I modified our install to look in LDAP for authn.
Have not had the time to put in a pull request. But the authn piece really
should support any backend the main cas authn supports.
Ray
CasPalantirWebMvcConfiguration.java
package org.apereo.cas.config;

import ca.uvic.idm.cas.configuration.UvicConfigurationProperties;
import lombok.extern.slf4j.Slf4j;
import org.apache.commons.lang3.StringUtils;
import org.apereo.cas.configuration.CasConfigurationProperties;
import org.apereo.cas.configuration.features.CasFeatureModule;
import org.apereo.cas.palantir.PalantirConstants;
import org.apereo.cas.palantir.controller.DashboardController;
import org.apereo.cas.util.spring.boot.ConditionalOnFeatureEnabled;
import org.apereo.cas.web.CasWebSecurityConfigurer;
import org.apereo.cas.web.flow.CasWebflowConstants;
import lombok.val;
import org.springframework.boot.actuate.autoconfigure.endpoint.web.WebEndpointProperties;
import org.springframework.boot.actuate.endpoint.web.EndpointLinksResolver;
import org.springframework.boot.autoconfigure.condition.ConditionalOnMissingBean;
import org.springframework.boot.context.properties.EnableConfigurationProperties;
import org.springframework.context.ConfigurableApplicationContext;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.web.authentication.SavedRequestAwareAuthenticationSuccessHandler;
import org.springframework.security.web.servlet.util.matcher.PathPatternRequestMatcher;
import org.springframework.web.servlet.config.annotation.ViewControllerRegistry;
import org.springframework.web.servlet.config.annotation.WebMvcConfigurer;
import jakarta.annotation.Nonnull;

/**
 * This is {@link CasPalantirWebMvcConfiguration}.
 *
 * @author Misagh Moayyed
 * @since 7.1.0
 */
@EnableConfigurationProperties({CasConfigurationProperties.class, UvicConfigurationProperties.class})
@ConditionalOnFeatureEnabled(feature = CasFeatureModule.FeatureCatalog.Palantir)
@Configuration(value = "CasPalantirWebMvcConfiguration", proxyBeanMethods = false)
@Slf4j
class CasPalantirWebMvcConfiguration {

    @Bean
    @ConditionalOnMissingBean(name = "palantirDashboardController")
    public DashboardController palantirDashboardController(
        final ConfigurableApplicationContext applicationContext,
        final EndpointLinksResolver endpointLinksResolver,
        final WebEndpointProperties webEndpointProperties,
        final CasConfigurationProperties casProperties) {
        return new DashboardController(casProperties, endpointLinksResolver,
            webEndpointProperties, applicationContext);
    }

    @Bean
    @ConditionalOnMissingBean(name = "palantirWebMvcConfigurer")
    public WebMvcConfigurer palantirWebMvcConfigurer(final CasConfigurationProperties casProperties) {
        return new WebMvcConfigurer() {
            @Override
            public void addViewControllers(@Nonnull final ViewControllerRegistry registry) {
                registry.addViewController(CasWebSecurityConfigurer.ENDPOINT_URL_ADMIN_FORM_LOGIN)
                    .setViewName(CasWebflowConstants.VIEW_ID_ENDPOINT_ADMIN_LOGIN_VIEW);
            }
        };
    }

    @Bean
    @ConditionalOnMissingBean(name = "palantirEndpointWebSecurityConfigurer")
    public CasWebSecurityConfigurer<HttpSecurity> palantirEndpointWebSecurityConfigurer(
        final ConfigurableApplicationContext applicationContext,
        final CasConfigurationProperties casProperties) {
        return new CasWebSecurityConfigurer<>() {
            @Override
            public CasWebSecurityConfigurer<HttpSecurity> finish(final HttpSecurity http) throws Exception {
                // After a successful form login, return to the saved request or the Palantir dashboard.
                val successHandler = new SavedRequestAwareAuthenticationSuccessHandler();
                successHandler.setTargetUrlParameter("redirectTo");
                successHandler.setDefaultTargetUrl(PalantirConstants.URL_PATH_PALANTIR);
                // Require authentication for everything under the Palantir path.
                http.authorizeHttpRequests(customizer -> customizer
                        .requestMatchers(PathPatternRequestMatcher.withDefaults()
                            .matcher(PalantirConstants.URL_PATH_PALANTIR + "/**")).authenticated()
                    )
                    .formLogin(customizer -> customizer.loginPage(CasWebSecurityConfigurer.ENDPOINT_URL_ADMIN_FORM_LOGIN)
                        .permitAll().successHandler(successHandler));
                // When the monitor endpoints have an LDAP URL and search filter configured,
                // delegate to the LDAP security configurer bean.
                val ldap = casProperties.getMonitor().getEndpoints().getLdap();
                if (StringUtils.isNotBlank(ldap.getLdapUrl()) && StringUtils.isNotBlank(ldap.getSearchFilter())) {
                    LOGGER.trace("palantirEndpointCasSecurityConfigurer: Palantir should use ldap");
                    try {
                        return applicationContext.getBean("ldapHttpWebSecurityConfigurer", CasWebSecurityConfigurer.class)
                            .configure(http);
                    } catch (org.springframework.beans.BeansException e) {
                        // assume ldap login turned off
                        LOGGER.debug("BeansException");
                    }
                } else {
                    LOGGER.trace("palantirEndpointCasSecurityConfigurer: Palantir use default authn");
                }
                // Bean lookup failed or LDAP is not configured: keep the default authentication.
                return this;
            }
        };
    }
}

monitor:
  endpoints:
    ldap:
      base-dn: ou=
      bind-credential: ${authn.ldap.bind-credential}
      bind-dn: ${authn.ldap.bind-dn}
      ldap-url: ${ldap-url}
      search-filter:
      ldap-authz:
        group-attribute: notused
        role-attribute:
        role-prefix:

________________________________
From: [email protected] <[email protected]> on behalf of Drew Northup
<[email protected]>
Sent: March 3, 2026 10:08
To: [email protected] <[email protected]>
Subject: [cas-user] Palantir (management UI successor) Auth Island?
Am I understanding from the documentation correctly that Palantir is an
Authentication Island? If so I'm going to need to get our CISO to sign off on
the Risk Acceptance for that. (We do not permit password sharing for anything
that may require auditing, such as major configuration changes.)
--
---------------------------+--------------------------------
Drew Northup |
University of Maine System | [email protected]
Computing Center |
Orono, ME 04469 |
--
- Website: https://apereo.github.io/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google Groups "CAS
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to [email protected].
To view this discussion visit
https://groups.google.com/a/apereo.org/d/msgid/cas-user/CAHq8xoJA4OLrX%3DkMu%2BRb8RJWv_H62jFY87hWc554mpO2jbJ-9Q%40mail.gmail.com.