Thanks, Ray,
I won't really be able to make direct use of that, but you and AJ have
helped me wrap my head around what is going on.
If I'm understanding correctly, the management UI/UX is no longer a
separate application, and therefore it can no longer use CAS to
authenticate, which means that we'd be unable to use centrally managed
groups or roles and would not be able to make use of any MFA features...all
of which is very unfortunate.

Given what I've discovered about JPA service registry configuration and
state rot (as there is absolutely no maintained upgrade path anymore) over
the last few days, this basically means to me that it is likely not worth my
time to bother getting this "Palantir" thing working, and I should instead
focus my efforts on converting the service registry entries over to the
HJSON format CAS is using (largely by hand, as our CAS is so ancient the
JSON export is apparently completely missing).

Thanks again, on to the next madness.

On Tue, Mar 3, 2026 at 8:44 PM 'Ray Bon' via CAS Community <
[email protected]> wrote:

> I modified our install to look in ldap for authn.
> Have not had the time to put in a pull request. But the authn piece really
> should support any backend the main cas authn supports.
>
> Ray
>
> CasPalantirWebMvcConfiguration.java
>
> package org.apereo.cas.config;
>
> import ca.uvic.idm.cas.configuration.UvicConfigurationProperties;
> import lombok.extern.slf4j.Slf4j;
> import org.apache.commons.lang3.StringUtils;
> import org.apereo.cas.configuration.CasConfigurationProperties;
> import org.apereo.cas.configuration.features.CasFeatureModule;
> import org.apereo.cas.palantir.PalantirConstants;
> import org.apereo.cas.palantir.controller.DashboardController;
> import org.apereo.cas.util.spring.boot.ConditionalOnFeatureEnabled;
> import org.apereo.cas.web.CasWebSecurityConfigurer;
> import org.apereo.cas.web.flow.CasWebflowConstants;
> import lombok.val;
> import org.springframework.boot.actuate.autoconfigure.endpoint.web.WebEndpointProperties;
> import org.springframework.boot.actuate.endpoint.web.EndpointLinksResolver;
> import org.springframework.boot.autoconfigure.condition.ConditionalOnMissingBean;
> import org.springframework.boot.context.properties.EnableConfigurationProperties;
> import org.springframework.context.ConfigurableApplicationContext;
> import org.springframework.context.annotation.Bean;
> import org.springframework.context.annotation.Configuration;
> import org.springframework.security.config.annotation.web.builders.HttpSecurity;
> import org.springframework.security.web.authentication.SavedRequestAwareAuthenticationSuccessHandler;
> import org.springframework.security.web.servlet.util.matcher.PathPatternRequestMatcher;
> import org.springframework.web.servlet.config.annotation.ViewControllerRegistry;
> import org.springframework.web.servlet.config.annotation.WebMvcConfigurer;
> import jakarta.annotation.Nonnull;
>
> /**
>  * This is {@link CasPalantirWebMvcConfiguration}.
>  *
>  * @author Misagh Moayyed
>  * @since 7.1.0
>  */
> @EnableConfigurationProperties({CasConfigurationProperties.class, UvicConfigurationProperties.class})
> @ConditionalOnFeatureEnabled(feature = CasFeatureModule.FeatureCatalog.Palantir)
> @Configuration(value = "CasPalantirWebMvcConfiguration", proxyBeanMethods = false)
> @Slf4j
> class CasPalantirWebMvcConfiguration {
>     @Bean
>     @ConditionalOnMissingBean(name = "palantirDashboardController")
>     public DashboardController palantirDashboardController(
>             final ConfigurableApplicationContext applicationContext,
>             final EndpointLinksResolver endpointLinksResolver,
>             final WebEndpointProperties webEndpointProperties,
>             final CasConfigurationProperties casProperties) {
>         return new DashboardController(casProperties, endpointLinksResolver, webEndpointProperties, applicationContext);
>     }
>
>     @Bean
>     @ConditionalOnMissingBean(name = "palantirWebMvcConfigurer")
>     public WebMvcConfigurer palantirWebMvcConfigurer(final CasConfigurationProperties casProperties) {
>         return new WebMvcConfigurer() {
>             @Override
>             public void addViewControllers(@Nonnull final ViewControllerRegistry registry) {
>                 // Serve the admin login form at the shared endpoint login URL.
>                 registry.addViewController(CasWebSecurityConfigurer.ENDPOINT_URL_ADMIN_FORM_LOGIN)
>                         .setViewName(CasWebflowConstants.VIEW_ID_ENDPOINT_ADMIN_LOGIN_VIEW);
>             }
>         };
>     }
>
>     @Bean
>     @ConditionalOnMissingBean(name = "palantirEndpointWebSecurityConfigurer")
>     public CasWebSecurityConfigurer<HttpSecurity> palantirEndpointWebSecurityConfigurer(
>             final ConfigurableApplicationContext applicationContext,
>             final CasConfigurationProperties casProperties) {
>         return new CasWebSecurityConfigurer<>() {
>             @Override
>             public CasWebSecurityConfigurer<HttpSecurity> finish(final HttpSecurity http) throws Exception {
>                 val successHandler = new SavedRequestAwareAuthenticationSuccessHandler();
>                 successHandler.setTargetUrlParameter("redirectTo");
>                 successHandler.setDefaultTargetUrl(PalantirConstants.URL_PATH_PALANTIR);
>                 // Require an authenticated session for everything under the Palantir path
>                 // and send unauthenticated requests to the admin form login.
>                 http.authorizeHttpRequests(customizer -> customizer
>                                 .requestMatchers(PathPatternRequestMatcher.withDefaults()
>                                         .matcher(PalantirConstants.URL_PATH_PALANTIR + "/**")).authenticated()
>                         )
>                         .formLogin(customizer -> customizer.loginPage(CasWebSecurityConfigurer.ENDPOINT_URL_ADMIN_FORM_LOGIN)
>                                 .permitAll().successHandler(successHandler));
>                 // If monitor.endpoints.ldap is configured, delegate to the LDAP web security
>                 // configurer so the form login authenticates against LDAP instead of the
>                 // default (static credential) authn.
>                 val ldap = casProperties.getMonitor().getEndpoints().getLdap();
>                 if (StringUtils.isNotBlank(ldap.getLdapUrl()) && StringUtils.isNotBlank(ldap.getSearchFilter())) {
>                     LOGGER.trace("palantirEndpointCasSecurityConfigurer: Palantir should use ldap");
>                     try {
>                         return applicationContext.getBean("ldapHttpWebSecurityConfigurer", CasWebSecurityConfigurer.class)
>                                 .configure(http);
>                     } catch (org.springframework.beans.BeansException e) {
>                         // assume ldap login turned off
>                         LOGGER.debug("BeansException");
>                     }
>                 } else {
>                     LOGGER.trace("palantirEndpointCasSecurityConfigurer: Palantir use default authn");
>                 }
>                 return this;
>             }
>         };
>     }
> }
>
>
> monitor:
>   endpoints:
>     ldap:
>       base-dn: ou=
>       bind-credential: ${authn.ldap.bind-credential}
>       bind-dn: ${authn.ldap.bind-dn}
>       ldap-url: ${ldap-url}
>       search-filter:
>       ldap-authz:
>         group-attribute: notused
>         role-attribute:
>         role-prefix:
> ------------------------------
> *From:* [email protected] <[email protected]> on behalf of Drew
> Northup <[email protected]>
> *Sent:* March 3, 2026 10:08
> *To:* [email protected] <[email protected]>
> *Subject:* [cas-user] Palantir (management UI successor) Auth Island?
>
> Am I understanding from the documentation correctly that Palantir is an
> Authentication Island? If so I'm going to need to get our CISO to sign off
> on the Risk Acceptance for that. (We do not permit password sharing for
> anything that may require auditing, such as major configuration changes.)
>
> --
> ---------------------------+--------------------------------
> Drew Northup               |
> University of Maine System |          [email protected]
> Computing Center           |
> Orono, ME 04469            |
>
> --
> - Website: https://apereo.github.io/cas
> - List Guidelines: https://goo.gl/1VRrw7
> - Contributions: https://goo.gl/mh7qDG
> ---
> You received this message because you are subscribed to the Google Groups
> "CAS Community" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> To view this discussion visit
> https://groups.google.com/a/apereo.org/d/msgid/cas-user/CAHq8xoJA4OLrX%3DkMu%2BRb8RJWv_H62jFY87hWc554mpO2jbJ-9Q%40mail.gmail.com
> <https://groups.google.com/a/apereo.org/d/msgid/cas-user/CAHq8xoJA4OLrX%3DkMu%2BRb8RJWv_H62jFY87hWc554mpO2jbJ-9Q%40mail.gmail.com?utm_medium=email&utm_source=footer>
> .
>


-- 
---------------------------+--------------------------------
Drew Northup               |
University of Maine System |          [email protected]
Computing Center           |
Orono, ME 04469            |
