To follow up on my last email, I enabled DEBUG mode and noticed in the
logs where it was denying my access. Here is the snippet. I think it is
because the "roles" value is empty (in bold below)
2017-08-09 12:28:29,675 DEBUG
[org.apereo.cas.mgmt.web.CasManagementSecurityInterceptor$CasManagementSecurityLogic]
- <new profiles: [#CasProfile# | id: /my_AD_loginID/ | attributes:
{wID=/my_AD_loginID/, isFromNewLogin=true,
authenticationDate=2017-08-09T12:28:29.175-04:00[America/New_York],
affiliation=staff, authenticationMethod=LdapAuthenticationHandler,
FullName=/my_Full_Name_From_AD/,
successfulAuthenticationHandlers=LdapAuthenticationHandler,
longTermAuthenticationRequestTokenUsed=false, sn=/my_Last_Name_From_AD/,
cn=/my_AD_loginID/, EmailAddress=/my_AD_EmailAddress/} | *roles: []* |
permissions: [] | isRemembered: false | clientName: CasClient |
linkedId: null |]>
2017-08-09 12:28:29,675 DEBUG
[org.apereo.cas.mgmt.web.CasManagementSecurityInterceptor$CasManagementSecurityLogic]
- <authorizers: securityHeaders,csrfToken,RequireAnyRoleAuthorizer>
2017-08-09 12:28:29,691 DEBUG
[org.apereo.cas.mgmt.web.CasManagementSecurityInterceptor$CasManagementSecurityLogic]
- *<forbidden>*
I thought the c:\etc\cas\config\users.properties file referenced from my
management.properties file would list me as having the ROLE_ADMIN role?
If it helps, here is the .json file service entry used to allow the
management app.
{
"@class" : "org.apereo.cas.services.RegexRegisteredService",
"serviceId" : "https://cas5test.wheatonma.edu/cas-management/.*";,
"name" : "CASManagementService",
"id" : 132457456798678,
"description" : "Service entry to allow access to the CAS Management
App",
"attributeReleasePolicy" : {
"@class" :
"org.apereo.cas.services.ReturnMappedAttributeReleasePolicy",
"allowedAttributes" : {
"@class" : "java.util.TreeMap",
"sn" : "sn",
"cn" : "cn",
"mail" : "EmailAddress",
"displayname" : "FullName"
"sAMAccountName" : "wID"
"employeeType" : "affiliation"
}
},
"evaluationOrder" : 2
}
Thanks!!!
On 8/9/2017 10:44 AM, Brian Gibson wrote:
Hi All,
Be gentle, I'm a sys admin, not a Java expert ;-)
Running Tomcat 9 on Windows 2012 R2 Server.
Running CAS 5.1.2 using the War Overlay method and I have it
authenticating against Active Directory and it recognizes services
that I define in .json files.
I'm trying to get the CAS Services Management Webapp working so I can
login with my Active Directory credentials. Here is where I am....
1. I go to the /cas-management URL and if I am not already logged into
CAS I get redirected to the CAS login page (good so far)
2. I log in with my Active Directory credentials and I am greeted with
this error
/CAS Services Management Access Denied You are not authorized to
access this resource. Contact your CAS Administrator for more info./
I put this entry in the c:\etc\cas\config\users.properties file (which
is referenced below in my management.properties file)
/my_AD_loginID/=notused,ROLE_ADMIN,enabled
My management.properties file looks like this....
++++++++++++ management.properties +++++++++++++++++++++
cas.server.name=https://cas5test.wheatonma.edu
cas.server.prefix=https://cas5test.wheatonma.edu/cas
cas.mgmt.host=${cas.server.name}
cas.serviceRegistry.initFromJson=true
spring.thymeleaf.mode=HTML
logging.config=file:/etc/cas/config/log4j2-management.xml
server.port=443
cas.serviceRegistry.config.location:file:/etc/cas/services
server.contextPath=/cas-management
cas.mgmt.adminRoles=ROLE_ADMIN
cas.mgmt.userPropertiesFile=file:/etc/cas/config/users.properties
cas.mgmt.serverName=https://cas5test.wheatonma.edu
cas.mgmt.defaultLocale=en
cas.mgmt.ldap.ldapAuthz.searchFilter=cn={user}
cas.mgmt.ldap.ldapAuthz.baseDn=OU=hidden,DC=hidden,DC=hidden
cas.mgmt.ldap.ldapUrl=ldaps://my_1st_ad_controller
ldaps://my_2nd_ad_controller
cas.mgmt.ldap.baseDn=OU=hidden,DC=hidden,DC=hidden
cas.mgmt.ldap.bindDn=CN=hidden,CN=hidden,DC=hidden,DC=hidden
cas.mgmt.ldap.bindCredential=hidden
cas.mgmt.ldap.useSsl=true
cas.mgmt.ldap.useStartTls=false
Thanks for any advice you can offer :-)
--
- CAS gitter chatroom: https://gitter.im/apereo/cas
- CAS mailing list guidelines: https://apereo.github.io/cas/Mailing-Lists.html
- CAS documentation website: https://apereo.github.io/cas
- CAS project website: https://github.com/apereo/cas
---
You received this message because you are subscribed to the Google Groups "CAS Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to [email protected].
To view this discussion on the web visit
https://groups.google.com/a/apereo.org/d/msgid/cas-user/01747094-c76a-36a1-ffd1-8072e34ca39b%40wheatoncollege.edu.
