Hi,
I am in the process of upgrading CAS from 5.2.2 to 5.3.0-RC2. The CAS dashboard was working fine with 5.2.2, but when I switched to 5.3.0-RC2, it always returns forbidden. Not sure what I am missing here. Can anyone help please?

CAS properties:

    cas.adminPagesSecurity.ip=127.0.0.1
    cas.adminPagesSecurity.alternateIpHeaderName=X-Forwarded-For
    cas.adminPagesSecurity.loginUrl=https://localhost:8443/cas/login
    cas.adminPagesSecurity.service=https://localhost:8443/cas/status/dashboard
    cas.adminPagesSecurity.users=file:/opt/test/cas/config/adminusers.properties
    cas.adminPagesSecurity.adminRoles=ROLE_ADMIN
    security.basic.authorizeMode=role
    security.basic.enabled=true
    security.basic.path=/cas/status/**
    security.basic.realm=CAS
    cas.adminPagesSecurity.actuatorEndpointsEnabled=true
    cas.rest.attributeName=sAMAccountName
    cas.rest.attributeValue=sAMAccountName

Registered a service:

    {
      "@class" : "org.apereo.cas.services.RegexRegisteredService",
      "serviceId" : "^https://localhost:8443/cas/status/dashboard",
      "name" : "CAS Admin Dashboard",
      "id" : 10000011,
      "theme" : "iamadmin",
      "description" : "CAS dashboard and administrative endpoints",
      "evaluationOrder" : 5000
    }

Referred:

    https://dacurry-tns.github.io/deploying-apereo-cas/building_server_dashboard_overview.html
    https://apereo.github.io/cas/development/installation/Configuration-Properties.html

Debug logs:

    DEBUG [org.apereo.cas.web.pac4j.CasSecurityInterceptor$1] - <=== SECURITY ===>
    2018-05-11 07:54:57,198 DEBUG [org.apereo.cas.web.pac4j.CasSecurityInterceptor$1] - <url: https://localhost:8443/cas/status/dashboard>
    2018-05-25 07:54:57,198 DEBUG [org.apereo.cas.web.pac4j.CasSecurityInterceptor$1] - <matchers: null>
    2018-05-25 07:54:57,199 DEBUG [org.apereo.cas.web.pac4j.CasSecurityInterceptor$1] - <clients: CasClient>
    2018-05-25 07:54:57,199 DEBUG [org.apereo.cas.web.pac4j.CasSecurityInterceptor$1] - <currentClients: [#DirectCasClient# | configuration: #CasConfiguration# | loginUrl: https://localhost:8443/cas/login | prefixUrl: https://localhost:8443/cas/ | restUrl: https://localhost:8443/cas/v1/tickets | protocol: CAS30 | renew: false | gateway: false | encoding: UTF-8 | logoutHandler: #DefaultCasLogoutHandler# | store: #GuavaStore# | size: 10000 | timeout: 30 | timeUnit: MINUTES | | destroySession: false | | acceptAnyProxy: false | allowedProxyChains: [] | proxyReceptor: null | timeTolerance: 1000 | postLogoutUrlParameter: service | defaultTicketValidator: null | urlResolver: org.pac4j.core.http.DefaultUrlResolver@6577f727 | |]>
    2018-05-25 07:54:57,199 DEBUG [org.apereo.cas.web.pac4j.CasSecurityInterceptor$1] - <loadProfilesFromSession: true>
    2018-05-25 07:54:57,200 DEBUG [org.apereo.cas.web.pac4j.CasSecurityInterceptor$1] - <profiles: [#CasProfile# | id: testuser | attributes: {isFromNewLogin=true, mail=testu...@test.com, bypassMultifactorAuthentication=true, authenticationDate=2018-05-25T07:54:48.391-04:00[America/New_York], sAMAccountName=testuser, accountExpires=9223372036854775807, givenName=testuser, successfulAuthenticationHandlers=LdapAuthenticationHandler, cn=testuser, credentialType=RememberMeUsernamePasswordCredential, msDS-UserPasswordExpiryTimeComputed=9223372036854775807, bypassedMultifactorAuthenticationProviderId=mfa-duo, authenticationMethod=LdapAuthenticationHandler, longTermAuthenticationRequestTokenUsed=false, sn=testuser, lockoutTime=0, username=testuser, pwdLastSet=131578106790314866, badPwdCount=0} | roles: [] | permissions: [] | isRemembered: false | clientName: CasClient | linkedId: null |]>
    2018-05-25 07:54:57,200 DEBUG [org.apereo.cas.web.pac4j.CasSecurityInterceptor$1] - <authorizers: securityHeaders,csrfToken,RequireAnyRoleAuthorizer>
    2018-05-25 07:54:57,201 DEBUG [org.pac4j.core.authorization.checker.DefaultAuthorizationChecker] - <Checking authorizer: org.pac4j.core.authorization.authorizer.CacheControlHeader@6be8c6e5 -> true>
    2018-05-25 07:54:57,201 DEBUG [org.pac4j.core.authorization.checker.DefaultAuthorizationChecker] - <Checking authorizer: org.pac4j.core.authorization.authorizer.XContentTypeOptionsHeader@3a99578a -> true>
    2018-05-25 07:54:57,201 DEBUG [org.pac4j.core.authorization.checker.DefaultAuthorizationChecker] - <Checking authorizer: org.pac4j.core.authorization.authorizer.StrictTransportSecurityHeader@b49fcda -> true>
    2018-05-25 07:54:57,201 DEBUG [org.pac4j.core.authorization.checker.DefaultAuthorizationChecker] - <Checking authorizer: org.pac4j.core.authorization.authorizer.XFrameOptionsHeader@7b1cdf3e -> true>
    2018-05-25 07:54:57,201 DEBUG [org.pac4j.core.authorization.checker.DefaultAuthorizationChecker] - <Checking authorizer: org.pac4j.core.authorizatio
    2018-05-25 07:54:57,201 DEBUG [org.pac4j.core.authorization.checker.DefaultAuthorizationChecker] - <Checking authorizer: org.pac4j.core.authorization.authorizer.XSSProtectionHeader@31458155 -> true>
    2018-05-25 07:54:57,201 DEBUG [org.pac4j.core.authorization.checker.DefaultAuthorizationChecker] - <Checking authorizer: #CsrfTokenGeneratorAuthorizer# | csrfTokenGenerator: org.pac4j.core.authorization.authorizer.csrf.DefaultCsrfTokenGenerator@10dddcf8 | domain: null | path: / | httpOnly: null | secure: null | -> true>
    2018-05-25 07:54:57,201 DEBUG [org.pac4j.core.authorization.checker.DefaultAuthorizationChecker] - <Checking authorizer: org.pac4j.core.authorization.authorizer.RequireAnyRoleAuthorizer@d0fa89f -> false>
    2018-05-25 07:54:57,201 DEBUG [org.apereo.cas.web.pac4j.CasSecurityInterceptor$1] - <forbidden>

RequireAnyRoleAuthorizer always returns false.

Thanks
Naresh
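
An added example, not part of the original post and not CAS or pac4j code: a small Python triage script for pac4j DEBUG traces like the one quoted above. It reports which authorizer evaluated to false and which logged profiles hold none of the required roles; `explain_forbidden` and the abridged `SAMPLE_LOG` are constructed for illustration, and the required role is the `cas.adminPagesSecurity.adminRoles` value from the post.

```python
import re

# Constructed sample: four lines abridged from the pac4j DEBUG output quoted in
# the post (attribute map shortened; everything else as logged).
SAMPLE_LOG = """\
2018-05-25 07:54:57,200 DEBUG [org.apereo.cas.web.pac4j.CasSecurityInterceptor$1] - <profiles: [#CasProfile# | id: testuser | attributes: {sAMAccountName=testuser, cn=testuser} | roles: [] | permissions: [] | isRemembered: false | clientName: CasClient | linkedId: null |]>
2018-05-25 07:54:57,201 DEBUG [org.pac4j.core.authorization.checker.DefaultAuthorizationChecker] - <Checking authorizer: org.pac4j.core.authorization.authorizer.XFrameOptionsHeader@7b1cdf3e -> true>
2018-05-25 07:54:57,201 DEBUG [org.pac4j.core.authorization.checker.DefaultAuthorizationChecker] - <Checking authorizer: org.pac4j.core.authorization.authorizer.RequireAnyRoleAuthorizer@d0fa89f -> false>
2018-05-25 07:54:57,201 DEBUG [org.apereo.cas.web.pac4j.CasSecurityInterceptor$1] - <forbidden>
"""

PROFILE_RE = re.compile(
    r"#CasProfile# \| id: (?P<id>[^|]+?) \|.*?\| roles: \[(?P<roles>[^\]]*)\]")
AUTHZ_RE = re.compile(r"<Checking authorizer: (?P<name>.+?) -> (?P<result>true|false)>")


def explain_forbidden(log_text, required_roles):
    """Summarise a pac4j authorization trace: who was checked, what failed."""
    profiles, failed, forbidden = {}, [], False
    for line in log_text.splitlines():
        for m in PROFILE_RE.finditer(line):
            roles = {r.strip() for r in m.group("roles").split(",") if r.strip()}
            profiles[m.group("id").strip()] = roles
        m = AUTHZ_RE.search(line)
        if m and m.group("result") == "false":
            # Reduce "pkg.Class@hash" or "#Class# | ..." to the bare class name.
            token = m.group("name").split()[0].split("@")[0]
            failed.append(token.rsplit(".", 1)[-1].strip("#"))
        if line.rstrip().endswith("<forbidden>"):
            forbidden = True
    required = set(required_roles)
    return {
        "forbidden": forbidden,
        "failed_authorizers": failed,
        "profiles": profiles,
        # A role check passes when a profile holds at least one required role.
        "profiles_without_required_role": sorted(
            pid for pid, roles in profiles.items() if not roles & required),
    }


if __name__ == "__main__":
    # ROLE_ADMIN is the value of cas.adminPagesSecurity.adminRoles in the post.
    print(explain_forbidden(SAMPLE_LOG, {"ROLE_ADMIN"}))
```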