Re: [cas-user] Re: Access Denied with CAS Service Management WebApp

2017-10-09 Thread Edward GR
Hi Priit,
Have you checked cas.log, cas-management.log, or your web container log?
I encountered the same issue, but it was due to an SSL certificate issue.

not sure on your case.

On 7 October 2017 at 14:26, Priit Serk  wrote:

> I confirm that it does not work in CAS. I'm also trying to solve this
> issue: user details are just not processed correctly by CAS-Management.
> I'm overwriting the management source to solve this.
>
>



-- 
Thanks & regards
Edward Geopholda R.

-- 
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
--- 
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to cas-user+unsubscr...@apereo.org.
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/CAOpYzDi8udhd%3DvfB0ByUc3W8Tj2ussqZvX%3D64O7vnh1X8xXRAQ%40mail.gmail.com.


[cas-user] Re: Access Denied with CAS Service Management WebApp

2017-10-06 Thread Priit Serk
I confirm that it does not work in CAS. I'm also trying to solve this issue:
user details are just not processed correctly by CAS-Management. I'm
overwriting the management source to solve this.




Re: [cas-user] Re: Access Denied with CAS Service Management WebApp

2017-08-12 Thread Brian Gibson

Hi Arnold,

Thank you very much for the suggestion. I confirmed that CAS is finding 
the properties file by changing the filename to something bogus; when I 
do that, the deployment of the war file crashes because it says it cannot 
find the file.
I believe CAS is successfully finding the file, it is just not 
processing it correctly (as far as I can tell). I'm getting around this 
by setting the "cas.mgmt.adminRoles" option to nothing (instead of the 
suggested "ROLE_ADMIN" value). Doing so (I believe) makes it so anyone 
who logs in can access the service management web app. I am getting 
around that by adding an accessStrategy section to the .json file that 
controls access to that service; inside it I am using the following 
requiredAttributes to restrict access to my Active Directory loginID:


  "accessStrategy" : {
    "@class" : "org.apereo.cas.services.DefaultRegisteredServiceAccessStrategy",
    "enabled" : true,
    "ssoEnabled" : true,
    "requiredAttributes" : {
      "@class" : "java.util.HashMap",
      "cn" : [ "java.util.HashSet", [ "bgibson" ] ]
    }
  },





On 8/10/2017 3:24 AM, Bergner, Arnold wrote:


Hi there,

it seems to me your properties file location might be wrong. At least, 
there’s no C: in there:


cas.mgmt.userPropertiesFile=file:/etc/cas/config/users.properties 



Maybe you also need Windows notation?

Regards

Arnold


[cas-user] Re: Access Denied with CAS Service Management WebApp

2017-08-10 Thread Bergner, Arnold
Hi there,

it seems to me your properties file location might be wrong. At least, there’s 
no C: in there:
cas.mgmt.userPropertiesFile=file:/etc/cas/config/users.properties
Maybe you also need Windows notation?

Regards
Arnold


[cas-user] Re: Access Denied with CAS Service Management WebApp

2017-08-09 Thread Brian Gibson
To follow up on my last email, I enabled DEBUG mode and noticed in the 
logs where it was denying my access. Here is the snippet. I think it is 
because the "roles" value is empty (in bold below)


2017-08-09 12:28:29,675 DEBUG [org.apereo.cas.mgmt.web.CasManagementSecurityInterceptor$CasManagementSecurityLogic] - {wID=my_AD_loginID, isFromNewLogin=true, authenticationDate=2017-08-09T12:28:29.175-04:00[America/New_York], affiliation=staff, authenticationMethod=LdapAuthenticationHandler, FullName=my_Full_Name_From_AD, successfulAuthenticationHandlers=LdapAuthenticationHandler, longTermAuthenticationRequestTokenUsed=false, sn=my_Last_Name_From_AD, cn=my_AD_loginID, EmailAddress=my_AD_EmailAddress} | *roles: []* | permissions: [] | isRemembered: false | clientName: CasClient | linkedId: null |]>

2017-08-09 12:28:29,675 DEBUG [org.apereo.cas.mgmt.web.CasManagementSecurityInterceptor$CasManagementSecurityLogic] - 

2017-08-09 12:28:29,691 DEBUG [org.apereo.cas.mgmt.web.CasManagementSecurityInterceptor$CasManagementSecurityLogic] - 


I thought the c:\etc\cas\config\users.properties file referenced from my 
management.properties file would list me as having the ROLE_ADMIN role?


If it helps, here is the .json file service entry used to allow the 
management app.



{
  "@class" : "org.apereo.cas.services.RegexRegisteredService",
  "serviceId" : "https://cas5test.wheatonma.edu/cas-management/.*",
  "name" : "CASManagementService",
  "id" : 132457456798678,
  "description" : "Service entry to allow access to the CAS Management App",
  "attributeReleasePolicy" : {
    "@class" : "org.apereo.cas.services.ReturnMappedAttributeReleasePolicy",
    "allowedAttributes" : {
      "@class" : "java.util.TreeMap",
      "sn" : "sn",
      "cn" : "cn",
      "mail" : "EmailAddress",
      "displayname" : "FullName",
      "sAMAccountName" : "wID",
      "employeeType" : "affiliation"
    }
  },
  "evaluationOrder" : 2
}


Thanks!!!









On 8/9/2017 10:44 AM, Brian Gibson wrote:

Hi All,

Be gentle, I'm a sys admin, not a Java expert ;-)

Running Tomcat 9 on Windows 2012 R2 Server.

Running CAS 5.1.2 using the War Overlay method and I have it 
authenticating against Active Directory and it recognizes services 
that I define in .json files.


I'm trying to get the CAS Services Management Webapp working so I can 
login with my Active Directory credentials. Here is where I am


1. I go to the /cas-management URL and if I am not already logged into 
CAS I get redirected to the CAS login page (good so far)


2. I log in with my Active Directory credentials and I am greeted with 
this error


CAS Services Management   Access Denied   You are not authorized to 
access this resource. Contact your CAS Administrator for more info.


I put this entry in the c:\etc\cas\config\users.properties file (which 
is referenced below in my management.properties file)


my_AD_loginID=notused,ROLE_ADMIN,enabled

My management.properties file looks like this:

cas.server.name=https://cas5test.wheatonma.edu
cas.server.prefix=https://cas5test.wheatonma.edu/cas
cas.mgmt.host=${cas.server.name}
cas.serviceRegistry.initFromJson=true
spring.thymeleaf.mode=HTML
logging.config=file:/etc/cas/config/log4j2-management.xml
server.port=443
cas.serviceRegistry.config.location:file:/etc/cas/services
server.contextPath=/cas-management
cas.mgmt.adminRoles=ROLE_ADMIN
cas.mgmt.userPropertiesFile=file:/etc/cas/config/users.properties
cas.mgmt.serverName=https://cas5test.wheatonma.edu
cas.mgmt.defaultLocale=en
cas.mgmt.ldap.ldapAuthz.searchFilter=cn={user}
cas.mgmt.ldap.ldapAuthz.baseDn=OU=hidden,DC=hidden,DC=hidden
cas.mgmt.ldap.ldapUrl=ldaps://my_1st_ad_controller ldaps://my_2nd_ad_controller
cas.mgmt.ldap.baseDn=OU=hidden,DC=hidden,DC=hidden
cas.mgmt.ldap.bindDn=CN=hidden,CN=hidden,DC=hidden,DC=hidden
cas.mgmt.ldap.bindCredential=hidden
cas.mgmt.ldap.useSsl=true
cas.mgmt.ldap.useStartTls=false

Thanks for any advice you can offer :-)



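The two checks this thread circles around, as an added example written for this page (it is not code from the thread and not CAS's own implementation): a Python model of the management webapp's role gate, where cas.mgmt.adminRoles is compared with the roles found for the principal in the cas.mgmt.userPropertiesFile entry, and of the registered service's accessStrategy.requiredAttributes gate that the 2017-08-12 reply falls back on after emptying adminRoles, with a function that reports which of the two gates produced the "Access Denied". Assumptions: the users.properties lookup is case-insensitive, an empty cas.mgmt.adminRoles requires no role at all (as the thread reports), requiredAttributes means every listed attribute must carry one of the listed values, the check runs against the principal's resolved attributes rather than the release-mapped set, and every username, attribute value and the example.edu address is constructed.

```python
"""Model of the two gates a CAS principal passes before the management
webapp admits it (illustrative code for this page, not CAS code).

  gate 1  cas.mgmt.adminRoles  vs. roles looked up in cas.mgmt.userPropertiesFile
  gate 2  the registered service's accessStrategy.requiredAttributes vs. the
          principal's attributes

Assumptions are marked in comments; all sample data is constructed.
"""
import re
from typing import Dict, List, Set

# Constructed sample in the format shown on this page:
#   <username>=<password>,<ROLE_A>[,<ROLE_B>...][,enabled|disabled]
USERS_PROPERTIES = """\
# constructed sample, not a real deployment
bgibson=notused,ROLE_ADMIN,enabled
jdoe=notused,ROLE_ADMIN,disabled
auditor=notused,ROLE_VIEW,enabled
"""

_LINE = re.compile(r"^([^=:\s]+)\s*[=:]\s*(.*)$")  # Java properties accept '=' or ':'


def parse_users_properties(text: str) -> Dict[str, dict]:
    """Return {username: {"roles": set, "enabled": bool}}.
    Assumption: usernames are matched case-insensitively, so keys are
    lower-cased; confirm how your CAS version matches the principal id."""
    users: Dict[str, dict] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        m = _LINE.match(line)
        if not m:
            raise ValueError(f"unparseable line: {raw!r}")
        parts = [p.strip() for p in m.group(2).split(",")]
        if len(parts) < 2:
            raise ValueError(f"need at least password and one role: {raw!r}")
        enabled = True
        if parts[-1].lower() in ("enabled", "disabled"):
            enabled = parts.pop().lower() == "enabled"
        users[m.group(1).lower()] = {"roles": set(parts[1:]), "enabled": enabled}
    return users


def roles_for(users: Dict[str, dict], principal_id: str) -> Set[str]:
    """Roles the management app would put on the pac4j profile. An unknown or
    disabled user gets none, which is what "roles: []" in the DEBUG dump means."""
    entry = users.get(principal_id.lower())
    if entry is None or not entry["enabled"]:
        return set()
    return set(entry["roles"])


def role_gate(admin_roles: str, roles: Set[str]) -> bool:
    """cas.mgmt.adminRoles is a comma-separated list; the profile needs any one
    of them. Assumption, matching what the thread reports: an empty list
    requires nothing, so every authenticated user passes this gate."""
    required = {r.strip() for r in admin_roles.split(",") if r.strip()}
    return not required or bool(required & roles)


def access_strategy_allows(attrs: Dict[str, List[str]],
                           required: Dict[str, List[str]],
                           require_all: bool = True) -> bool:
    """requiredAttributes as modelled here: every listed attribute must be
    present with at least one listed value (require_all=False: any one of them
    suffices). Evaluated against the principal's resolved attributes, an
    assumption that only matters if a required attribute is renamed on release."""
    if not required:
        return True
    hits = [bool(set(attrs.get(name, [])) & set(values))
            for name, values in required.items()]
    return all(hits) if require_all else any(hits)


def mgmt_decision(principal_id: str, attrs: Dict[str, List[str]],
                  admin_roles: str, users: Dict[str, dict],
                  required: Dict[str, List[str]]) -> dict:
    """Run both gates and report which one denied, so the generic
    "Access Denied" page becomes diagnosable."""
    roles = roles_for(users, principal_id)
    gate1 = role_gate(admin_roles, roles)
    gate2 = access_strategy_allows(attrs, required)
    if not gate1:
        reason = (f"no admin role for principal {principal_id!r}: "
                  f"roles={sorted(roles)}, adminRoles={admin_roles!r}")
    elif not gate2:
        reason = f"accessStrategy.requiredAttributes not satisfied: {required}"
    else:
        reason = "ok"
    return {"allowed": gate1 and gate2, "roles": roles, "reason": reason}


if __name__ == "__main__":
    users = parse_users_properties(USERS_PROPERTIES)
    required = {"cn": ["bgibson"]}  # the thread's accessStrategy, constructed value
    cases = [  # (principal id, constructed AD attributes, cas.mgmt.adminRoles)
        ("bgibson", {"cn": ["bgibson"], "employeeType": ["staff"]}, "ROLE_ADMIN"),
        ("someone", {"cn": ["someone"], "employeeType": ["staff"]}, "ROLE_ADMIN"),
        ("someone", {"cn": ["someone"], "employeeType": ["staff"]}, ""),
    ]
    for pid, attrs, admin_roles in cases:
        print(pid, repr(admin_roles), mgmt_decision(pid, attrs, admin_roles, users, required))
```

The second case reproduces the symptom in the thread: a principal with no matching users.properties entry arrives with an empty role set and is stopped at gate 1, so the first thing to compare is the id CAS hands to the management app (cn in the DEBUG dump) with the key in the properties file. The third case shows the workaround: with adminRoles emptied the role gate admits everyone and the JSON accessStrategy becomes the only control in front of the management app. Note that this strategy lives in the service registry that the management app itself edits, so whoever it admits can also change the entry that admits them; the role check is the control to restore.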