I will defer to others, since we are still at v5.2.2
From: SBUser [mailto:[email protected]]
Sent: Wednesday, August 22, 2018 3:28 PM
To: CAS Community <[email protected]>
Cc: [email protected]; Daudt, Carl <[email protected]>; [email protected]
Subject: Re: [cas-user] Re: How do I enable /status (admin monitoring) page with CAS 5.1.0?

Have any of you guys been able to set this up using CAS v5.3.2? I have tried everything documented in this post and elsewhere for a couple of days to no avail.

Specifically, I'm getting "Access Denied" while trying to access https://<my-server-name>:8443/cas/status/dashboard after successfully signing in with a ROLE_ADMIN user id from one single IP address of my second machine (IP: xxx.xxx.x.xxx).

-------------- application.properties -------------------
cas.monitor.endpoints.enabled=true
cas.monitor.endpoints.sensitive=false
cas.adminPagesSecurity.ip=127\.0\.0\.1|xxx\.xxx\.x\.xxx
endpoints.restart.enabled=false
endpoints.shutdown.enabled=false
management.security.enabled=true
management.security.roles=ACTUATOR,ROLE_ADMIN
management.security.sessions=if_required
management.context-path=/status
management.add-application-context-header=false
. . .
cas.authn.accept.users=casadmin::<my-password>
----------------------------------------------------------------

------------- adminusers.properties -------------------
casadmin=notused,ROLE_ADMIN
----------------------------------------------------------------

------------------- cas.properties ------------------------
cas.adminPagesSecurity.loginUrl=https://<my-server-name>:8443/cas/login
cas.adminPagesSecurity.service=https://<my-server-name>:8443/cas/status/dashboard
cas.adminPagesSecurity.users=file:/adminusers.properties
cas.adminPagesSecurity.adminRoles[0]=ROLE_ADMIN
cas.adminPagesSecurity.actuatorEndpointsEnabled=true
cas.serviceRegistry.watcherEnabled=true
cas.serviceRegistry.initFromJson=true
----------------------------------------------------------------

Note: I'm using the STS (Spring Tool Suite) IDE, deploying to a local Tomcat 8.5.32-x64. application.properties, cas.properties, and adminusers.properties are housed in the src\main\resources project folder, and published to the Tomcat WEB-INF\classes folder when run from STS.

It works if on the same machine, accessing via:
http://localhost:8080/cas/status/dashboard
https://localhost:8443/cas/status/dashboard
and it doesn't even care whether I signed in with my admin user id (casadmin) or not. Which is not a good thing either, but I can live with it for now.

Thanks for your help,
GTM

On Thursday, June 29, 2017 at 2:12:03 PM UTC-4, Julien Whizz wrote:

Here: https://apereo.github.io/cas/5.1.x/installation/Configuration-Properties.html#spring-boot-endpoints

When I try to install Endpoint :)

# casuser: This is the authenticated user id received from CAS
# notused: This is the password field that isn't used by CAS. You could literally put any value you want in its place.
# ROLE_ADMIN: Role assigned to the authorized user, which is then cross checked against CAS configuration.
# example:
casuser=notused,ROLE_ADMIN
myuser=notused,ROLE_ADMIN

On Wednesday, June 28, 2017 at 23:16:35 UTC+2, crdaudt wrote:

Thanks Julien.
With your suggested change, /status/dashboard is now working for me.

I changed my entry for adminusers.properties to 'crdaudt=pwdnotuse,ROLE_ADMIN' (i.e., as you suggested).

I changed the value of cas.adminPagesSecurity.ip to allow the IP address ranges 10.11.12.0/24 and 14.15.16.0/24 as follows:

cas.adminPagesSecurity.ip=^10\.11\.12\.([0-9]|[1-9][0-9]|1([0-9][0-9])|2([0-4][0-9]|5[0-5]))$|^14\.15\.16\.([0-9]|[1-9][0-9]|1([0-9][0-9])|2([0-4][0-9]|5[0-5]))$

My other parameters are as listed above.

One further question: What does '=pwdnotuse' mean? Is this documented somewhere?

Other than that, my issue is resolved. Thanks all!

p.s. -- looking forward to more complete, updated documentation some day, and perhaps some more examples. Thanks for everyone's good hard work.

On Wednesday, June 28, 2017 at 3:36:16 PM UTC-4, Julien Whizz wrote:

Hi,

I think it is:
crdaudt=pwdnotuse,ROLE_ADMIN
No?

On June 28, 2017 5:49 PM, "crdaudt" <[email protected]> wrote:

Thanks Iain.

I have this working now for filtering with IP addresses only. For those interested, I have the following in my cas.properties file:

----BEGIN snippet from cas.properties----
...
cas.monitor.endpoints.enabled=true
cas.monitor.endpoints.sensitive=false
cas.adminPagesSecurity.ip=10\.11\.12\.13\|14\.15\.16\.17
----END----

However, to pick up on Julien's issue, I am not able to get this working if I further restrict this to logged-in users who are specified as authorized users in my adminusers.properties file. Here is what I have:

----BEGIN snippet from cas.properties----
...
cas.monitor.endpoints.enabled=true
cas.monitor.endpoints.sensitive=false
cas.adminPagesSecurity.ip=10\.11\.12\.13\|14\.15\.16\.17
cas.adminPagesSecurity.loginUrl=https://my.test.cas.server/cas/login
cas.adminPagesSecurity.service=https://my.test.cas.server/cas/status/dashboard
cas.adminPagesSecurity.users=file:/etc/cas/config/adminusers.properties
cas.adminPagesSecurity.adminRoles[0]=ROLE_ADMIN
cas.adminPagesSecurity.actuatorEndpointsEnabled=true
cas.serviceRegistry.watcherEnabled=true
cas.serviceRegistry.initFromJson=true
----END----

And here are the contents of my adminusers.properties file (for now, I only have my username listed):

----BEGIN adminusers.properties----
user=crdaudt,ROLE_ADMIN
----END----

My results are as follows:
--When I visit https://my.test.cas.server/cas/status/dashboard, I am redirected to login.
--When I log in, my logs show the following:

----BEGIN log snippet----
> 2017-06-28 11:42:01,961 INFO [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit trail record BEGIN
=============================================================
WHO: crdaudt
WHAT: TGT-**********************************************kloPuBba1M-my.test.cas.server
ACTION: TICKET_GRANTING_TICKET_CREATED
APPLICATION: CAS
WHEN: Wed Jun 28 11:42:01 EDT 2017
CLIENT IP ADDRESS: 10.11.12.13
SERVER IP ADDRESS: 10.10.10.100
=============================================================
> 2017-06-28 11:42:02,001 INFO [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit trail record BEGIN
=============================================================
WHO: crdaudt
WHAT: ST-1-Fe5a6Ieo3IMaPI2FScWC-my.test.cas.server for https://my.test.cas.server/cas/status/dashboard
ACTION: SERVICE_TICKET_CREATED
APPLICATION: CAS
WHEN: Wed Jun 28 11:42:02 EDT 2017
CLIENT IP ADDRESS: 10.11.12.13
SERVER IP ADDRESS: 10.10.10.100
=============================================================
> 2017-06-28 11:42:02,206 INFO [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit trail record BEGIN
=============================================================
WHO: crdaudt
WHAT: ST-1-Fe5a6Ieo3IMaPI2FScWC-my.test.cas.server
ACTION: SERVICE_TICKET_VALIDATED
APPLICATION: CAS
WHEN: Wed Jun 28 11:42:02 EDT 2017
CLIENT IP ADDRESS: 10.11.12.13
SERVER IP ADDRESS: 10.10.10.100
=============================================================
----END----

I am then redirected to https://my.test.cas.server/cas/status/dashboard?ticket=ST-1-Fe5a6Ieo3IMaPI2FScWC-my.test.cas.server, and informed that: "YOU ARE NOT AUTHORIZED TO BE AUTHORIZED!".

Any suggestions?

On Tuesday, June 27, 2017 at 2:19:58 PM UTC-4, Iain Workman wrote:

The cas.adminPagesSecurity.ip setting is interpreted as a regex which the sending IP of the request is matched against. If you can form a regex which will match only the required IPs, that will work.

--
- CAS gitter chatroom: https://gitter.im/apereo/cas
- CAS mailing list guidelines: https://apereo.github.io/cas/Mailing-Lists.html
- CAS documentation website: https://apereo.github.io/cas
- CAS project website: https://github.com/apereo/cas
---
You received this message because you are subscribed to the Google Groups "CAS Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/e315e2f4-4290-46d9-8680-29b7f5f62e10%40apereo.org.
--
To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/1b3784530f05452eae84a0194c842e94%40taylor.edu.
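The two checks this thread keeps circling are easy to get subtly wrong: the IP regex in cas.adminPagesSecurity.ip is read through a .properties loader before it ever reaches the regex engine, and adminusers.properties uses Spring Security's in-memory user format where the key is the username (which is why "user=crdaudt,ROLE_ADMIN" above defines a user called "user", and why "crdaudt=pwdnotuse,ROLE_ADMIN" fixed it). The script below is an added example, not code from the CAS project or from anyone in this thread. It assumes the properties files are read with java.util.Properties escaping rules (a backslash before any character other than t, n, r, f or u is silently dropped, so the "\." and "\|" typed above arrive as "." and "|") and that the IP check is a whole-string match as in Java's Matcher.matches(); the helper functions, the access-decision order, and the sample property texts are constructed for illustration.

```python
r"""Added example, not code from the CAS project or from anyone in this thread.

Models the two checks this thread is about so they can be reasoned about
offline:

  1. cas.adminPagesSecurity.ip is a regex the client IP is matched against
     (whole-string, like Java's Matcher.matches()).  The value passes through
     a .properties loader first, and java.util.Properties drops the backslash
     before any character that is not a recognised escape, so "\." reaches the
     regex engine as "." and "\|" as "|".  The regex that runs is therefore
     not the one typed into the file.
  2. adminusers.properties uses Spring Security's in-memory user format,
     "username=password,ROLE1,ROLE2[,enabled|disabled]": the key is the
     username, so "user=crdaudt,ROLE_ADMIN" defines a user called "user".

All helpers below are assumptions written for illustration, not CAS classes.
The sample property texts are constructed from the values in the thread.
"""
import re


def unescape_properties_value(raw: str) -> str:
    """java.util.Properties value escaping: \\t \\n \\r \\f are translated and
    any other backslash is silently dropped.  \\uXXXX escapes and line
    continuations are left out of this simplified version."""
    known = {"t": "\t", "n": "\n", "r": "\r", "f": "\f"}
    out, i = [], 0
    while i < len(raw):
        if raw[i] == "\\" and i + 1 < len(raw):
            out.append(known.get(raw[i + 1], raw[i + 1]))
            i += 2
        else:
            out.append(raw[i])
            i += 1
    return "".join(out)


def parse_properties(text: str) -> dict:
    """Minimal key=value parser with value unescaping; comment lines skipped."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#!":
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = unescape_properties_value(value.strip())
    return props


def ip_allowed(loaded_regex: str, client_ip: str) -> bool:
    """Whole-string match, as Java's Matcher.matches() does.  The patterns in
    this thread use only syntax that re and java.util.regex share."""
    return re.fullmatch(loaded_regex, client_ip) is not None


def parse_admin_users(text: str) -> dict:
    """adminusers.properties -> {username: set_of_roles}.  The password field
    ("notused", "pwdnotuse") is ignored, exactly as CAS ignores it."""
    users = {}
    for name, value in parse_properties(text).items():
        fields = [f.strip() for f in value.split(",")]
        users[name] = {f for f in fields[1:] if f.lower() not in ("enabled", "disabled")}
    return users


def dashboard_access(cas_props: str, admin_users: str, client_ip: str,
                     username: str, admin_role: str = "ROLE_ADMIN") -> str:
    """Checks in the order the thread describes them: IP regex first, then the
    authenticated user's role from adminusers.properties."""
    props = parse_properties(cas_props)
    if not ip_allowed(props["cas.adminPagesSecurity.ip"], client_ip):
        return "denied: ip"
    if admin_role not in parse_admin_users(admin_users).get(username, set()):
        return "denied: role"
    return "allowed"


# Constructed samples mirroring the thread's configuration (raw strings keep
# the backslashes exactly as they would sit in the file on disk).
CAS_PROPS_HOSTS = r"""
cas.monitor.endpoints.enabled=true
cas.adminPagesSecurity.ip=10\.11\.12\.13\|14\.15\.16\.17
"""
CAS_PROPS_SUBNETS = r"""
cas.adminPagesSecurity.ip=^10\.11\.12\.([0-9]|[1-9][0-9]|1([0-9][0-9])|2([0-4][0-9]|5[0-5]))$|^14\.15\.16\.([0-9]|[1-9][0-9]|1([0-9][0-9])|2([0-4][0-9]|5[0-5]))$
"""
ADMIN_USERS_WRONG = "user=crdaudt,ROLE_ADMIN"        # defines a user named "user"
ADMIN_USERS_FIXED = "crdaudt=pwdnotuse,ROLE_ADMIN"   # defines the user "crdaudt"

if __name__ == "__main__":
    typed = r"10\.11\.12\.13\|14\.15\.16\.17"
    print("typed :", typed)
    print("loaded:", unescape_properties_value(typed))   # 10.11.12.13|14.15.16.17
    for users, label in ((ADMIN_USERS_WRONG, "user=crdaudt"), (ADMIN_USERS_FIXED, "crdaudt=pwdnotuse")):
        print(label, "->", dashboard_access(CAS_PROPS_HOSTS, users, "10.11.12.13", "crdaudt"))
    print("10.11.12.99 with /24 regex ->",
          dashboard_access(CAS_PROPS_SUBNETS, ADMIN_USERS_FIXED, "10.11.12.99", "crdaudt"))
```

The loader behaviour is why the "\|" in the first cas.properties snippet still worked: it was turned into a plain "|" before the regex was compiled. The cost is that every "\." became an unescaped "." (any single character), which is harmless for dotted-quad client addresses but means the pattern on disk is not the pattern being enforced; to keep a literal dot in the compiled regex a properties file needs "\\.". The anchored /24 regex from later in the thread survives the same loader and, as the script shows, admits 10.11.12.99 while rejecting 10.11.13.99.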
