CAS 5.3.0-RC4 not validating authorized users to display admin dashboard


Naresh kumar kankati, Jun 6, 2018, 7:17:12 AM, to CAS Community
Hi,

I have upgraded CAS from 5.2.2 to 5.3.0-RC4. 

The CAS dashboard was working fine with 5.2.2 and displaying the admin dashboard only to the authorized users present in adminusers.properties. But when I switched to 5.3.0-RC4, org.pac4j.core.authorization.authorizer.RequireAnyRoleAuthorizer was returning forbidden.

Root cause:
Users are authenticated against LDAP. Roles are not maintained in LDAP.
I am trying to access the CAS dashboard page. org.pac4j.core.authorization.authorizer.RequireAnyRoleAuthorizer is checking whether a role
is present as part of the CAS profile after LDAP authentication, and our LDAP response does not contain any role. Hence RequireAnyRoleAuthorizer is returning false.

Solution:
Commented out the property: #cas.adminPagesSecurity.adminRoles=ROLE_ADMIN

Issue:
Now the CAS dashboard displays; however, it is accessible to all authenticated users and does not refer to adminusers.properties, where the authorized users are listed.

If I uncomment the cas.adminPagesSecurity.adminRoles=ROLE_ADMIN property, the CAS admin dashboard is not accessible.

Can someone help? How can we configure CAS to check adminusers.properties for authorized users and then present the admin dashboard?

CAS properties:

cas.adminPagesSecurity.ip=127.0.0.1
cas.adminPagesSecurity.alternateIpHeaderName=X-Forwarded-For
cas.adminPagesSecurity.loginUrl=https://localhost:8443/cas/login
cas.adminPagesSecurity.service=https://localhost:8443/cas/status/dashboard
cas.adminPagesSecurity.users=file:/opt/test/cas/config/adminusers.properties
cas.adminPagesSecurity.adminRoles=ROLE_ADMIN

security.basic.authorizeMode=role
security.basic.enabled=true
security.basic.path=/cas/status/**
security.basic.realm=CAS
cas.adminPagesSecurity.actuatorEndpointsEnabled=true
cas.rest.attributeName=sAMAccountName
cas.rest.attributeValue=sAMAccountName

Registered a service:

{
  "@class" : "org.apereo.cas.services.RegexRegisteredService",
  "name" : "CAS Admin Dashboard",
  "id" : 10000011,
  "theme" : "iamadmin",
  "description" : "CAS dashboard and administrative endpoints",
  "evaluationOrder" : 5000
}

Referred:



Debug logs:

DEBUG [org.apereo.cas.web.pac4j.CasSecurityInterceptor$1] - <=== SECURITY ===>
2018-05-11 07:54:57,198 DEBUG [org.apereo.cas.web.pac4j.CasSecurityInterceptor$1] - <url: https://localhost:8443/cas/status/dashboard>
2018-06-06 07:54:57,198 DEBUG [org.apereo.cas.web.pac4j.CasSecurityInterceptor$1] - <matchers: null>
2018-06-06 07:54:57,199 DEBUG [org.apereo.cas.web.pac4j.CasSecurityInterceptor$1] - <clients: CasClient>
2018-06-06 07:54:57,199 DEBUG [org.apereo.cas.web.pac4j.CasSecurityInterceptor$1] - <currentClients: [#DirectCasClient# | configuration: #CasConfiguration# | loginUrl:https://localhost:8443/cas/login | prefixUrl: https://localhost:8443/cas/ | restUrl: https://localhost:8443/cas/v1/tickets | protocol: CAS30 | renew: false | gateway: false | encoding: UTF-8 | logoutHandler: #DefaultCasLogoutHandler# | store: #GuavaStore# | size: 10000 | timeout: 30 | timeUnit: MINUTES | | destroySession: false | | acceptAnyProxy: false | allowedProxyChains: [] | proxyReceptor: null | timeTolerance: 1000 | postLogoutUrlParameter: service | defaultTicketValidator: null | urlResolver: org.pac4j.core.http.DefaultUrlResolver@6577f727 | |]>
2018-06-06 07:54:57,199 DEBUG [org.apereo.cas.web.pac4j.CasSecurityInterceptor$1] - <loadProfilesFromSession: true>
2018-06-06 07:54:57,200 DEBUG [org.apereo.cas.web.pac4j.CasSecurityInterceptor$1] - <profiles: [#CasProfile# | id: testuser | attributes: {isFromNewLogin=true, mail=test...@test.com, bypassMultifactorAuthentication=true, authenticationDate=2018-05-25T07:54:48.391-04:00[America/New_York], sAMAccountName=testuser, accountExpires=9223372036854775807, givenName=testuser, successfulAuthenticationHandlers=LdapAuthenticationHandler, cn=testuser, credentialType=RememberMeUsernamePasswordCredential, msDS-UserPasswordExpiryTimeComputed=9223372036854775807, bypassedMultifactorAuthenticationProviderId=mfa-duo, authenticationMethod=LdapAuthenticationHandler, longTermAuthenticationRequestTokenUsed=false, sn=testuser, lockoutTime=0, username=testuser, pwdLastSet=131578106790314866, badPwdCount=0} | roles: [] | permissions: [] | isRemembered: false | clientName: CasClient | linkedId: null |]>
2018-06-06 07:54:57,200 DEBUG [org.apereo.cas.web.pac4j.CasSecurityInterceptor$1] - <authorizers: securityHeaders,csrfToken,RequireAnyRoleAuthorizer>
2018-06-06 07:54:57,201 DEBUG [org.pac4j.core.authorization.checker.DefaultAuthorizationChecker] - <Checking authorizer: org.pac4j.core.authorization.authorizer.CacheControlHeader@6be8c6e5 -> true>
2018-06-06 07:54:57,201 DEBUG [org.pac4j.core.authorization.checker.DefaultAuthorizationChecker] - <Checking authorizer: org.pac4j.core.authorization.authorizer.XContentTypeOptionsHeader@3a99578a -> true>
2018-06-06 07:54:57,201 DEBUG [org.pac4j.core.authorization.checker.DefaultAuthorizationChecker] - <Checking authorizer: org.pac4j.core.authorization.authorizer.StrictTransportSecurityHeader@b49fcda -> true>
2018-06-06 07:54:57,201 DEBUG [org.pac4j.core.authorization.checker.DefaultAuthorizationChecker] - <Checking authorizer: org.pac4j.core.authorization.authorizer.XFrameOptionsHeader@7b1cdf3e -> true>
2018-06-06 07:54:57,201 DEBUG [org.pac4j.core.authorization.checker.DefaultAuthorizationChecker] - <Checking authorizer: org.pac4j.core.authorizatio
2018-06-06 07:54:57,201 DEBUG [org.pac4j.core.authorization.checker.DefaultAuthorizationChecker] - <Checking authorizer: org.pac4j.core.authorization.authorizer.XSSProtectionHeader@31458155 -> true>
2018-06-06 07:54:57,201 DEBUG [org.pac4j.core.authorization.checker.DefaultAuthorizationChecker] - <Checking authorizer: #CsrfTokenGeneratorAuthorizer# | csrfTokenGenerator: org.pac4j.core.authorization.authorizer.csrf.DefaultCsrfTokenGenerator@10dddcf8 | domain: null | path: / | httpOnly: null | secure: null | -> true>
2018-06-06 07:54:57,201 DEBUG [org.pac4j.core.authorization.checker.DefaultAuthorizationChecker] - <Checking authorizer: org.pac4j.core.authorization.authorizer.RequireAnyRoleAuthorizer@d0fa89f -> false>
2018-06-06 07:54:57,201 DEBUG [org.apereo.cas.web.pac4j.CasSecurityInterceptor$1] - <forbidden>

RequireAnyRoleAuthorizer always returns false.

Thanks
Naresh 

Naresh kumar kankati, Jun 11, 2018, 8:01:25 AM, to CAS Community
Finally identified the issue. The id is coming in lowercase, and CAS is trying to find the user in adminusers.properties with the same case.

Hence validation fails and the unauthorized screen appears. Now I have made the username lowercase in adminusers.properties. It is working now.

[#CasProfile# | id: testuser

Thanks
Naresh
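As an added illustration for both posts (example code, not CAS's or pac4j's own), the Python model below shows the lookup and role check the thread describes: the profile id from the debug log is matched against the entries in adminusers.properties, the roles found there feed a RequireAnyRoleAuthorizer-style check, and an entry whose case differs from the id yields no roles, which is the "forbidden" seen in the log. The entry format (username=password,ROLE_X[,enabled]) is assumed from the CAS documentation, and the sample file contents are constructed.

```python
# Added example (not CAS or pac4j code): a Python model of how an admin-users
# file like the thread's adminusers.properties supplies roles to the pac4j
# profile, and of the RequireAnyRoleAuthorizer check that then runs on it.
# Assumption: entries follow the CAS docs' format username=password,ROLE_X[,enabled].

# Constructed sample file (placeholder values, not from the thread).
ADMIN_USERS_PROPERTIES = """\
# admin users for the CAS dashboard
TestUser=notused,ROLE_ADMIN
auditor=notused,ROLE_AUDIT,enabled
"""

def parse_admin_users(text):
    """Return {username: set(roles)} from properties-style lines."""
    users = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue  # comment or blank line
        name, rest = line.split("=", 1)
        fields = [f.strip() for f in rest.split(",")]
        # fields[0] is the unused password; roles are the ROLE_* tokens after it
        users[name.strip()] = {f for f in fields[1:] if f.startswith("ROLE_")}
    return users

def roles_for_profile(users, profile_id, case_insensitive=False):
    """Roles attached to the profile with this id (exact-case match by default)."""
    if case_insensitive:
        lowered = {u.lower(): r for u, r in users.items()}
        return lowered.get(profile_id.lower(), set())
    return users.get(profile_id, set())

def require_any_role(profile_roles, admin_roles):
    """Mirrors RequireAnyRoleAuthorizer: pass if the profile holds any admin role."""
    return bool(set(profile_roles) & set(admin_roles))

def dashboard_allowed(profile_id, admin_roles=("ROLE_ADMIN",), case_insensitive=False):
    """Full check: file lookup by profile id, then the role authorizer."""
    users = parse_admin_users(ADMIN_USERS_PROPERTIES)
    return require_any_role(roles_for_profile(users, profile_id, case_insensitive), admin_roles)

if __name__ == "__main__":
    # The thread's profile id is lowercase ("id: testuser"); the file entry is TestUser.
    print(dashboard_allowed("testuser"))  # False: exact-case lookup finds no roles
    print(dashboard_allowed("testuser", case_insensitive=True))  # True
    print(dashboard_allowed("auditor"))  # False: ROLE_AUDIT is not ROLE_ADMIN
```

Whether CAS itself matches the file entry case-sensitively is exactly what the second post reports; the model only makes the resulting empty-roles outcome visible.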