Hello Ray,

thanks for your answer. So, I added:

cas.service-registry.json.location=file:/etc/cas/services

moved cas.properties into /etc/cas/config

00:06:00 INFO [o.a.c.c.DefaultCasConfigurationPropertiesSourceLocator] - <Configuration files found at [/etc/cas/config] are [[file [/etc/cas/config/cas.properties]]] under profile(s) [[standalone]]>
2023-07-04 07:06:00,785 INFO [org.apereo.cas.configuration.CasConfigurationPropertiesValidator] - <Validated CAS property sources and configuration successfully.>
2023-07-04 07:06:00,789 INFO [org.apereo.cas.web.CasWebApplication] - <The following 1 profile is active: "standalone">

but still have

2023-07-04 07:06:30,841 INFO [org.apereo.cas.services.AbstractServicesManager] - <Loaded [0] service(s) from [InMemoryServiceRegistry].>

Bests

On Mon, Jul 3, 2023 at 10:59 PM Ray Bon <[email protected]> wrote:

> Jerome,
>
> Your test service is not being loaded.
>
> 05:22:45 INFO [o.a.c.s.AbstractServicesManager] - <Loaded [0] service(s)
> from [InMemoryServiceRegistry].>
>
> See
> https://apereo.github.io/cas/6.6.x/services/JSON-Service-Management.html
> and https://apereo.github.io/cas/6.6.x/services/Service-Management.html
>
> Ray
>
> On Mon, 2023-07-03 at 06:17 -0700, Jerome Denechaud (wanexa) wrote:
>
> Hello
>
> trying to deploy cas server for delegate azure ad auth
> I'm working with docker image apereo/cas:latest
> I added cas.properties file as below
> cas.authn.pac4j.oidc[0].azure.display-name= cas
> cas.authn.pac4j.oidc[0].azure.auto-redirect-type= SERVER
> cas.authn.pac4j.oidc[0].azure.client-name= cas
> cas.authn.pac4j.oidc[0].azure.enabled= true
> cas.authn.pac4j.oidc[0].azure.id= xxxxxxxxxxxx
> cas.authn.pac4j.oidc[0].azure.response-mode= form_post
> cas.authn.pac4j.oidc[0].azure.response-type= id_token
> cas.authn.pac4j.oidc[0].azure.scope= openid
> cas.authn.pac4j.oidc[0].azure.secret= xxxxxxxxxxxx
> cas.authn.pac4j.oidc[0].azure.tenant= xxxxxxxxxxxxxx
> cas.authn.pac4j.oidc[0].azure.use-nonce= true
> cas.authn.pac4j.oidc[0].azure.discovery-uri=
> https://login.microsoftonline.com/xxxxxxxxxxxxx/v2.0/.well-known/openid-configuration
> cas.authn.pac4j.oidc[0].azure.logout-url=
> https://login.microsoftonline.com/common/oauth2/logout
> cas.serviceRegistry.json.location: file:/etc/cas/services
>
> test-1.json
> {
> "@class" : "org.apereo.cas.services.CasRegisteredService",
> "serviceId" : "^(https?)://.*",
> "name" : "test",
> "id" : 1,
> "evaluationOrder" : 1
> }
>
> on azure side
> https://x.x.x.x/cas/login?client_name=AzureClient
> public address no dns
>
> when I'm trying to authenticate on my app portal
> 06:10:07 ERROR
> [o.a.c.s.w.s.RegisteredServiceResponseHeadersEnforcementFilter] - <Service
> unauthorized
>
> RegisteredServiceAccessStrategyAuditableEnforcer.java:lambda$execute$6:200
> Optional.java:orElseGet:364
> RegisteredServiceAccessStrategyAuditableEnforcer.java:execute:194
>
>
>
> switch to debug in log4j but can't find anything more
> startup log:
> 05:22:12 INFO [o.a.c.c.CasConfigurationPropertiesValidator] - <Validated
> CAS property sources and configuration successfully.>
> 05:22:16 INFO [o.a.c.c.DefaultCasConfigurationPropertiesSourceLocator] -
> <Configuration files found at [/etc/cas/config] are [[]] under profile(s)
> [[standalone]]>
> 05:22:16 INFO [o.a.c.c.CasConfigurationPropertiesValidator] - <Validated
> CAS property sources and configuration successfully.>
> 05:22:16 INFO [o.a.c.w.CasWebApplication] - <The following 1 profile is
> active: "standalone">
> 05:22:29 INFO [o.a.c.c.CasCoreServicesConfiguration] - <Runtime memory is
> used as the persistence storage for retrieving and persisting service
> definitions. Changes that ar
> e made to service definitions during runtime WILL be LOST when the CAS
> server is restarted. Ideally for production, you should choose a storage
> option (JSON, JDBC, MongoDb, etc
> ) to track service definitions.>
> 05:22:36 WARN [o.s.b.a.s.s.UserDetailsServiceAutoConfiguration] - <
>
> Using generated security password: jkljljlk
>
> This generated password is for development use only. Your security
> configuration must be updated before running your application in production.
>
>
> 05:22:37 INFO [o.s.s.w.a.c.ChannelProcessingFilter] - <Validated
> configuration attributes>
> 05:22:37 INFO [o.s.s.w.DefaultSecurityFilterChain] - <Will secure any
> request with
> [org.springframework.security.web.access.channel.ChannelProcessingFilter@69069866,
> org.sp
>
> ringframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter@2f9addd4,
> org.springframework.web.filter.CorsFilter@1c43df76,
> org.springframework.security.web
> .servletapi.SecurityContextHolderAwareRequestFilter@1d7c9811,
> org.springframework.security.web.authentication.AnonymousAuthenticationFilter@ff2266c,
> org.springframework.securit
> y.web.access.ExceptionTranslationFilter@7757a37f,
> org.springframework.security.web.access.intercept.AuthorizationFilter@2335aef2
> ]>
> 05:22:37 INFO [o.s.s.w.DefaultSecurityFilterChain] - <Will not secure Ant
> [pattern='/login/**']>
> 05:22:37 INFO [o.s.s.w.DefaultSecurityFilterChain] - <Will not secure Ant
> [pattern='/logout/**']>
> 05:22:37 INFO [o.s.s.w.DefaultSecurityFilterChain] - <Will not secure Ant
> [pattern='/validate/**']>
> 05:22:37 INFO [o.s.s.w.DefaultSecurityFilterChain] - <Will not secure Ant
> [pattern='/serviceValidate/**']>
> 05:22:37 INFO [o.s.s.w.DefaultSecurityFilterChain] - <Will not secure Ant
> [pattern='/p3/serviceValidate/**']>
> 05:22:37 INFO [o.s.s.w.DefaultSecurityFilterChain] - <Will not secure Ant
> [pattern='/proxyValidate/**']>
> 05:22:37 INFO [o.s.s.w.DefaultSecurityFilterChain] - <Will not secure Ant
> [pattern='/p3/proxyValidate/**']>
> 05:22:37 INFO [o.s.s.w.DefaultSecurityFilterChain] - <Will not secure Ant
> [pattern='/proxy/**']>
> 05:22:37 INFO [o.s.s.w.DefaultSecurityFilterChain] - <Will not secure Ant
> [pattern='/webjars/**']>
> 05:22:37 INFO [o.s.s.w.DefaultSecurityFilterChain] - <Will not secure Ant
> [pattern='/js/**']>
> 05:22:37 INFO [o.s.s.w.DefaultSecurityFilterChain] - <Will not secure Ant
> [pattern='/css/**']>
> 05:22:37 INFO [o.s.s.w.DefaultSecurityFilterChain] - <Will not secure Ant
> [pattern='/images/**']>
> 05:22:37 INFO [o.s.s.w.DefaultSecurityFilterChain] - <Will not secure Ant
> [pattern='/static/**']>
> 05:22:37 INFO [o.s.s.w.DefaultSecurityFilterChain] - <Will not secure Ant
> [pattern='/error']>
> 05:22:37 INFO [o.s.s.w.DefaultSecurityFilterChain] - <Will not secure Ant
> [pattern='/favicon.ico']>
> 05:22:41 INFO [o.a.c.c.CasCoreTicketsConfiguration] - <Runtime memory is
> used as the persistence storage for retrieving and managing tickets.
> Tickets that are issued during
> runtime will be LOST when the web server is restarted. This MAY impact
> SSO functionality.>
> 05:22:41 INFO [o.a.c.u.CoreTicketUtils] - <Ticket registry
> encryption/signing is turned off. This MAY NOT be safe in a clustered
> production environment.
> Consider using othe
> r choices to handle encryption, signing and verification of ticket
> registry tickets, and verify the chosen ticket registry does support this
> behavior.>
> 05:22:43 WARN [o.a.c.u.c.BaseStringCipherExecutor] - <Secret key for
> encryption is not defined for [Ticket-granting Cookie]; CAS will attempt to
> auto-generate the encryptio
> n key>
> 05:22:43 WARN [o.a.c.u.c.BaseStringCipherExecutor] - <Generated encryption
> key [jklhkjjk] of size [256] for [Ticket-granting Cookie]. The
> generated key MUST be added to CAS settings:
>
> cas.tgc.crypto.encryption.key=jklhkjjk
>
>
>
> 05:22:43 WARN [o.a.c.u.c.BaseStringCipherExecutor] - <Secret key for
> signing is not defined for [Ticket-granting Cookie]. CAS will attempt to
> auto-generate the signing key>
>
> 05:22:43 WARN [o.a.c.u.c.BaseStringCipherExecutor] - <Generated signing
> key
> [oQ30Tk3YNd_mYgu7um3kuIUFzPamDVkfSjdDVaEvhW6Wh1YhgqRNgwoYHh5eSJhyc8sTin7naLdaob4UARLseA]
> of size
> [512] for [Ticket-granting Cookie]. The generated key MUST be added to
> CAS settings:
>
>
> cas.tgc.crypto.signing.key=oQ30Tk3YNd_mYgu7um3kuIUFzPamDVkfSjdDVaEvhW6Wh1YhgqRNgwoYHh5eSJhyc8sTin7naLdaob4UARLseA
>
>
>
> 05:22:43 WARN [o.a.c.u.c.BaseBinaryCipherExecutor] - <Secret key for
> signing is not defined under [cas.webflow.crypto.signing.key]. CAS will
> attempt to auto-generate the si
> gning key>
> 05:22:43 WARN [o.a.c.u.c.BaseBinaryCipherExecutor] - <Generated signing
> key
> [gBCy5m2niOKZMNmLE-_yVJFhBRK2mCw1diQZHcr16CRqAs7aMUxyLHo-zYWyFizksC_JVaq7tLjYw0SYlW9s5Q]
> of size
> [512]. The generated key MUST be added to CAS settings:
>
>
> cas.webflow.crypto.signing.key=gBCy5m2niOKZMNmLE-_yVJFhBRK2mCw1diQZHcr16CRqAs7aMUxyLHo-zYWyFizksC_JVaq7tLjYw0SYlW9s5Q
>
>
>
> 05:22:43 WARN [o.a.c.u.c.BaseBinaryCipherExecutor] - <Secret key for
> encryption is not defined under [cas.webflow.crypto.encryption.key].
> CAS will attempt to auto-generate
> the encryption key>
> 05:22:43 WARN [o.a.c.u.c.BaseBinaryCipherExecutor] - <Generated encryption
> key [knHc-h7pqGrVVLbZYNXiuA] of size [16]. The generated key MUST be added
> to CAS settings:
>
> cas.webflow.crypto.encryption.key=knHc-h7pqGrVVLbZYNXiuA
>
>
>
> 05:22:45 WARN
> [o.a.c.c.s.a.AcceptUsersAuthenticationEventExecutionPlanConfiguration] - <>
> 05:22:45 WARN
> [o.a.c.c.s.a.AcceptUsersAuthenticationEventExecutionPlanConfiguration] - <
>
>
> ____ _____ ___ ____ _
> / ___|_ _/ _ \| _ \| |
> \___ \ | || | | | |_) | |
> ___) || || |_| | __/|_|
> |____/ |_| \___/|_| (_)
>
>
> CAS is configured to accept a static list of credentials for
> authentication. While this is generally useful for demo purposes, it is
> STRONGLY recommended that you DISABLE this
> authentication method by setting 'cas.authn.accept.enabled=false' and
> switch to a mode that is more suitable for production.>
> 05:22:45 WARN
> [o.a.c.c.s.a.AcceptUsersAuthenticationEventExecutionPlanConfiguration] - <>
> 05:22:45 INFO [o.a.c.w.CasWebApplication] - <Started CasWebApplication in
> 33.514 seconds (JVM running for 37.949)>
> 05:22:45 INFO [o.a.c.s.AbstractServicesManager] - <Loaded [0] service(s)
> from [InMemoryServiceRegistry].>
> 05:22:45 INFO [o.a.c.w.CasWebApplicationReady] - <>
> 05:22:45 INFO [o.a.c.w.CasWebApplicationReady] - <
>
>
> ____ _____ _ ______ __
> | _ \| ____| / \ | _ \ \ / /
> | |_) | _| / _ \ | | | \ V /
> | _ <| |___ / ___ \| |_| || |
> |_| \_\_____/_/ \_\____/ |_|
>
>
>
> 05:22:45 INFO [o.a.c.w.CasWebApplicationReady] - <>
> 05:22:45 INFO [o.a.c.w.CasWebApplicationReady] - <Ready to process
> requests @ [2023-07-03T12:22:45.529Z]>
> 05:23:15 INFO [o.a.c.t.r.DefaultTicketRegistryCleaner] - <[0] expired
> tickets removed.>
> 05:23:40 INFO [o.a.i.a.s.Slf4jLoggingAuditTrailManager] - <Audit trail
> record BEGIN
> =============================================================
> WHO: audit:unknown
> WHAT: {result=Service Access Denied,
> service=https://xxx.com/login.php}
> ACTION: SERVICE_ACCESS_ENFORCEMENT_TRIGGERED
> APPLICATION: CAS
> WHEN: Mon Jul 03 12:23:40 UTC 2023
> CLIENT IP ADDRESS: x.x.x.x
> SERVER IP ADDRESS: x.x.x.x
> =============================================================
>
> Any help please?

--
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google Groups "CAS Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/CADC4zwz72o%2BD7Bw%2ByrZS%3Dj5k3m%3D03Hnn6jiVxfuR5rLJFBxEYA%40mail.gmail.com.
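
An added example, not part of the original messages and not CAS project code: a small Python triage of the startup and audit lines quoted in this thread. It flags the conditions visible in them (no configuration file found, an in-memory registry, zero services loaded, auto-generated keys, service access denials). The sample log is constructed from the line formats above with a placeholder service URL, and the function and finding names are hypothetical.

```python
import re

# Constructed sample modelled on the log formats quoted in this thread;
# the service URL is a placeholder.
SAMPLE_LOG = """\
05:22:16 INFO [o.a.c.c.DefaultCasConfigurationPropertiesSourceLocator] - <Configuration files found at [/etc/cas/config] are [[]] under profile(s) [[standalone]]>
05:22:43 WARN [o.a.c.u.c.BaseStringCipherExecutor] - <Secret key for signing is not defined for [Ticket-granting Cookie]. CAS will attempt to auto-generate the signing key>
05:22:45 INFO [o.a.c.s.AbstractServicesManager] - <Loaded [0] service(s) from [InMemoryServiceRegistry].>
WHAT: {result=Service Access Denied, service=https://app.example.org/login.php}
"""

CONFIG = re.compile(r"Configuration files found at \[([^\]]+)\] are \[\[(.*?)\]\] under")
LOADED = re.compile(r"Loaded \[(\d+)\] service\(s\) from \[(\w+)\]")
NO_KEY = re.compile(r"Secret key for (\w+) is not defined (?:for|under) \[([^\]]+)\]")
DENIED = re.compile(r"result=Service Access Denied, service=([^}\s]+)")


def triage(log_text):
    """Return (finding, detail) tuples for conditions seen in CAS log text."""
    findings = []
    for line in log_text.splitlines():
        if (m := CONFIG.search(line)) and not m.group(2).strip():
            findings.append(("no-config-file", m.group(1)))
        if m := LOADED.search(line):
            if m.group(2) == "InMemoryServiceRegistry":
                findings.append(("in-memory-registry", m.group(2)))
            if int(m.group(1)) == 0:
                findings.append(("empty-registry", m.group(2)))
        if m := NO_KEY.search(line):
            findings.append(("auto-generated-key", f"{m.group(2)}: {m.group(1)}"))
        if m := DENIED.search(line):
            findings.append(("service-denied", m.group(1)))
    return findings


def denials_explained(findings):
    """Denied services that coincide with a registry that loaded nothing."""
    kinds = {kind for kind, _ in findings}
    if "empty-registry" not in kinds:
        return []
    return [detail for kind, detail in findings if kind == "service-denied"]


if __name__ == "__main__":
    for kind, detail in triage(SAMPLE_LOG):
        print(f"{kind:20} {detail}")
```

The patterns expect each log entry on one line, as CAS writes them, not the wrapped form the mail client produced in the quoted message.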
