssl/certs/ca-certificates.crt
* found 592 certificates in /etc/ssl/certs
* ALPN, offering http/1.1
* SSL connection using TLS1.2 / ECDHE_RSA_AES_128_GCM_SHA256
*        server certificate verification OK
*        server certificate status verification SKIPPED
*        common name: cas.example.com (matched)
*        server certificate expiration date OK
*        server certificate activation date OK
*        certificate public key: RSA
*        certificate version: #3
*        subject: CN=cas.example.com
*        start date: Wed, 03 Apr 2019 09:32:48 GMT
*        expire date: Tue, 02 Jul 2019 09:32:48 GMT
*        issuer: C=US,O=XXXXXXXXXXX,CN=XXXXXXXXXXXXXX
*        compression: NULL
* ALPN, server did not agree to a protocol
> GET /cas/status/discovery HTTP/1.1
> Host: cas.example.com:8443
> User-Agent: curl/7.47.0
> Accept: */*
>
< HTTP/1.1 302
< Cache-Control: no-cache, no-store, max-age=0, must-revalidate
< Pragma: no-cache
< Expires: 0
< Strict-Transport-Security: max-age=15768000 ; includeSubDomains
< X-Content-Type-Options: nosniff
< X-Frame-Options: DENY
< X-XSS-Protection: 1; mode=block
< Set-Cookie: JSESSIONID=AECBB7BF899FAFB0B707CE228ECC19EC; Path=/cas; Secure; HttpOnly
< Location: https://cas.example.com:8443/cas/login?service=https%3A%2F%2Fcas.example.com%3A8443%2Fcas%2Fstatus%2Fdiscovery
< Transfer-Encoding: chunked
< Date: Tue, 09 Apr 2019 23:34:01 GMT
<
* Connection #0 to host cas.example.com left intact

Can anyone help please?

Ray Bon

Apr 9, 2019, 8:05:40 PM
to cas-...@apereo.org
Fahmi,

It looks like /cas/status/discovery is protected by cas and it redirects to cas/login (status code 302).
Should the discovery page be protected?

Ray
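As an added diagnostic, not code from the thread or from the CAS project: a small Python check for what Ray describes. It classifies a captured response from the discovery endpoint as a usable JSON profile, a redirect to the CAS login page, or something else, and unwraps the Jackson-typed availableAttributes list. The discovery URL and the sample response data below are assumptions constructed from the curl output and JSON shown in the thread.

```python
import json
from urllib.parse import parse_qs, urlparse

# Assumed: the endpoint CAS Management polls, as shown in the thread.
DISCOVERY_URL = "https://cas.example.com:8443/cas/status/discovery"

# Constructed from the 302 in the curl -v output above (Location header only).
REDIRECT_HEADERS = {
    "Location": "https://cas.example.com:8443/cas/login"
                "?service=https%3A%2F%2Fcas.example.com%3A8443%2Fcas%2Fstatus%2Fdiscovery",
}

# Constructed: the discovery profile trimmed to the field that matters here.
# CAS serialises collections with Jackson type info: [<java class>, [items]].
OK_BODY = json.dumps({
    "@class": "java.util.LinkedHashMap",
    "profile": {
        "@class": "org.apereo.cas.discovery.CasServerProfile",
        "availableAttributes": [
            "java.util.LinkedHashSet",
            ["mail", "eppn", "displayName", "givenName", "uid"],
        ],
    },
})


def classify_discovery_response(status, headers, body):
    """Tell a usable discovery profile apart from a login redirect.

    Returns 'ok' (JSON profile), 'login-redirect' (the endpoint sits behind
    the CAS login page, as the 302 in the thread shows) or 'unexpected'.
    """
    lower = {k.lower(): v for k, v in headers.items()}
    if status == 200:
        try:
            return "ok" if "profile" in json.loads(body) else "unexpected"
        except ValueError:
            return "unexpected"
    if status in (301, 302, 303, 307, 308):
        target = urlparse(lower.get("location", ""))
        # CAS hands the originally requested URL back in the `service` param.
        service = parse_qs(target.query).get("service", [""])[0]
        if target.path.endswith("/login") and service == DISCOVERY_URL:
            return "login-redirect"
    return "unexpected"


def available_attributes(body):
    """Unwrap the Jackson-typed availableAttributes list into plain names."""
    attrs = json.loads(body)["profile"]["availableAttributes"]
    if len(attrs) == 2 and isinstance(attrs[0], str) and isinstance(attrs[1], list):
        return list(attrs[1])  # [type name, [items]] form
    return list(attrs)         # plain JSON array fallback
```

A 'login-redirect' result means the management server is being sent an HTML login page instead of the profile, which is consistent with the FormDataFactory message in the log.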

Fahmi L. Ramdhani

Apr 9, 2019, 8:34:12 PM
to cas-...@apereo.org
Please tell me how to unprotect it. In cas.properties, I have to set

endpoints.status.discovery.enabled = true
..sensitive = false

Sorry for my questions. Thank you Ray.
--
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google Groups "CAS Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email to cas-user+u...@apereo.org.
To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/6865637d5002e54d38c2e2e619ff06ec63e45f0a.camel%40uvic.ca.

Fahmi L. Ramdhani

Apr 9, 2019, 8:45:00 PM
to CAS Community
I have configured it like this:

cas.properties

cas.adminPagesSecurity.ip = .*
cas.adminPagesSecurity.loginUrl = ${cas.server.prefix}/login
cas.adminPagesSecurity.service = ${cas.server.prefix}/status/dashboard
cas.adminPagesSecurity.users = file:/etc/cas/config/admusers.properties
cas.adminPagesSecurity.adminRoles[0] = ROLE_ADMIN
cas.adminPagesSecurity.actuatorEndpointsEnabled=true

cas.monitor.endpoints.enabled = true
cas.monitor.endpoints.sensitive = false
cas.monitor.endpoints.status.enabled = true
cas.monitor.endpoints.status.sensitive = false
cas.monitor.endpoints.discovery.enabled = true
cas.monitor.endpoints.discovery.sensitive = false

endpoints.enabled = true
endpoints.sensitive = true
endpoints.restart.enabled=true
endpoints.shutdown.enabled=true
endpoints.autoconfig.enabled=true
endpoints.beans.enabled=true
endpoints.bus.enabled=true
endpoints.configprops.enabled=true
endpoints.dump.enabled=true
endpoints.env.enabled=true
endpoints.health.enabled=true
endpoints.features.enabled=true
endpoints.info.enabled=true
endpoints.loggers.enabled=true
endpoints.logfile.enabled=true
endpoints.trace.enabled=true
endpoints.docs.enabled=true
endpoints.heapdump.enabled=true

Ray Bon

Apr 9, 2019, 8:45:56 PM
to cas-...@apereo.org
Fahmi,

I have not set up any of the status features for cas, so have no experience here.
Can you access it with a browser (that is, have you verified it is working as expected)?

What is your reason for using curl?

Perhaps there is another alternative that others on the list have tried.

Ray

Fahmi L. Ramdhani

Apr 9, 2019, 8:57:12 PM
to CAS Community
Thank you for the quick reply.

First I accessed https://cas.example.com/cas/status/discovery via the browser, and CAS redirected me to login. After successfully logging in, the result is like this:
{
  "@class": "java.util.LinkedHashMap",
  "profile": {
    "@class": "org.apereo.cas.discovery.CasServerProfile",
    "registeredServiceTypes": {
      "@class": "java.util.HashMap",
      "CAS Client": "org.apereo.cas.services.RegexRegisteredService"
    },
    "registeredServiceTypesSupported": {
      "@class": "java.util.HashMap",
      "SAML2 Service Provider": "org.apereo.cas.support.saml.services.SamlRegisteredService",
      "WS Federation Relying Party": "org.apereo.cas.ws.idp.services.WSFederationRegisteredService",
      "OpenID Connect Relying Party": "org.apereo.cas.services.OidcRegisteredService",
      "OAuth2 Client": "org.apereo.cas.support.oauth.services.OAuthRegisteredService",
      "CAS Client": "org.apereo.cas.services.RegexRegisteredService"
    },
    "multifactorAuthenticationProviderTypesSupported": {
      "@class": "java.util.HashMap",
      "mfa-gauth": "Google Authenticator",
      "mfa-swivel": "Swivel Secure",
      "mfa-authy": "Authy",
      "mfa-radius": "RADIUS (RSA,WiKID)",
      "mfa-u2f": "FIDO U2F",
      "mfa-azure": "Microsoft Azure",
      "mfa-duo": "Duo Security"
    },
    "delegatedClientTypesSupported": [
      "java.util.HashSet",
      [
        "OAuth20Client",
        "OAuth10Client",
        "TwitterClient",
        "FoursquareClient",
        "QQClient",
        "OrcidClient",
        "FacebookClient",
        "OkClient",
        "FormClient",
        "CasProxyReceptor",
        "GitHubClient",
        "KeycloakOidcClient",
        "BitbucketClient",
        "WordPressClient",
        "OidcClient",
        "WindowsLiveClient",
        "VkClient",
        "LinkedIn2Client",
        "YahooClient",
        "WechatClient",
        "Google2Client",
        "StravaClient",
        "GenericOAuth20Client",
        "AzureAdClient",
        "GoogleOidcClient",
        "CasOAuthWrapperClient",
        "PayPalClient",
        "WeiboClient",
        "DropBoxClient",
        "SAML2Client",
        "CasClient",
        "IndirectBasicAuthClient"
      ]
    ],
    "availableAttributes": [
      "java.util.LinkedHashSet",
      [
        "mail",
        "eppn",
        "displayName",
        "givenName",
        "uid"
      ]
    ]
  }
}

Can you see the availableAttributes section? I need it to make it easier for CAS administrators to release attributes for each service. But when I access https://cas.example.com/cas-management and try to add a service, the "mail", "eppn", "displayName", "givenName", "uid" attributes do not show in the dropdown options (Attribute Release Policy). I hope the dropdown options can be dynamic, based on the attributes in JDBC (Multi-Row), but I have not found a solution. How can I solve this problem?

Thank you.
Attribute-Release-Policy.JPG

Fahmi L. Ramdhani

Apr 10, 2019, 4:01:53 AM
to CAS Community
Anyone help please?

Ray Bon

Apr 10, 2019, 12:03:40 PM
to cas-...@apereo.org
Fahmi,

Our management server is too old to have this feature.
You probably have to add properties to management service properties file.

Ray

Fahmi L. Ramdhani

Apr 10, 2019, 8:59:02 PM
to cas-...@apereo.org
CAS Management can't retrieve the list of attributes available on CAS Server?

I have added configuration to management.properties, but it didn't work. CAS Management only contains the default attributes (uid, eppn, givenName).

I have tried adding the STUB configuration, but unfortunately it is static.

... attributeRepository.stub.attributes.uid = uid
.........

I hope CAS Management can take available attributes based on the CAS Server configuration.

Can anyone give me a suggestion for what I want?


Julien Gribonvald

Apr 11, 2019, 4:53:23 AM
to cas-...@apereo.org

Hi,

I had the same problem yesterday with a delegated auth, and I needed to look into the CAS properties (as it's not listed).

In my case users can come from several auth systems; one is local, from my LDAP, but users can also use a delegated auth. So in my conf I have the basic auth from my local LDAP defined with cas.authn.ldap[0].xxxx and, as an example, for a delegated auth from a Shibboleth IdP I defined cas.authn.pac4j.saml[0].xxxx

But in the case of a delegated auth I need to chain this auth with a local LDAP request to obtain the user's attributes, and so I need to define properties such as: cas.authn.attributeRepository.ldap[0].xxxx

But this doesn't allow merging user attributes from my local LDAP, and after searching I found this property that allows sharing all retrieved attributes: cas.authn.attributeRepository.defaultAttributesToRelease=${cas.authn.ldap[0].principalAttributeList} where cas.authn.ldap[0].principalAttributeList is the user attribute list of my default local LDAP auth, and so I have the same list.

Hope this will help you !

Now in my case, as I have several delegated systems, I'm looking into whether it's possible to set something that tells CAS to use one specific attributeRepository associated with a specific delegated auth (since the LDAP filter won't be the same) instead of chaining all attributeRepositories.

Thanks

Julien

Fahmi L. Ramdhani

Apr 11, 2019, 7:55:21 AM
to cas-...@apereo.org
Thanks Julien for your reply.

It looks like it's a static attribute. I once configured:

... principalAttributeList = uid, displayName, phoneNumber, emailAddress

Then I added the homeAddress attribute to the database; since the homeAddress attribute is not registered (configured) in principalAttributeList, the option in the CAS Management dropdown (Return Allowed Attributes) is not shown.

Note: I use JDBC in Multi-Row mode. So the CAS administrator can add attributes to the database.

After you configure it, can you choose the attribute list in CAS Management (the Attribute Release Policy, Return Allowed tab)?

How do you make principalAttributeList based on JDBC Multi-Row?

Thanks