Vincent,

In cas management 6.5 we use this to identify the property:

    mgmt.authz-attributes[0] = [attribute name with value ROLE_ADMIN]

If you are releasing the attribute, you will not need the files.

Ray

On Wed, 2023-02-08 at 09:02 -0800, Vincent Delhommmeau wrote:

Hello,

I am trying to set up a cas-management web application 6.6.0 on a cas server 6.4.0.

After a successful cas login, this message is displayed by the cas-management application (approximate translation):

    "The CAS management application is unavailable. An error has occurred. Please contact your support or try again"

In cas-management.log I have this (short version):

    "Unable to authorize access, since the authenticated profile does not contain any required roles"

In management.properties I tried

    mgmt.userPropertiesFile=file:/etc/cas/config/users.json

and

    mgmt.userPropertiesFile=file:/etc/cas/config/users.properties

I also defined a second admin role (which should match a returned attribute):

    mgmt.adminRoles[0]=ROLE_ADMIN
    mgmt.adminRoles[1]=EHPRSI_INF

users.properties:

    # Only 'casuser' is authorized to use cas services management app
    vdelhomm=notused,ROLE_ADMIN

users.json:

    {
      "vdelhomm" : {
        "@class" : "org.apereo.cas.mgmt.authz.json.UserAuthorizationDefinition",
        "roles" : [ "ROLE_ADMIN" ]
      }
    }

I also created a cas attribute which is returned to the service after authentication:

attribute-def-store.json:

    {
      "@class" : "java.util.TreeMap",
      "roles" : {
        "@class" : "org.apereo.cas.authentication.attribute.DefaultAttributeDefinition",
        "key" : "roles",
        "scoped" : false,
        "attribute" : "supannEntiteAffectation"
      }
    }

service json file:

    ...
    "attributeReleasePolicy" : {
      "@class" : "org.apereo.cas.services.ReturnAllowedAttributeReleasePolicy",
      "allowedAttributes" : [ "java.util.ArrayList", [ "uid", "roles" ] ]
    }

The attribute is returned, but the cas management application doesn't care about it. I suppose that it was not a good idea.

What did I miss?

It seems that the user is not found in users.properties or users.json. Is "uid" the correct attribute to return?

thanks,

PS: the cas-management.log message, long version:

    2023-02-08 17:42:57,530 WARN [org.apereo.cas.mgmt.authz.CasRoleBasedAuthorizer] - Unable to authorize access, since the authenticated profile [#CasProfile# | id: vdelhomm | attributes: {clientIpAddress=x.x.x.x, credentialType=UsernamePasswordCredential, uid=vdelhomm, isFromNewLogin=true, authenticationDate=2023-02-08T16:42:57.273849Z, authenticationMethod=LdapAuthenticationHandler, roles=EHPRSI_INF, successfulAuthenticationHandlers=LdapAuthenticationHandler, serverIpAddress=y.y.y.y, userAgent=Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.3578.98 Safari/537.36 OPR/58.0.3135.127, longTermAuthenticationRequestTokenUsed=false} | roles: [] | permissions: [] | isRemembered: false | clientName: CasClient | linkedId: null |] does not contain any required roles
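
An added diagnostic sketch, not part of the original thread and not CAS code: it parses the CasRoleBasedAuthorizer warning quoted above and reports which released attribute holds a configured admin role while the profile's own roles list stays empty. The function name and the shortened sample line are constructed for illustration; the role names are the ones given in the thread.

```python
import re

# Constructed sample: the warning from the thread, shortened, keeping the
# userAgent value whose embedded comma breaks a naive split on ", ".
SAMPLE = (
    "2023-02-08 17:42:57,530 WARN [org.apereo.cas.mgmt.authz.CasRoleBasedAuthorizer] - "
    "Unable to authorize access, since the authenticated profile [#CasProfile# | id: vdelhomm | "
    "attributes: {credentialType=UsernamePasswordCredential, uid=vdelhomm, roles=EHPRSI_INF, "
    "userAgent=Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko), "
    "longTermAuthenticationRequestTokenUsed=false} | roles: [] | permissions: [] | "
    "isRemembered: false | clientName: CasClient | linkedId: null |] "
    "does not contain any required roles"
)

PROFILE_RE = re.compile(
    r"id: (?P<id>[^|]+?) \| attributes: \{(?P<attrs>.*?)\} \| roles: \[(?P<roles>[^\]]*)\]"
)


def diagnose(line, admin_roles):
    """Return (user id, profile roles, names of attributes holding an admin role)."""
    m = PROFILE_RE.search(line)
    if m is None:
        raise ValueError("not a CasProfile authorization warning")
    attrs = {}
    # Split only where ", " is followed by "key=", so commas inside values survive.
    for item in re.split(r", (?=[A-Za-z_][\w.]*=)", m["attrs"]):
        key, _, value = item.partition("=")
        # Multi-valued attributes are logged as "[a, b]"; normalise to a list.
        attrs[key] = [v.strip() for v in value.strip("[]").split(",")]
    roles = [r.strip() for r in m["roles"].split(",") if r.strip()]
    carriers = sorted(k for k, vals in attrs.items() if set(vals) & set(admin_roles))
    return m["id"].strip(), roles, carriers


if __name__ == "__main__":
    user, roles, carriers = diagnose(SAMPLE, ["ROLE_ADMIN", "EHPRSI_INF"])
    print(f"user={user} profile roles={roles}")
    for name in carriers:
        # Such an attribute is a candidate for the mgmt.authz-attributes
        # setting named in the reply (its behaviour is taken from that reply).
        print(f"attribute '{name}' holds an admin role but profile roles are empty")
```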