I think we've been through most of these at one time or another, but to
assemble them all in one place...
1. You have all of these:
# The /status endpoint is protected by IP address only.
cas.adminPagesSecurity.ip: ...a valid regex to match your
authorized addresses...
# The /status/whatever endpoints are protected by the CAS server, using a
# list of admin users in "users.properties".
cas.adminPagesSecurity.loginUrl: ${cas.server.prefix}/login
cas.adminPagesSecurity.service:
${cas.server.prefix}/status/dashboard
cas.adminPagesSecurity.users:
file:/etc/cas/config/users.properties
# Define an administrator role. (This is the default; you probably don't
need to set it explicitly.)
cas.adminPagesSecurity.adminRoles[0]: ROLE_ADMIN
# Enable the Spring Boot actuators as well as the CAS actuators.
cas.adminPagesSecurity.actuatorEndpointsEnabled: true
cas.monitor.endpoints.enabled: true
endpoints.enabled: true
# Marking the endpoints "sensitive" would protect them with Spring Security;
# we want to protect them with the CAS server.
cas.monitor.endpoints.sensitive: false
endpoints.sensitive: false
2. You have a service definition that allows the dashboard to authenticate
via CAS:
{
"@class" : "org.apereo.cas.services.RegexRegisteredService",
"serviceId" : "^
https://your.cas.server.host.and.port.here/cas/status/dashboard(\\z|/.*)",
"name" : "CAS Admin Dashboard",
"id" : 123456789,
"description" : "CAS dashboard and administrative endpoints",
"evaluationOrder" : 1234
}
3. You're sure that the "ccheltenham-ext" user can successfully
authenticate via CAS. Go to https:/yourserver/cas/login to check. (Even if
you're "sure," check it anyway, just to remove it from the equation.)
4. You're attempting to access the dashboard from an IP address that
matches the pattern configured in cas.adminPagesSecurity.ip.
All of that together ought to do it. If it doesn't, change the CAS logging
level to "debug" and see what you get in cas.log....
--Dave
--
DAVID A. CURRY, CISSP
*DIRECTOR OF INFORMATION SECURITY*
INFORMATION TECHNOLOGY
71 FIFTH AVE., 9TH FL., NEW YORK, NY 10003
+1 212 229-5300 x4728 • david.cu...@newschool.edu
[image: The New School]
On Mon, Feb 26, 2018 at 2:04 PM, Cheltenham, Chris <
ccheltenham-...@philasd.org> wrote:
> Hello,
>
>
>
> I have been stuggling with access denied on the dashboard
>
>
>
> - users.properties only has the following.
>
>
>
> ccheltenham-ext=passwordnotused,ROLE_ADMIN
>
>
>
> What else could I have misconfigured?
>
>
>
>
>
>
>
> ===========================
>
> Thank You;
>
> Chris Cheltenham
> Technology Services
> The School District of Philadelphia
>
> Work # 215-400-5025
> Cell # 215-301-6571
>
> --
> - Website: https://apereo.github.io/cas
> - Gitter Chatroom: https://gitter.im/apereo/cas
> - List Guidelines: https://goo.gl/1VRrw7
> - Contributions: https://goo.gl/mh7qDG
> ---
> You received this message because you are subscribed to the Google Groups
> "CAS Community" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to cas-user+unsubscr...@apereo.org.
> To view this discussion on the web visit https://groups.google.com/a/
> apereo.org/d/msgid/cas-user/00a001d3af34%24a1de58a0%
> 24e59b09e0%24%40philasd.org
> <https://groups.google.com/a/apereo.org/d/msgid/cas-user/00a001d3af34%24a1de58a0%24e59b09e0%24%40philasd.org?utm_medium=email&utm_source=footer>
> .
>
--
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google Groups "CAS
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to cas-user+unsubscr...@apereo.org.
To view this discussion on the web visit
https://groups.google.com/a/apereo.org/d/msgid/cas-user/CA%2Bd9XAPG8nL99g6-zYfwWMCZBXQ2FhK6gR6UWatTYTGBK2fZqg%40mail.gmail.com.
