Hello David,

I have been trying to resolve this issue for the last 3 days; nevertheless, I am lost with no hope.

2019-07-19 18:46:47,815 WARN [org.apereo.cas.mgmt.authz.CasRoleBasedAuthorizer] - <Unable to authorize access, since the authenticated profile [#CasProfile# | id: [email protected] | attributes: {credentialType=UsernamePasswordCredential, samlAuthenticationStatementAuthMethod=urn:oasis:names:tc:SAML:1.0:am:password, isFromNewLogin=true, [email protected], authenticationDate=2019-07-19T18:46:45.197052Z[UTC], authenticationMethod=Open DJ, givenName=Anil, successfulAuthenticationHandlers=Open DJ, longTermAuthenticationRequestTokenUsed=false, [email protected], title=devOps Engineer} | roles: [] | permissions: [] | isRemembered: false | clientName: CasClient | linkedId: null |] does not contain any required roles>

CAS-Management is taking me to the CAS server for authentication. Once the authentication is validated, while coming back to the Management App, I see the above error in the Management logs.

I have adminusers.properties as below:

[email protected]=notused,ROLE_ADMIN,enabled
Anil=notused,ROLE_ADMIN,enabled

and management.properties has the details below:

cas.mgmt.adminRoles[0]=ROLE_ADMIN
cas.mgmt.userPropertiesFile=file:./adminusers.properties

Can you guide me on where I am making a mistake? I have referred to the docs at: https://dacurry-tns.github.io/deploying-apereo-cas/building_svcmgmt_configure-webapp-properties.html too.

On Friday, 23 February 2018 14:48:32 UTC-5, David Curry wrote:
>
> > Someone should pay you for them.
>
> Well, I have to write it up as part of my job anyway; I just decided to go
> a little further and make it available to world+dog. So I do get paid for
> the work. Glad you (and others) are finding them helpful.
>
> --
> DAVID A. CURRY, CISSP
> DIRECTOR OF INFORMATION SECURITY
> INFORMATION TECHNOLOGY
>
> 71 FIFTH AVE., 9TH FL., NEW YORK, NY 10003
> +1 212 229-5300 x4728 • [email protected]
>
> On Fri, Feb 23, 2018 at 2:30 PM, Cheltenham, Chris <[email protected]> wrote:
>
>> Oh right, you do have good docs.
>>
>> Thanks
>>
>> Someone should pay you for them.
>>
>> ===========================
>> Thank You;
>> Chris Cheltenham
>> Technology Services
>> The School District of Philadelphia
>>
>> Work # 215-400-5025
>> Cell # 215-301-6571
>>
>> From: [email protected] [mailto:[email protected]] On Behalf Of David Curry
>> Sent: Friday, February 23, 2018 1:48 PM
>> To: [email protected]
>> Subject: Re: [cas-user] CAS5 management
>>
>> The /status endpoint (but not the endpoints underneath it) is only
>> protected by an IP address pattern. You need to set the
>> cas.adminPagesSecurity.ip property to a regular expression that matches
>> the IP address(es) you want to allow access from.
>>
>> See
>> https://dacurry-tns.github.io/deploying-apereo-cas/building_server_dashboard_configure-admin-pages-properties.html#configure-endpoint-security
>> for an example.
>>
>> --Dave
>>
>> On Fri, Feb 23, 2018 at 12:33 PM, Cheltenham, Chris <[email protected]> wrote:
>>
>> David,
>>
>> Along the same lines,
>>
>> /cas/status says access denied.
>>
>> Is it a different file?
>>
>> From: [email protected] [mailto:[email protected]] On Behalf Of David Curry
>> Sent: Friday, February 23, 2018 10:52 AM
>> To: [email protected]
>> Subject: Re: [cas-user] CAS5 management
>>
>> Admin pages is the /status/dashboard stuff (and all the things
>> underneath). The access to that is controlled with a user.properties file
>> as well.
>>
>> The format is what I gave you in the earlier email. So for casuser, it
>> would be
>>
>> casuser=passwordnotused,ROLE_ADMIN
>>
>> or equivalently,
>>
>> casuser=empty,ROLE_ADMIN
>>
>> I should note that the password field (the first field after the "=") is
>> only "not used" if you're using CAS to authenticate access to the
>> management webapp (which I assume you are).
>>
>> --Dave
>>
>> On Fri, Feb 23, 2018 at 10:47 AM, Cheltenham, Chris <[email protected]> wrote:
>>
>> David,
>>
>> I honestly don’t know what you mean.
>>
>> What admin pages?
>>
>> And how should this be formatted?
>>
>> casuser=ROLE_ADMIN,enabled
>>
>> From: [email protected] [mailto:[email protected]] On Behalf Of David Curry
>> Sent: Friday, February 23, 2018 10:33 AM
>> To: [email protected]
>> Subject: Re: [cas-user] CAS5 management
>>
>> Your users.properties file is not formatted correctly. It's the same
>> format (and in fact can be the same file) as the one for the admin pages:
>>
>> # The syntax for each line is:
>> #
>> # username=password,grantedAuthority[,grantedAuthority][,enabled|disabled]
>> #
>> gnarls=passwordnotused,ROLE_ADMIN
>>
>> The above allows a user named "gnarls" to have access.
>>
>> --Dave
>>
>> On Fri, Feb 23, 2018 at 10:28 AM, Cheltenham, Chris <[email protected]> wrote:
>>
>> Hello Everyone,
>>
>> Still having problems with access denied on /cas-management
>>
>> I turned on DEBUG and I see this in the logs.
>>
>> 22T13:22:12.379-05:00[America/New_York],
>> authenticationMethod=Employee-LDAP,
>> successfulAuthenticationHandlers=Employee-LDAP,
>> longTermAuthenticationRequestTokenUsed=false} | roles: [] | permissions:
>> [] | isRemembered: false | clientName: CasClient |
>> linkedId: null |] does not contain the required role [ROLE_ADMIN]
>>
>> My users.properties file looks thusly –
>>
>> casuser=ROLE_ADMIN,<myid>
>>
>> and yes ROLE_ADMIN is stated in the management.properties file.
>>
>> cas.mgmt.adminRoles[0]=ROLE_ADMIN
>>
>> There is a JSON file in /etc/cas/services or the users.properties file.
>>
>> That is stated in cas.properties
>>
>> cas.serviceRegistry.config.location=file:/etc/cas/services
>>
>> Is there a way to format the users.properties file so anyone can use the
>> management portal?
>>
>> --
>> - Website: https://apereo.github.io/cas
>> - Gitter Chatroom: https://gitter.im/apereo/cas
>> - List Guidelines: https://goo.gl/1VRrw7
>> - Contributions: https://goo.gl/mh7qDG
>> ---
>> You received this message because you are subscribed to the Google Groups
>> "CAS Community" group.
>> To unsubscribe from this group and stop receiving emails from it, send an
>> email to [email protected].
>> To view this discussion on the web visit
>> https://groups.google.com/a/apereo.org/d/msgid/cas-user/008301d3acba%24f0e4fe30%24d2aefa90%24%40philasd.org
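
Added example (not part of the thread and not CAS code): a small Python lint for the users.properties syntax quoted in the thread, `username=password,grantedAuthority[,grantedAuthority][,enabled|disabled]`. It shows why entries such as `casuser=ROLE_ADMIN,enabled` end up with `roles: []`: the first field is always read as the password, so the role name never reaches the authority list. The function names, the `casuser2` and `anil` keys and the sample file are constructed for illustration, and the parsing follows only the syntax line in the thread.

```python
REQUIRED_ROLE = "ROLE_ADMIN"  # value of cas.mgmt.adminRoles[0] in the thread

# Constructed sample file using the entry shapes quoted in the thread.
SAMPLE = """\
# username=password,grantedAuthority[,grantedAuthority][,enabled|disabled]
casuser=ROLE_ADMIN,<myid>
casuser2=ROLE_ADMIN,enabled
gnarls=passwordnotused,ROLE_ADMIN
anil=notused,ROLE_ADMIN,disabled
"""

def parse_entry(line):
    """Parse one entry per the syntax above; None for blank/comment lines."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    user, sep, value = line.partition("=")
    if not sep:
        raise ValueError(f"no '=' in entry: {line!r}")
    fields = [f.strip() for f in value.split(",")]
    password, rest = fields[0], fields[1:]   # first field is ALWAYS the password
    enabled, roles = True, []
    for field in rest:
        if field.lower() in ("enabled", "disabled"):
            enabled = field.lower() == "enabled"
        elif field:
            roles.append(field)
    return {"user": user.strip(), "password": password,
            "roles": roles, "enabled": enabled}

def lint(text, required=REQUIRED_ROLE):
    """Return {username: [problems]}; an empty list means the entry grants the role."""
    findings = {}
    for line in text.splitlines():
        entry = parse_entry(line)
        if entry is None:
            continue
        problems = []
        if entry["password"].startswith("ROLE_"):
            problems.append("role name in password field")
        if required not in entry["roles"]:
            problems.append(f"{required} not granted")
        if not entry["enabled"]:
            problems.append("account disabled")
        findings[entry["user"]] = problems
    return findings

if __name__ == "__main__":
    for user, problems in lint(SAMPLE).items():
        print(f"{user}: {'OK' if not problems else '; '.join(problems)}")
```

An entry that passes this lint can still be refused if its key is not the id that appears in the `CasProfile` log line, so compare the two when the log still shows `roles: []`.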
