Hi Arnold,

Thank you very much for the suggestion. I confirmed that CAS is finding the properties file by changing the filename to something bogus; when I do that, the deployment of the war file crashes because it says it cannot find the file. I believe CAS is successfully finding the file; it is just not processing it correctly (as far as I can tell). I'm getting around this by setting the "cas.mgmt.adminRoles" option to nothing (instead of the suggested "ROLE_ADMIN" value). Doing so (I believe) makes it so /anyone/ who logs in can access the service management web app. I am getting around that by adding an accessStrategy section to the .json file that controls access to that service; inside it I am using the following requiredAttributes to restrict access to my Active Directory loginID:

  "accessStrategy" : {
    "@class" : "org.apereo.cas.services.DefaultRegisteredServiceAccessStrategy",
    "enabled" : true,
    "ssoEnabled" : true,
    "requiredAttributes" : {
      "@class" : "java.util.HashMap",
      "cn" : [ "java.util.HashSet", [ "bgibson" ] ]
    }
  },
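
The two gates discussed in this thread, modelled in Python as an added illustration (this is not CAS or Spring Security code): the admin-role check that produces the "<forbidden>" in the DEBUG log below when the profile carries "roles: []", and the accessStrategy requiredAttributes check used as the workaround above. The users.properties parser assumes the Spring Security in-memory user format shown in the thread (user=password,ROLE_ADMIN,enabled); the profile attributes are constructed placeholders, and the "empty adminRoles means nothing is required" behaviour is taken from the poster's description rather than verified against CAS.

```python
"""Model of the two checks discussed in this thread (illustrative, not CAS code)."""
from typing import Dict, Iterable, Mapping, Set

# Constructed profile mirroring the DEBUG log: attributes released by the
# service entry, but an empty roles list.
PROFILE_ATTRIBUTES = {"cn": "bgibson", "affiliation": "staff", "wID": "bgibson"}
PROFILE_ROLES: list = []  # exactly what the log shows: "roles: []"


def parse_users_properties(text: str) -> Dict[str, Set[str]]:
    """Parse  user=password,ROLE_ADMIN,enabled  lines (Spring Security's
    in-memory user format, which cas.mgmt.userPropertiesFile points at)."""
    users: Dict[str, Set[str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        user, _, rest = line.partition("=")
        fields = [f.strip() for f in rest.split(",")]
        # fields[0] is the (unused) password; keep only ROLE_* tokens
        users[user.strip()] = {f for f in fields[1:] if f.startswith("ROLE_")}
    return users


def require_any_role(profile_roles: Iterable[str], admin_roles: Iterable[str]) -> bool:
    """RequireAnyRoleAuthorizer-style check: at least one configured admin
    role must be present on the profile. With cas.mgmt.adminRoles emptied
    (the workaround described above) nothing is required, so every login passes."""
    admin = set(admin_roles)
    return not admin or bool(set(profile_roles) & admin)


def required_attributes_satisfied(attributes: Mapping[str, object],
                                  required: Mapping[str, Iterable[str]]) -> bool:
    """accessStrategy requiredAttributes: every required attribute must be
    present on the profile with at least one of the listed values."""
    for name, allowed in required.items():
        value = attributes.get(name)
        if value is None:
            return False
        values = [value] if isinstance(value, str) else list(value)
        if not set(values) & set(allowed):
            return False
    return True
```

With the roles check emptied, the service accessStrategy becomes the only thing keeping other authenticated users out of the management app, so its requiredAttributes entry needs to name an attribute the server actually releases for that service.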

On 8/10/2017 3:24 AM, Bergner, Arnold wrote:

Hi there,

It seems to me your properties file location might be wrong. At least, there's no C: in there:

cas.mgmt.userPropertiesFile=file:/etc/cas/config/users.properties

Maybe you also need windows notation?

Regards

Arnold

*From:* cas-user@apereo.org [mailto:cas-user@apereo.org] *On behalf of* Brian Gibson
*Sent:* Wednesday, 9 August 2017 20:03
*To:* cas-user@apereo.org
*Subject:* [cas-user] Re: Access Denied with CAS Service Management WebApp

To follow up on my last email, I enabled DEBUG mode and noticed in the logs where it was denying my access. Here is the snippet. I think it is because the "roles" value is empty (in bold below).

2017-08-09 12:28:29,675 DEBUG [org.apereo.cas.mgmt.web.CasManagementSecurityInterceptor$CasManagementSecurityLogic] - <new profiles: [#CasProfile# | id: /my_AD_loginID/ | attributes: {wID=/my_AD_loginID/, isFromNewLogin=true, authenticationDate=2017-08-09T12:28:29.175-04:00[America/New_York], affiliation=staff, authenticationMethod=LdapAuthenticationHandler, FullName=/my_Full_Name_From_AD/, successfulAuthenticationHandlers=LdapAuthenticationHandler, longTermAuthenticationRequestTokenUsed=false, sn=/my_Last_Name_From_AD/, cn=/my_AD_loginID/, EmailAddress=/my_AD_EmailAddress/} | *roles: []* | permissions: [] | isRemembered: false | clientName: CasClient | linkedId: null |]>

2017-08-09 12:28:29,675 DEBUG [org.apereo.cas.mgmt.web.CasManagementSecurityInterceptor$CasManagementSecurityLogic] - <authorizers: securityHeaders,csrfToken,RequireAnyRoleAuthorizer>

2017-08-09 12:28:29,691 DEBUG [org.apereo.cas.mgmt.web.CasManagementSecurityInterceptor$CasManagementSecurityLogic] - *<forbidden>*

I thought the c:\etc\cas\config\users.properties file referenced from my management.properties file would list me as having the ROLE_ADMIN role?

If it helps, here is the .json file service entry used to allow the management app.


{
  "@class" : "org.apereo.cas.services.RegexRegisteredService",
  "serviceId" : "https://cas5test.wheatonma.edu/cas-management/.*",
  "name" : "CASManagementService",
  "id" : 132457456798678,
  "description" : "Service entry to allow access to the CAS Management App",
  "attributeReleasePolicy" : {
    "@class" : "org.apereo.cas.services.ReturnMappedAttributeReleasePolicy",
    "allowedAttributes" : {
      "@class" : "java.util.TreeMap",
      "sn" : "sn",
      "cn" : "cn",
      "mail" : "EmailAddress",
      "displayname" : "FullName",
      "sAMAccountName" : "wID",
      "employeeType" : "affiliation"
    }
  },
  "evaluationOrder" : 2
}


Thanks!!!

On 8/9/2017 10:44 AM, Brian Gibson wrote:

    Hi All,

    Be gentle, I'm a sys admin, not a Java expert ;-)

    Running Tomcat 9 on Windows 2012 R2 Server.

    Running CAS 5.1.2 using the War Overlay method and I have it
    authenticating against Active Directory and it recognizes services
    that I define in .json files.

    I'm trying to get the CAS Services Management Webapp working so I
    can login with my Active Directory credentials. Here is where I am....

    1. I go to the /cas-management URL and if I am not already logged
    into CAS I get redirected to the CAS login page (good so far)

    2. I log in with my Active Directory credentials and I am greeted
    with this error

    /CAS Services Management   Access Denied   You are not authorized
    to access this resource. Contact your CAS Administrator for more
    info./

    I put this entry in the c:\etc\cas\config\users.properties file
    (which is referenced below in my management.properties file)

    /my_AD_loginID/=notused,ROLE_ADMIN,enabled

    My management.properties file looks like this....

    ++++++++++++ management.properties +++++++++++++++++++++
    cas.server.name=https://cas5test.wheatonma.edu
    cas.server.prefix=https://cas5test.wheatonma.edu/cas
    cas.mgmt.host=${cas.server.name}
    cas.serviceRegistry.initFromJson=true
    spring.thymeleaf.mode=HTML
    logging.config=file:/etc/cas/config/log4j2-management.xml
    server.port=443
    cas.serviceRegistry.config.location:file:/etc/cas/services
    server.contextPath=/cas-management
    cas.mgmt.adminRoles=ROLE_ADMIN
    cas.mgmt.userPropertiesFile=file:/etc/cas/config/users.properties
    cas.mgmt.serverName=https://cas5test.wheatonma.edu
    cas.mgmt.defaultLocale=en
    cas.mgmt.ldap.ldapAuthz.searchFilter=cn={user}
    cas.mgmt.ldap.ldapAuthz.baseDn=OU=hidden,DC=hidden,DC=hidden
    cas.mgmt.ldap.ldapUrl=ldaps://my_1st_ad_controller ldaps://my_2nd_ad_controller
    cas.mgmt.ldap.baseDn=OU=hidden,DC=hidden,DC=hidden
    cas.mgmt.ldap.bindDn=CN=hidden,CN=hidden,DC=hidden,DC=hidden
    cas.mgmt.ldap.bindCredential=hidden
    cas.mgmt.ldap.useSsl=true
    cas.mgmt.ldap.useStartTls=false

    Thanks for any advice you can offer :-)

--
- CAS gitter chatroom: https://gitter.im/apereo/cas
- CAS mailing list guidelines: https://apereo.github.io/cas/Mailing-Lists.html <https://apereo.github.io/cas/Mailing-Lists.html>
- CAS documentation website: https://apereo.github.io/cas
- CAS project website: https://github.com/apereo/cas
---
You received this message because you are subscribed to the Google Groups "CAS Community" group. To unsubscribe from this group and stop receiving emails from it, send an email to cas-user+unsubscr...@apereo.org <mailto:cas-user+unsubscr...@apereo.org>. To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/01747094-c76a-36a1-ffd1-8072e34ca39b%40wheatoncollege.edu <https://groups.google.com/a/apereo.org/d/msgid/cas-user/01747094-c76a-36a1-ffd1-8072e34ca39b%40wheatoncollege.edu?utm_medium=email&utm_source=footer>.