Can we remove the /adminlogin URL entirely?


Hedley Proctor

May 18, 2020, 12:11:51 PM
to CAS Community
We've recently upgraded from CAS3 to CAS6.0.3. I can see that it has an admin URL available at /adminlogin. For security, I would like to disable this admin login. I can't find much information about the admin login, but I believe it is the login for the management stats, as per:


It looks like I can disable all of the management endpoints with:

management.endpoints.enabled-by-default=false
management.endpoints.web.exposure.include=
management.endpoints.jmx.exposure.exclude=*

However, the login endpoint itself is accessible. Is there a property I can use to disable it? Or, failing that, a change to the WAR overlay?

Thanks.

Hedley

Hedley Proctor

May 22, 2020, 9:03:19 AM
to CAS Community
The approach we've ended up taking is to have a configuration class as follows:

import org.apereo.cas.configuration.CasConfigurationProperties;
import org.springframework.boot.context.properties.EnableConfigurationProperties;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.Ordered;
import org.springframework.web.servlet.config.annotation.ViewControllerRegistry;
import org.springframework.web.servlet.config.annotation.WebMvcConfigurer;

@Configuration("myCasConfiguration")
@EnableConfigurationProperties(CasConfigurationProperties.class)
public class MyCasConfiguration implements WebMvcConfigurer {

    @Override
    public void addViewControllers(ViewControllerRegistry registry) {
        // Map "/adminlogin" to a redirect to a non-existent view so the admin login page is never served
        registry.addRedirectViewController("/adminlogin", "notfound");
        // Register ahead of CAS's own mappings so this redirect takes precedence
        registry.setOrder(Ordered.HIGHEST_PRECEDENCE);
    }
}

Rafiek M

Nov 13, 2020, 3:38:21 AM
to CAS Community, Hedley Proctor
Thanks for this. We also needed to remove the endpoint for security reasons.

On Friday, May 22, 2020 at 15:03:19 UTC+2, Hedley Proctor wrote:

Juan Manuel Díaz Nevado

May 6, 2022, 3:16:43 AM
to CAS Community, rafiek.moh...@gmail.com, Hedley Proctor
Although it is an old thread, I propose a solution in case someone arrives here in the future.

If we add a rewrites.config file to the overlay, in the src/main/resources/container/tomcat/ folder, CAS will load it at the application level and the embedded Tomcat will apply it for routes under /cas.

So with an entry like this:

RewriteCond %{REQUEST_URI} ^/cas/adminlogin$
RewriteRule ^(.*)$ https://cas.example.com/cas [R=301,L]

we can block access to adminlogin.
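As an added example (not part of the thread), a small offline check of which request paths a RewriteCond pattern like the one above would actually catch: `^/cas/adminlogin$` is an exact match, so a trailing-slash or mixed-case variant is left to the application, and whether CAS would then still serve the admin login for those paths is something to confirm on the deployment itself. The broadened pattern and the sample paths are constructed for the illustration, not taken from the thread.

```python
import re

# Rules in the shape of the rewrites.config entry: (RewriteCond regex, flags).
# "NC" is Tomcat's case-insensitive flag for RewriteCond.
ORIGINAL_RULE = (r"^/cas/adminlogin$", "")
# Assumed broadened variant (not from the thread): also matches a trailing slash
# and any letter case. Only useful if the application would route those paths
# to the same admin login controller, which must be checked on the deployment.
BROADENED_RULE = (r"^/cas/adminlogin/?$", "NC")

# Constructed request paths to exercise the block rule against.
SAMPLE_URIS = [
    "/cas/adminlogin",
    "/cas/adminlogin/",
    "/cas/AdminLogin",
    "/cas/login",
    "/cas/adminlogin/extra",
]


def uri_matches(rule, request_uri):
    """True if the rule's RewriteCond would fire for this request URI."""
    pattern, flags = rule
    re_flags = re.IGNORECASE if "NC" in flags.split(",") else 0
    # Tomcat's %{REQUEST_URI} is the request path only; a query string is not part of it.
    path = request_uri.split("?", 1)[0]
    return re.search(pattern, path, re_flags) is not None


def coverage(rule, uris=SAMPLE_URIS):
    """Map each sample URI to whether the rule would redirect it."""
    return {uri: uri_matches(rule, uri) for uri in uris}


def uncovered(rule, uris=SAMPLE_URIS):
    """Sample URIs that pass through to the application untouched by the rule."""
    return [uri for uri in uris if not uri_matches(rule, uri)]


if __name__ == "__main__":
    for name, rule in (("original", ORIGINAL_RULE), ("broadened", BROADENED_RULE)):
        print(name, "leaves through:", uncovered(rule))
```

Whatever pattern is deployed, the `/cas/login` path must stay uncovered, since it is the normal user login that the redirect must not interfere with.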
