cas-overlay-template with 5.1.0 problems


Ashley Mort

Jun 6, 2017, 10:06:47 AM
to CAS Community
I have been using https://github.com/apereo/cas-overlay-template, which used CAS 5.0.6 and worked great for me. However, when I pull the update from 5/31/17, which bumps the CAS version to 5.1.0, I get the following new problems:

1- "Application Not Authorized to Use CAS" for all my apps
2- "You did not say the magic word!" error when I try to access /cas/status/dashboard

Can anyone please advise? I did not see either of these issues with the cas-overlay-template that used CAS 5.0.6, but the change in the pom.xml to use 5.1.0 results in the above issues.

Thank you!

Soumya Tripathy

Jun 6, 2017, 10:46:46 AM
to CAS Community
Please check the serviceRegistry configuration for your application. If the URL of the application you have integrated with CAS does not match the one defined in the service registry, then it'll give the errors.

As a sample app you can use the following snippet:

{
  "@class": "org.apereo.cas.services.RegexRegisteredService",
  "serviceId": "^(http|https|imaps)://.*",
  "name": "HTTPS and IMAPS",
  "id": 10000001,
  "description": "This service definition authorizes all application urls that support HTTPS and IMAPS protocols.",
  "proxyPolicy":
  {
    "@class": "org.apereo.cas.services.RefuseRegisteredServiceProxyPolicy"
  },
  "evaluationOrder": 10000,
  "usernameAttributeProvider":
  {
    "@class": "org.apereo.cas.services.DefaultRegisteredServiceUsernameProvider",
    "canonicalizationMode": "NONE",
    "encryptUsername": false
  },
  "logoutType" : "BACK_CHANNEL",
  "attributeReleasePolicy":
  {
    "@class": "org.apereo.cas.services.ReturnAllowedAttributeReleasePolicy",
    "principalAttributesRepository":
    {
      "@class": "org.apereo.cas.authentication.principal.DefaultPrincipalAttributesRepository",
      "expiration": 2,
      "timeUnit": "HOURS"
    },
    "authorizedToReleaseCredentialPassword": false,
    "authorizedToReleaseProxyGrantingTicket": false,
    "excludeDefaultAttributes": false
  },
  "multifactorPolicy":
  {
    "@class": "org.apereo.cas.services.DefaultRegisteredServiceMultifactorPolicy",
    "failureMode": "CLOSED",
    "bypassEnabled": false
  },
  "accessStrategy":
  {
    "@class": "org.apereo.cas.services.DefaultRegisteredServiceAccessStrategy",
    "enabled": true,
    "ssoEnabled": true,
    "requireAllAttributes": true,
    "caseInsensitive": false
  }
}

Here serviceId is the regex which defines the URL pattern for the applications trying to register with CAS. In the above snippet, it'll allow all the apps to use CAS.

Ashley Mort

Jun 6, 2017, 3:20:40 PM
to cas-...@apereo.org
I have not configured the ServiceRegistry at all.  Do you know how to do that in the cas-overlay-template?  Do I need the https://github.com/Apereo/cas-services-management-overlay?

In my cas-overlay-template, there is cas-server-webapp\WEB-INF\classes\services\HTTPSandIMAPS-10000001.json which contains:

{
  "@class" : "org.apereo.cas.services.RegexRegisteredService",
  "serviceId" : "^(https|imaps)://.*",
  "name" : "HTTPS and IMAPS",
  "id" : 10000001,
  "description" : "This service definition authorizes all application urls that support HTTPS and IMAPS protocols.",
  "evaluationOrder" : 10000
}

I thought this above snippet was what allowed all my apps to "work" but maybe it's not the .json that's actually configuring my ServiceRegistry?  Any tips on how to figure out the whole ServiceRegistry thing for a newbie?



--
- CAS gitter chatroom: https://gitter.im/apereo/cas
- CAS mailing list guidelines: https://apereo.github.io/cas/Mailing-Lists.html
- CAS documentation website: https://apereo.github.io/cas
- CAS project website: https://github.com/apereo/cas
---
You received this message because you are subscribed to the Google Groups "CAS Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email to cas-user+unsubscribe@apereo.org.
To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/0a3cf202-47b6-4be2-a38a-7e75b3618db8%40apereo.org.

Soumya Tripathy

Jun 6, 2017, 9:29:25 PM
to CAS Community
The HTTPSandIMAPS-10000001.json file is the default service registry configuration file provided by CAS. You can override this file by creating the same file under src/main/resources/services.

I presume your client application is hosted at an http URL.
As you can see, the default service ID is "serviceId" : "^(https|imaps)://.*",
which will allow only applications starting with an https or imaps URL.

Replace this serviceId with "^(http|https|imaps)://.*",
which will allow all the applications.

Hope this helps.

Cheers
Soumya
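
Added example (not part of the original thread and not CAS code): a small offline checker that evaluates service URLs against the two serviceId patterns quoted above, plus a narrower pattern for a single application. The "Single app" entry, the host names and the URLs are constructed; that the pattern must match the whole URL and that definitions are tried in ascending evaluationOrder are assumptions about how the registry resolves a service.

```python
import json
import re

# Constructed registry. The first two serviceId patterns are quoted from the
# thread; the third entry and every URL below are hypothetical.
REGISTRY_JSON = r"""
[
  {"id": 10000001, "name": "HTTPS and IMAPS", "evaluationOrder": 10000,
   "serviceId": "^(https|imaps)://.*"},
  {"id": 10000002, "name": "HTTP, HTTPS and IMAPS", "evaluationOrder": 10000,
   "serviceId": "^(http|https|imaps)://.*"},
  {"id": 10000003, "name": "Single app", "evaluationOrder": 100,
   "serviceId": "^https://app\\.example\\.org/.*"}
]
"""

def load_registry(ids):
    """Return the chosen definitions, lowest evaluationOrder first."""
    chosen = [d for d in json.loads(REGISTRY_JSON) if d["id"] in ids]
    return sorted(chosen, key=lambda d: d["evaluationOrder"])

def find_service(registry, service_url):
    """Name of the first definition whose serviceId matches the whole URL.

    Assumption: the pattern must match the entire service URL, and
    definitions are tried in ascending evaluationOrder.
    """
    for definition in registry:
        if re.fullmatch(definition["serviceId"], service_url):
            return definition["name"]
    return None  # the case reported as "Application Not Authorized to Use CAS"

# Constructed service URLs to evaluate.
URLS = [
    "http://localhost:8080/myapp/login",
    "https://app.example.org/login",
    "https://app.example.org.other.test/login",
    "imaps://mail.example.org/",
]

if __name__ == "__main__":
    for label, ids in [("default", {10000001}), ("widened", {10000002}),
                       ("narrowed", {10000003})]:
        registry = load_registry(ids)
        for url in URLS:
            print(f"{label:9} {url:42} -> {find_service(registry, url)}")
```

The narrowed pattern escapes the dots and requires a "/" directly after the host, so the look-alike host in the third URL is rejected while the widened pattern accepts every URL in the list.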

Ashley Mort

Jun 8, 2017, 12:41:32 AM
to cas-...@apereo.org
Thank you for helping me understand.

In 5.1.0, I found that I had to add "cas.serviceRegistry.initFromJson=true" to my src\main\resources\application.xml for it to even read HTTPSandIMAPS-10000001.json and allow any apps.

Now that I fixed that issue, when I log out, I can still get back to my app without logging in again through CAS.

None of these issues are present in 5.0.6 so I think I will just revert to using that version for now.
