Hi,
I am in the process of upgrading CAS from 5.2.2 to 5.3.0-RC2.
CAS dashboard was working fine with 5.2.2, but when I switched to 5.3.0-RC2, it always returns forbidden.
Not sure what I am missing here. Can anyone help please?
CAS properties:
cas.adminPagesSecurity.ip=127.0.0.1
cas.adminPagesSecurity.alternateIpHeaderName=X-Forwarded-For
cas.adminPagesSecurity.loginUrl=https://localhost:8443/cas/login
cas.adminPagesSecurity.service=https://localhost:8443/cas/status/dashboard
cas.adminPagesSecurity.users=file:/opt/test/cas/config/adminusers.properties
cas.adminPagesSecurity.adminRoles=ROLE_ADMIN
security.basic.authorizeMode=role
security.basic.enabled=true
security.basic.path=/cas/status/**
security.basic.realm=CAS
cas.adminPagesSecurity.actuatorEndpointsEnabled=true
cas.rest.attributeName=sAMAccountName
cas.rest.attributeValue=sAMAccountName
Registered a service:
{
"@class" : "org.apereo.cas.services.RegexRegisteredService",
"serviceId" : "^https://localhost:8443/cas/status/dashboard",
"name" : "CAS Admin Dashboard",
"id" : 10000011,
"theme":"iamadmin",
"description" : "CAS dashboard and administrative endpoints",
"evaluationOrder" : 5000
}
Referred:
https://dacurry-tns.github.io/deploying-apereo-cas/building_server_dashboard_overview.html
https://apereo.github.io/cas/development/installation/Configuration-Properties.html
Debug logs:
DEBUG [org.apereo.cas.web.pac4j.CasSecurityInterceptor$1] - <=== SECURITY ===>
2018-05-11 07:54:57,198 DEBUG [org.apereo.cas.web.pac4j.CasSecurityInterceptor$1] - <url: https://localhost:8443/cas/status/dashboard>
2018-05-25 07:54:57,198 DEBUG [org.apereo.cas.web.pac4j.CasSecurityInterceptor$1] - <matchers: null>
2018-05-25 07:54:57,199 DEBUG [org.apereo.cas.web.pac4j.CasSecurityInterceptor$1] - <clients: CasClient>
2018-05-25 07:54:57,199 DEBUG [org.apereo.cas.web.pac4j.CasSecurityInterceptor$1] - <currentClients: [#DirectCasClient# | configuration: #CasConfiguration# | loginUrl: https://localhost:8443/cas/login | prefixUrl: https://localhost:8443/cas/ | restUrl: https://localhost:8443/cas/v1/tickets | protocol: CAS30 | renew: false | gateway: false | encoding: UTF-8 | logoutHandler: #DefaultCasLogoutHandler# | store: #GuavaStore# | size: 10000 | timeout: 30 | timeUnit: MINUTES | | destroySession: false | | acceptAnyProxy: false | allowedProxyChains: [] | proxyReceptor: null | timeTolerance: 1000 | postLogoutUrlParameter: service | defaultTicketValidator: null | urlResolver: org.pac4j.core.http.DefaultUrlResolver@6577f727 | |]>
2018-05-25 07:54:57,199 DEBUG [org.apereo.cas.web.pac4j.CasSecurityInterceptor$1] - <loadProfilesFromSession: true>
2018-05-25 07:54:57,200 DEBUG [org.apereo.cas.web.pac4j.CasSecurityInterceptor$1] - <profiles: [#CasProfile# | id: testuser | attributes: {isFromNewLogin=true, mail=test...@test.com, bypassMultifactorAuthentication=true, authenticationDate=2018-05-25T07:54:48.391-04:00[America/New_York], sAMAccountName=testuser, accountExpires=9223372036854775807, givenName=testuser, successfulAuthenticationHandlers=LdapAuthenticationHandler, cn=testuser, credentialType=RememberMeUsernamePasswordCredential, msDS-UserPasswordExpiryTimeComputed=9223372036854775807, bypassedMultifactorAuthenticationProviderId=mfa-duo, authenticationMethod=LdapAuthenticationHandler, longTermAuthenticationRequestTokenUsed=false, sn=testuser, lockoutTime=0, username=testuser, pwdLastSet=131578106790314866, badPwdCount=0} | roles: [] | permissions: [] | isRemembered: false | clientName: CasClient | linkedId: null |]>
2018-05-25 07:54:57,200 DEBUG [org.apereo.cas.web.pac4j.CasSecurityInterceptor$1] - <authorizers: securityHeaders,csrfToken,RequireAnyRoleAuthorizer>
2018-05-25 07:54:57,201 DEBUG [org.pac4j.core.authorization.checker.DefaultAuthorizationChecker] - <Checking authorizer: org.pac4j.core.authorization.authorizer.CacheControlHeader@6be8c6e5 -> true>
2018-05-25 07:54:57,201 DEBUG [org.pac4j.core.authorization.checker.DefaultAuthorizationChecker] - <Checking authorizer: org.pac4j.core.authorization.authorizer.XContentTypeOptionsHeader@3a99578a -> true>
2018-05-25 07:54:57,201 DEBUG [org.pac4j.core.authorization.checker.DefaultAuthorizationChecker] - <Checking authorizer: org.pac4j.core.authorization.authorizer.StrictTransportSecurityHeader@b49fcda -> true>
2018-05-25 07:54:57,201 DEBUG [org.pac4j.core.authorization.checker.DefaultAuthorizationChecker] - <Checking authorizer: org.pac4j.core.authorization.authorizer.XFrameOptionsHeader@7b1cdf3e -> true>
2018-05-25 07:54:57,201 DEBUG [org.pac4j.core.authorization.checker.DefaultAuthorizationChecker] - <Checking authorizer: org.pac4j.core.authorizatio
2018-05-25 07:54:57,201 DEBUG [org.pac4j.core.authorization.checker.DefaultAuthorizationChecker] - <Checking authorizer: org.pac4j.core.authorization.authorizer.XSSProtectionHeader@31458155 -> true>
2018-05-25 07:54:57,201 DEBUG [org.pac4j.core.authorization.checker.DefaultAuthorizationChecker] - <Checking authorizer: #CsrfTokenGeneratorAuthorizer# | csrfTokenGenerator: org.pac4j.core.authorization.authorizer.csrf.DefaultCsrfTokenGenerator@10dddcf8 | domain: null | path: / | httpOnly: null | secure: null | -> true>
2018-05-25 07:54:57,201 DEBUG [org.pac4j.core.authorization.checker.DefaultAuthorizationChecker] - <Checking authorizer: org.pac4j.core.authorization.authorizer.RequireAnyRoleAuthorizer@d0fa89f -> false>
2018-05-25 07:54:57,201 DEBUG [org.apereo.cas.web.pac4j.CasSecurityInterceptor$1] - <forbidden>
RequireAnyRoleAuthorizer always returns false
Thanks
Naresh
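For triaging debug output like the above, here is an added example (not part of the original post, nor code from CAS or pac4j): a small Python helper that parses the DefaultAuthorizationChecker lines, pulls the roles out of the CasProfile line, and reports which authorizer denied the request and which required role the profile lacks. The sample log is an abridged, constructed copy of the lines in the post, and the required role set is passed in by the caller.

```python
import re

# Constructed, abridged copy of the CAS/pac4j debug lines from the post.
SAMPLE_LOG = """\
2018-05-25 07:54:57,200 DEBUG [org.apereo.cas.web.pac4j.CasSecurityInterceptor$1] - <profiles: [#CasProfile# | id: testuser | attributes: {sAMAccountName=testuser, cn=testuser} | roles: [] | permissions: [] | isRemembered: false | clientName: CasClient | linkedId: null |]>
2018-05-25 07:54:57,200 DEBUG [org.apereo.cas.web.pac4j.CasSecurityInterceptor$1] - <authorizers: securityHeaders,csrfToken,RequireAnyRoleAuthorizer>
2018-05-25 07:54:57,201 DEBUG [org.pac4j.core.authorization.checker.DefaultAuthorizationChecker] - <Checking authorizer: org.pac4j.core.authorization.authorizer.CacheControlHeader@6be8c6e5 -> true>
2018-05-25 07:54:57,201 DEBUG [org.pac4j.core.authorization.checker.DefaultAuthorizationChecker] - <Checking authorizer: #CsrfTokenGeneratorAuthorizer# | csrfTokenGenerator: org.pac4j.core.authorization.authorizer.csrf.DefaultCsrfTokenGenerator@10dddcf8 | domain: null | path: / | httpOnly: null | secure: null | -> true>
2018-05-25 07:54:57,201 DEBUG [org.pac4j.core.authorization.checker.DefaultAuthorizationChecker] - <Checking authorizer: org.pac4j.core.authorization.authorizer.RequireAnyRoleAuthorizer@d0fa89f -> false>
2018-05-25 07:54:57,201 DEBUG [org.apereo.cas.web.pac4j.CasSecurityInterceptor$1] - <forbidden>
"""

AUTHORIZER_RE = re.compile(r"<Checking authorizer: (.+?) -> (true|false)>")
ROLES_RE = re.compile(r"\| roles: \[([^\]]*)\]")


def authorizer_name(raw):
    """Reduce 'org...RequireAnyRoleAuthorizer@d0fa89f' or
    '#CsrfTokenGeneratorAuthorizer# | ...' to the bare class name."""
    raw = raw.strip()
    if raw.startswith("#"):
        return raw.split("#")[1]
    return raw.split("@")[0].rsplit(".", 1)[-1]


def parse_authorizer_checks(log_text):
    """Return [(authorizer_name, passed)] in the order the checker ran them."""
    return [(authorizer_name(m.group(1)), m.group(2) == "true")
            for m in AUTHORIZER_RE.finditer(log_text)]


def parse_profile_roles(log_text):
    """Return the role set printed in the CasProfile line, or None if absent."""
    m = ROLES_RE.search(log_text)
    if not m:
        return None
    return {r.strip() for r in m.group(1).split(",") if r.strip()}


def diagnose(log_text, required_roles):
    """Summarise why the interceptor answered <forbidden>."""
    roles = parse_profile_roles(log_text)
    failed = [name for name, ok in parse_authorizer_checks(log_text) if not ok]
    return {
        "forbidden": "<forbidden>" in log_text,
        "failed_authorizers": failed,
        "profile_roles": roles,
        # Roles the admin pages require that the profile never received.
        "missing_roles": set(required_roles) - (roles or set()),
    }
```

Running diagnose(SAMPLE_LOG, {"ROLE_ADMIN"}) on the post's log reports RequireAnyRoleAuthorizer as the only failing authorizer, an empty profile role set, and ROLE_ADMIN as the missing role, which is the condition to resolve before the dashboard will load.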