Securing Endpoints With Spring Security


Doug C

Sep 11, 2017, 1:44:30 PM
to CAS Community
I have been trying to try this option for securing endpoints with spring security mentioned at the following links:

and

I have added the dependency to my pom.xml and I have tried adding the following to my cas.properties:

endpoints.enabled=true
endpoints.sensitive=true
cas.monitor.endpoints.enabled=true
cas.monitor.endpoints.sensitive=true
security.user.name=master
security.user.password=
security.user.role=ACTUATOR
security.basic.authorizeMode=role
security.basic.enabled=true
security.basic.path=/cas/status/**
security.basic.realm=CAS
security.filterOrder=0
security.requireSsl=false
security.sessions=if_required

But when I navigate to http://localhost:8080/cas/status I get the dreaded "You did not say the magic word" page.  Also, a password is supposed to (according to the links above) be output to the logs but it isn't there.

I was expecting to have the web browser prompt me for a username/password and be able to put in the master for the username and a password from the logs but I don't get a password prompt at all.

Note that I also tried just setting a password using security.user.password but that seems to have no effect either.

Am I approaching this incorrectly?  What am I missing?

Thanks!

Doug C

Sep 14, 2017, 12:46:49 PM
to CAS Community
I got it working and I am not really sure why it wasn't working.  This is what I finally ended up doing.

Added the following dependency to pom.xml (I thought I had done this but maybe I hadn't):

        <dependency>
            <groupId>org.apereo.cas</groupId>
            <artifactId>cas-server-webapp-config-security</artifactId>
            <version>${cas.version}</version>
        </dependency>

And the settings in my cas.properties that made Basic Authentication work were:

# allow access from any IP
cas.adminPagesSecurity.ip=^([01]?\\d\\d?|2[0-4]\\d|25[0-5])\\.([01]?\\d\\d?|2[0-4]\\d|25[0-5])\\.([01]?\\d\\d?|2[0-4]\\d|25[0-5])\\.([01]?\\d\\d?|2[0-4]\\d|25[0-5])$
security.basic.enabled=true
security.basic.realm=CAS
security.user.name=master
# if below is set to blank or is just commented out then a password like the one shown is generated and displayed in the logs
security.user.password=6b934cf6-8162-4dba-878b-ed10eb3ac105
# enable CAS endpoints to be authenticated
cas.monitor.endpoints.enabled=true
cas.monitor.endpoints.sensitive=true
# enable Spring endpoints to be authenticated as well
cas.adminPagesSecurity.actuatorEndpointsEnabled=true
endpoints.enabled=true
endpoints.sensitive=true

One thing to note that I didn't quite understand previously from the documentation is that when endpoints are marked as sensitive it basically seems to mean that you need to authenticate using one of the Spring security mechanisms to gain access.  That is why if you are using CAS to authenticate you set sensitive to false.

Doug
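Added here as an illustration (not Doug's code and not part of the CAS project): a small Python check that reads a cas.properties fragment like the one in the post above and reports the settings that would leave /cas/status reachable without a credential prompt: Basic auth off, a blank security.user.password (which, as noted above, makes a generated password land in the logs), endpoints not marked sensitive, no SSL requirement, and an IP allow-list that matches every address. The sample properties are copied from the post; the probe address 203.0.113.7 and the finding texts are my own assumptions.

```python
import re

# Sample input: the cas.properties settings from the second post, copied verbatim.
SAMPLE_PROPERTIES = r"""
# allow access from any IP
cas.adminPagesSecurity.ip=^([01]?\\d\\d?|2[0-4]\\d|25[0-5])\\.([01]?\\d\\d?|2[0-4]\\d|25[0-5])\\.([01]?\\d\\d?|2[0-4]\\d|25[0-5])\\.([01]?\\d\\d?|2[0-4]\\d|25[0-5])$
security.basic.enabled=true
security.basic.realm=CAS
security.user.name=master
security.user.password=6b934cf6-8162-4dba-878b-ed10eb3ac105
cas.monitor.endpoints.enabled=true
cas.monitor.endpoints.sensitive=true
cas.adminPagesSecurity.actuatorEndpointsEnabled=true
endpoints.enabled=true
endpoints.sensitive=true
"""

def parse_properties(text):
    """Minimal java.util.Properties reader: skips comments and blanks, splits on the first '='."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#!" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        # A properties file escapes backslashes, so "\\d" on disk reaches the application as "\d".
        props[key.strip()] = value.strip().replace("\\\\", "\\")
    return props

def audit_endpoint_security(props):
    """Return a list of findings about the endpoint-security settings discussed in the thread."""
    def is_true(key):
        return props.get(key, "false").strip().lower() == "true"
    findings = []
    if not is_true("security.basic.enabled"):
        findings.append("security.basic.enabled: Basic auth is off, so /cas/status will not prompt for credentials")
    if not props.get("security.user.password"):
        findings.append("security.user.password: blank, so a random password is generated and printed to the logs")
    for key in ("endpoints.sensitive", "cas.monitor.endpoints.sensitive"):
        if not is_true(key):
            findings.append(f"{key}: not true, so those endpoints do not require Spring Security authentication")
    if not is_true("security.requireSsl"):
        findings.append("security.requireSsl: not true, so Basic credentials may travel over plain HTTP")
    ip_regex = props.get("cas.adminPagesSecurity.ip")
    # Probe the allow-list with a non-loopback address (constructed); a match means it effectively allows any IP.
    if ip_regex and re.fullmatch(ip_regex, "203.0.113.7"):
        findings.append("cas.adminPagesSecurity.ip: matches any IPv4 address, so the IP restriction is ineffective")
    return findings
```

Run against the posted settings it reports only the any-IP allow-list and the missing SSL requirement; blanking the password or setting a sensitive flag to false adds the corresponding finding.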