Nguyen,

I configured cas properties for attributes (since the admins are under a different tree than the authentication tree) and the role is in the description attribute:

cas.authn.attributeRepository.ldap[2].id=administrators
cas.authn.attributeRepository.ldap[2].order=2
cas.authn.attributeRepository.ldap[2].attributes.uvicEduPersonYubiKeyID=uvicEduPersonYubiKeyID
cas.authn.attributeRepository.ldap[2].attributes.eduPersonEntitlement=eduPersonEntitlement
cas.authn.attributeRepository.ldap[2].attributes.description=description
cas.authn.attributeRepository.ldap[2].ldapUrl=ldaps://ldaplocal.uvic.ca:636
cas.authn.attributeRepository.ldap[2].connectTimeout=PT3S
cas.authn.attributeRepository.ldap[2].baseDn=ou=administrators,ou=CAS,ou=applications,dc=uvic,dc=ca
cas.authn.attributeRepository.ldap[2].subtreeSearch=true
cas.authn.attributeRepository.ldap[2].searchFilter=uid={user}
cas.authn.attributeRepository.ldap[2].bindDn=cn=Auth Manager,ou=CAS,ou=UVON,ou=administrators,dc=uvic,dc=ca
cas.authn.attributeRepository.ldap[2].bindCredential=

I then modified the service definition to return a mapped attribute 
(description -> roles):

{
  "@class": "org.apereo.cas.services.RegexRegisteredService",
  "serviceId": "^https://local\\.uvic\\.ca/cas-management/.*",
  "name": "Services Management Web Application on local",
  "id": 50,
  "description": "Services Management Web Application on developer workstation",
  "expirationPolicy":
  {
    "@class": "org.apereo.cas.services.DefaultRegisteredServiceExpirationPolicy",
    "deleteWhenExpired": false,
    "notifyWhenDeleted": false,
    "notifyWhenExpired": false
  },
  "proxyPolicy":
  {
    "@class": "org.apereo.cas.services.RefuseRegisteredServiceProxyPolicy"
  },
  "proxyTicketExpirationPolicy":
  {
    "@class": "org.apereo.cas.services.DefaultRegisteredServiceProxyTicketExpirationPolicy",
    "numberOfUses": 0
  },
  "serviceTicketExpirationPolicy":
  {
    "@class": "org.apereo.cas.services.DefaultRegisteredServiceServiceTicketExpirationPolicy",
    "numberOfUses": 0
  },
  "evaluationOrder": 0,
  "usernameAttributeProvider":
  {
    "@class": "org.apereo.cas.services.DefaultRegisteredServiceUsernameProvider",
    "canonicalizationMode": "NONE",
    "encryptUsername": false
  },
  "logoutType": "BACK_CHANNEL",
  "requiredHandlers":
  [
    "java.util.HashSet",[]
  ],
  "environments":
  [
    "java.util.HashSet",[]
  ],
  "attributeReleasePolicy":
  {
    "@class": "org.apereo.cas.services.ReturnMappedAttributeReleasePolicy",
    "allowedAttributes":
    {
      "@class": "java.util.TreeMap",
      "description":
      [
        "java.util.ArrayList",
        [
          "roles"
        ]
      ]
    },
    "principalAttributesRepository":
    {
      "@class": "org.apereo.cas.authentication.principal.DefaultPrincipalAttributesRepository",
      "mergingStrategy": "MULTIVALUED",
      "ignoreResolvedAttributes": false
    },
    "consentPolicy":
    {
      "@class": "org.apereo.cas.services.consent.DefaultRegisteredServiceConsentPolicy",
      "enabled": true,
      "order": 0
    },
    "authorizedToReleaseCredentialPassword": false,
    "authorizedToReleaseProxyGrantingTicket": false,
    "excludeDefaultAttributes": false,
    "authorizedToReleaseAuthenticationAttributes": true,
    "order": 0
  },
  "multifactorPolicy":
  {
    "@class": "org.apereo.cas.services.DefaultRegisteredServiceMultifactorPolicy",
    "multifactorAuthenticationProviders":
    [
      "java.util.HashSet",[]
    ],
    "failureMode": "CLOSED",
    "bypassEnabled": false,
    "forceExecution": false,
    "bypassTrustedDeviceEnabled": false
  },
  "logoutUrl": "https://local.uvic.ca/cas/logout",
  "accessStrategy":
  {
    "@class": "org.apereo.cas.services.DefaultRegisteredServiceAccessStrategy",
    "order": 0,
    "enabled": true,
    "ssoEnabled": true,
    "delegatedAuthenticationPolicy":
    {
      "@class": "org.apereo.cas.services.DefaultRegisteredServiceDelegatedAuthenticationPolicy",
      "allowedProviders":
      [
        "java.util.ArrayList",[]
      ],
      "permitUndefined": true,
      "exclusive": false
    },
    "requireAllAttributes": true,
    "requiredAttributes":
    {
      "@class": "java.util.LinkedHashMap",
      "description":
      [
        "java.util.HashSet",
        [
          "ADMIN"
        ]
      ]
    },
    "rejectedAttributes":
    {
      "@class": "java.util.LinkedHashMap"
    },
    "caseInsensitive": false
  },
  "properties":
  {
    "@class": "java.util.LinkedHashMap",
    "test":
    {
      "@class": "org.apereo.cas.services.DefaultRegisteredServiceProperty",
      "values":
      [
        "java.util.HashSet",
        [
          "FALSE"
        ]
      ]
    }
  },
  "contacts":
  [
    "java.util.ArrayList",[]
  ]
}

I am going to edit our ldap data today to change from ADMIN to ROLE_ADMIN. (I 
got the attribute release working on Friday.)

You can see the attributes in cas management with this logging

        <AsyncLogger name="org.pac4j.cas.client" level="trace" />
        <AsyncLogger name="org.pac4j.cas.credentials" level="trace" />

and release in cas with

        <!-- DEBUG Found principal attributes [...] for [username]
                   Attribute policy [???] allows release of [...] for [username]
                   Final collection of attributes allowed are: [...] -->
        <AsyncLogger name="org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy" level="debug"/>

Ray
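As an added worked example (not code from this thread or from CAS itself): the script below parses a CAS protocol 3.0 /p3/serviceValidate response, which carries the same attribute list the pac4j trace logging above prints, and then emulates the path Ray's service definition sets up: the mapped release (description -> roles), the requiredAttributes access check, and an exact-name role check of the kind the "does not contain any required roles" warning implies. The XML bodies and principal attributes are constructed; that CAS 6.x treats requiredAttributes values as regular expressions with search semantics, and that the management webapp wants an exact role name such as ROLE_ADMIN, are assumptions stated in the code.

```python
"""Emulate the attribute path behind Ray's service definition, offline.

Added example, not code from the thread or from CAS itself.  SAMPLE_* XML
and the principal attributes are constructed.  Assumptions: CAS 6.x treats
requiredAttributes values as regular expressions with search semantics, and
the management webapp's role check is an exact name match (ROLE_ADMIN).
"""
import re
import xml.etree.ElementTree as ET

CAS_NS = {"cas": "http://www.yale.edu/tp/cas"}

# Constructed: a CAS 3.0 success carrying the attribute released under the
# mapped name "roles" (LDAP description -> roles).
SAMPLE_SUCCESS = """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:authenticationSuccess>
    <cas:user>casuser</cas:user>
    <cas:attributes>
      <cas:credentialType>UsernamePasswordCredential</cas:credentialType>
      <cas:roles>ADMIN</cas:roles>
    </cas:attributes>
  </cas:authenticationSuccess>
</cas:serviceResponse>"""

# Constructed: a failed validation (expired, replayed or wrong-service ticket).
SAMPLE_FAILURE = """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:authenticationFailure code='INVALID_TICKET'>ticket not recognized</cas:authenticationFailure>
</cas:serviceResponse>"""


def parse_validation(xml_text):
    """Return (user, {attribute: [values]}) from a /p3/serviceValidate body.

    Raises ValueError on authenticationFailure, so a failed validation is
    never mistaken for a user who merely has no attributes.
    """
    root = ET.fromstring(xml_text)
    failure = root.find("cas:authenticationFailure", CAS_NS)
    if failure is not None:
        raise ValueError("CAS validation failed: %s" % failure.get("code"))
    success = root.find("cas:authenticationSuccess", CAS_NS)
    if success is None:
        raise ValueError("malformed response: no authenticationSuccess")
    user = success.findtext("cas:user", default="", namespaces=CAS_NS)
    attributes = {}
    container = success.find("cas:attributes", CAS_NS)
    for child in (container if container is not None else []):
        name = child.tag.split("}", 1)[-1]  # drop the {namespace} prefix
        attributes.setdefault(name, []).append((child.text or "").strip())
    return user, attributes


def mapped_release(principal_attrs, allowed):
    """ReturnMappedAttributeReleasePolicy: release each principal attribute
    named in `allowed` under its mapped name(s); everything else is dropped."""
    released = {}
    for source, targets in allowed.items():
        if source in principal_attrs:
            for target in targets:
                released.setdefault(target, []).extend(principal_attrs[source])
    return released


def access_strategy_allows(principal_attrs, required, require_all=True,
                           case_insensitive=False):
    """requiredAttributes check on the resolved principal (the LDAP name
    "description", not the released name "roles").  Each required value is a
    regex matched with search semantics (assumed CAS 6.x behaviour), so
    "ADMIN" also accepts "ADMINISTRATIVE_ASSISTANT"; anchor it (^ADMIN$)."""
    flags = re.IGNORECASE if case_insensitive else 0
    results = []
    for name, patterns in required.items():
        values = principal_attrs.get(name, [])
        results.append(any(re.search(p, v, flags) for p in patterns for v in values))
    return all(results) if require_all else any(results)


def has_required_role(roles, required_roles=("ROLE_ADMIN",)):
    """Exact role-name check: "ADMIN" does not satisfy "ROLE_ADMIN"."""
    return bool(set(roles) & set(required_roles))


def evaluate(principal_attrs, required_pattern="ADMIN"):
    """Run the whole path for one principal with Ray's mapping and policy."""
    released = mapped_release(principal_attrs, {"description": ["roles"]})
    return {
        "access_granted": access_strategy_allows(
            principal_attrs, {"description": [required_pattern]}),
        "released": released,
        "role_ok": has_required_role(released.get("roles", [])),
    }


if __name__ == "__main__":
    print(parse_validation(SAMPLE_SUCCESS))
    print(evaluate({"uid": ["casuser"], "description": ["ADMIN"]}))
    print(evaluate({"uid": ["casuser"], "description": ["ADMINISTRATIVE_ASSISTANT"]}))
```

A real response needs only a GET against /p3/serviceValidate with the service URL and a fresh ST taken from the login redirect; no trace logging is required to see what the server actually releases. Two things the run shows: a principal whose description is ADMIN clears the access strategy and is released as roles=[ADMIN], which an exact ROLE_ADMIN check still rejects; and, under the regex semantics the example assumes, an unanchored required value is a substring pattern, so `^ADMIN$` is the safer form in the service definition.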

On Mon, 2020-08-31 at 23:29 +0700, Nguyen Tran Thanh Lam wrote:
Notice: This message was sent from outside the University of Victoria email 
system. Please be cautious with links and sensitive information.

Hi Ray,
Could you show me your config that returned properties roles=[ADMIN]?
And
Have you ever tried returning this:
roles=[ROLE_ADMIN]
Like user.json

{
  "casuser" : {
    "roles" : [ "ROLE_ADMIN" ]
  }
}

Since my CAS Management error log is like below:

WARN [org.apereo.cas.mgmt.authz.CasRoleBasedAuthorizer] - <Unable to authorize 
access, since the authenticated profile [#CasProfile# | id: root | attributes: 
{credentialType=UsernamePasswordCredential, isFromNewLogin=false, 
authenticationDate=2020-08-26T08:51:16.865441Z[UTC], 
authenticationMethod=users, successfulAuthenticationHandlers=users, 
longTermAuthenticationRequestTokenUsed=false} | roles: [] | permissions: [] | 
isRemembered: false | clientName: CasClient | linkedId: null |] does not 
contain any required roles>

And I guess, if we could fill roles: [] (in red) so it becomes role: [ADMIN_ROLE], it will run.
Thank you.
On Mon, 31 Aug 2020 at 23:12 Ray Bon <r...@uvic.ca> wrote:
Nguyen,

I am at this point in configuring cas management too.
Our 4.x deploy of cas management used to look up the user in ldap (you would 
use mongo), and get the ADMIN attribute there. But the 6.1 version does not 
seem to use ldap (I configured it but no calls to ldap were made).
Cas management uses cas protocol 3, which means that attributes can be 
returned. I have configured this and I am returning roles=[ADMIN]. This also 
seems to be ignored.

Perhaps one of the developers of cas management could comment if the .json file 
is the only way to identify users and roles.

Ray

On Mon, 2020-08-31 at 14:02 +0700, Nguyen Tran Thanh Lam wrote:

Hi Mr Jérôme LELEU,
Yes, I know this configuration, but I have an inconvenient process when I create a new user.
It means that when I create a new user in MongoDB, CAS Overlay can authenticate the new user (I do not need to restart the cas service), but with the CAS Management Web App I must add this role for the new user to the user.json file and restart the CAS Management Web App service.
For example:
First:
I have already had one user with username casuser and password x1.
I could use casuser/x1 as a CAS account to use the CAS Overlay and CAS Management Web App features.
Next:
I add a new user with username casuser2 and password x2.
I could use casuser2/x2 as a CAS account to use the CAS Overlay feature.
But with the CAS Management Web App, I need to modify the user.json file like this

{
  "casuser" : {
    "roles" : [ "ROLE_ADMIN" ]
  },
  "casuser2" : {
    "roles" : [ "ROLE_ADMIN" ]
  }
}

Then restart the CAS Management service. After that, I could use this casuser2 account for the CAS Management Web App.
It's very inconvenient, thus I hope there is a way to fix this role for all users.
Please help me.
Thank you in advance.

On Mon, 31 Aug 2020 at 13:44 Jérôme LELEU <lel...@gmail.com> wrote:
Hi,

You need to add a users.json (or users.yml in YAML format) file to the classpath.
For example:

{
  "casuser" : {
    "roles" : [ "ROLE_ADMIN" ]
  }
}

Thanks.
Best regards,
Jérôme


On Thu, 27 Aug 2020 at 14:11, Napoleon Ponaparte <naphaluan211...@gmail.com> wrote:

Hi,

I have succeeded in configuring the CAS Overlay template 6.2.x to authenticate users registered in MongoDB.
Here is my config:

1. CAS Properties
"name":"cas.authn.mongo.name","value":"users"
"name":"cas.authn.mongo.database-name","value":"users"
"name":"cas.authn.mongo.collection","value":"users"
"name":"cas.authn.mongo.username-attribute","value":"username"
"name":"cas.authn.mongo.password-attribute","value":"password"
"name":"cas.authn.mongo.user-id","value":"casuser"
"name":"cas.authn.mongo.password","value":"Mellon"
"name":"cas.authn.mongo.attributes","value":"lastname,useremail,usertel"
"name":"cas.authn.mongo.clientUri","value":"mongodb://casuser:Mellon@IP:port/users?authSource=admin&readPreference=primary&appname=MongoDB%20Compass%20Community&ssl=false"
2. And these are the user properties in the User collection

"username":"root",
"password":"root",
"lastname":"VNPT ADMIN",
"useremail":"xxx",
"usertel":"xxx"

But I have faced a problem with the CAS Management Web App service.
Here is the CAS Management Web App log:

WARN [org.apereo.cas.mgmt.authz.CasRoleBasedAuthorizer] - <Unable to authorize 
access, since the authenticated profile [#CasProfile# | id: root | attributes: 
{credentialType=UsernamePasswordCredential, isFromNewLogin=false, 
authenticationDate=2020-08-26T08:51:16.865441Z[UTC], 
authenticationMethod=users, successfulAuthenticationHandlers=users, 
longTermAuthenticationRequestTokenUsed=false} | roles: [] | permissions: [] | 
isRemembered: false | clientName: CasClient | linkedId: null |] does not 
contain any required roles>

Here is my service registry for the CAS Management Web App:

{
  "@class" : "org.apereo.cas.services.RegexRegisteredService",
  "serviceId":"^https://cas-server-domain:8088/cas-management.+",
  "name" : "casManagement",
  "id" : 1,
  "evaluationOrder" : 1,
  "allowedAttributes":["cn","mail"]
}

CAS server succeeds in creating and authorizing an access token for the user (id = root) but CAS Management is missing the user's role.

I don't know how to assign a ROLE to a user or indicate the user's role in the service registry.
Please help me.
Thank you in advance.



--
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google Groups "CAS Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email to cas-user+unsubscr...@apereo.org.
To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/d45135e1-e8d4-4f55-9e49-02e1d825c18bn%40apereo.org.
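An added example for the users.json that Jérôme describes and that Nguyen has to edit by hand for every new user (this is not code from the thread or from CAS Management): it builds that file from user documents of the shape held in the "users" collection above, optionally restricted to an allow-list, and validates an existing file, catching a trailing comma after the last entry (an easy slip when appending users by hand), entries without a roles list, and role names that lack the ROLE_ prefix. The documents and the allow-list are constructed; that the webapp expects ROLE_-prefixed names is an assumption drawn from the ROLE_ADMIN entries in the thread that worked.

```python
"""Build and validate the users.json that grants CAS Management roles.

Added example, not code from the thread or from CAS Management.  The user
documents and the admin allow-list are constructed; the file shape
{"<username>": {"roles": [...]}} is taken from the thread, and the ROLE_
prefix rule is an assumption drawn from the ROLE_ADMIN entries that worked.
"""
import json

ADMIN_ROLE = "ROLE_ADMIN"

# Constructed documents mirroring the fields of the "users" collection in the
# thread.  Passwords are deliberately absent: users.json is an authorization
# file, never a credential store.
MONGO_USERS = [
    {"username": "root", "lastname": "VNPT ADMIN", "useremail": "xxx"},
    {"username": "casuser2", "lastname": "Second user", "useremail": "xxx"},
    {"username": "reader", "lastname": "Read only", "useremail": "xxx"},
]


def build_users_json(user_docs, admins=None):
    """Return the users.json structure for the given documents.

    With admins=None every user gets ROLE_ADMIN, which is what "this role for
    all users" amounts to; pass an allow-list of usernames to restrict who may
    edit the service registry, since that is full control over SSO.
    """
    out = {}
    for doc in user_docs:
        name = doc.get("username")
        if not name:
            continue
        if admins is not None and name not in admins:
            continue
        out[name] = {"roles": [ADMIN_ROLE]}
    return out


def render_users_json(data):
    """Serialize with a stable key order so diffs in version control stay small."""
    return json.dumps(data, indent=2, sort_keys=True) + "\n"


def validate_users_json(text):
    """Return a list of problems in a users.json body (empty when it is fine).

    Catches the slips that bite when the file is edited by hand: invalid JSON
    such as a trailing comma after the last user, entries without a roles
    list, and role names missing the ROLE_ prefix.
    """
    try:
        data = json.loads(text)
    except json.JSONDecodeError as exc:
        return ["invalid JSON: %s (line %d, column %d)" % (exc.msg, exc.lineno, exc.colno)]
    if not isinstance(data, dict):
        return ["top level must be an object keyed by username"]
    problems = []
    for name, entry in data.items():
        roles = entry.get("roles") if isinstance(entry, dict) else None
        if not isinstance(roles, list) or not roles:
            problems.append("%s: missing or empty roles list" % name)
            continue
        for role in roles:
            if not isinstance(role, str) or not role.startswith("ROLE_"):
                problems.append("%s: role %r lacks the ROLE_ prefix" % (name, role))
    return problems


if __name__ == "__main__":
    generated = render_users_json(build_users_json(MONGO_USERS, admins={"root"}))
    print(generated)
    print(validate_users_json(generated))
    # Constructed hand-edited file with a trailing comma and an unprefixed role
    print(validate_users_json('{"casuser": {"roles": ["ADMIN"]},}'))
```

Running the validator before each restart of the management webapp turns a silent "does not contain any required roles" into a concrete line and column. Generating the file from the user store rather than editing it by hand does not remove the restart, but it does keep the set of registry administrators in one reviewable place.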



--

Ray Bon
Programmer Analyst
Development Services, University Systems
2507218831 | CLE 019 | r...@uvic.ca

I respectfully acknowledge that my place of work is located within the ancestral, traditional and unceded territory of the Songhees, Esquimalt and WSÁNEĆ Nations.



