Notice: This message was sent from outside the University of Victoria email system. Please be cautious with links and sensitive information.
Notice: This message was sent from outside the University of Victoria email system. Please be cautious with links and sensitive information.
Hello Ray,
Thank you for you answer, I'm sorry for the delay in replying.
>> >> Luis
>> >> if I try to call the actuator like this (don't know if it's the right way),
>> >>
>> >>
>> >> I get the following information on CAS server log:
>> >>
>> >> 2023-04-21 15:11:09,619 [https-jsse-nio-8443-exec-2] ERROR: Service unauthorized
>> >> RegisteredServiceAccessStrategyAuditableEnforcer.java:lambda$execute$6:200
>> >> Optional.java:orElseGet:364
>> >> RegisteredServiceAccessStrategyAuditableEnforcer.java:execute:194
>> Ray
>> Put cas management aside while you work with the actuators for cas.
I referenced the use of CAS server actuators because it seems to me that some of CAS management functionalities call CAS server actuators under the hood.
I base this opinion on this information:
>> https://groups.google.com/a/apereo.org/g/cas-user/c/crOUxHaXh_k/m/ZTPDH5kwAAAJ
>>
>> The "dashboard" and "CAS Info" tabs of the https://my-domain/cas-management/dashboard
>> are now populated with data coming from my CAS server /health and /info actuators.
I think, don’t know for sure, that as some CAS management information comes from CAS server actuators, like /health and /info, so does the attribute release information must come from the same source, CAS server actuators.
If my analysis with Chrome DevTools is correct, the following happens when calling, for example:
CAS management => Administration => Resolve Attributes
GET https://localhost:8445/cas-management/api/dashboard/resolve/<username>
This option works fine. I think that under the hood it calls this CAS server actuator,https://apereo.github.io/cas/6.6.x/integration/Attribute-Resolution.html#actuator-endpoints
CAS management => Administration => Release Attributes
POST https://localhost:8445/cas-management/api/dashboard/release
This option causes the “403” mentioned error.
POST does exist as an actuator endpoint, as stated here,
https://apereo.github.io/cas/6.6.x/integration/Attribute-Release-Policies.html#actuator-endpoints
but I’m not sure if this functionality should make a POST (POST inside cas management, it’s true, I could not find out what kind of request is made from CAS management to CAS server), I think I should make a GET, does this makes sense?
Is it possible that CAS management should make a GET instead of a POST on this functionality and this is a bug?
>> Ray
>> You can edit the json service definition by hand if needed.
I've been doing that, editting my json files, but right now my goal is to test CAS management, because, as the documentation below states, when I use other backend (not JSON Service Registry), which I plan to do, I will need do use CAS management, so I’m testing all it’s options.
>> CAS Management Web Application / Installing-ServicesMgmt-Webapp.md
>> ...
>> Synchronized Configuration
>> ...
>> Note that for certain type of service registry backends,
>> deploying the management web application is a requirement
>> since it acts as the interface fronting CRUD operations
>> that deal with the storage backend.
>> The absence of the management web application
>> means that you will need to find alternative tooling
>> to manually interact with your registry of choice
>> and the storage backend it employs.
>> Ray
>> You say there is a problem with cas management release attributes
>> but the url provided suggests you are accessing cas.
As I said above, based on info I’ve read on CAS google group, I think, not sure if I’m right, that cas management release attributes info is obtained from CAS server by calling an actuator, probably one of these:
https://apereo.github.io/cas/6.6.x/integration/Attribute-Release-Policies.html#actuator-endpoints
>> Ray
>> This is my local endpoint config:
##### --- management endpoints
# cas.monitor.endpoints.ldap.ldap-authz.role-attribute = description
management.endpoints.enabled-by-default=true
Luis: I also have this setting on cas.properties
management.endpoint.metrics.enabled=true
management.endpoint.env.enabled=true
management.endpoint.configurationMetadata.enabled=true
# # curl -X POST -k https://local.uvic.ca/cas/actuator/refresh was accepted but browser refresh -> 500
# # management.endpoint.refresh.enabled=true
# # not sure how to call
# # management.endpoint.autoconfig.enabled=true
# default:
# health,info
# cas built in (or part of already configured features), enabled with '*' (some may not work):
# samlValidate,yubikeyAccountRepository,loggingConfig,beans,caches,conditions,configprops,env,loggers,heapdump,threaddump,metrics,scheduledtasks,mappings,refresh,features
# cas-server-support-reports, status is auto enabled, provides:
# status,springWebflow,auditLog,registeredServices.exportRegisteredServices,ssoSession,statistics,releaseAttributes
# cas-server-core-configuration-metadata-repository configurationMetadata is auto enabled, provides:
# configurationMetadata
# cas-server-support-discovery-profile provides:
# discoveryProfile
management.endpoints.web.exposure.include=*
Luis: I also have this setting on cas.properties
# https://apereo.github.io/2018/11/06/cas6-admin-endpoints-security/
# must specify auto enabled / default endpoints if using exposure.include
# management.endpoints.web.exposure.include=health,info,configurationMetadata,discoveryProfile,auditLog
# # cas.monitor.endpoints.endpoint.defaults.access[0]=IP_ADDRESS
# # cas.monitor.endpoints.endpoint.defaults.requiredIpAddresses[0]=\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}
# # #cas.monitor.endpoints.endpoint.defaults.requiredIpAddresses[0]=127\\.0\\.0\\.1
# # shows free memory
# management.endpoint.health.show-details=always
# # shows health items below
# management.health.defaults.enabled=true
# # on by default
# # management.health.memoryHealthIndicator.enabled=true
# # management.health.systemHealthIndicator.enabled=true
# # management.health.sessionHealthIndicator.enabled=true
# # management.health.hazelcastHealthIndicator.enabled=true
# # management.health.pooledLdapConnectionFactoryHealthIndicator.enabled=true
# # management.health.samlRegisteredServiceMetadataHealthIndicator.enabled=true
management.endpoint.ticketExpirationPolicies.enabled=true
Luis: I don’t have this config, think I don’t need it for my CAS management tests
management.endpoints.web.exposure.include=*
Luis: I also have this setting on cas.properties, it’s duplicated on this config
# # can not be accessed once authenticated. I know, weird, right?
cas.monitor.endpoints.endpoint.health.access=ANONYMOUS
# # cas.monitor.endpoints.endpoint.info.access=ANONYMOUS
# spring.security.user.name=casuser
spring.security.user.password=Some secret, spaces are cool
# cas.monitor.endpoints.endpoint.defaults.access=AUTHENTICATED
cas.monitor.endpoints.endpoint.defaults.access=ANONYMOUS
Luis: for now I have all actuator access ANONYMOUS, for testing purposes
Luis: cas.monitor.endpoints.endpoint.defaults.access=ANONYMOUS
Luis:What makes me think that my "CAS management => Administration => Release Attributes" “403” problem might be a bug is:
-all other CAS management features that I’ve tested work fine (eg Manage Services, Resolve Attributes)
-couldn’t find anybody on this group stating that it can use this feature correctly on cas management 6.6.2
Does my above reasoning make sense?
Hello Ray,
Thank you for you answer, I'm sorry for the delay in replying.
>> >> Luis
>> >> if I try to call the actuator like this (don't know if it's the right way),
>> >>
>> >>
>> >> I get the following information on CAS server log:
>> >>
>> >> 2023-04-21 15:11:09,619 [https-jsse-nio-8443-exec-2] ERROR: Service unauthorized
>> >> RegisteredServiceAccessStrategyAuditableEnforcer.java:lambda$execute$6:200
>> >> Optional.java:orElseGet:364
>> >> RegisteredServiceAccessStrategyAuditableEnforcer.java:execute:194
>> Ray
>> Put cas management aside while you work with the actuators for cas.
I referenced the use of CAS server actuators because it seems to me that some of CAS management functionalities call CAS server actuators under the hood.
I base this opinion on this information:
>> https://groups.google.com/a/apereo.org/g/cas-user/c/crOUxHaXh_k/m/ZTPDH5kwAAAJ
>>
>> The "dashboard" and "CAS Info" tabs of the https://my-domain/cas-management/dashboard
>> are now populated with data coming from my CAS server /health and /info actuators.
I think, don’t know for sure, that as some CAS management information comes from CAS server actuators, like /health and /info, so does the attribute release information must come from the same source, CAS server actuators.
If my analysis with Chrome DevTools is correct, the following happens when calling, for example:
CAS management => Administration => Resolve Attributes
GET https://localhost:8445/cas-management/api/dashboard/resolve/<username>
This option works fine. I think that under the hood it calls this CAS server actuator, https://apereo.github.io/cas/6.6.x/integration/Attribute-Resolution.html#actuator-endpoints
CAS management => Administration => Release Attributes
POST https://localhost:8445/cas-management/api/dashboard/release
This option causes the “403” mentioned error.
POST does exist as an actuator endpoint, as stated here,
https://apereo.github.io/cas/6.6.x/integration/Attribute-Release-Policies.html#actuator-endpoints
but I’m not sure if this functionality should make a POST (POST inside cas management, it’s true, I could not find out what kind of request is made from CAS management to CAS server), I think I should make a GET, does this makes sense?
Is it possible that CAS management should make a GET instead of a POST on this functionality and this is a bug?
>> Ray
>> You can edit the json service definition by hand if needed.
I've been doing that, editting my json files, but right now my goal is to test CAS management, because, as the documentation below states, when I use other backend (not JSON Service Registry), which I plan to do, I will need do use CAS management, so I’m testing all it’s options.
>> CAS Management Web Application / Installing-ServicesMgmt-Webapp.md
>> ...
>> Synchronized Configuration
>> ...
>> Note that for certain type of service registry backends,
>> deploying the management web application is a requirement
>> since it acts as the interface fronting CRUD operations
>> that deal with the storage backend.
>> The absence of the management web application
>> means that you will need to find alternative tooling
>> to manually interact with your registry of choice
>> and the storage backend it employs.
>> Ray
>> You say there is a problem with cas management release attributes
>> but the url provided suggests you are accessing cas.
As I said above, based on info I’ve read on CAS google group, I think, not sure if I’m right, that cas management release attributes info is obtained from CAS server by calling an actuator, probably one of these:
https://apereo.github.io/cas/6.6.x/integration/Attribute-Release-Policies.html#actuator-endpoints
>> Ray
>> This is my local endpoint config:
##### --- management endpoints
# cas.monitor.endpoints.ldap.ldap-authz.role-attribute = description
management.endpoints.enabled-by-default=true
Luis: I also have this setting on cas.properties
management.endpoint.metrics.enabled=true
management.endpoint.env.enabled=true
management.endpoint.configurationMetadata.enabled=true
# # curl -X POST -k https://local.uvic.ca/cas/actuator/refresh was accepted but browser refresh -> 500
# # management.endpoint.refresh.enabled=true
# # not sure how to call
# # management.endpoint.autoconfig.enabled=true
# default:
# health,info
# cas built in (or part of already configured features), enabled with '*' (some may not work):
# samlValidate,yubikeyAccountRepository,loggingConfig,beans,caches,conditions,configprops,env,loggers,heapdump,threaddump,metrics,scheduledtasks,mappings,refresh,features
# cas-server-support-reports, status is auto enabled, provides:
# status,springWebflow,auditLog,registeredServices.exportRegisteredServices,ssoSession,statistics,releaseAttributes
# cas-server-core-configuration-metadata-repository configurationMetadata is auto enabled, provides:
# configurationMetadata
# cas-server-support-discovery-profile provides:
# discoveryProfile
management.endpoints.web.exposure.include=*
Luis: I also have this setting on cas.properties
# https://apereo.github.io/2018/11/06/cas6-admin-endpoints-security/
# must specify auto enabled / default endpoints if using exposure.include
# management.endpoints.web.exposure.include=health,info,configurationMetadata,discoveryProfile,auditLog
# # cas.monitor.endpoints.endpoint.defaults.access[0]=IP_ADDRESS
# # cas.monitor.endpoints.endpoint.defaults.requiredIpAddresses[0]=\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}
# # #cas.monitor.endpoints.endpoint.defaults.requiredIpAddresses[0]=127\\.0\\.0\\.1
# # shows free memory
# management.endpoint.health.show-details=always
# # shows health items below
# management.health.defaults.enabled=true
# # on by default
# # management.health.memoryHealthIndicator.enabled=true
# # management.health.systemHealthIndicator.enabled=true
# # management.health.sessionHealthIndicator.enabled=true
# # management.health.hazelcastHealthIndicator.enabled=true
# # management.health.pooledLdapConnectionFactoryHealthIndicator.enabled=true
# # management.health.samlRegisteredServiceMetadataHealthIndicator.enabled=true
management.endpoint.ticketExpirationPolicies.enabled=true
Luis: I don’t have this config, think I don’t need it for my CAS management tests
management.endpoints.web.exposure.include=*
Luis: I also have this setting on cas.properties, it’s duplicated on this config
# # can not be accessed once authenticated. I know, weird, right?
cas.monitor.endpoints.endpoint.health.access=ANONYMOUS
# # cas.monitor.endpoints.endpoint.info.access=ANONYMOUS
# spring.security.user.name=casuser
spring.security.user.password=Some secret, spaces are cool
# cas.monitor.endpoints.endpoint.defaults.access=AUTHENTICATED
cas.monitor.endpoints.endpoint.defaults.access=ANONYMOUS
Luis: for now I have all actuator access ANONYMOUS, for testing purposes
Luis: cas.monitor.endpoints.endpoint.defaults.access=ANONYMOUS
What makes me think that my "CAS management => Administration => Release Attributes" “403” problem might be a bug is:
-all other CAS management features that I’ve tested work fine (eg Manage Services, Resolve Attributes)
-couldn’t find anybody on this group stating that it can use this feature correctly on cas management 6.6.2
Does my above reasoning make sense?
Hello Ray,
Regarding this subject, I finally found what my problem was.
I was passing a wrong value in "CAS management => Administration => Release Attributes => Service"
I was passing:
Username: <myUser>
Password: <mypassword>
Service: <myServiceNAME>, eg “myServiceName”
when the correct values should be
Username: <myUser>
Password: <mypassword>
Service: <myServiceURL>, eg https://.*myServiceName.*
The code below throw an UnauthorizedSsoServiceException, because registeredService was getting null, due to not matching my wrong “Service” value “myServiceName”.
org.apereo.cas.authentication.handler.RegisteredServiceAuthenticationHandlerResolver
@Override
public boolean supports(final Set<AuthenticationHandler> handlers, final AuthenticationTransaction transaction) {
val service = authenticationServiceSelectionPlan.resolveService(transaction.getService());
if (service != null) {
==> val registeredService = this.servicesManager.findServiceBy(service);
LOGGER.trace("Located registered service definition [{}] for this authentication transaction", registeredService);
if ( ==> registeredService == null <== || !registeredService.getAccessStrategy().isServiceAccessAllowed()) {
LOGGER.warn("Service [{}] is not allowed to use SSO.", service);
throw new UnauthorizedSsoServiceException();
}
CAS management called the https://localhost:8443/sso/actuator/releaseAttributes CAS server actuator in this feature/screen, with POST and the three parameters above, just as explained in the docs (https://apereo.github.io/cas/6.6.x/integration/Attribute-Release-Policies.html#actuator-endpoints).
I was able to reproduce the error with curl (instead of manually testing with cas management):
curl -v -k -d '{"username":"myUser","password":"mypassword","service":"https://.*myServiceName.*"}' -H 'Content-Type: application/json' https://localhost:8443/sso/actuator/releaseAttributes.
What caused my mistake, was that “Service=myServiceName” works fine on "CAS management => Administration => RESOLVE Attributes", but it makes sense that the value passed on “Service” matches the serviceId on the JSON service registy file for my service.
In conclusion, no bug on "CAS management => Administration => Release Attributes", just my error when passing value of “Service” parameter.