Assign roles properties for CAS's user or CAS's service registry

[Napoleon Ponaparte]

Hi,

I have succeeded config CAS Overlay template 6.2.x can authenticated user that registed in MongoDB.

Here is my config:

1. CAS Properties

"name":"cas.authn.mongo.name","value":"users"
"name":"cas.authn.mongo.database-name","value":"users"
"name":"cas.authn.mongo.collection","value":"users"
"name":"cas.authn.mongo.username-attribute","value":"username"
"name":"cas.authn.mongo.password-attribute","value":"password"
"name":"cas.authn.mongo.user-id","value":"casuser"
"name":"cas.authn.mongo.password","value":"Mellon"

"name":"cas.authn.mongo.attributes","value":"lastname,useremail,usertel"
"name":"cas.authn.mongo.clientUri","value":"mongodb://casuser:Mellon@IP:port/users?authSource=admin&readPreference=primary&appname=MongoDB%20Compass%20Community&ssl=false"

2. And this is user properties in User collecion

"username":"root",

"password":"root",

"lastname":"VNPT ADMIN",

"useremail":"xxx",

"usertel":"xxx"

But,  I have faced with problem about CAS Management Web App service.

Here is CAS Management Web App log:

WARN [org.apereo.cas.mgmt.authz.CasRoleBasedAuthorizer] - <Unable to authorize access, since the authenticated profile [#CasProfile# | id: root | attributes: {credentialType=UsernamePasswordCredential, isFromNewLogin=false, authenticationDate=2020-08-26T08:51:16.865441Z[UTC], authenticationMethod=users, successfulAuthenticationHandlers=users, longTermAuthenticationRequestTokenUsed=false} | roles: [] | permissions: [] | isRemembered: false | clientName: CasClient | linkedId: null |] does not contain any required roles>

Here is my service registry for CAS Manaement Web App:

{
  "@class" : "org.apereo.cas.services.RegexRegisteredService",
  "serviceId":"^https://cas-server-domain:8088/cas-management.+",
  "name" : "casManagement",
  "id" : 1,
  "evaluationOrder" : 1,
  "allowedAttributes":["cn","mail"]
}

CAS server succeed create and authorized access token for user (id = root) but CAS Management missing user's role.

I don't know how to assign ROLE for user or indicate user's role fixed in service registry.

Please help me.

Thank you in advance.

[Victor Manuel Contreras Ponce]

No melo podrá mandar en español 

--
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google Groups "CAS Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email to cas-user+u...@apereo.org.
To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/d45135e1-e8d4-4f55-9e49-02e1d825c18bn%40apereo.org.

[Nguyen Tran Thanh Lam]

Sorry,

Could you use English, please?

Vào Th 5, 27 thg 8, 2020 vào lúc 22:28 Victor Manuel Contreras Ponce <victormanuelco...@gmail.com> đã viết:

To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/CAGdHp3kNTDV6aDh%2BnB88Xnf7v9V4c%3DnSjAYRJb%3DstuBWac0JyA%40mail.gmail.com.

[Jérôme LELEU]

Hi,

You need to add a users.json (or users.yml in YAML format) file in the classpath.

For example:

{
 "casuser" : {
   "roles" : [ "ROLE_ADMIN" ]
 }
}

Thanks.

Best regards,

Jérôme

[Nguyen Tran Thanh Lam]

Hi Mr Jérôme LELEU,

Yes I know this configuration but I have inconvenient process when I create new user.
It means, when I create new user in MongoDB, CAS Overlay can authenticated new user (I must not restart cas service) but with CAS Management Web App, I must add this role for new user to user.json file and restart CAS Management Web App service.

For example:

First:

I have already had one user with username is casuser and password =x1.
I could use casuser/x1 as CAS's account to use CAS Overlay and CAS Management Web app feature.

Next:

I add new user  with username is casuser2 and password =x2.

I could use casuser2/x2 as CAS's account to use CAS Overlay feature.
But with CAS Management Web App, I need modified user.json file like this

{
 "casuser" : {
   "roles" : [ "ROLE_ADMIN" ]
 },
  
"casuser2" : {
   "roles" : [ "ROLE_ADMIN" ]
 },
}

Then restart CAS Management service. After that, I could use this casuser2 account for CAS Management Web App.

It's very inconvenient, thus I hope any way to fix this role for all users.

Please help me.

Thank you in advance.

Vào Th 2, 31 thg 8, 2020 vào lúc 13:44 Jérôme LELEU <lel...@gmail.com> đã viết:

To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/CAP279LydnJDBBuVcJzjGPE6bVPOQUAZkEaxz6J25bcT0kzKO_Q%40mail.gmail.com.

[Ray Bon]

Nguyen,

I am at this point in configuring cas management too.

Our 4.x deploy of cas management used to look up the user in ldap (you would use mongo), and get the ADMIN attribute there. But the 6.1 version does not seem to use ldap (I configured it but no calls to ldap were made).

Cas management uses cas protocol 3, which means that attributes can be returned. I have configured this and I am returning roles=[ADMIN]. This also seems to be ignored.

Perhaps one of the developers of cas management could comment if the .json file is the only way to identify users and roles.

Ray

On Mon, 2020-08-31 at 14:02 +0700, Nguyen Tran Thanh Lam wrote:

Notice: This message was sent from outside the University of Victoria email system. Please be cautious with links and sensitive information.

-- 

Ray Bon

Programmer Analyst

Development Services, University Systems

2507218831 | CLE 019 | rb...@uvic.ca

I respectfully acknowledge that my place of work is located within the ancestral, traditional and unceded territory of the Songhees, Esquimalt and WSÁNEĆ Nations.

[Nguyen Tran Thanh Lam]

Hi Ray,

Could you show me your config that returned properties roles=[ADMIN]?

And

Have you ever tried return this:

roles=[ROLE_ADMIN]

Like user.json

{

 "casuser" : {

  "roles" : [ "ROLE_ADMIN" ]

 }
}

Since my CAS Management Error log like bellow:

WARN [org.apereo.cas.mgmt.authz.CasRoleBasedAuthorizer] - <Unable to authorize access, since the authenticated profile [#CasProfile# | id: root | attributes: {credentialType=UsernamePasswordCredential, isFromNewLogin=false, authenticationDate=2020-08-26T08:51:16.865441Z[UTC], authenticationMethod=users, successfulAuthenticationHandlers=users, longTermAuthenticationRequestTokenUsed=false} | roles: [] | permissions: [] | isRemembered: false | clientName: CasClient | linkedId: null |] does not contain any required roles>

And I guess, If we could fill roles: [] (in red) become role: [ADMIN_ROLE], it will run.

Thank you.

Vào Th 2, 31 thg 8, 2020 vào lúc 23:12 Ray Bon <rb...@uvic.ca> đã viết:

To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/c480bff7770629a1cefb115add03a25d5e8e2e32.camel%40uvic.ca.

[Ray Bon]

Nguyen,

I configured cas properties for attributes (since the admins are under a different tree, than the authentication tree) and the role is in the description attribute:

cas.authn.attributeRepository.ldap[2].id=administrators

cas.authn.attributeRepository.ldap[2].order=2

cas.authn.attributeRepository.ldap[2].attributes.uvicEduPersonYubiKeyID=uvicEduPersonYubiKeyID

cas.authn.attributeRepository.ldap[2].attributes.eduPersonEntitlement=eduPersonEntitlement

cas.authn.attributeRepository.ldap[2].attributes.description=description

cas.authn.attributeRepository.ldap[2].ldapUrl=ldaps://ldaplocal.uvic.ca:636

cas.authn.attributeRepository.ldap[2].connectTimeout=PT3S

cas.authn.attributeRepository.ldap[2].baseDn=ou=administrators,ou=CAS,ou=applications,dc=uvic,dc=ca

cas.authn.attributeRepository.ldap[2].subtreeSearch=true

cas.authn.attributeRepository.ldap[2].searchFilter=uid={user}

cas.authn.attributeRepository.ldap[2].bindDn=cn=Auth Manager,ou=CAS,ou=UVON,ou=administrators,dc=uvic,dc=ca

cas.authn.attributeRepository.ldap[2].bindCredential=

I then modified the service definition to return a mapped attribute (description -> roles):

{

  "@class": "org.apereo.cas.services.RegexRegisteredService",

  "serviceId": "^https://local\\.uvic\\.ca/cas-management/.*",

  "name": "Services Management Web Application on local",

  "id": 50,

  "description": "Services Management Web Application on developer workstation",

  "expirationPolicy":

  {

    "@class": "org.apereo.cas.services.DefaultRegisteredServiceExpirationPolicy",

    "deleteWhenExpired": false,

    "notifyWhenDeleted": false,

    "notifyWhenExpired": false

  },

  "proxyPolicy":

  {

    "@class": "org.apereo.cas.services.RefuseRegisteredServiceProxyPolicy"

  },

  "proxyTicketExpirationPolicy":

  {

    "@class": "org.apereo.cas.services.DefaultRegisteredServiceProxyTicketExpirationPolicy",

    "numberOfUses": 0

  },

  "serviceTicketExpirationPolicy":

  {

    "@class": "org.apereo.cas.services.DefaultRegisteredServiceServiceTicketExpirationPolicy",

    "numberOfUses": 0

  },

  "evaluationOrder": 0,

  "usernameAttributeProvider":

  {

    "@class": "org.apereo.cas.services.DefaultRegisteredServiceUsernameProvider",

    "canonicalizationMode": "NONE",

    "encryptUsername": false

  },

  "logoutType": "BACK_CHANNEL",

  "requiredHandlers":

  [

    "java.util.HashSet",[]

  ],

  "environments":

  [

    "java.util.HashSet",[]

  ],

  "attributeReleasePolicy":

  {

    "@class": "org.apereo.cas.services.ReturnMappedAttributeReleasePolicy",

    "allowedAttributes":

    {

      "@class": "java.util.TreeMap",

      "description":

      [

        "java.util.ArrayList",

        [

          "roles"

        ]

      ]

    },

    "principalAttributesRepository":

    {

      "@class": "org.apereo.cas.authentication.principal.DefaultPrincipalAttributesRepository",

      "mergingStrategy": "MULTIVALUED",

      "ignoreResolvedAttributes": false

    },

    "consentPolicy":

    {

      "@class": "org.apereo.cas.services.consent.DefaultRegisteredServiceConsentPolicy",

      "enabled": true,

      "order": 0

    },

    "authorizedToReleaseCredentialPassword": false,

    "authorizedToReleaseProxyGrantingTicket": false,

    "excludeDefaultAttributes": false,

    "authorizedToReleaseAuthenticationAttributes": true,

    "order": 0

  },

  "multifactorPolicy":

  {

    "@class": "org.apereo.cas.services.DefaultRegisteredServiceMultifactorPolicy",

    "multifactorAuthenticationProviders":

    [

      "java.util.HashSet",[]

    ],

    "failureMode": "CLOSED",

    "bypassEnabled": false,

    "forceExecution": false,

    "bypassTrustedDeviceEnabled": false

  },

  "logoutUrl": "https://local.uvic.ca/cas/logout",

  "accessStrategy":

  {

    "@class": "org.apereo.cas.services.DefaultRegisteredServiceAccessStrategy",

    "order": 0,

    "enabled": true,

    "ssoEnabled": true,

    "delegatedAuthenticationPolicy":

    {

      "@class": "org.apereo.cas.services.DefaultRegisteredServiceDelegatedAuthenticationPolicy",

      "allowedProviders":

      [

        "java.util.ArrayList",[]

      ],

      "permitUndefined": true,

      "exclusive": false

    },

    "requireAllAttributes": true,

    "requiredAttributes":

    {

      "@class": "java.util.LinkedHashMap",

      "description":

      [

        "java.util.HashSet",

        [

          "ADMIN"

        ]

      ]

    },

    "rejectedAttributes":

    {

      "@class": "java.util.LinkedHashMap"

    },

    "caseInsensitive": false

  },

  "properties":

  {

    "@class": "java.util.LinkedHashMap",

    "test":

    {

      "@class": "org.apereo.cas.services.DefaultRegisteredServiceProperty",

      "values":

      [

        "java.util.HashSet",

        [

          "FALSE"

        ]

      ]

    }

  },

  "contacts":

  [

    "java.util.ArrayList",[]

  ]

}

I am going to edit our ldap data today to change from ADMIN to ROLE_ADMIN. (I got the attribute release working on Friday.)

You can see the attributes in cas management with this logging

        <AsyncLogger name="org.pac4j.cas.client" level="trace" />

        <AsyncLogger name="org.pac4j.cas.credentials" level="trace" />

and release in cas with 

        <!-- DEBUG Found principal attributes [...] for [username]

                   Attribute policy [???] allows release of [...] for [username]

                   Final collection of attributes allowed are: [...] -->

        <AsyncLogger name="org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy" level="debug"/>

Ray

[Nguyen Tran Thanh Lam]

Hi Mr Ray,

I have checked again with your service register for CAS Management but it have this error:

This is CAS Server log

=============================================================
WHO: root
WHAT: [result=Service Access Denied,service=https://casoverlay.vdc2.com.vn:8088/c...,principal=SimplePrincipal(id=root, attributes={userstatus=[ACTIVE], roles=[ROLE_ADMIN], usertype=[ADMIN_VNPT], usertel=[0907888510], lastname=[VNPT ADMIN], comdepartment=[GP2], _id=[5ebd04f32f3700008500220a], comid=[VNPT], userparentid=[], usercode=[VNPT001], userdate=[19-04-2020], useremail=[nguyentra...@vnpt.vn]}),requiredAttributes={description=[ROLE_ADMIN]}]
ACTION: SERVICE_ACCESS_ENFORCEMENT_TRIGGERED
APPLICATION: CAS
WHEN: Mon Aug 31 21:10:39 PDT 2020
CLIENT IP ADDRESS: 203.162.36.241
SERVER IP ADDRESS: 203.162.141.22
=============================================================

And this is CAS Management error

So tired, I decide skip this issue and hop CAS developer team will fix this problem.

Thank you Mr Ray.

Vào Th 3, 1 thg 9, 2020 vào lúc 00:36 Ray Bon <rb...@uvic.ca> đã viết:

To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/abda5d050659e6e2ef908a755c8b9e134283b252.camel%40uvic.ca.

[Jérôme LELEU]

Hi,

Depending on your configuration, you have several options: either pick up static roles (but I don't think this is what you want) or take some user's attributes as roles or use the users file.

See: https://github.com/apereo/cas-management/blob/master/config/cas-mgmt-config-authz/src/main/java/org/apereo/cas/mgmt/config/CasManagementAuthorizationConfiguration.java#L39

Thanks.

Best regards,

Jérôme

To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/CAEjUsAimwpSpM0PV15%2BNp-jSeQpR5A_JduajPWy4Lv8RZPetfA%40mail.gmail.com.

[Nguyen Tran Thanh Lam]

Hi Jérôm,

Exactly what i wanted, I want to setup static roles for all user with CAS Management Web App service.

If you know how to setup, please help me.

Thank you in advance.

Regards

-------

Thanh Lam

Vào Th 3, 1 thg 9, 2020 vào lúc 13:19 Jérôme LELEU <lel...@gmail.com> đã viết:

To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/CAP279LxYPF-%2B4d12qkokY6Rq8X1DT40SHYNuO4A9SnWpbbJYgw%40mail.gmail.com.

[Jérôme LELEU]

Hi,

Reading the code, you need to setup a * for the authzAttributes property.

Something like this in your management.properties file: mgmt.authzAttributes[0]=*

Thanks.

Best regards,

Jérôme

To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/CAEjUsAhAF9DT_giYZ--4cMQRcLrkB0WUwXyZMKJu6H2-OMaxSg%40mail.gmail.com.

[Nguyen Tran Thanh Lam]

Hi Jérôm,

I have done.

Thank you very much.

Vào Th 3, 1 thg 9, 2020 vào lúc 13:40 Jérôme LELEU <lel...@gmail.com> đã viết:

To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/CAP279LwYmdyNakf4X_Ned%2BZvw%3D0pA_JSyV6g0kn9OxqcB-BLCw%40mail.gmail.com.