Hello,

I am trying to set up a cas-management web application 6.6.0 on a cas 
server 6.4.0.
After a successful CAS login, this message is displayed by the 
cas-management application (approximate translation):
"The CAS management application is unavailable.
An error has occurred. Please contact your support or try again"

In cas-management.log I have this (short version):
"Unable to authorize access, since the authenticated profile does not 
contain any required roles"

In management.properties I tried
mgmt.userPropertiesFile=file:/etc/cas/config/users.json
and
mgmt.userPropertiesFile=file:/etc/cas/config/users.properties

I also defined a second admin role (which should match a returned 
attribute):
mgmt.adminRoles[0]=ROLE_ADMIN
mgmt.adminRoles[1]=EHPRSI_INF

users.properties:
# Only 'casuser' is authorized to use cas services management app
vdelhomm=notused,ROLE_ADMIN

users.json:
{
  "vdelhomm" : {
    "@class" : "org.apereo.cas.mgmt.authz.json.UserAuthorizationDefinition",
    "roles" : [ "ROLE_ADMIN" ]
  }
}

I also created a CAS attribute which is returned to the service after 
authentication:

attribute-def-store.json:
{
    "@class" : "java.util.TreeMap",
    "roles" : {
      "@class" : "org.apereo.cas.authentication.attribute.DefaultAttributeDefinition",
      "key" : "roles",
      "scoped" : false,
      "attribute" : "supannEntiteAffectation"
    }
}

service json file:
...
  "attributeReleasePolicy" : {
    "@class" : "org.apereo.cas.services.ReturnAllowedAttributeReleasePolicy",
    "allowedAttributes" : [ "java.util.ArrayList", [ "uid", "roles" ] ]
  }

The attribute is returned, but the cas-management application doesn't care 
about it.
I suppose that it was not a good idea.

What did I miss?
It seems that the user is not found in users.properties or users.json.
Is "uid" the correct attribute to return?

Thanks,

PS: the cas-management.log message, long version:
2023-02-08 17:42:57,530 WARN 
[org.apereo.cas.mgmt.authz.CasRoleBasedAuthorizer] - Unable to authorize 
access, since the authenticated profile [#CasProfile# | id: vdelhomm 
| attributes: {clientIpAddress=x.x.x.x, 
credentialType=UsernamePasswordCredential, uid=vdelhomm, 
isFromNewLogin=true, authenticationDate=2023-02-08T16:42:57.273849Z, 
authenticationMethod=LdapAuthenticationHandler, roles=EHPRSI_INF, 
successfulAuthenticationHandlers=LdapAuthenticationHandler, 
serverIpAddress=y.y.y.y, 
userAgent=Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 
(KHTML, like Gecko) Chrome/71.0.3578.98 Safari/537.36 OPR/58.0.3135.127, 
longTermAuthenticationRequestTokenUsed=false} | roles: [] | permissions: [] 
| isRemembered: false | clientName: CasClient | linkedId: null |] does not 
contain any required roles

You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/7ec21435-7715-4c5d-b5e3-2699d8ae1354n%40apereo.org.
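The WARN line quoted in the post shows the profile's own roles list as `roles: []` while the released attribute map carries `roles=EHPRSI_INF`. The following diagnostic is an added example, not code from the post or from the CAS project: it parses such a `#CasProfile#` dump and compares both places against the `mgmt.adminRoles` values given above. It assumes (our assumption, not stated by the post) that the authorizer looks at the profile's roles list rather than at the attribute map, and the sample log line is the one from the post with the comma-containing userAgent attribute left out.

```python
import re

# Constructed sample: the WARN line from the post, joined onto one line and
# with the userAgent attribute dropped (its commas would break the simple split).
LOG_LINE = (
    "2023-02-08 17:42:57,530 WARN [org.apereo.cas.mgmt.authz.CasRoleBasedAuthorizer]"
    " - Unable to authorize access, since the authenticated profile [#CasProfile# |"
    " id: vdelhomm | attributes: {clientIpAddress=x.x.x.x,"
    " credentialType=UsernamePasswordCredential, uid=vdelhomm, isFromNewLogin=true,"
    " authenticationMethod=LdapAuthenticationHandler, roles=EHPRSI_INF,"
    " successfulAuthenticationHandlers=LdapAuthenticationHandler} | roles: []"
    " | permissions: [] | isRemembered: false | clientName: CasClient | linkedId: null |]"
    " does not contain any required roles"
)

# mgmt.adminRoles[0..1] from the post's management.properties
ADMIN_ROLES = ["ROLE_ADMIN", "EHPRSI_INF"]


def parse_profile(line):
    """Pull id, the attributes map and the profile's own roles out of a #CasProfile# dump."""
    m = re.search(r"id: (\S+) \| attributes: \{(.*?)\} \| roles: \[(.*?)\]", line)
    if not m:
        raise ValueError("no #CasProfile# block found in line")
    uid, attrs_raw, roles_raw = m.groups()
    attrs = {}
    for pair in attrs_raw.split(", "):
        key, _, value = pair.partition("=")
        attrs[key] = value
    roles = [r.strip() for r in roles_raw.split(",") if r.strip()]
    return uid, attrs, roles


def diagnose(line, admin_roles):
    """Compare the profile's roles list and its released 'roles' attribute with admin_roles.

    Assumption (ours, not from the post): access is granted only when the profile's
    roles list, not the attributes map, shares a value with mgmt.adminRoles.
    """
    uid, attrs, roles = parse_profile(line)
    granted = sorted(set(roles) & set(admin_roles))
    attr_values = [v.strip() for v in attrs.get("roles", "").strip("[]").split(",") if v.strip()]
    return {
        "id": uid,
        "profile_roles": roles,
        "admin_roles_in_profile": granted,
        "admin_roles_in_attribute_only": sorted((set(attr_values) & set(admin_roles)) - set(granted)),
        "would_authorize": bool(granted),
    }
```

Run against the sample line it reports `would_authorize: False` with `EHPRSI_INF` present only in the attribute map, which is the mismatch the log line exposes.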