At least in CAS 5.[1-3].x, the /status endpoint itself is secured by the IP
address pattern (and nothing else). It's a Java regular expression, so you
can get pretty fancy with it, though. We use something like this:

cas.adminPagesSecurity.ip:
 ^192\\.168\\.(1\\.[0-9]{1,3}|2\\.1[45]|3\\.1[56])$

which permits access from any host on the 192.168.1 subnet, two hosts on
the 192.168.2 subnet (.14 and .15), and two hosts on the 192.168.3 subnet
(.15 and .16).

That's the "IT staff" subnet (.1), and the "inside side" of the load
balancers (the production ones on .2, and the test ones on .3). The load
balancers are there so they can hit /status to check that the server is up
(we use a pool).

--Dave



--

DAVID A. CURRY, CISSP
*DIRECTOR • INFORMATION SECURITY & PRIVACY*
THE NEW SCHOOL • INFORMATION TECHNOLOGY

71 FIFTH AVE., 9TH FL., NEW YORK, NY 10003
+1 646 909-4728 • [email protected]


On Tue, Oct 29, 2019 at 12:29 AM Sam Erie <[email protected]> wrote:

> Thank you very much, that did the trick. Your site is a huge help, very
> nice to have clear examples and explanations. The only thing I am still not
> sure about is how to secure the /status endpoint.
>
> On Fri, Oct 25, 2019 at 3:45 AM David Curry <[email protected]>
> wrote:
>
>> At first blush it looks like your cas.properties property names are
>> wrong; there might be other things too that you didn't happen to quote.
>> Here's a step-by-step for enabling them all, if you find it helpful:
>>
>>
>> https://dacurry-tns.github.io/deploying-apereo-cas/building_server_dashboard_overview.html
>>
>>
>> --Dave
>>
>> --
>>
>> DAVID A. CURRY, CISSP
>> *DIRECTOR • INFORMATION SECURITY & PRIVACY*
>> THE NEW SCHOOL • INFORMATION TECHNOLOGY
>>
>> 71 FIFTH AVE., 9TH FL., NEW YORK, NY 10003
>> +1 646 909-4728 • [email protected]
>>
>>
>> On Fri, Oct 25, 2019 at 1:09 AM Sam Erie <[email protected]> wrote:
>>
>>> I have been struggling to get access to development CAS v5.2.4 status
>>> endpoints. I was unable to get them unsecured and went on to add Spring
>>> Security with a master user, which it is correctly validating, but somehow my
>>> IP is still not authorized. Following are the relevant properties and logs. I'm
>>> confused by the fact that it should be matching any IP with .+ yet it still
>>> says Unauthorized IP address. Any help would be much appreciated.
>>>
>>>
>>> endpoints.status.enabled=true
>>> endpoints.status.sensitive=false
>>> endpoints.dashboard.enabled=true
>>> endpoints.dashboard.sensitive=false
>>> cas.adminPagesSecurity.ip=.+
>>> security.user.name=admin
>>> security.user.password=admin
>>>
>>>
>>> 2019-10-23 21:58:11,093 DEBUG [org.pac4j.core.engine.DefaultSecurityLogic] - <=== SECURITY ===>
>>> 2019-10-23 21:58:11,093 DEBUG [org.pac4j.core.engine.DefaultSecurityLogic] - <url: https://sanitized/cas/status>
>>> 2019-10-23 21:58:11,093 DEBUG [org.pac4j.core.engine.DefaultSecurityLogic] - <matchers: null>
>>> 2019-10-23 21:58:11,093 DEBUG [org.pac4j.core.engine.DefaultSecurityLogic] - <clients: IpClient>
>>> 2019-10-23 21:58:11,094 DEBUG [org.pac4j.core.engine.DefaultSecurityLogic] - <currentClients: [#IpClient# | name: IpClient | credentialsExtractor: null | authenticator: IpRegexpAuthenticator[.+ ] | profileCreator: org.pac4j.core.profile.creator.AuthenticatorProfileCreator@290e9599 | authorizationGenerators: [] |]>
>>> 2019-10-23 21:58:11,095 DEBUG [org.pac4j.core.engine.DefaultSecurityLogic] - <loadProfilesFromSession: false>
>>> 2019-10-23 21:58:11,110 DEBUG [org.pac4j.core.engine.DefaultSecurityLogic] - <profiles: []>
>>> 2019-10-23 21:58:11,110 DEBUG [org.pac4j.core.engine.DefaultSecurityLogic] - <Performing authentication for direct client: #IpClient# | name: IpClient | credentialsExtractor: null | authenticator: IpRegexpAuthenticator[.+ ] | profileCreator: org.pac4j.core.profile.creator.AuthenticatorProfileCreator@290e9599 | authorizationGenerators: [] |>
>>> 2019-10-23 21:58:11,126 DEBUG [org.pac4j.http.client.direct.IpClient] - <Credentials validation took: 14 ms>
>>> 2019-10-23 21:58:11,126 INFO [org.pac4j.http.client.direct.IpClient] - <Failed to retrieve or validate credentials: Unauthorized IP address: 172.21.96.74>
>>> 2019-10-23 21:58:11,126 DEBUG [org.pac4j.http.client.direct.IpClient] - <Failed to retrieve or validate credentials>
>>> org.pac4j.core.exception.CredentialsException: Unauthorized IP address: 172.21.96.74
>>>
>>> --
>>> - Website: https://apereo.github.io/cas
>>> - Gitter Chatroom: https://gitter.im/apereo/cas
>>> - List Guidelines: https://goo.gl/1VRrw7
>>> - Contributions: https://goo.gl/mh7qDG
>>> ---
>>> You received this message because you are subscribed to the Google
>>> Groups "CAS Community" group.
>>> To unsubscribe from this group and stop receiving emails from it, send
>>> an email to [email protected].
>>> To view this discussion on the web visit
>>> https://groups.google.com/a/apereo.org/d/msgid/cas-user/CAMM6z%2BLYuO2dihVM96XAKC-EXEJBjMqyYhqau1jHMBwHJ9Bncw%40mail.gmail.com
>>> <https://groups.google.com/a/apereo.org/d/msgid/cas-user/CAMM6z%2BLYuO2dihVM96XAKC-EXEJBjMqyYhqau1jHMBwHJ9Bncw%40mail.gmail.com?utm_medium=email&utm_source=footer>
>>> .
>>>
>>
>
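A way to dry-run a cas.adminPagesSecurity.ip value offline before deploying it, added here as an example; it is not code from the thread, from CAS or from pac4j. It assumes two things: that pac4j's IpRegexpAuthenticator only accepts a request when the whole remote address matches the pattern (Java Pattern.matches semantics, modelled with re.fullmatch), and that the value is read from a Java .properties file, whose loader turns each doubled backslash in Dave's pattern into a single one and keeps any trailing whitespace. Worth noticing in Sam's log: the compiled authenticator is printed as IpRegexpAuthenticator[.+ ] with a space before the closing bracket, so the example also shows what a trailing space does to a pattern of .+. The sample log line below is a constructed copy of the INFO line from the post. One more caveat, independent of the regex: the address being matched is whatever the servlet container reports as the remote address, so behind a reverse proxy or load balancer that is the proxy's address unless the container or pac4j has been configured to honour a forwarded-for header.

```python
"""Dry-run a CAS adminPagesSecurity.ip pattern the way pac4j evaluates it.

Added example, not code from the thread, CAS or pac4j. Assumptions:
  * pac4j's IpRegexpAuthenticator requires the *whole* remote address to
    match the pattern (Java Pattern.matches), modelled here with re.fullmatch
  * the value is loaded from a Java .properties file, which unescapes
    backslashes and keeps trailing whitespace
Python's re is used as a stand-in for java.util.regex; for patterns of this
shape (anchors, escaped dots, classes, alternation) the two agree.
"""
import re

# Dave's value exactly as it would sit in cas.properties (assumed syntax).
DAVE_PROPERTIES_VALUE = r"^192\\.168\\.(1\\.[0-9]{1,3}|2\\.1[45]|3\\.1[56])$"

# Constructed copy of the INFO line from Sam's log, used as sample input.
SAMPLE_LOG_LINE = (
    "2019-10-23 21:58:11,126 INFO [org.pac4j.http.client.direct.IpClient] - "
    "<Failed to retrieve or validate credentials: Unauthorized IP address: 172.21.96.74>"
)


def properties_unescape(value):
    r"""Simplified java.util.Properties value unescaping: a backslash escapes
    the character after it (so \\. becomes \.). The \t, \n and \uXXXX forms
    are not handled, which does not matter for IP regexes."""
    out, i = [], 0
    while i < len(value):
        if value[i] == "\\" and i + 1 < len(value):
            out.append(value[i + 1])
            i += 2
        else:
            out.append(value[i])
            i += 1
    return "".join(out)


def ip_allowed(pattern, ip):
    """True if pac4j would accept this remote address under the regex:
    the entire address has to match, not just a substring."""
    return re.fullmatch(pattern, ip) is not None


def evaluate(pattern, ips):
    """Map each candidate address to allowed (True) or denied (False)."""
    return {ip: ip_allowed(pattern, ip) for ip in ips}


def rejected_ip(log_line):
    """Pull the address out of pac4j's 'Unauthorized IP address: X' message."""
    m = re.search(r"Unauthorized IP address: ([0-9a-fA-F.:]+)", log_line)
    return m.group(1) if m else None


def lint_pattern(raw_value):
    """Warnings a practitioner wants before deploying a raw property value."""
    warnings = []
    if raw_value != raw_value.rstrip():
        warnings.append("trailing whitespace is part of the regex; no real "
                        "address ends in a space, so every client is rejected")
    pattern = properties_unescape(raw_value)
    if pattern in (".+", ".*", "^.+$", "^.*$"):
        warnings.append("pattern matches every address: no IP restriction")
    # An unescaped dot matches any character. Heuristic: a '.' not preceded
    # by a backslash and not followed by a quantifier ('.+', '.*', '.?').
    if re.search(r"(?<!\\)\.(?![*+?])", pattern):
        warnings.append("unescaped '.' matches any character, not a literal dot")
    try:
        re.compile(pattern)
    except re.error as exc:
        warnings.append(f"pattern does not compile: {exc}")
    return warnings


if __name__ == "__main__":
    dave = properties_unescape(DAVE_PROPERTIES_VALUE)
    print("compiled pattern:", dave)
    candidates = ["192.168.1.250", "192.168.2.14", "192.168.2.16",
                  "192.168.3.16", "10.0.0.1"]
    for ip, ok in evaluate(dave, candidates).items():
        print(f"  {ip:16} {'allowed' if ok else 'denied'}")
    ip = rejected_ip(SAMPLE_LOG_LINE)
    for raw in (".+", ".+ "):
        print(f"{raw!r}: {ip} -> {ip_allowed(raw, ip)}  warnings={lint_pattern(raw)}")
```

Run it as-is and the last two lines make the point: .+ accepts 172.21.96.74, while ".+ " with a trailing space rejects it, because the space becomes a required final character of the address. Dropping the trailing whitespace from the property line (or quoting the value in YAML) is the fix that lint_pattern is nudging towards; the unescaped-dot check catches the other common slip, a pattern like ^192.168.1.[0-9]+$ that looks right but matches any character where the dots are.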
