How do I enable /status (admin monitoring) page with CAS 5.1.0?
4,645 views
Skip to first unread message
crdaudt
Jun 26, 2017, 4:29:20 PM6/26/17
to CAS Community
I have set up a test instance of a CAS 5.1.0 server running under tomcat with a fairly minimal configuration. I would like to enable the /status from my workstation's IP address (or better yet, two or three ranges of IP addresses). I am not able to make sense of the documentation for how to accomplish this (https://apereo.github.io/cas/5.1.x/installation/Monitoring-Statistics.html, https://apereo.github.io/cas/5.1.x/installation/Configuring-Monitoring.html, and https://apereo.github.io/cas/5.1.x/installation/Configuration-Properties.html). When I attempt to visit https://<CAS_URL>/cas/status, I am directed to an error pages that states "YOU DID NOT SAY THE MAGIC WORD!" and "We are sorry. You do not have permission to view this page".
Here is what I have so far:
----------BEGIN cas.properties-----------
cas.server.name: https://my.test.cas.server
cas.server.prefix: https://my.test.cas.server/cas
cas.host.name: my.test.cas.server
logging.config: file:/etc/cas/config/log4j2.xml
###cas.authn.accept.users=casuser::Mellon
cas.authn.accept.users=
#ldap stuff:
cas.authn.ldap[0].type=AUTHENTICATED
cas.authn.ldap[0].ldapUrl=ldaps://my.ldap.server:636/
cas.authn.ldap[0].useSsl=true
cas.authn.ldap[0].useStartTls=false
cas.authn.ldap[0].trustCertificates=file:/etc/cas/certificates_to_trust/i_trust_this_ca.cer
cas.authn.ldap[0].connectTimeout=5000
cas.authn.ldap[0].principalAttributeID=sAMAccountName
cas.authn.ldap[0].principalAttributeList=sAMAccountName,displayName,mail,memberOf,description:UDC_IDENTIFIER
cas.authn.ldap[0].baseDn=dc=xxx,dc=yyy,dc=edu
cas.authn.ldap[0].bindDn=cn=ldap,cn=Users,dc=xxx,dc=yyy,dc=edu
cas.authn.ldap[0].bindCredential=XXXXXXXXXX
cas.authn.ldap[0].userFilter=sAMAccountName={user}
cas.authn.ldap[0].subtreeSearch=true
cas.authn.ldap[0].minPoolSize=3
cas.authn.ldap[0].maxPoolSize=10
cas.authn.ldap[0].validateOnCheckout=true
cas.authn.ldap[0].validatePeriodically=true
cas.authn.ldap[0].validatePeriod=600
cas.authn.ldap[0].failFast=true
cas.authn.ldap[0].idleTime=500
cas.authn.ldap[0].prunePeriod=600
cas.authn.ldap[0].blockWaitTime=5000
## attempting to grant /status privilege to the workstation with the following IP address
cas.adminPagesSecurity.ip=10\.11\.12\.13
----------END cas.properties-----------
For deploying CAS with maven overlay, I used the following for pom.xml:
----------BEGIN pom.xml-----------
<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd ">
<modelVersion>4.0.0</modelVersion>
<groupId>org.apereo.cas</groupId>
<artifactId>cas-overlay</artifactId>
<packaging>war</packaging>
<version>1.0</version>
<build>
<plugins>
<plugin>
<groupId>com.rimerosolutions.maven.plugins</groupId>
<artifactId>wrapper-maven-plugin</artifactId>
<version>0.0.4</version>
<configuration>
<verifyDownload>true</verifyDownload>
<checksumAlgorithm>MD5</checksumAlgorithm>
</configuration>
</plugin>
<plugin>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-maven-plugin</artifactId>
<version>${springboot.version}</version>
<configuration>
<mainClass>org.springframework.boot.loader.WarLauncher</mainClass>
<addResources>true</addResources>
</configuration>
</plugin>
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-war-plugin</artifactId>
<version>2.6</version>
<configuration>
<warName>cas</warName>
<failOnMissingWebXml>false</failOnMissingWebXml>
<recompressZippedFiles>false</recompressZippedFiles>
<archive>
<compress>false</compress>
<manifestFile>${project.build.directory}/war/work/org.apereo.cas/cas-server-webapp/META-INF/MANIFEST.MF
</manifestFile>
</archive>
<overlays>
<overlay>
<groupId>org.apereo.cas</groupId>
<artifactId>cas-server-webapp</artifactId>
</overlay>
</overlays>
</configuration>
</plugin>
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-compiler-plugin</artifactId>
<version>3.3</version>
</plugin>
</plugins>
<finalName>cas</finalName>
</build>
<dependencies>
<dependency>
<groupId>org.apereo.cas</groupId>
<artifactId>cas-server-webapp</artifactId>
<version>${cas.version}</version>
<type>war</type>
<scope>runtime</scope>
</dependency>
<dependency>
<groupId>org.apereo.cas</groupId>
<artifactId>cas-server-support-ldap</artifactId>
<version>${cas.version}</version>
</dependency>
<dependency>
<groupId>org.ldaptive</groupId>
<artifactId>ldaptive-unboundid</artifactId>
<version>1.0</version>
</dependency>
</dependencies>
<properties>
<cas.version>5.1.0</cas.version>
<springboot.version>1.5.3.RELEASE</springboot.version>
<maven.compiler.source>1.8</maven.compiler.source>
<maven.compiler.target>1.8</maven.compiler.target>
<project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
</properties>
<repositories>
<repository>
<id>sonatype-releases</id>
<url>http://oss.sonatype.org/content/repositories/releases/</url>
<snapshots>
<enabled>false</enabled>
</snapshots>
<releases>
<enabled>true</enabled>
</releases>
</repository>
<repository>
<id>sonatype-snapshots</id>
<url>https://oss.sonatype.org/content/repositories/snapshots/</url>
<snapshots>
<enabled>true</enabled>
</snapshots>
<releases>
<enabled>false</enabled>
</releases>
</repository>
<repository>
<id>shibboleth-releases</id>
<url>https://build.shibboleth.net/nexus/content/repositories/releases</url>
</repository>
<repository>
<id>spring-milestones</id>
<url>https://repo.spring.io/milestone</url>
</repository>
</repositories>
<profiles>
<profile>
<activation>
<activeByDefault>false</activeByDefault>
</activation>
<id>pgp</id>
<build>
<plugins>
<plugin>
<groupId>com.github.s4u.plugins</groupId>
<artifactId>pgpverify-maven-plugin</artifactId>
<version>1.1.0</version>
<executions>
<execution>
<goals>
<goal>check</goal>
</goals>
</execution>
</executions>
<configuration>
<pgpKeyServer>hkp://pool.sks-keyservers.net</pgpKeyServer>
<pgpKeysCachePath>${settings.localRepository}/pgpkeys-cache</pgpKeysCachePath>
<scope>test</scope>
<verifyPomFiles>true</verifyPomFiles>
<failNoSignature>false</failNoSignature>
</configuration>
</plugin>
</plugins>
</build>
</profile>
</profiles>
</project>
----------END pom.xml-----------
Here is what I have so far:
----------BEGIN cas.properties-----------
cas.server.name: https://my.test.cas.server
cas.server.prefix: https://my.test.cas.server/cas
cas.host.name: my.test.cas.server
logging.config: file:/etc/cas/config/log4j2.xml
###cas.authn.accept.users=casuser::Mellon
cas.authn.accept.users=
#ldap stuff:
cas.authn.ldap[0].type=AUTHENTICATED
cas.authn.ldap[0].ldapUrl=ldaps://my.ldap.server:636/
cas.authn.ldap[0].useSsl=true
cas.authn.ldap[0].useStartTls=false
cas.authn.ldap[0].trustCertificates=file:/etc/cas/certificates_to_trust/i_trust_this_ca.cer
cas.authn.ldap[0].connectTimeout=5000
cas.authn.ldap[0].principalAttributeID=sAMAccountName
cas.authn.ldap[0].principalAttributeList=sAMAccountName,displayName,mail,memberOf,description:UDC_IDENTIFIER
cas.authn.ldap[0].baseDn=dc=xxx,dc=yyy,dc=edu
cas.authn.ldap[0].bindDn=cn=ldap,cn=Users,dc=xxx,dc=yyy,dc=edu
cas.authn.ldap[0].bindCredential=XXXXXXXXXX
cas.authn.ldap[0].userFilter=sAMAccountName={user}
cas.authn.ldap[0].subtreeSearch=true
cas.authn.ldap[0].minPoolSize=3
cas.authn.ldap[0].maxPoolSize=10
cas.authn.ldap[0].validateOnCheckout=true
cas.authn.ldap[0].validatePeriodically=true
cas.authn.ldap[0].validatePeriod=600
cas.authn.ldap[0].failFast=true
cas.authn.ldap[0].idleTime=500
cas.authn.ldap[0].prunePeriod=600
cas.authn.ldap[0].blockWaitTime=5000
## attempting to grant /status privilege to the workstation with the following IP address
cas.adminPagesSecurity.ip=10\.11\.12\.13
----------END cas.properties-----------
For deploying CAS with maven overlay, I used the following for pom.xml:
----------BEGIN pom.xml-----------
<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd ">
<modelVersion>4.0.0</modelVersion>
<groupId>org.apereo.cas</groupId>
<artifactId>cas-overlay</artifactId>
<packaging>war</packaging>
<version>1.0</version>
<build>
<plugins>
<plugin>
<groupId>com.rimerosolutions.maven.plugins</groupId>
<artifactId>wrapper-maven-plugin</artifactId>
<version>0.0.4</version>
<configuration>
<verifyDownload>true</verifyDownload>
<checksumAlgorithm>MD5</checksumAlgorithm>
</configuration>
</plugin>
<plugin>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-maven-plugin</artifactId>
<version>${springboot.version}</version>
<configuration>
<mainClass>org.springframework.boot.loader.WarLauncher</mainClass>
<addResources>true</addResources>
</configuration>
</plugin>
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-war-plugin</artifactId>
<version>2.6</version>
<configuration>
<warName>cas</warName>
<failOnMissingWebXml>false</failOnMissingWebXml>
<recompressZippedFiles>false</recompressZippedFiles>
<archive>
<compress>false</compress>
<manifestFile>${project.build.directory}/war/work/org.apereo.cas/cas-server-webapp/META-INF/MANIFEST.MF
</manifestFile>
</archive>
<overlays>
<overlay>
<groupId>org.apereo.cas</groupId>
<artifactId>cas-server-webapp</artifactId>
</overlay>
</overlays>
</configuration>
</plugin>
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-compiler-plugin</artifactId>
<version>3.3</version>
</plugin>
</plugins>
<finalName>cas</finalName>
</build>
<dependencies>
<dependency>
<groupId>org.apereo.cas</groupId>
<artifactId>cas-server-webapp</artifactId>
<version>${cas.version}</version>
<type>war</type>
<scope>runtime</scope>
</dependency>
<dependency>
<groupId>org.apereo.cas</groupId>
<artifactId>cas-server-support-ldap</artifactId>
<version>${cas.version}</version>
</dependency>
<dependency>
<groupId>org.ldaptive</groupId>
<artifactId>ldaptive-unboundid</artifactId>
<version>1.0</version>
</dependency>
</dependencies>
<properties>
<cas.version>5.1.0</cas.version>
<springboot.version>1.5.3.RELEASE</springboot.version>
<maven.compiler.source>1.8</maven.compiler.source>
<maven.compiler.target>1.8</maven.compiler.target>
<project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
</properties>
<repositories>
<repository>
<id>sonatype-releases</id>
<url>http://oss.sonatype.org/content/repositories/releases/</url>
<snapshots>
<enabled>false</enabled>
</snapshots>
<releases>
<enabled>true</enabled>
</releases>
</repository>
<repository>
<id>sonatype-snapshots</id>
<url>https://oss.sonatype.org/content/repositories/snapshots/</url>
<snapshots>
<enabled>true</enabled>
</snapshots>
<releases>
<enabled>false</enabled>
</releases>
</repository>
<repository>
<id>shibboleth-releases</id>
<url>https://build.shibboleth.net/nexus/content/repositories/releases</url>
</repository>
<repository>
<id>spring-milestones</id>
<url>https://repo.spring.io/milestone</url>
</repository>
</repositories>
<profiles>
<profile>
<activation>
<activeByDefault>false</activeByDefault>
</activation>
<id>pgp</id>
<build>
<plugins>
<plugin>
<groupId>com.github.s4u.plugins</groupId>
<artifactId>pgpverify-maven-plugin</artifactId>
<version>1.1.0</version>
<executions>
<execution>
<goals>
<goal>check</goal>
</goals>
</execution>
</executions>
<configuration>
<pgpKeyServer>hkp://pool.sks-keyservers.net</pgpKeyServer>
<pgpKeysCachePath>${settings.localRepository}/pgpkeys-cache</pgpKeysCachePath>
<scope>test</scope>
<verifyPomFiles>true</verifyPomFiles>
<failNoSignature>false</failNoSignature>
</configuration>
</plugin>
</plugins>
</build>
</profile>
</profiles>
</project>
----------END pom.xml-----------
kjlorenzo
Jun 27, 2017, 2:51:55 AM6/27/17
to CAS Community
Hi.
I have the same trouble and I am doing different tests to see if I give with the solution. The documentation is not complete and you do not expect to be answered with the solution, this is no longer jasig, where the developers worked hard.
If I find the solution, I'll send it to you.
Regards.
Michael Kotowski
Jun 27, 2017, 3:23:59 AM6/27/17
to CAS Community
Same issue here. In 5.0.5 it was sufficient to set cas.adminPagesSecurity.ip, but with 5.1.0 I have the same issue.
But, with 5.1.0 there is also a big bunch of new properties ... will play with them.
5.0.x: https://apereo.github.io/cas/5.0.x/installation/Configuration-Properties.html#admin-status-endpoints
5.1.x: https://apereo.github.io/cas/5.1.x/installation/Configuration-Properties.html#spring-boot-endpoints
But, with 5.1.0 there is also a big bunch of new properties ... will play with them.
5.0.x: https://apereo.github.io/cas/5.0.x/installation/Configuration-Properties.html#admin-status-endpoints
5.1.x: https://apereo.github.io/cas/5.1.x/installation/Configuration-Properties.html#spring-boot-endpoints
Matt S.
Jun 27, 2017, 8:40:22 AM6/27/17
to CAS Community
Same issue. Worked fine in 5.0.6, and the docs suggest that the same is available in 5.1.0/5.1.1, sadly doesn't work the same.
Similarly, the additional support for different kinds of security (Basic authentication, LDAP, etc) should be just that, additional support if desired, not a requirement.
If anyone figures this out, please share. Thanks.
Iain Workman
Jun 27, 2017, 10:20:52 AM6/27/17
to CAS Community
Had the same issue in the transfer, and it seems to end up being an error in the documentation, which suggests setting the following:
# Globally control whether endpoints are enabled
# or marked as sesitive to require authentication.
endpoints.enabled=true
endpoints.sensitive=falseHowever neither of these has any effect on the behaviour of the admin page. Instead I used the following:
cas.monitor.endpoints.enabled=truecas.monitor.endpoints.sensitive=falseWith those in place, and with the
cas.adminPagesSecurity.ip:
properly set this worked for me.
Julien Whizz
Jun 27, 2017, 11:05:38 AM6/27/17
to jasig-cas-user, cas-...@apereo.org, crd...@taylor.edu
It doesn't work for me.
I'm using maven release 5.1.1
- LDAP login on CAS (https://myserver:8443/cas/login : AUTHENTICATION_SUCCESS
- Acces to the /status or /status/dashboard : "YOU DID NOT SAY THE MAGIC WORD!....."
And i've only this on my cas.log :
Here my cas.properties
I'm using maven release 5.1.1
- LDAP login on CAS (https://myserver:8443/cas/login : AUTHENTICATION_SUCCESS
- Acces to the /status or /status/dashboard : "YOU DID NOT SAY THE MAGIC WORD!....."
And i've only this on my cas.log :
2017-06-27 16:43:06,813 DEBUG [org.apereo.cas.util.cipher.BaseStringCipherExecutor] - <Decrypting value...>
2017-06-27 16:43:06,814 DEBUG [org.apereo.cas.web.support.DefaultCasCookieValueManager] - <Decoded cookie value is [TGT-**********************************************akVFmisFU9-SERVER@10.6.200.43@Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko]>
2017-06-27 16:43:06,814 DEBUG [org.apereo.cas.authentication.PseudoPlatformTransactionManager] - <Creating new transaction with name [org.apereo.cas.ticket.registry.DefaultTicketRegistrySupport.getAuthenticatedPrincipalFrom]: PROPAGATION_REQUIRED,ISOLATION_DEFAULT; 'ticketTransactionManager'>
2017-06-27 16:43:06,814 DEBUG [org.apereo.cas.authentication.PseudoPlatformTransactionManager] - <Creating new transaction with name [org.apereo.cas.ticket.registry.DefaultTicketRegistrySupport.getAuthenticatedPrincipalFrom]: PROPAGATION_REQUIRED,ISOLATION_DEFAULT; 'ticketTransactionManager'>
2017-06-27 16:43:06,814 DEBUG [org.apereo.cas.authentication.PseudoPlatformTransactionManager] - <Initiating transaction commit>
2017-06-27 16:43:06,814 DEBUG [org.apereo.cas.authentication.PseudoPlatformTransactionManager] - <Resuming suspended transaction after completion of inner transaction>
2017-06-27 16:43:06,815 DEBUG [org.apereo.cas.authentication.PseudoPlatformTransactionManager] - <Initiating transaction commit>Here my cas.properties
cas.server.name=https://server.domain.prive.fr:8443 cas.server.prefix=https://server.domain.prive.fr:8443/cas logging.config: file:/etc/cas/config/log4j2.xml #======================================== # Authentication #======================================== cas.authn.accept.users= #======================================== ## Embedded Tomcat HTTP/AJP ## Enable HTTP/AJP connections for the embedded Tomcat container. #======================================== cas.server.http.enabled=false #======================================== # LDAP : #======================================== cas.authn.ldap[0].type=AUTHENTICATED cas.authn.ldap[0].ldapUrl=ldap://domain.prive.fr cas.authn.ldap[0].useSsl=false cas.authn.ldap[0].baseDn=dc=domain,dc=prive,dc=fr cas.authn.ldap[0].userFilter=sAMAccountName={user} cas.authn.ldap[0].bindDn=CN=BIND Ldap,OU=Technique,OU=D.S.I.,OU=ADMINISTRATIFS,DC=domain,DC=prive,DC=fr cas.authn.ldap[0].bindCredential=password cas.authn.attributeRepository.ldap.ldapUrl=Ldap://domain.prive.fr cas.authn.attributeRepository.ldap.minPoolSize=3 cas.authn.attributeRepository.ldap.maxPoolSize=10 cas.authn.attributeRepository.ldap.validateOnCheckout=false cas.authn.attributeRepository.ldap.validatePeriodically=true cas.acceptableUsagePolicy.ldap.ldapUrl=Ldap://domain.prive.fr cas.acceptableUsagePolicy.ldap.baseDn=dc=domain,dc=prive,dc=fr cas.acceptableUsagePolicy.ldap.userFilter=sAMAccountName={user} cas.acceptableUsagePolicy.ldap.providerClass=org.ldaptive.provider.unboundid.UnboundIDProvider cas.acceptableUsagePolicy.ldap.connectTimeout=5000 cas.acceptableUsagePolicy.ldap.minPoolSize=3 cas.acceptableUsagePolicy.ldap.maxPoolSize=10 cas.acceptableUsagePolicy.ldap.validateOnCheckout=true cas.acceptableUsagePolicy.ldap.validatePeriodically=true cas.acceptableUsagePolicy.ldap.validatePeriod=600 cas.acceptableUsagePolicy.ldap.idleTime=500 cas.acceptableUsagePolicy.ldap.prunePeriod=600 cas.acceptableUsagePolicy.ldap.blockWaitTime=5000 cas.acceptableUsagePolicy.ldap.useStartTls=false cas.serviceRegistry.ldap.idAttribute=sAMAccountName cas.serviceRegistry.ldap.ldapUrl=Ldap://domain.prive.fr cas.serviceRegistry.ldap.baseDn=dc=domain,dc=prive,dc=fr cas.serviceRegistry.ldap.bindDn=CN=BIND Ldap,OU=Technique,OU=D.S.I.,OU=ADMINISTRATIFS,DC=domain,DC=prive,DC=fr cas.serviceRegistry.ldap.bindCredential=password cas.serviceRegistry.ldap.useSsl=false cas.mgmt.ldapAuthz.rolePrefix=ROLE_ cas.mgmt.ldapAuthz.searchFilter=cn={user} cas.mgmt.ldapAuthz.roleAttribute=uugid cas.mgmt.ldapAuthz.ldapUrl=Ldap://domain.prive.fr cas.mgmt.ldapAuthz.baseDn=dc=domain,dc=prive,dc=fr cas.mgmt.ldapAuthz.userFilter=sAMAccountName={user} cas.mgmt.ldapAuthz.bindDn=CN=BIND Ldap,OU=Technique,OU=D.S.I.,OU=ADMINISTRATIFS,DC=domain,DC=prive,DC=fr cas.mgmt.ldapAuthz.bindCredential=password cas.mgmt.ldapAuthz.useSsl=false cas.adminPagesSecurity.ldap.type=AUTHENTICATED cas.adminPagesSecurity.ldap.ldapUrl=Ldap://domain.prive.fr cas.adminPagesSecurity.ldap.useSsl=false cas.adminPagesSecurity.ldap.baseDn=dc=domain,dc=prive,dc=fr cas.adminPagesSecurity.ldap.userFilter=sAMAccountName={user} cas.adminPagesSecurity.ldap.bindDn=CN=BIND Ldap,OU=Technique,OU=D.S.I.,OU=ADMINISTRATIFS,DC=domain,DC=prive,DC=fr cas.adminPagesSecurity.ldap.bindCredential=password cas.monitor.ldap.ldapUrl=Ldap://domain.prive.fr cas.monitor.ldap.baseDn=dc=domain,dc=prive,dc=fr cas.monitor.ldap.userFilter=sAMAccountName={user} cas.monitor.ldap.bindDn=CN=BIND Ldap,OU=Technique,OU=D.S.I.,OU=ADMINISTRATIFS,DC=domain,DC=prive,DC=fr cas.monitor.ldap.bindCredential=password cas.monitor.ldap.providerClass=org.ldaptive.provider.unboundid.UnboundIDProvider cas.monitor.ldap.useSsl=false #======================================== # Management Webapp #======================================== cas.mgmt.adminRoles=ROLE_ADMIN cas.mgmt.userPropertiesFile=file:/etc/cas/config/users.properties #======================================== # Admin Status Endpoints # The following properties describe access controls and settings for the /status endpoint of CAS which provides administrative functionality and oversight into the CAS software. To learn more about this topic, please review this guide. #======================================== cas.monitor.endpoints.enabled=true cas.monitor.endpoints.sensitive=false cas.monitor.endpoints.dashboard.enabled=true cas.monitor.endpoints.dashboard.sensitive=false cas.monitor.endpoints.status.enabled=true cas.monitor.endpoints.status.sensitive=false cas.adminPagesSecurity.users=file:/etc/cas/config/adminusers.properties cas.adminPagesSecurity.adminRoles=ROLE_ADMIN cas.adminPagesSecurity.ip= #======================================== # Service Registry #======================================== cas.serviceRegistry.watcherEnabled=true cas.serviceRegistry.initFromJson=true
--
- CAS gitter chatroom: https://gitter.im/apereo/cas
- CAS mailing list guidelines: https://apereo.github.io/cas/Mailing-Lists.html
- CAS documentation website: https://apereo.github.io/cas
- CAS project website: https://github.com/apereo/cas
---
You received this message because you are subscribed to the Google Groups "CAS Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email to cas-user+u...@apereo.org.
To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/b694d5ab-6e73-42dc-a784-36bcdda42925%40apereo.org.
crdaudt
Jun 27, 2017, 11:42:51 AM6/27/17
to CAS Community
Iain, Thank you, this worked for me. I have only able to specify a single ip address, not an address with a subnet mask or multiple ip addresses. Are you or anyone else able to assist with that?
Iain Workman
Jun 27, 2017, 2:19:58 PM6/27/17
to CAS Community
The cas.adminPagesSecurity.ip setting is interpreted as a regex which the sending ip of the request is matched against. If you can form a regex which will match only the required ips that will work.
vallee.romain
Jun 28, 2017, 2:59:01 AM6/28/17
to CAS Community, jasig-c...@googlegroups.com, crd...@taylor.edu
Bonjour Julien,
j'aurais quelques questions à vous poser au sujet de la version 5.1.
Auriez vous qq minutes à m'accorder ? ( par téléphone )
Merci beaucoup
Cordialement
crdaudt
Jun 28, 2017, 11:49:08 AM6/28/17
to CAS Community
Thanks Iain. I have this working now for only filtering with IP addresses. For those interested, I have the following in my cas.properties file:
----BEGIN snippet from cas.properties----
...
cas.monitor.endpoints.enabled=true
cas.monitor.endpoints.sensitive=false
cas.adminPagesSecurity.ip=10\.11\.12\.13\|14\.15\.16\.17
----END----
However, to pick up on Julien's issue, I am not able to get this working if I further restrict this to users logged in who are specified as authorized users in my adminusers.properties file.
Here is what I have:
----BEGIN snippet from cas.properties----
...
cas.monitor.endpoints.enabled=true
cas.monitor.endpoints.sensitive=false
cas.adminPagesSecurity.ip=10\.11\.12\.13\|14\.15\.16\.17
cas.adminPagesSecurity.loginUrl=https://my.test.cas.server/cas/login
cas.adminPagesSecurity.service=https://my.test.cas.server/cas/status/dashboard
cas.adminPagesSecurity.users=file:/etc/cas/config/adminusers.properties
cas.adminPagesSecurity.adminRoles[0]=ROLE_ADMIN
cas.adminPagesSecurity.actuatorEndpointsEnabled=true
cas.serviceRegistry.watcherEnabled=true
cas.serviceRegistry.initFromJson=true
----END----
And here are the contents of my adminusers.properties file (for now, I only have my username listed):
----BEGIN adminusers.properties----
user=crdaudt,ROLE_ADMIN
----END----
My results are as follows:
--When I visit https://my.test.cas.server/cas/status/dashboard, I am redirected to login.
--When I log in, my logs show the following:
----BEGIN log snippet----
>
2017-06-28 11:42:01,961 INFO [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit trail record BEGIN
=============================================================
WHO: crdaudt
WHAT: TGT-**********************************************kloPuBba1M-my.test.cas.server
ACTION: TICKET_GRANTING_TICKET_CREATED
APPLICATION: CAS
WHEN: Wed Jun 28 11:42:01 EDT 2017
CLIENT IP ADDRESS: 10.11.12.13
SERVER IP ADDRESS: 10.10.10.100
=============================================================
>
2017-06-28 11:42:02,001 INFO [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit trail record BEGIN
=============================================================
WHO: crdaudt
WHAT: ST-1-Fe5a6Ieo3IMaPI2FScWC-my.test.cas.server for https://my.test.cas.server/cas/status/dashboard
ACTION: SERVICE_TICKET_CREATED
APPLICATION: CAS
WHEN: Wed Jun 28 11:42:02 EDT 2017
CLIENT IP ADDRESS: 10.11.12.13
SERVER IP ADDRESS: 10.10.10.100
=============================================================
>
2017-06-28 11:42:02,206 INFO [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit trail record BEGIN
=============================================================
WHO: crdaudt
WHAT: ST-1-Fe5a6Ieo3IMaPI2FScWC-my.test.cas.server
ACTION: SERVICE_TICKET_VALIDATED
APPLICATION: CAS
WHEN: Wed Jun 28 11:42:02 EDT 2017
CLIENT IP ADDRESS: 10.11.12.13
SERVER IP ADDRESS: 10.10.10.100
=============================================================
----END----
I am then redirected to https://my.test.cas.server/cas/status/dashboard?ticket=ST-1-Fe5a6Ieo3IMaPI2FScWC-my.test.cas.server, and informed that: "YOU ARE NOT AUTHORIZED TO BE AUTHORIZED!".
Any suggestions?
----BEGIN snippet from cas.properties----
...
cas.monitor.endpoints.enabled=true
cas.monitor.endpoints.sensitive=false
cas.adminPagesSecurity.ip=10\.11\.12\.13\|14\.15\.16\.17
----END----
However, to pick up on Julien's issue, I am not able to get this working if I further restrict this to users logged in who are specified as authorized users in my adminusers.properties file.
Here is what I have:
----BEGIN snippet from cas.properties----
...
cas.monitor.endpoints.enabled=true
cas.monitor.endpoints.sensitive=false
cas.adminPagesSecurity.ip=10\.11\.12\.13\|14\.15\.16\.17
cas.adminPagesSecurity.loginUrl=https://my.test.cas.server/cas/login
cas.adminPagesSecurity.service=https://my.test.cas.server/cas/status/dashboard
cas.adminPagesSecurity.users=file:/etc/cas/config/adminusers.properties
cas.adminPagesSecurity.adminRoles[0]=ROLE_ADMIN
cas.adminPagesSecurity.actuatorEndpointsEnabled=true
cas.serviceRegistry.watcherEnabled=true
cas.serviceRegistry.initFromJson=true
----END----
And here are the contents of my adminusers.properties file (for now, I only have my username listed):
----BEGIN adminusers.properties----
user=crdaudt,ROLE_ADMIN
----END----
My results are as follows:
--When I visit https://my.test.cas.server/cas/status/dashboard, I am redirected to login.
--When I log in, my logs show the following:
----BEGIN log snippet----
>
2017-06-28 11:42:01,961 INFO [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit trail record BEGIN
=============================================================
WHO: crdaudt
WHAT: TGT-**********************************************kloPuBba1M-my.test.cas.server
ACTION: TICKET_GRANTING_TICKET_CREATED
APPLICATION: CAS
WHEN: Wed Jun 28 11:42:01 EDT 2017
CLIENT IP ADDRESS: 10.11.12.13
SERVER IP ADDRESS: 10.10.10.100
=============================================================
>
2017-06-28 11:42:02,001 INFO [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit trail record BEGIN
=============================================================
WHO: crdaudt
WHAT: ST-1-Fe5a6Ieo3IMaPI2FScWC-my.test.cas.server for https://my.test.cas.server/cas/status/dashboard
ACTION: SERVICE_TICKET_CREATED
APPLICATION: CAS
WHEN: Wed Jun 28 11:42:02 EDT 2017
CLIENT IP ADDRESS: 10.11.12.13
SERVER IP ADDRESS: 10.10.10.100
=============================================================
>
2017-06-28 11:42:02,206 INFO [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit trail record BEGIN
=============================================================
WHO: crdaudt
WHAT: ST-1-Fe5a6Ieo3IMaPI2FScWC-my.test.cas.server
ACTION: SERVICE_TICKET_VALIDATED
APPLICATION: CAS
WHEN: Wed Jun 28 11:42:02 EDT 2017
CLIENT IP ADDRESS: 10.11.12.13
SERVER IP ADDRESS: 10.10.10.100
=============================================================
----END----
I am then redirected to https://my.test.cas.server/cas/status/dashboard?ticket=ST-1-Fe5a6Ieo3IMaPI2FScWC-my.test.cas.server, and informed that: "YOU ARE NOT AUTHORIZED TO BE AUTHORIZED!".
Any suggestions?
Julien Whizz
Jun 28, 2017, 3:36:16 PM6/28/17
to cas-...@apereo.org
I have the same problem, and I encounter a similar error to access /cas-management
No error in the logs (DEBUG)
For ranges Security.ip think is like this : No error in the logs (DEBUG)
cas.adminPagesSecurity.ip=(10)(\.(1|2|3|4|5|6|7))(\.([0-9]|[1-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5])){2}
--
- CAS gitter chatroom: https://gitter.im/apereo/cas
- CAS mailing list guidelines: https://apereo.github.io/cas/Mailing-Lists.html
- CAS documentation website: https://apereo.github.io/cas
- CAS project website: https://github.com/apereo/cas
---
You received this message because you are subscribed to the Google Groups "CAS Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email to cas-user+unsubscribe@apereo.org.
To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/873b7de0-f4ca-405d-8915-83a7d1dcc775%40apereo.org.
Julien Whizz
Jun 28, 2017, 3:36:16 PM6/28/17
to cas-...@apereo.org
Hi,
I think IS : crdaudt=pwdnotuse,ROLE_ADMIN
No ?
--
- CAS gitter chatroom: https://gitter.im/apereo/cas
- CAS mailing list guidelines: https://apereo.github.io/cas/Mailing-Lists.html
- CAS documentation website: https://apereo.github.io/cas
- CAS project website: https://github.com/apereo/cas
---
You received this message because you are subscribed to the Google Groups "CAS Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email to cas-user+unsubscribe@apereo.org.
To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/e315e2f4-4290-46d9-8680-29b7f5f62e10%40apereo.org.
crdaudt
Jun 28, 2017, 5:16:33 PM6/28/17
to CAS Community
Thanks Julien. With your suggested change, /staus/dashboard is now working for me.
I changed my entry for adminusers.properties to 'crdaudt=pwdnotuse,ROLE_ADMIN' (i.e., as you suggested).
I changed the value of cas.adminPagesSecurity.ip to allow the ip address ranges of 10.11.12.0/24 and 14.15.16.0/24 as follows:
cas.adminPagesSecurity.ip=^10\.11\.12\.([0-9]|[1-9][0-9]|1([0-9][0-9])|2([0-4][0-9]|5[0-5]))$|^14\.15\.16\.([0-9]|[1-9][0-9]|1([0-9][0-9])|2([0-4][0-9]|5[0-5]))$
My other parameters are as listed above.
One further question: What does '=pwdnotuse' mean? Is this documented somewhere?
Other than that, my issue is resolved. Thanks all!
p.s. -- looking forward to more complete, updated documentation some day, and perhaps some more examples. Thanks for everyone's good hard work.
I changed my entry for adminusers.properties to 'crdaudt=pwdnotuse,ROLE_ADMIN' (i.e., as you suggested).
I changed the value of cas.adminPagesSecurity.ip to allow the ip address ranges of 10.11.12.0/24 and 14.15.16.0/24 as follows:
cas.adminPagesSecurity.ip=^10\.11\.12\.([0-9]|[1-9][0-9]|1([0-9][0-9])|2([0-4][0-9]|5[0-5]))$|^14\.15\.16\.([0-9]|[1-9][0-9]|1([0-9][0-9])|2([0-4][0-9]|5[0-5]))$
My other parameters are as listed above.
One further question: What does '=pwdnotuse' mean? Is this documented somewhere?
Other than that, my issue is resolved. Thanks all!
p.s. -- looking forward to more complete, updated documentation some day, and perhaps some more examples. Thanks for everyone's good hard work.
No ?
To unsubscribe from this group and stop receiving emails from it, send an email to cas-user+u...@apereo.org.
Julien Whizz
Jun 29, 2017, 2:12:03 PM6/29/17
to jasig-cas-user, cas-...@apereo.org, crd...@taylor.edu
Here : https://apereo.github.io/cas/5.1.x/installation/Configuration-Properties.html#spring-boot-endpoints
When i try to install Endpoint :)
When i try to install Endpoint :)
# casuser: This is the authenticated user id received from CAS
# notused: This is the password field that isn’t used by CAS. You could literally put any value you want in its place.
# ROLE_ADMIN: Role assigned to the authorized user, which is then cross checked against CAS configuration.
# exemple : casuser=notused,ROLE_ADMIN
myuser=notused,ROLE_ADMIN
To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/3f2ce34f-8a54-4a2b-91a4-54aa1d6a2606%40apereo.org.
SBUser
Aug 22, 2018, 3:27:45 PM8/22/18
to CAS Community, jasig-c...@googlegroups.com, crd...@taylor.edu, whiz...@gmail.com
Have any of you guys able to set this up using CAS v 5.3.2?
I have tried everything document in this post and elsewhere for couple day to no avail.
Specifically, I'm getting "Access Denied" while trying to access https://<my-server-name>:8443/cas/status/dashboard after successfully signing in with ROLE_ADMIN user id from one single IP address of my second machine (IP: xxx.xxx.x.xxx)
-------------- application.properties -------------------
cas.monitor.endpoints.enabled=true
cas.monitor.endpoints.sensitive=false
cas.adminPagesSecurity.ip=127\.0\.0\.1|xxx\.xxx\.x\.xxx
endpoints.restart.enabled=false
endpoints.shutdown.enabled=false
management.security.enabled=true
management.security.roles=ACTUATOR,ROLE_ADMIN
management.security.sessions=if_required
management.context-path=/status
management.add-application-context-header=false
.
.
.
cas.authn.accept.users=casadmin::<my-password>
----------------------------------------------------------------
------------- adminusers.properties -------------------
casadmin=notused,ROLE_ADMIN
----------------------------------------------------------------
------------------- cas.properties ------------------------
cas.adminPagesSecurity.loginUrl=https://<my-server-name>:8443/cas/login
cas.adminPagesSecurity.service=https://<my-server-name>:8443/cas/status/dashboard
cas.adminPagesSecurity.users=file:/adminusers.properties
cas.adminPagesSecurity.adminRoles[0]=ROLE_ADMIN
cas.adminPagesSecurity.actuatorEndpointsEnabled=true
cas.serviceRegistry.watcherEnabled=true
cas.serviceRegistry.initFromJson=true
----------------------------------------------------------------
Note: I'm using STS (Spring Tool Suite) IDE, deploying to local Tomcat 8.5.32-x64.
application.properties, cas.properties, and adminusers.properties are housed in src\main\resources project folder, and published to tomcat WEB-INF\classes folder when run from STS.
It works if on same machine accessing via:
and it doesn't even care if I signed in with my admin user id or not (casadmin). Which is not a good thing either, but I can live with it for now.
Thanks for your help,
GTM
Daudt, Carl
Aug 23, 2018, 8:22:56 AM8/23/18
to SBUser, CAS Community, jasig-c...@googlegroups.com, whiz...@gmail.com
I will defer to others, since we are still at v5.2.2
The information in this communication is intended solely for the individual or entity to whom it is addressed. It may contain confidential or legally privileged information. If you are not the intended recipient, any disclosure, copying, distribution or reliance on the contents of this information is strictly prohibited, and may be unlawful. If you have received this communication in error, please notify us immediately by responding to the sender of this email, and then delete it from your system. Taylor University is not liable for the inaccurate or improper transmission of the information contained in this communication or for any delay in its receipt.
Reply all
Reply to author
Forward
0 new messages