Hi Arnold,
Thank you very much for the suggestion. I confirmed that CAS is finding the properties file by changing the filename to something bogus; when I do that, the deployment of the war file crashes because it says it cannot find the file.
I believe CAS is successfully finding the file, it is just not processing it correctly (as far as I can tell). I'm getting around this by setting the "cas.mgmt.adminRoles" option to nothing (instead of the suggested "ROLE_ADMIN" value). Doing so (I believe) makes it so anyone who logs in can access the service management web app. I am getting around that by adding an accessStrategy section to the .json file that controls access to that service; inside there I am using the following requiredAttributes to restrict access to my Active Directory loginID:
  "accessStrategy" : {
    "@class" : "org.apereo.cas.services.DefaultRegisteredServiceAccessStrategy",
    "enabled" : true,
    "ssoEnabled" : true,
    "requiredAttributes" : {
      "@class" : "java.util.HashMap",
      "cn" : [ "java.util.HashSet", [ "bgibson" ] ]
    }
  },
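To make the two checks in this thread concrete, here is an added Python model (not CAS or pac4j code) of the RequireAnyRoleAuthorizer decision that produced the "<forbidden>" line in the debug log and of the accessStrategy requiredAttributes workaround above. The users.properties sample is constructed, and the exact semantics of both checks are assumptions reduced to what the thread shows.

```python
"""Model of the two authorization gates discussed in the thread.

Added example, not CAS's own code. It assumes:
  - RequireAnyRoleAuthorizer passes when the profile holds any configured
    admin role, and passes everyone when no admin role is configured
    (which is why clearing cas.mgmt.adminRoles admits every login);
  - requiredAttributes passes only when every required attribute is present
    on the profile with at least one matching value.
"""
from typing import Dict, List, Set

# Constructed sample in the Spring-style format used by users.properties:
# username=password,ROLE_1,ROLE_2,...,enabled|disabled
USERS_PROPERTIES = """
# comment line
bgibson=notused,ROLE_ADMIN,enabled
jdoe=notused,ROLE_VIEWER,disabled
"""


def parse_users_properties(text: str) -> Dict[str, Set[str]]:
    """Return username -> set of roles; a disabled account yields no roles."""
    users: Dict[str, Set[str]] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, _, rest = line.partition("=")
        fields = [f.strip() for f in rest.split(",")]
        # fields[0] is the (unused) password, fields[-1] the enabled flag
        roles = {f for f in fields[1:-1] if f.startswith("ROLE_")}
        users[name.strip()] = roles if fields[-1] == "enabled" else set()
    return users


def require_any_role(profile_roles: Set[str], admin_roles: List[str]) -> bool:
    """Model of RequireAnyRoleAuthorizer over cas.mgmt.adminRoles."""
    if not admin_roles:
        return True  # nothing required: every authenticated user is admitted
    return any(role in profile_roles for role in admin_roles)


def required_attributes_allow(attrs: Dict[str, List[str]],
                              required: Dict[str, List[str]]) -> bool:
    """Model of DefaultRegisteredServiceAccessStrategy requiredAttributes."""
    return all(any(v in attrs.get(name, []) for v in values)
               for name, values in required.items())


def management_allowed(users, username, attrs, admin_roles, required) -> bool:
    """Both gates in order: service accessStrategy first, then the mgmt authorizer."""
    return (required_attributes_allow(attrs, required)
            and require_any_role(users.get(username, set()), admin_roles))
```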
On 8/10/2017 3:24 AM, Bergner, Arnold wrote:
Hi there,
It seems to me your properties file location might be wrong. At least, there's no C: in there:
cas.mgmt.userPropertiesFile=file:/etc/cas/config/users.properties
Maybe you also need windows notation?
Regards
Arnold
*From:* [email protected] [mailto:[email protected]] *On behalf of* Brian Gibson
*Sent:* Wednesday, 9 August 2017 20:03
*To:* [email protected]
*Subject:* [cas-user] Re: Access Denied with CAS Service Management WebApp
To follow up on my last email, I enabled DEBUG mode and noticed in the logs where it was denying my access. Here is the snippet. I think it is because the "roles" value is empty (in bold below).
2017-08-09 12:28:29,675 DEBUG
[org.apereo.cas.mgmt.web.CasManagementSecurityInterceptor$CasManagementSecurityLogic]
- <new profiles: [#CasProfile# | id: /my_AD_loginID/ | attributes:
{wID=/my_AD_loginID/, isFromNewLogin=true,
authenticationDate=2017-08-09T12:28:29.175-04:00[America/New_York],
affiliation=staff, authenticationMethod=LdapAuthenticationHandler,
FullName=/my_Full_Name_From_AD/,
successfulAuthenticationHandlers=LdapAuthenticationHandler,
longTermAuthenticationRequestTokenUsed=false,
sn=/my_Last_Name_From_AD/, cn=/my_AD_loginID/,
EmailAddress=/my_AD_EmailAddress/} | *roles: []* | permissions: [] |
isRemembered: false | clientName: CasClient | linkedId: null |]>
2017-08-09 12:28:29,675 DEBUG
[org.apereo.cas.mgmt.web.CasManagementSecurityInterceptor$CasManagementSecurityLogic]
- <authorizers: securityHeaders,csrfToken,RequireAnyRoleAuthorizer>
2017-08-09 12:28:29,691 DEBUG
[org.apereo.cas.mgmt.web.CasManagementSecurityInterceptor$CasManagementSecurityLogic]
- *<forbidden>*
I thought the c:\etc\cas\config\users.properties file referenced from
my management.properties file would list me as having the ROLE_ADMIN
role?
If it helps, here is the .json file service entry used to allow the
management app.
{
  "@class" : "org.apereo.cas.services.RegexRegisteredService",
  "serviceId" : "https://cas5test.wheatonma.edu/cas-management/.*",
  "name" : "CASManagementService",
  "id" : 132457456798678,
  "description" : "Service entry to allow access to the CAS Management App",
  "attributeReleasePolicy" : {
    "@class" : "org.apereo.cas.services.ReturnMappedAttributeReleasePolicy",
    "allowedAttributes" : {
      "@class" : "java.util.TreeMap",
      "sn" : "sn",
      "cn" : "cn",
      "mail" : "EmailAddress",
      "displayname" : "FullName",
      "sAMAccountName" : "wID",
      "employeeType" : "affiliation"
    }
  },
  "evaluationOrder" : 2
}
Thanks!!!
On 8/9/2017 10:44 AM, Brian Gibson wrote:
Hi All,
Be gentle, I'm a sys admin, not a Java expert ;-)
Running Tomcat 9 on Windows 2012 R2 Server.
Running CAS 5.1.2 using the War Overlay method and I have it
authenticating against Active Directory and it recognizes services
that I define in .json files.
I'm trying to get the CAS Services Management Webapp working so I can log in with my Active Directory credentials. Here is where I am...
1. I go to the /cas-management URL and, if I am not already logged into CAS, I get redirected to the CAS login page (good so far).
2. I log in with my Active Directory credentials and I am greeted with this error:
"CAS Services Management Access Denied. You are not authorized to access this resource. Contact your CAS Administrator for more info."
I put this entry in the c:\etc\cas\config\users.properties file
(which is referenced below in my management.properties file)
/my_AD_loginID/=notused,ROLE_ADMIN,enabled
My management.properties file looks like this....
++++++++++++ management.properties +++++++++++++++++++++
cas.server.name=https://cas5test.wheatonma.edu
cas.server.prefix=https://cas5test.wheatonma.edu/cas
cas.mgmt.host=${cas.server.name}
cas.serviceRegistry.initFromJson=true
spring.thymeleaf.mode=HTML
logging.config=file:/etc/cas/config/log4j2-management.xml
server.port=443
cas.serviceRegistry.config.location:file:/etc/cas/services
server.contextPath=/cas-management
cas.mgmt.adminRoles=ROLE_ADMIN
cas.mgmt.userPropertiesFile=file:/etc/cas/config/users.properties
cas.mgmt.serverName=https://cas5test.wheatonma.edu
cas.mgmt.defaultLocale=en
cas.mgmt.ldap.ldapAuthz.searchFilter=cn={user}
cas.mgmt.ldap.ldapAuthz.baseDn=OU=hidden,DC=hidden,DC=hidden
cas.mgmt.ldap.ldapUrl=ldaps://my_1st_ad_controller ldaps://my_2nd_ad_controller
cas.mgmt.ldap.baseDn=OU=hidden,DC=hidden,DC=hidden
cas.mgmt.ldap.bindDn=CN=hidden,CN=hidden,DC=hidden,DC=hidden
cas.mgmt.ldap.bindCredential=hidden
cas.mgmt.ldap.useSsl=true
cas.mgmt.ldap.useStartTls=false
Thanks for any advice you can offer :-)
--
- CAS gitter chatroom: https://gitter.im/apereo/cas
- CAS mailing list guidelines:
https://apereo.github.io/cas/Mailing-Lists.html
- CAS documentation website: https://apereo.github.io/cas
- CAS project website: https://github.com/apereo/cas
---
You received this message because you are subscribed to the Google
Groups "CAS Community" group.
To unsubscribe from this group and stop receiving emails from it, send
an email to [email protected]
<mailto:[email protected]>.
To view this discussion on the web visit
https://groups.google.com/a/apereo.org/d/msgid/cas-user/01747094-c76a-36a1-ffd1-8072e34ca39b%40wheatoncollege.edu