cas-management unable to log in


Vincent Delhommmeau

Feb 9, 2023, 12:54:01 AM
to CAS Community
Hello,

I am trying to set up a cas-management web application 6.6.0 on a cas server 6.4.0.
After a successful cas login, this message is displayed by the cas-management application (approximate translation):
"The CAS management application is unavailable.
An error has occurred. Please contact your support or try again"

In cas-management.log I have this (short version):
"Unable to authorize access, since the authenticated profile does not contain any required roles"

In management.properties I tried
mgmt.userPropertiesFile=file:/etc/cas/config/users.json
and
mgmt.userPropertiesFile=file:/etc/cas/config/users.properties

I also defined a second admin role (which should match a returned attribute):
mgmt.adminRoles[0]=ROLE_ADMIN
mgmt.adminRoles[1]=EHPRSI_INF

users.properties:
# Only 'casuser' is authorized to use cas services management app
vdelhomm=notused,ROLE_ADMIN

users.json:
{
  "vdelhomm" : {
    "@class" : "org.apereo.cas.mgmt.authz.json.UserAuthorizationDefinition",
    "roles" : [ "ROLE_ADMIN" ]
  }
}

I also created a cas attribute which is returned to the service after authentication:

attribute-def-store.json:
{
    "@class" : "java.util.TreeMap",
    "roles" : {
      "@class" : "org.apereo.cas.authentication.attribute.DefaultAttributeDefinition",
      "key" : "roles",
      "scoped" : false,
      "attribute" : "supannEntiteAffectation"
    }
}

service json file:
...
 "attributeReleasePolicy" : {
    "@class" : "org.apereo.cas.services.ReturnAllowedAttributeReleasePolicy",
    "allowedAttributes" :
    [ "java.util.ArrayList", [ "uid", "roles" ] ]
 }

The attribute is returned, but the cas management application doesn't care about it.
I suppose that it was not a good idea.

What did I miss?
It seems that the user is not found in users.properties or users.json.
Is "uid" the correct attribute to return?

thanks,

PS: the cas-management.log message, long version:
2023-02-08 17:42:57,530 WARN [org.apereo.cas.mgmt.authz.CasRoleBasedAuthorizer] - Unable to authorize access, since the authenticated profile [#CasProfile# | id: vdelhomm
| attributes: {clientIpAddress=x.x.x.x, credentialType=UsernamePasswordCredential, uid=vdelhomm, isFromNewLogin=true, authenticationDate=2023-02-08T16:42:57.273849Z,
authenticationMethod=LdapAuthenticationHandler, roles=EHPRSI_INF, successfulAuthenticationHandlers=LdapAuthenticationHandler, serverIpAddress=y.y.y.y,
userAgent=Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.3578.98 Safari/537.36 OPR/58.0.3135.127,
longTermAuthenticationRequestTokenUsed=false} | roles: [] | permissions: [] | isRemembered: false | clientName: CasClient | linkedId: null |] does not contain any required roles

Ray Bon

Feb 9, 2023, 12:27:52 PM
to cas-...@apereo.org
Vincent,

In cas management 6.5 we use this to identify the property:
mgmt.authz-attributes[0] = [attribute name with value ROLE_ADMIN]

If you are releasing the attribute, you will not need the files.

Ray

On Wed, 2023-02-08 at 09:02 -0800, Vincent Delhommmeau wrote:
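To make Ray's point concrete, here is an added Python model of the decision logged in the first message (example code, not CAS code and not from either poster): roles are copied into the profile only from the attribute named in mgmt.authz-attributes, so a released "roles" attribute that is not mapped stays in the attributes map and the profile's roles list remains empty, as in the log. The properties fragment and profile dict are constructed for this example; how CAS actually populates roles internally is an assumption here.

```python
import re

# Constructed management.properties fragment (not the poster's file): the
# adminRoles from the question plus the authz-attributes setting from the reply.
MANAGEMENT_PROPERTIES = """
mgmt.adminRoles[0]=ROLE_ADMIN
mgmt.adminRoles[1]=EHPRSI_INF
mgmt.authz-attributes[0] = roles
"""

# Profile shaped like the dump in cas-management.log: the released attribute
# "roles" carries EHPRSI_INF, but nothing has mapped it into the roles list yet.
PROFILE = {"id": "vdelhomm",
           "attributes": {"uid": "vdelhomm", "roles": "EHPRSI_INF"}}


def indexed_property(props: str, key: str) -> list:
    """Collect key[0], key[1], ... values from properties text, in index order."""
    pattern = re.compile(r"^\s*" + re.escape(key) + r"\[(\d+)\]\s*=\s*(.*?)\s*$", re.M)
    found = sorted((int(i), v) for i, v in pattern.findall(props))
    return [v for _, v in found]


def profile_roles(profile: dict, authz_attributes: list) -> set:
    """Assumed mapping: only attributes named in mgmt.authz-attributes feed the
    roles list; any other released attribute never reaches it."""
    roles = set()
    for name in authz_attributes:
        value = profile["attributes"].get(name)
        if value is None:
            continue
        # Released attributes may be single- or multi-valued.
        roles.update(value if isinstance(value, list) else [value])
    return roles


def authorize(profile: dict, props: str) -> bool:
    """Grant access only if the profile's roles list shares at least one entry
    with mgmt.adminRoles, which is the check the WARN line reports as failing."""
    admin_roles = set(indexed_property(props, "mgmt.adminRoles"))
    roles = profile_roles(profile, indexed_property(props, "mgmt.authz-attributes"))
    return bool(roles & admin_roles)
```

Dropping the mgmt.authz-attributes line from the fragment reproduces the empty roles list and the denial from the log; with it, EHPRSI_INF matches the second admin role and access is granted.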

Vincent Delhommmeau

Feb 9, 2023, 12:48:49 PM
to CAS Community, Vincent Delhommmeau
I made a typo: it is a cas server 6.6.4.

Vincent Delhommmeau

Feb 11, 2023, 12:04:07 AM
to CAS Community, Vincent Delhommmeau
Ray,

That did it, thank you!!

Now I can see the main page (cas-management/management/registry) with a menu bar on the left (CAS Services, OAuth Services ...).
But I can't do anything, and I have a new error in the log:

[org.springframework.web.util.NestedServletException: Request processing failed; nested exception is java.lang.IllegalAccessException: You do not have permission to the domain 'default']

It is related to the services registry, which is ruled globally (default) or by domain.
The only place I see to set permissions is the users json file:

{
  "casuser" : {
    "@class" : "org.apereo.cas.mgmt.authz.json.UserAuthorizationDefinition",
    "roles" : [ "ROLE_ADMIN" ],
    "permissions" : [ "DOMAIN1" ,"DOMAIN2" ]
  }
}

I changed the permissions to "default" for my user, with no change.
Is this the right way to set permissions?

management.properties:
mgmt.userPropertiesFile=file:/etc/cas/users/users.json
tomcat has read permission on the folder and the file.

Any idea?