requiredIpAddresses specification?


Baron Fujimoto

Feb 17, 2023, 11:15:25 AM
to CAS Community
I find the CAS documentation increasingly difficult to use. It often seems impossible to find something you're looking for unless you already know where to look.

For example, I'm trying to find out how I can specify the value for a requiredIpAddresses property. E.g. "cas.monitor.endpoints.endpoint.defaults.requiredIpAddresses".

I know it can be a list, and each address can be specified with a regex, e.g. "10.10.10.[123]", but can it take a range or CIDR address? Specifying something like 10.10.10.64/26 gets kind of unwieldy and not as understandable when trying to do it with a traditional regex.

Generally it's been super frustrating trying to find anything for cas.properties. The search function seems particularly useless unless there's some secret to it I'm missing.
--
Baron Fujimoto <ba...@hawaii.edu> ::: UH Information Technology Services
minutas cantorum, minutas balorum, minutas carboratum descendus pantorum

David Malia

Feb 22, 2023, 9:11:31 AM
to cas-...@apereo.org
A CIDR range like 10.10.10.64/26 is acceptable in the list. I got that answer by looking at the source. I remember reading there is a way to have CAS Initializr list out the properties, which I think listed out any documentation on the properties. I could be remembering wrong, and I don't remember the command, so maybe someone who knows more than me can chime in. I don't think that property is listed in the current website documentation, and I am happy to be wrong about that as well. This is an open source project, and I have some extra time today, so I can attempt to take a stab at it. I'm sure it was an oversight when they updated the layout of the documentation. I remember struggling with this with a recent upgrade we did as well. I'll probably get some of it wrong, but the maintainers are pretty good with their responses, and will correct my wrongness in the pull request with helpful suggestions.

David


Dmitriy Kopylenko

Feb 22, 2023, 10:00:24 AM
to cas-...@apereo.org
Hello.

There is a useful Gradle task available which would generate the properties file containing ALL CAS’ properties along with documentation comments for each. Then one could use search in that file to see what’s available. To run it, simply execute `./gradlew exportConfigMetadata` from the root of your overlay and it will generate a file named config-metadata.properties for your reference.

And then for example for the property in question it contains:

# Type: java.util.List<String>
# Module: cas-server-support-reports
# Owner: org.apereo.cas.configuration.model.core.monitor.ActuatorEndpointProperties
#
# Required ip addresses.
#
# cas.monitor.endpoints.endpoint.[key].required-ip-addresses:

With owner configuration class documented (org.apereo.cas.configuration.model.core.monitor.ActuatorEndpointProperties), one could see the source of it and in particular the member field in question:

    /**
     * Required IP addresses. CIDR ranges are accepted.
     */
    @RegularExpressionCapable
    private List<String> requiredIpAddresses = new ArrayList<>(0);

where from the Javadoc comment it’s now clear that CIDR ranges are accepted in its values.

HTH,
D.

Baron Fujimoto

Feb 23, 2023, 12:56:38 AM
to cas-...@apereo.org
Thanks, Dima. That `./gradlew exportConfigMetadata` task will be very handy going forward.

My apologies for the probably dumb question, but where exactly does one find those javadocs? I tried fumbling around what seemed like likely places for the version I'm working with (6.6.5), such as:

But I don't see the comment you provided as an example.



Dmitriy Kopylenko

Feb 23, 2023, 7:48:15 AM
to cas-...@apereo.org
Hi Baron. 

Ok, you are right, that comment is not available in the version that you are dealing with. I was looking at the master branch, so it’s “hit or miss” :)

D. 

Baron Fujimoto

Feb 23, 2023, 10:11:08 AM
to cas-...@apereo.org

Dmitriy Kopylenko

Feb 23, 2023, 10:41:51 AM
to cas-...@apereo.org

Baron Fujimoto

Feb 23, 2023, 12:16:28 PM
to cas-...@apereo.org
Ahh, there it is. Ok, thanks! I guess for now this is generally a pretty indirect way to find the information (and at least for me, prone to error), and as you noted can be hit or miss. :/


Baron Fujimoto

Mar 8, 2023, 3:39:47 AM
to CAS Community
Actually, I've belatedly discovered I'm also seeing warnings logged about being unable to parse regular expressions for IP addresses in 6.6.5. I'm setting something like the following:

cas.monitor.endpoints.endpoint.defaults.required-ip-addresses=127.0.0.1, 10.17.133.[234], ...

But the following is logged:

WARN [org.apereo.cas.util.function.FunctionUtils] - <Failed to parse address10.17.133.[234]
        IpAddressMatcher.java:parseAddress:96
        IpAddressMatcher.java:<init>:58
        CasWebSecurityConfigurerAdapter.java:lambda$configureEndpointAccessByIpAddress$10:297

How should IP addresses using regular expressions in the list be defined? I expected "10.17.133.[234]" to represent "10.17.133.2, 10.17.133.3, 10.17.133.4"

On Thu, Feb 23, 2023 at 8:44 PM Arkady Keppert <vtsu...@gmail.com> wrote:
Once I leave only one IP address everything is working fine. I did try before with a comma and the result is the same, but with a comma it won't let me in even when I provide my IP address.

2023-02-24 07:31:45,593 WARN [org.apereo.cas.util.function.FunctionUtils] - <Failed to parse address127.0.0.1,10.xx.xx.*
        IpAddressMatcher.java:parseAddress:96
        IpAddressMatcher.java:<init>:58
        CasWebSecurityConfigurerAdapter.java:lambda$configureEndpointAccessByIpAddress$10:297
>
2023-02-24 07:31:45,593 WARN [org.apereo.cas.web.security.CasWebSecurityConfigurerAdapter] - <Provided regular expression or IP/netmask [[127.0.0.1,10.xx.xx.*]] does not match [10.xx.xx.7]>

Everything is working fine on version 6.5.9 with the same setting and IPs separated with | like 127.0.0.1|10.xx.xx.*

King, Robert

Mar 8, 2023, 8:25:52 AM
to cas-...@apereo.org

Baron Fujimoto

Mar 8, 2023, 1:12:26 PM
to cas-...@apereo.org
It does take CIDR, but sometimes for small address ranges, a regex is more concise and readable in the context than a series of appropriate CIDRs (and sometimes vice versa).

However, bizarrely, it doesn't log any warnings for this variation, which makes no sense to me in terms of consistency.

127.0.0.1, 10.17.133.2/31, 10.17.133.4, 10.17.133.2[56]
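
Added example, not part of the thread and not CAS code: an offline check of which client addresses a mixed list like the ones above would admit, useful for reviewing an endpoint allow-list before deploying it. It assumes each comma-separated entry is tried as an IP/netmask first and otherwise as a regular expression that must match the whole client address; all function names are hypothetical.

```python
import ipaddress
import re

def classify(entry):
    """Return ("cidr", network) for an IP or CIDR entry, else ("regex", pattern)."""
    try:
        # strict=False also accepts a host address written with a prefix length
        return "cidr", ipaddress.ip_network(entry, strict=False)
    except ValueError:
        # Assumption: anything that is not an IP/netmask is treated as a regex
        return "regex", re.compile(entry)

def parse_list(value):
    """Split a comma-separated property value into classified rules."""
    return [classify(e.strip()) for e in value.split(",") if e.strip()]

def allowed(client, rules):
    """True if the client is inside any CIDR or fully matches any regex."""
    addr = ipaddress.ip_address(client)
    for kind, rule in rules:
        if kind == "cidr" and addr in rule:
            return True
        if kind == "regex" and rule.fullmatch(client):
            return True
    return False

def coverage(value, probes):
    """Map each probe address to whether the list would admit it."""
    rules = parse_list(value)
    return {p: allowed(p, rules) for p in probes}

# Constructed sample values, using the entry forms discussed in the thread
MIXED = "127.0.0.1, 10.17.133.2/31, 10.17.133.4, 10.17.133.2[56]"
REGEX = "127.0.0.1, 10.17.133.[234]"
CIDR = "10.10.10.64/26"

if __name__ == "__main__":
    for value in (MIXED, REGEX, CIDR):
        print([kind for kind, _ in parse_list(value)])
    print(coverage(MIXED, ["10.17.133.2", "10.17.133.3", "10.17.133.5", "10.17.133.25"]))
    print(coverage(CIDR, ["10.10.10.63", "10.10.10.64", "10.10.10.127", "10.10.10.128"]))
```

Under these assumptions the last entry of the mixed list, 10.17.133.2[56], admits 10.17.133.25 and 10.17.133.26, so probing the addresses just outside each intended range shows what a list really covers.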
