Hi there, it seems to me your properties file location might be wrong. At least, there's no C: in there:

cas.mgmt.userPropertiesFile=file:/etc/cas/config/users.properties

Maybe you also need Windows notation?

Regards
Arnold

From: [email protected] [mailto:[email protected]] On behalf of Brian Gibson
Sent: Wednesday, 9 August 2017 20:03
To: [email protected]
Subject: [cas-user] Re: Access Denied with CAS Service Management WebApp

To follow up on my last email, I enabled DEBUG mode and noticed in the logs where it was denying my access. Here is the snippet. I think it is because the "roles" value is empty (the roles: [] below):

2017-08-09 12:28:29,675 DEBUG [org.apereo.cas.mgmt.web.CasManagementSecurityInterceptor$CasManagementSecurityLogic] - <new profiles: [#CasProfile# | id: my_AD_loginID | attributes: {wID=my_AD_loginID, isFromNewLogin=true, authenticationDate=2017-08-09T12:28:29.175-04:00[America/New_York], affiliation=staff, authenticationMethod=LdapAuthenticationHandler, FullName=my_Full_Name_From_AD, successfulAuthenticationHandlers=LdapAuthenticationHandler, longTermAuthenticationRequestTokenUsed=false, sn=my_Last_Name_From_AD, cn=my_AD_loginID, EmailAddress=my_AD_EmailAddress} | roles: [] | permissions: [] | isRemembered: false | clientName: CasClient | linkedId: null |]>
2017-08-09 12:28:29,675 DEBUG [org.apereo.cas.mgmt.web.CasManagementSecurityInterceptor$CasManagementSecurityLogic] - <authorizers: securityHeaders,csrfToken,RequireAnyRoleAuthorizer>
2017-08-09 12:28:29,691 DEBUG [org.apereo.cas.mgmt.web.CasManagementSecurityInterceptor$CasManagementSecurityLogic] - <forbidden>

I thought the c:\etc\cas\config\users.properties file referenced from my management.properties file would list me as having the ROLE_ADMIN role?

If it helps, here is the .json file service entry used to allow the management app.

{
  "@class" : "org.apereo.cas.services.RegexRegisteredService",
  "serviceId" : "https://cas5test.wheatonma.edu/cas-management/.*",
  "name" : "CASManagementService",
  "id" : 132457456798678,
  "description" : "Service entry to allow access to the CAS Management App",
  "attributeReleasePolicy" : {
    "@class" : "org.apereo.cas.services.ReturnMappedAttributeReleasePolicy",
    "allowedAttributes" : {
      "@class" : "java.util.TreeMap",
      "sn" : "sn",
      "cn" : "cn",
      "mail" : "EmailAddress",
      "displayname" : "FullName",
      "sAMAccountName" : "wID",
      "employeeType" : "affiliation"
    }
  },
  "evaluationOrder" : 2
}

Thanks!!!

On 8/9/2017 10:44 AM, Brian Gibson wrote:

Hi All,

Be gentle, I'm a sys admin, not a Java expert ;-)

Running Tomcat 9 on Windows 2012 R2 Server. Running CAS 5.1.2 using the War Overlay method and I have it authenticating against Active Directory and it recognizes services that I define in .json files. I'm trying to get the CAS Services Management Webapp working so I can log in with my Active Directory credentials. Here is where I am....

1. I go to the /cas-management URL and if I am not already logged into CAS I get redirected to the CAS login page (good so far)
2. I log in with my Active Directory credentials and I am greeted with this error:

CAS Services Management
Access Denied
You are not authorized to access this resource. Contact your CAS Administrator for more info.

I put this entry in the c:\etc\cas\config\users.properties file (which is referenced below in my management.properties file):

my_AD_loginID=notused,ROLE_ADMIN,enabled

My management.properties file looks like this....

++++++++++++ management.properties +++++++++++++++++++++
cas.server.name=https://cas5test.wheatonma.edu
cas.server.prefix=https://cas5test.wheatonma.edu/cas
cas.mgmt.host=${cas.server.name}
cas.serviceRegistry.initFromJson=true
spring.thymeleaf.mode=HTML
logging.config=file:/etc/cas/config/log4j2-management.xml
server.port=443
cas.serviceRegistry.config.location:file:/etc/cas/services
server.contextPath=/cas-management
cas.mgmt.adminRoles=ROLE_ADMIN
cas.mgmt.userPropertiesFile=file:/etc/cas/config/users.properties
cas.mgmt.serverName=https://cas5test.wheatonma.edu
cas.mgmt.defaultLocale=en
cas.mgmt.ldap.ldapAuthz.searchFilter=cn={user}
cas.mgmt.ldap.ldapAuthz.baseDn=OU=hidden,DC=hidden,DC=hidden
cas.mgmt.ldap.ldapUrl=ldaps://my_1st_ad_controller ldaps://my_2nd_ad_controller
cas.mgmt.ldap.baseDn=OU=hidden,DC=hidden,DC=hidden
cas.mgmt.ldap.bindDn=CN=hidden,CN=hidden,DC=hidden,DC=hidden
cas.mgmt.ldap.bindCredential=hidden
cas.mgmt.ldap.useSsl=true
cas.mgmt.ldap.useStartTls=false

Thanks for any advice you can offer :-)

--
- CAS gitter chatroom: https://gitter.im/apereo/cas
- CAS mailing list guidelines: https://apereo.github.io/cas/Mailing-Lists.html
- CAS documentation website: https://apereo.github.io/cas
- CAS project website: https://github.com/apereo/cas
---
You received this message because you are subscribed to the Google Groups "CAS Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/01747094-c76a-36a1-ffd1-8072e34ca39b%40wheatoncollege.edu.
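The thread's DEBUG lines show the exact decision being made: the pac4j profile for the logged-in principal carries roles: [], so the RequireAnyRoleAuthorizer listed in the authorizers line has nothing to match against cas.mgmt.adminRoles and answers forbidden. The following script is an added diagnostic, not code from the thread or from the CAS project. It parses a users.properties file in the format Brian shows (Spring Security's in-memory user format, name=password,ROLE_1[,ROLE_2...][,enabled|disabled]), extracts the principal id and roles from a profile DEBUG line, re-runs the "any required role held" decision, and reports which of the possible causes applies: no matching key (Java Properties keys are case-sensitive), a disabled entry, an entry without an admin role, or an entry that would grant access while the live profile has no roles at all, which points at the file never having been loaded from cas.mgmt.userPropertiesFile. The sample properties text and log line are constructed here and modelled on the ones in the thread; the helper names and the verdict codes are this example's own.

```python
import re

# Constructed sample in the users.properties format shown in the thread
# (Spring Security in-memory user format: name=password,ROLE_1[,ROLE_2...][,enabled|disabled]).
USERS_PROPERTIES = """\
# users.properties (constructed sample; 'notused' mirrors the thread)
my_AD_loginID=notused,ROLE_ADMIN,enabled
other_user=notused,ROLE_USER,disabled
"""

# cas.mgmt.adminRoles from the thread's management.properties.
ADMIN_ROLES = frozenset({"ROLE_ADMIN"})

# Constructed DEBUG line modelled on the pac4j profile dump in the thread (attribute list trimmed).
LOG_LINE = (
    "2017-08-09 12:28:29,675 DEBUG [org.apereo.cas.mgmt.web.CasManagementSecurityInterceptor"
    "$CasManagementSecurityLogic] - <new profiles: [#CasProfile# | id: my_AD_loginID | attributes: "
    "{wID=my_AD_loginID, authenticationDate=2017-08-09T12:28:29.175-04:00[America/New_York], "
    "affiliation=staff} | roles: [] | permissions: [] | isRemembered: false | clientName: CasClient "
    "| linkedId: null |]>"
)

# java.util.Properties accepts '=' or ':' between key and value.
PROPERTY_RE = re.compile(r"^\s*([^=:\s]+)\s*[=:]\s*(.*?)\s*$")
# Pull the principal id and the roles list out of a pac4j profile dump.
PROFILE_RE = re.compile(r"\| id: (?P<id>[^|]+?) \|.*?\| roles: \[(?P<roles>[^\]]*)\]")


def parse_users_properties(text):
    """Return {username: (roles, enabled)}; keys are case-sensitive, as in java.util.Properties."""
    users = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":      # comment lines
            continue
        m = PROPERTY_RE.match(line)
        if not m:
            continue
        name, value = m.group(1), m.group(2)
        parts = [p.strip() for p in value.split(",")]
        enabled = True
        if len(parts) > 1 and parts[-1].lower() in ("enabled", "disabled"):
            enabled = parts.pop().lower() == "enabled"
        # parts[0] is the (unused) password; everything after it is a granted role.
        roles = frozenset(p for p in parts[1:] if p)
        users[name] = (roles, enabled)
    return users


def parse_profile_log(line):
    """Extract (principal id, roles) from a '<new profiles: ...>' DEBUG line; None if absent."""
    m = PROFILE_RE.search(line)
    if not m:
        return None
    roles = frozenset(r.strip() for r in m.group("roles").split(",") if r.strip())
    return m.group("id").strip(), roles


def require_any_role(held, required):
    """The decision a RequireAnyRoleAuthorizer makes: pass if any required role is held."""
    return bool(held & required)


def diagnose(log_line, users_text, admin_roles):
    """Compare what the runtime profile carries with what users.properties should have granted."""
    parsed = parse_profile_log(log_line)
    if parsed is None:
        return {"verdict": "NO_PROFILE"}
    user_id, runtime_roles = parsed
    users = parse_users_properties(users_text)
    result = {"user": user_id, "runtime_roles": runtime_roles}
    if user_id not in users:
        result["verdict"] = "NO_ENTRY"        # id in the log matches no key (check exact spelling/case)
        return result
    file_roles, enabled = users[user_id]
    result["file_roles"] = file_roles
    if not enabled:
        result["verdict"] = "DISABLED"
    elif not require_any_role(file_roles, admin_roles):
        result["verdict"] = "NO_ADMIN_ROLE"   # entry exists but grants none of cas.mgmt.adminRoles
    elif require_any_role(runtime_roles, admin_roles):
        result["verdict"] = "GRANTED"
    else:
        # The file would grant access, yet the live profile carries no roles at all:
        # the file named in cas.mgmt.userPropertiesFile was most likely never loaded.
        result["verdict"] = "ROLES_NOT_LOADED"
    return result


if __name__ == "__main__":
    print(diagnose(LOG_LINE, USERS_PROPERTIES, ADMIN_ROLES))
```

Run against the constructed inputs, the verdict is ROLES_NOT_LOADED, which is the situation in the thread: the users.properties entry is correct, so the remaining suspect is the file: URL that the management webapp resolves on a Windows host. Pointing the script at a real DEBUG line and the real users.properties separates that case from a simple key mismatch before anyone changes the path.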
