CAS 5.2.4 Endpoint access


Sam Erie

Oct 25, 2019, 1:09:00 AM
to cas-...@apereo.org
I have been struggling to get access to development CAS v5.2.4 status endpoints. I was unable to get them unsecured and went on to add Spring Security with a master user, whom it is correctly validating, but somehow my IP is still not authorized. Following are the relevant properties and logs. I'm confused by the fact that it should be matching any IP with .+ yet it still says Unauthorized IP address. Any help would be much appreciated.


endpoints.status.enabled=true 
endpoints.status.sensitive=false
endpoints.dashboard.enabled=true
endpoints.dashboard.sensitive=false
cas.adminPagesSecurity.ip=.+
security.user.password=admin
 
2019-10-23 21:58:11,093 DEBUG [org.pac4j.core.engine.DefaultSecurityLogic] - <=== SECURITY ===>
2019-10-23 21:58:11,093 DEBUG [org.pac4j.core.engine.DefaultSecurityLogic] - <url: https://sanitized/cas/status>
2019-10-23 21:58:11,093 DEBUG [org.pac4j.core.engine.DefaultSecurityLogic] - <matchers: null>
2019-10-23 21:58:11,093 DEBUG [org.pac4j.core.engine.DefaultSecurityLogic] - <clients: IpClient>
2019-10-23 21:58:11,094 DEBUG [org.pac4j.core.engine.DefaultSecurityLogic] - <currentClients: [#IpClient# | name: IpClient | credentialsExtractor: null | authenticator: IpRegexpAuthenticator[.+ ] | profileCreator: org.pac4j.core.profile.creator.AuthenticatorProfileCreator@290e9599 | authorizationGenerators: [] |]>
2019-10-23 21:58:11,095 DEBUG [org.pac4j.core.engine.DefaultSecurityLogic] - <loadProfilesFromSession: false>
2019-10-23 21:58:11,110 DEBUG [org.pac4j.core.engine.DefaultSecurityLogic] - <profiles: []>
2019-10-23 21:58:11,110 DEBUG [org.pac4j.core.engine.DefaultSecurityLogic] - <Performing authentication for direct client: #IpClient# | name: IpClient | credentialsExtractor: null | authenticator: IpRegexpAuthenticator[.+ ] | profileCreator: org.pac4j.core.profile.creator.AuthenticatorProfileCreator@290e9599 | authorizationGenerators: [] |>
2019-10-23 21:58:11,126 DEBUG [org.pac4j.http.client.direct.IpClient] - <Credentials validation took: 14 ms>
2019-10-23 21:58:11,126 INFO [org.pac4j.http.client.direct.IpClient] - <Failed to retrieve or validate credentials: Unauthorized IP address: 172.21.96.74>
2019-10-23 21:58:11,126 DEBUG [org.pac4j.http.client.direct.IpClient] - <Failed to retrieve or validate credentials>
org.pac4j.core.exception.CredentialsException: Unauthorized IP address: 172.21.96.74

David Curry

Oct 25, 2019, 7:45:23 AM
to CAS Community
At first blush it looks like your cas.properties property names are wrong; there might be other things too that you didn't happen to quote. Here's a step-by-step for enabling them all, if you find it helpful:


--Dave 

--

DAVID A. CURRY, CISSP
DIRECTOR • INFORMATION SECURITY & PRIVACY
THE NEW SCHOOL  INFORMATION TECHNOLOGY

71 FIFTH AVE., 9TH FL., NEW YORK, NY 10003
+1 646 909-4728
david...@newschool.edu




Sam Erie

Oct 29, 2019, 12:29:17 AM
to cas-...@apereo.org
Thank you very much, that did the trick. Your site is a huge help, very nice to have clear examples and explanations. The only thing I am still not sure about is how to secure the /status endpoint. 

David Curry

Oct 29, 2019, 7:45:15 AM
to CAS Community
At least in CAS 5.[1-3].x, the /status endpoint itself is secured by the IP address pattern (and nothing else). It's a Java regular expression, so you can get pretty fancy with it, though. We use something like this:

cas.adminPagesSecurity.ip:              ^192\\.168\\.(1\\.[0-9]{1,3}|2\\.1[45]|3\\.1[56])$

which permits access from any host on the 192.168.1 subnet, two hosts on the 192.168.2 subnet (.14 and .15), and two hosts on the 192.168.3 subnet (.15 and .16).

That's the "IT staff" subnet (.1), and the "inside side" of the load balancers (the production ones on .2, and the test ones on .3). The load balancers are there so they can hit /status to check that the server is up (we use a pool).

--Dave





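An added example, not code from the thread, from CAS or from pac4j: the Python below models the two steps between the cas.properties text and the "Unauthorized IP address" decision, namely how java.util.Properties turns the file text into the regex string the authenticator receives, and the full-match test of that regex against the remote address. Two loader details are worth knowing when the pattern "looks right" but rejects everyone. First, a properties value keeps its trailing whitespace (the loader skips only leading blanks), and the log earlier in this thread prints the authenticator's pattern as `.+ ` with a trailing space, which can never fully match a bare dotted-quad address. Second, a backslash in a properties file is an escape, so `\.` must be written `\\.` (as in the subnet pattern above) or the loader consumes it and the regex receives a bare `.`. The properties fragment, the `demo.*` keys and the candidate addresses are constructed for the demonstration; treating the match as whole-address (Java `Matcher.matches()`, `re.fullmatch` here) is an assumption about the IP-regex authenticator rather than something verified against the 5.2.4 sources.

```python
import re

# Constructed cas.properties fragment for this example (not the thread's file).
# The first two values end in a trailing space, the situation the thread's log
# line "IpRegexpAuthenticator[.+ ]" reveals; the keys prefixed "demo." are
# hypothetical names used only to hold the other variants side by side.
SAMPLE_PROPERTIES = (
    "# admin page security (constructed sample)\n"
    "endpoints.status.enabled=true \n"        # trailing space survives loading
    "cas.adminPagesSecurity.ip=.+ \n"         # trailing space survives loading
    "demo.ip.any=.+\n"                        # same pattern, no trailing space
    # "\\\\." in Python source is "\\." in the file, which loads as "\." (literal dot)
    "demo.ip.subnets: ^192\\\\.168\\\\.(1\\\\.[0-9]{1,3}|2\\\\.1[45]|3\\\\.1[56])$\n"
    # a single backslash in the file is consumed by the loader: "\." becomes "."
    "demo.ip.single=^192\\.168\\.1\\.[0-9]{1,3}$\n"
)

# Constructed remote addresses to test against each pattern.
CANDIDATES = ("172.21.96.74", "192.168.1.250", "192.168.2.14",
              "192.168.2.16", "192.168.3.16", "192.168.10.5")


def _unescape(s):
    r"""Process java.util.Properties escapes: \\ -> \, \n, \t, \uXXXX, and \x -> x."""
    out, i = [], 0
    while i < len(s):
        ch = s[i]
        if ch == "\\" and i + 1 < len(s):
            nxt = s[i + 1]
            if nxt == "u" and i + 6 <= len(s):
                out.append(chr(int(s[i + 2:i + 6], 16)))
                i += 6
                continue
            out.append({"n": "\n", "t": "\t", "r": "\r", "f": "\f"}.get(nxt, nxt))
            i += 2
            continue
        out.append(ch)
        i += 1
    return "".join(out)


def parse_properties(text):
    """Minimal java.util.Properties loader: returns {key: value}.

    Reproduces the two loader behaviours that matter for a regex value:
    backslash escapes are processed, and only LEADING whitespace of a value
    is skipped, so trailing blanks become part of the value. Comment lines
    are skipped; line continuations are not needed here and not handled.
    """
    props = {}
    for raw in text.splitlines():
        line = raw.lstrip()
        if not line or line[0] in "#!":
            continue
        i = 0  # find the first unescaped separator: '=', ':' or whitespace
        while i < len(line):
            if line[i] == "\\":
                i += 2
                continue
            if line[i] in "=: \t":
                break
            i += 1
        key = _unescape(line[:i])
        rest = line[i:].lstrip(" \t")
        if rest[:1] in ("=", ":"):
            rest = rest[1:].lstrip(" \t")
        props[key] = _unescape(rest)  # deliberately no rstrip()
    return props


def ip_authorized(pattern, remote_addr):
    """The whole remote address must match the pattern (Java Matcher.matches()
    semantics, modelled with re.fullmatch); otherwise: 'Unauthorized IP address'."""
    return re.fullmatch(pattern, remote_addr) is not None


def lint_ip_pattern(value):
    """Pre-deployment sanity checks on an admin-page IP pattern value."""
    warnings = []
    if value != value.strip():
        warnings.append("leading/trailing whitespace: a bare address can never fully match")
    try:
        compiled = re.compile(value)
    except re.error as exc:
        return warnings + ["pattern does not compile: %s" % exc]
    # two unrelated TEST-NET addresses (RFC 5737); if both pass, nothing is restricted
    if compiled.fullmatch("203.0.113.7") and compiled.fullmatch("198.51.100.9"):
        warnings.append("pattern admits arbitrary public addresses; it restricts nothing")
    return warnings


def check_all(text=SAMPLE_PROPERTIES):
    """For each pattern, which candidate addresses would be let through."""
    props = parse_properties(text)
    keys = ("cas.adminPagesSecurity.ip", "demo.ip.any", "demo.ip.subnets")
    return {k: {ip: ip_authorized(props[k], ip) for ip in CANDIDATES} for k in keys}


if __name__ == "__main__":
    props = parse_properties(SAMPLE_PROPERTIES)
    for key, verdicts in check_all().items():
        print("%s = %r" % (key, props[key]), lint_ip_pattern(props[key]))
        for ip, ok in verdicts.items():
            print("   %-15s %s" % (ip, "allowed" if ok else "Unauthorized IP address"))
    print("demo.ip.single loads as %r" % props["demo.ip.single"])
```

Run it and the `.+ ` value rejects every candidate while `.+` (no trailing space) admits all of them, including 172.21.96.74, which is the reminder that `.+` is not a restriction at all; the `\\.`-escaped subnet pattern admits exactly the hosts David lists and nothing on 192.168.10. The lint function is the kind of check to run over the generated properties before a deployment, since neither problem produces a startup error.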