Hi there,

it seems to me your properties file location might be wrong. At least, there’s 
no C: in there:
cas.mgmt.userPropertiesFile=file:/etc/cas/config/users.properties<file://etc/cas/config/users.properties>
Maybe you also need windows notation?

Regards
Arnold

Von: cas-user@apereo.org [mailto:cas-user@apereo.org] Im Auftrag von Brian 
Gibson
Gesendet: Mittwoch, 9. August 2017 20:03
An: cas-user@apereo.org
Betreff: [cas-user] Re: Access Denied with CAS Service Management WebApp

To follow up on my last email, I enabled DEBUG mode and noticed in the logs 
where it was denying my access. Here is the snippet. I think it is because the 
"roles" value is empty (in bold below)

2017-08-09 12:28:29,675 DEBUG 
[org.apereo.cas.mgmt.web.CasManagementSecurityInterceptor$CasManagementSecurityLogic]
 - <new profiles: [#CasProfile# | id: my_AD_loginID | attributes: 
{wID=my_AD_loginID, isFromNewLogin=true, 
authenticationDate=2017-08-09T12:28:29.175-04:00[America/New_York], 
affiliation=staff, authenticationMethod=LdapAuthenticationHandler, 
FullName=my_Full_Name_From_AD, 
successfulAuthenticationHandlers=LdapAuthenticationHandler, 
longTermAuthenticationRequestTokenUsed=false, sn=my_Last_Name_From_AD, 
cn=my_AD_loginID, EmailAddress=my_AD_EmailAddress} | roles: [] | permissions: 
[] | isRemembered: false | clientName: CasClient | linkedId: null |]>

2017-08-09 12:28:29,675 DEBUG 
[org.apereo.cas.mgmt.web.CasManagementSecurityInterceptor$CasManagementSecurityLogic]
 - <authorizers: securityHeaders,csrfToken,RequireAnyRoleAuthorizer>

2017-08-09 12:28:29,691 DEBUG 
[org.apereo.cas.mgmt.web.CasManagementSecurityInterceptor$CasManagementSecurityLogic]
 - <forbidden>

I thought the c:\etc\cas\config\users.properties file referenced from my 
management.properties file would list me as having the ROLE_ADMIN role?

If it helps, here is the .json file service entry used to allow the management 
app.


{
  "@class" : "org.apereo.cas.services.RegexRegisteredService",
  "serviceId" : 
"https://cas5test.wheatonma.edu/cas-management/.*";<https://cas5test.wheatonma.edu/cas-management/.*>,
  "name" : "CASManagementService",
  "id" : 132457456798678,
  "description" : "Service entry to allow access to the CAS Management App",
  "attributeReleasePolicy" : {
    "@class" : "org.apereo.cas.services.ReturnMappedAttributeReleasePolicy",
    "allowedAttributes" : {
      "@class" : "java.util.TreeMap",
      "sn" : "sn",
      "cn" : "cn",
      "mail" : "EmailAddress",
      "displayname" : "FullName"
      "sAMAccountName" : "wID"
      "employeeType" : "affiliation"
    }
  },
  "evaluationOrder" : 2
}


Thanks!!!








On 8/9/2017 10:44 AM, Brian Gibson wrote:
Hi All,

Be gentle, I'm a sys admin, not a Java expert ;-)

Running Tomcat 9 on Windows 2012 R2 Server.

Running CAS 5.1.2 using the War Overlay method and I have it authenticating 
against Active Directory and it recognizes services that I define in .json 
files.

I'm trying to get the CAS Services Management Webapp working so I can login 
with my Active Directory credentials. Here is where I am....

1. I go to the /cas-management URL and if I am not already logged into CAS I 
get redirected to the CAS login page (good so far)

2. I log in with my Active Directory credentials and I am greeted with this 
error

CAS Services Management   Access Denied   You are not authorized to access this 
resource. Contact your CAS Administrator for more info.

I put this entry in the c:\etc\cas\config\users.properties file (which is 
referenced below in my management.properties file)

my_AD_loginID=notused,ROLE_ADMIN,enabled

My management.properties file looks like this....

++++++++++++ management.properties +++++++++++++++++++++
cas.server.name=https://cas5test.wheatonma.edu
cas.server.prefix=https://cas5test.wheatonma.edu/cas
cas.mgmt.host=${cas.server.name}
cas.serviceRegistry.initFromJson=true
spring.thymeleaf.mode=HTML
logging.config=file:/etc/cas/config/log4j2-management.xml<file://etc/cas/config/log4j2-management.xml>
server.port=443
cas.serviceRegistry.config.location:file:/etc/cas/services<file://etc/cas/services>
server.contextPath=/cas-management
cas.mgmt.adminRoles=ROLE_ADMIN
cas.mgmt.userPropertiesFile=file:/etc/cas/config/users.properties<file://etc/cas/config/users.properties>
cas.mgmt.serverName=https://cas5test.wheatonma.edu
cas.mgmt.defaultLocale=en
cas.mgmt.ldap.ldapAuthz.searchFilter=cn={user}
cas.mgmt.ldap.ldapAuthz.baseDn=OU=hidden,DC=hidden,DC=hidden
cas.mgmt.ldap.ldapUrl=ldaps://my_1st_ad_controller ldaps://my_2nd_ad_controller
cas.mgmt.ldap.baseDn=OU=hidden,DC=hidden,DC=hidden
cas.mgmt.ldap.bindDn=CN=hidden,CN=hidden,DC=hidden,DC=hidden
cas.mgmt.ldap.bindCredential=hidden
cas.mgmt.ldap.useSsl=true
cas.mgmt.ldap.useStartTls=false

Thanks for any advice you can offer :-)

--
- CAS gitter chatroom: https://gitter.im/apereo/cas
- CAS mailing list guidelines: https://apereo.github.io/cas/Mailing-Lists.html
- CAS documentation website: https://apereo.github.io/cas
- CAS project website: https://github.com/apereo/cas
---
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to cas-user+unsubscr...@apereo.org<mailto:cas-user+unsubscr...@apereo.org>.
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/01747094-c76a-36a1-ffd1-8072e34ca39b%40wheatoncollege.edu<https://groups.google.com/a/apereo.org/d/msgid/cas-user/01747094-c76a-36a1-ffd1-8072e34ca39b%40wheatoncollege.edu?utm_medium=email&utm_source=footer>.

-- 
- CAS gitter chatroom: https://gitter.im/apereo/cas
- CAS mailing list guidelines: https://apereo.github.io/cas/Mailing-Lists.html
- CAS documentation website: https://apereo.github.io/cas
- CAS project website: https://github.com/apereo/cas
--- 
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to cas-user+unsubscr...@apereo.org.
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/d1d5c7d10b0e4cf799df56b535323f4e%40hrz.tu-darmstadt.de.

Reply via email to