Have you tried setting logging to DEBUG and tracing what's happening? My
initial suspects would be that either (a) CAS is not reading your
adminusers.properties file ("./" makes me nervous, since you don't
necessarily know where "." is) or (b) it's not matching your username
correctly.

--
DAVID A. CURRY, CISSP
*DIRECTOR • INFORMATION SECURITY & PRIVACY*
THE NEW SCHOOL • INFORMATION TECHNOLOGY
71 FIFTH AVE., 9TH FL., NEW YORK, NY 10003
+1 646 909-4728 • [email protected]

On Fri, Jul 19, 2019 at 3:05 PM Anil Kumar Reddy gajulapalli <[email protected]> wrote:

> Hello David,
>
> I am trying to resolve this issue for the last 3 days, nevertheless, I am
> lost with no hope.
>
> 2019-07-19 18:46:47,815 WARN
> [org.apereo.cas.mgmt.authz.CasRoleBasedAuthorizer] - <Unable to authorize
> access, since the authenticated profile [#CasProfile# | id:
> [email protected] | attributes:
> {credentialType=UsernamePasswordCredential,
> samlAuthenticationStatementAuthMethod=urn:oasis:names:tc:SAML:1.0:am:password,
> isFromNewLogin=true, [email protected],
> authenticationDate=2019-07-19T18:46:45.197052Z[UTC],
> authenticationMethod=Open DJ, givenName=Anil,
> successfulAuthenticationHandlers=Open DJ,
> longTermAuthenticationRequestTokenUsed=false, [email protected],
> title=devOps Engineer} | roles: [] | permissions: [] | isRemembered: false
> | clientName: CasClient | linkedId: null |] does not contain any required
> roles>
>
> CAS-Management is taking me to CAS server for Authentication. Once the
> Authentication is validated while coming back to Management App, I see the
> above error in the Management logs.
>
> I have adminusers.properties as below:
>
> [email protected]=notused,ROLE_ADMIN,enabled
> Anil=notused,ROLE_ADMIN,enabled
>
> and management.properties have below details:
>
> cas.mgmt.adminRoles[0]=ROLE_ADMIN
> cas.mgmt.userPropertiesFile=file:./adminusers.properties
>
> Can you guide me where I am making a mistake? I have referred docs at:
> https://dacurry-tns.github.io/deploying-apereo-cas/building_svcmgmt_configure-webapp-properties.html
> too.
>
> On Friday, 23 February 2018 14:48:32 UTC-5, David Curry wrote:
>>
>> > Someone should pay you for them.
>>
>> Well, I have to write it up as part of my job anyway; I just decided to
>> go a little further and make it available to world+dog. So I do get paid
>> for the work. Glad you (and others) are finding them helpful.
>>
>> --
>> DAVID A. CURRY, CISSP
>> *DIRECTOR OF INFORMATION SECURITY*
>> INFORMATION TECHNOLOGY
>> 71 FIFTH AVE., 9TH FL., NEW YORK, NY 10003
>> +1 212 229-5300 x4728 • [email protected]
>>
>> On Fri, Feb 23, 2018 at 2:30 PM, Cheltenham, Chris <[email protected]> wrote:
>>
>>> Oh right, you do have good docs.
>>>
>>> Thanks
>>>
>>> Someone should pay you for them.
>>>
>>> ===========================
>>> Thank You;
>>> Chris Cheltenham
>>> Technology Services
>>> The School District of Philadelphia
>>> Work # 215-400-5025
>>> Cell # 215-301-6571
>>>
>>> *From:* [email protected] [mailto:[email protected]] *On Behalf Of* David Curry
>>> *Sent:* Friday, February 23, 2018 1:48 PM
>>> *To:* [email protected]
>>> *Subject:* Re: [cas-user] CAS5 management
>>>
>>> The /status endpoint (but not the endpoints underneath it) is only
>>> protected by an IP address pattern. You need to set the
>>> cas.adminPagesSecurity.ip property to a regular expression that matches
>>> the IP address(es) you want to allow access from.
>>>
>>> See
>>> https://dacurry-tns.github.io/deploying-apereo-cas/building_server_dashboard_configure-admin-pages-properties.html#configure-endpoint-security
>>> for an example.
>>>
>>> --Dave
>>>
>>> On Fri, Feb 23, 2018 at 12:33 PM, Cheltenham, Chris <[email protected]> wrote:
>>>
>>> David,
>>>
>>> Along the same lines,
>>>
>>> /cas/status says access denied.
>>>
>>> Is it a different file?
>>>
>>> *From:* [email protected] [mailto:[email protected]] *On Behalf Of* David Curry
>>> *Sent:* Friday, February 23, 2018 10:52 AM
>>> *To:* [email protected]
>>> *Subject:* Re: [cas-user] CAS5 management
>>>
>>> Admin pages is the /status/dashboard stuff (and all the things
>>> underneath). The access to that is controlled with a user.properties file
>>> as well.
>>>
>>> The format is what I gave you in the earlier email. So for casuser, it
>>> would be
>>>
>>> casuser=passwordnotused,ROLE_ADMIN
>>>
>>> or equivalently,
>>>
>>> casuser=empty,ROLE_ADMIN
>>>
>>> I should note that the password field (the first field after the "=") is
>>> only "not used" if you're using CAS to authenticate access to the
>>> management webapp (which I assume you are).
>>>
>>> --Dave
>>>
>>> On Fri, Feb 23, 2018 at 10:47 AM, Cheltenham, Chris <[email protected]> wrote:
>>>
>>> David,
>>>
>>> I honestly don’t know what you mean.
>>>
>>> What admin pages?
>>>
>>> And how should this be formatted?
>>>
>>> casuser=ROLE_ADMIN,enabled
>>>
>>> *From:* [email protected] [mailto:[email protected]] *On Behalf Of* David Curry
>>> *Sent:* Friday, February 23, 2018 10:33 AM
>>> *To:* [email protected]
>>> *Subject:* Re: [cas-user] CAS5 management
>>>
>>> Your users.properties file is not formatted correctly. It's the same
>>> format (and in fact can be the same file) as the one for the admin pages:
>>>
>>> # The syntax for each line is:
>>> #
>>> # username=password,grantedAuthority[,grantedAuthority][,enabled|disabled]
>>> #
>>> gnarls=passwordnotused,ROLE_ADMIN
>>>
>>> The above allows a user named "gnarls" to have access.
>>>
>>> --Dave
>>>
>>> On Fri, Feb 23, 2018 at 10:28 AM, Cheltenham, Chris <[email protected]> wrote:
>>>
>>> Hello Everyone,
>>>
>>> Still having problems with access denied on /cas-management
>>>
>>> I turned on DEBUG and I see this in the logs.
>>>
>>> 22T13:22:12.379-05:00[America/New_York],
>>> authenticationMethod=Employee-LDAP,
>>> successfulAuthenticationHandlers=Employee-LDAP,
>>> longTermAuthenticationRequestTokenUsed=false} | roles: [] | permissions:
>>> [] | isRemembered: false | clientName: CasClient |
>>> linkedId: null |] does not contain the required role [ROLE_ADMIN]
>>>
>>> My users.properties files look thusly –
>>>
>>> casuser=ROLE_ADMIN,<myid>
>>>
>>> and yes ROLE_ADMIN is stated in the management.properties file.
>>>
>>> cas.mgmt.adminRoles[0]=ROLE_ADMIN
>>>
>>> There is a Json file in /etc/cas/services or the users.properties file.
>>>
>>> That is stated in cas.properties
>>>
>>> cas.serviceRegistry.config.location=file:/etc/cas/services
>>>
>>> Is there a way to format the users.properties file so anyone can use
>>> the management portal?
>>>
>>> --
>>> - Website: https://apereo.github.io/cas
>>> - Gitter Chatroom: https://gitter.im/apereo/cas
>>> - List Guidelines: https://goo.gl/1VRrw7
>>> - Contributions: https://goo.gl/mh7qDG
>>> ---
>>> You received this message because you are subscribed to the Google
>>> Groups "CAS Community" group.
>>> To unsubscribe from this group and stop receiving emails from it, send
>>> an email to [email protected].
>>> To view this discussion on the web visit
>>> https://groups.google.com/a/apereo.org/d/msgid/cas-user/008301d3acba%24f0e4fe30%24d2aefa90%24%40philasd.org
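
Added example, not part of the original thread and not CAS code: a small Python checker for the users file syntax quoted in the thread (username=password,grantedAuthority[,grantedAuthority][,enabled|disabled]) that reports why an authenticated id ends up without the required role, covering both suspects raised in the top reply. The sample entries, the id "anil@example.org", the working directory "/opt/tomcat/bin", exact case-sensitive username matching, and resolving "file:./" against the process working directory are assumptions of this sketch.

```python
from pathlib import PurePosixPath

# Constructed sample file: entry shapes quoted in the thread plus a disabled one.
SAMPLE = """\
# username=password,grantedAuthority[,grantedAuthority][,enabled|disabled]
casuser=ROLE_ADMIN,<myid>
gnarls=passwordnotused,ROLE_ADMIN
Anil=notused,ROLE_ADMIN,enabled
olduser=notused,ROLE_ADMIN,disabled
"""

def parse_users(text):
    """Simplified reader: one 'key=value' per line, '#' starts a comment line."""
    users = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        name, _, value = line.partition("=")
        fields = [f.strip() for f in value.split(",")]
        # The first field is always the password slot, even if it looks like a role.
        password, rest = fields[0], fields[1:]
        roles = [f for f in rest if f and f not in ("enabled", "disabled")]
        users[name.strip()] = {"password": password, "roles": roles,
                               "enabled": "disabled" not in rest}
    return users

def explain(users, principal_id, required_role):
    """Say why principal_id would or would not end up holding required_role."""
    entry = users.get(principal_id)  # assumption: exact, case-sensitive match
    if entry is None:
        return "no entry for this id"
    if not entry["enabled"]:
        return "entry is disabled"
    if required_role in entry["roles"]:
        return "ok"
    if entry["password"] == required_role:
        return "role sits in the password field"
    return "role not granted"

def resolve_location(location, working_dir):
    """Absolute path a 'file:' location names, assuming '.' is working_dir."""
    rel = PurePosixPath(location[5:] if location.startswith("file:") else location)
    return str(rel if rel.is_absolute() else PurePosixPath(working_dir) / rel)

if __name__ == "__main__":
    users = parse_users(SAMPLE)
    for who in ("casuser", "gnarls", "anil@example.org", "olduser"):
        print(who, "->", explain(users, who, "ROLE_ADMIN"))
    print(resolve_location("file:./adminusers.properties", "/opt/tomcat/bin"))
```

Run it against the real file with the exact id shown in the "authenticated profile" log line; a "no entry for this id" result with an entry that differs only in case or domain suffix points at the username match rather than the file location.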
