CAS 7.3.5 Migration - 403 Forbidden when accessing service registry


Mohamed Iheb JEMAI

May 4, 2026, 9:45:33 AM (9 days ago) May 4
to CAS Community
Hello,

I’m currently migrating a CAS server from version 6.6.15 to 7.3.5.

In CAS 6.6.15, we were using actuator endpoints to:
- list registered services via:
  /cas/actuator/registeredServices
- import services via:
  POST /cas/actuator/registeredServices/import

This was working fine with basic properties configuration.

After upgrading to CAS 7.3.5, I’m facing a consistent HTTP 403 (Forbidden) on:
  /cas/actuator/registeredServices

Context:
- Spring Boot 3 / Spring Security 6
- Using basic auth with:
  spring.security.user.name
  spring.security.user.password
  spring.security.user.roles=ACTUATOR

Configuration includes:
- management.endpoints.web.exposure.include=*
- cas.monitor.endpoints.endpoint.defaults.access=PERMIT
- cas.monitor.endpoints.endpoint.registeredServices.access=PERMIT

Despite that:
- Browser access → 403
- curl with -u → 403

Questions:
1. Is access to /actuator/registeredServices now restricted by default in CAS 7?
2. Is additional Spring Security configuration required (beyond properties)?
3. Is the import endpoint still supported in CAS 7.3.5?

Thanks in advance for your help.

Ray Bon

May 4, 2026, 2:03:06 PM (9 days ago) May 4
to cas-...@apereo.org
Mohamed,

You may need to add
management.endpoint.registeredServices.access=

You can see it by expanding the GET description of registeredServices and clicking on the book icon, then select the Configuration tab, https://apereo.github.io/cas/7.3.x/services/Service-Management.html

Ray


Mohamed Iheb JEMAI

May 5, 2026, 7:56:06 PM (8 days ago) May 5
to CAS Community, Ray Bon

Hi Ray,

Thank you for your reply.

I added the new properties and exposed the endpoint, but I still have the same issue with /cas/actuator/registeredServices and I continue getting an access denied / 403 page.

Here is my current configuration:

management.endpoint.health.access=unrestricted
management.endpoint.info.access=read-only
management.endpoint.registeredServices.access=ANONYMOUS

management.endpoints.web.exposure.include=health,info,registeredServices

I also tested with:

cas.monitor.endpoints.endpoint.health.access=ANONYMOUS
cas.monitor.endpoints.endpoint.info.access=AUTHENTICATED

but the problem remains the same.

The endpoint is exposed, however accessing:

/cas/actuator/registeredServices

still redirects to the CAS access denied page.

Do I also need an additional module/dependency or a specific Spring Security configuration in CAS 7.3.5 for this endpoint?

Thank you.

Ray Bon

May 5, 2026, 8:43:29 PM (8 days ago) May 5
to cas-user list
Mohamed,

This one:
implementation "org.apereo.cas:cas-server-support-reports"
If you can, set all endpoint access to ANONYMOUS or UNRESTRICTED, until it is working as expected.

Ray


Mohamed Iheb JEMAI

May 9, 2026, 9:21:25 AM (4 days ago) May 9
to CAS Community, Ray Bon

Hi Ray,

Thank you for your help.

I added:

implementation "org.apereo.cas:cas-server-support-reports"

I also tried setting all endpoint access to anonymous, but CAS failed to start with:

No enum constant org.springframework.boot.actuate.endpoint.Access.ANONYMOUS

Then I switched to:

management.endpoint.health.access=unrestricted
management.endpoint.info.access=unrestricted
management.endpoint.registeredServices.access=unrestricted
management.endpoints.web.exposure.include=*

and removed/commented old:

cas.monitor.endpoints.endpoint.*

properties.

CAS now starts correctly, but I still receive the CAS “Access Denied” page when accessing:

/cas/actuator/registeredServices

Could you please share a working configuration example for CAS 7.3.5?

Thank you.


Frédéric Dussurget

May 11, 2026, 9:54:53 AM (2 days ago) May 11
to CAS Community, Mohamed Iheb JEMAI, Ray Bon
Hi Mohamed,
Just in case: I had to force the flag ' -H "Content-Type: application/json" ' from 7.2.x to 7.3.x to make some of my requests work. For example, for this DELETE action:
curl -k -H "Content-Type: application/json" -X DELETE https://localhost/cas/actuator/registeredServices/20 |jq
From 7.3.x, without specifying this content-type, it stopped working.
Regards

Ray Bon

May 11, 2026, 4:48:30 PM (2 days ago) May 11
to Mohamed Iheb JEMAI, CAS Community
Mohamed,

Some of the endpoints are built into Spring [1], some are custom to CAS. Most of the endpoints have restricted access by default.
In most [all] cases you will need two properties per endpoint:

management.endpoints.web.exposure.include=*
# these two will allow access to many, but not all, endpoints
management.endpoints.access.default=UNRESTRICTED
cas.monitor.endpoints.endpoint.defaults.access=ANONYMOUS
# for specific endpoint access
management.endpoint.registeredServices.access=UNRESTRICTED
cas.monitor.endpoints.endpoint.registeredServices.access=ANONYMOUS

If you want authenticated access, set these properties [2]:
spring.security.user.password=

Unfortunately, the spring security approach means all admins use the same login /:(

I also have this import. Docs suggest that it is for statistics, but maybe it has an effect:

    implementation "org.apereo.cas:cas-server-support-metrics"

Ray
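
An added example, not from the thread or from the CAS project: a small Python audit of a properties file against the three settings the reply above lists (web exposure, the Spring Boot `management.endpoint.<id>.access` value, and the CAS `cas.monitor.endpoints.endpoint.<id>.access` value). The helper names, the finding strings and the exact-key lookup are assumptions of this sketch; the Spring value set is the `Access` enum named in the startup error earlier in the thread.

```python
# Values of org.springframework.boot.actuate.endpoint.Access (Spring Boot side).
SPRING_ACCESS = {"NONE", "READ_ONLY", "UNRESTRICTED"}
# Assumption: only the CAS-side values this thread uses for "no login needed".
CAS_OPEN = {"ANONYMOUS", "PERMIT"}

def parse_properties(text):
    """Parse key=value lines, skipping blanks and # comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            props[key.strip()] = value.strip()
    return props

def norm(value):
    """Mimic relaxed enum binding: 'read-only' -> 'READ_ONLY'."""
    return value.upper().replace("-", "_")

def audit_endpoint(props, endpoint):
    """Return findings for one actuator endpoint id (hypothetical helper)."""
    findings = []
    include = props.get("management.endpoints.web.exposure.include", "")
    exposed = {e.strip().lower() for e in include.split(",")}
    if "*" not in exposed and endpoint.lower() not in exposed:
        findings.append("not-exposed")
    spring = props.get(f"management.endpoint.{endpoint}.access",
                       props.get("management.endpoints.access.default"))
    if spring is None:
        findings.append("spring-access-unset")
    elif norm(spring) not in SPRING_ACCESS:
        findings.append(f"spring-access-invalid:{spring}")
    cas = props.get(f"cas.monitor.endpoints.endpoint.{endpoint}.access",
                    props.get("cas.monitor.endpoints.endpoint.defaults.access"))
    if cas is None:
        findings.append("cas-access-unset")
    if spring and cas and norm(spring) == "UNRESTRICTED" and norm(cas) in CAS_OPEN:
        findings.append("open-without-login")
    return findings

# Sample input: the properties from the 5 May message in this thread.
MAY5 = parse_properties("""
management.endpoint.registeredServices.access=ANONYMOUS
management.endpoints.web.exposure.include=health,info,registeredServices
cas.monitor.endpoints.endpoint.health.access=ANONYMOUS
""")

if __name__ == "__main__":
    print(audit_endpoint(MAY5, "registeredServices"))
```

The `open-without-login` finding marks the troubleshooting state suggested in the thread (both layers opened up), which is worth flagging before the same file reaches a production deployment.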

