FWIW, I was able to get past this error by removing the deprecated property
"management.endpoints.enabled-by-default=true". The error message seems to
suggest the property "management.endpoints.access.default" as a
replacement, but I can't find information about this property in the CAS
documentation.

I did find Spring Boot documentation[1] that identifies one possible valid
value ("none") for this property, but not any other possible valid values.

For CAS, the default appears to be sort of consistent with "none" since it
seems I have to explicitly enable any actuator endpoints if I want to use
anything besides just "health" and "info" (e.g. "throttles" and "duoPing").

Furthermore the CAS documentation[2] states, "that by default the only
endpoints exposed over the web are info, status, health and
configurationMetadata." However, even if the status endpoint is explicitly
enabled the same way as for health and info, it still rejects access to
status.

cas.properties:

management.endpoints.web.base-path=/actuator
management.endpoints.web.exposure.include=health,info,status,throttles,duoPing
management.endpoint.health.enabled=true
management.endpoint.info.enabled=true
management.endpoint.status.enabled=true
management.endpoint.throttles.enabled=true
management.endpoint.duoPing.enabled=true
cas.monitor.endpoints.endpoint.defaults.access=IP_ADDRESS
cas.monitor.endpoints.endpoint.defaults.required-ip-addresses=127.0.0.1,[...more IP addrs...]

This results in the following logs that demonstrate the difference between
attempted access to "health" and "status" endpoints:

DEBUG [org.springframework.security.web.authentication.AnonymousAuthenticationFilter] - <Set SecurityContextHolder to anonymous SecurityContext>
DEBUG [org.springframework.security.web.FilterChainProxy] - <Securing HEAD /actuator/health>
DEBUG [org.springframework.security.web.FilterChainProxy] - <Secured HEAD /actuator/health>
DEBUG [org.springframework.security.web.authentication.AnonymousAuthenticationFilter] - <Set SecurityContextHolder to anonymous SecurityContext>
DEBUG [org.springframework.security.web.FilterChainProxy] - <Securing GET /actuator/status>
DEBUG [org.springframework.security.web.authentication.AnonymousAuthenticationFilter] - <Set SecurityContextHolder to anonymous SecurityContext>
DEBUG [org.springframework.security.web.savedrequest.HttpSessionRequestCache] - <Saved request https://cas66.pvt.hawaii.edu:8443/cas/actuator/status?continue to session>
DEBUG [org.springframework.security.web.authentication.Http403ForbiddenEntryPoint] - <Pre-authenticated entry point called. Rejecting access>
DEBUG [org.springframework.security.web.FilterChainProxy] - <Securing GET /error>
DEBUG [org.springframework.security.web.FilterChainProxy] - <Secured GET /error>

I seem to recall the status endpoint may have been deprecated at some
point, but I can't find confirmation in the CAS documentation. If so, is
the current documentation erroneous in stating that it may be exposed? If
not, how do you also get status to work?

[1] <https://docs.spring.io/spring-boot/reference/actuator/endpoints.html>
[2] Example from the Endpoint details popup window at
<https://apereo.github.io/cas/7.2.x/monitoring/actuators/Actuator-Endpoint-Info.html>



On Fri, Aug 8, 2025 at 4:37 PM Baron Fujimoto <[email protected]> wrote:

> This is problematic, because when I build and deploy 7.2.5, I now get the
> following error logged.
>
> =====
> ERROR
> [org.springframework.boot.context.properties.migrator.PropertiesMigrationListener]
> - <
> The use of configuration keys that are no longer supported was found in
> the environment:
>
> Property source 'bootstrapProperties-casCompositePropertySource':
>         Key: management.endpoints.enabled-by-default
>                 Reason: Replacement key
> 'management.endpoints.access.default' uses an incompatible target type
>
>
> Please refer to the release notes or reference guide for potential
> alternatives.
> >
> ERROR [org.apereo.cas.util.spring.boot.BeanDefinitionStoreFailureAnalyzer]
> - <Error creating bean due to: Failed to process import candidates for
> configuration class [org.apereo.cas.web.CasWebApplication]: Error
> processing condition on
> org.springframework.boot.actuate.autoconfigure.audit.AuditEventsEndpointAutoConfiguration
>  caused by MutuallyExclusiveConfigurationPropertiesException: The
> configuration properties 'management.endpoints.access.default,
> management.endpoints.enabled-by-default' are mutually exclusive and
> 'management.endpoints.access.default,
> management.endpoints.enabled-by-default' have been configured together >
> DEBUG
> [org.springframework.boot.diagnostics.LoggingFailureAnalysisReporter] -
> <Application failed to start due to an exception>
> ERROR
> [org.springframework.boot.diagnostics.LoggingFailureAnalysisReporter] - <
>
> ***************************
> APPLICATION FAILED TO START
> ***************************
>
> Description:
>
> Error creating bean due to: Failed to process import candidates for
> configuration class [org.apereo.cas.web.CasWebApplication]: Error
> processing condition on
> org.springframework.boot.actuate.autoconfigure.audit.AuditEventsEndpointAutoConfiguration
>  caused by MutuallyExclusiveConfigurationPropertiesException: The
> configuration properties 'management.endpoints.access.default,
> management.endpoints.enabled-by-default' are mutually exclusive and
> 'management.endpoints.access.default,
> management.endpoints.enabled-by-default' have been configured together
>
> Action:
>
> Review the properties available for the configuration. Enable debug
> logging on
> org.apereo.cas.util.spring.boot.BeanDefinitionStoreFailureAnalyzer to see
> exception stack trace
> >
> =====
>
> I believe these are the sorts of issues typically mentioned in the missing
> changelogs. I seem to recall there also being something about the use of
> groovy scripts that I cannot currently find. We incorporate a groovy script
> in some of our service registrations, so this is also a concern.
>
>
> On Thu, Aug 7, 2025 at 10:54 AM Baron Fujimoto <[email protected]> wrote:
>
>> I'm preparing for a CAS upgrade from 7.0.8 to 7.2 and wanted to review
>> the release notes changelogs for anything we needed to be aware of. (I'm
>> not sure why, but it seems like only release candidates really get useful
>> information of this nature.)
>>
>> Currently it appears that all of the documentation for older (7.1, 7.2)
>> RC changelogs only points to the changelogs for 7.3 RC versions.
>>
>> E.g. on the Release Notes page for 7.1.0-RC6 <
>> https://github.com/apereo/cas/releases/tag/v7.1.0-RC6>, the linked
>> changelogs for previous RC versions all link to 7.3 changelogs:
>> • <https://apereo.github.io/cas/development/release_notes/RC1.html>
>> • <https://apereo.github.io/cas/development/release_notes/RC2.html>
>> • etc
>> • Busted portal gun 404 for changelogs that don't yet exist for 7.4 (RC6)
>>
>> Are the older changelogs still available? I seem to recall seeing
>> potentially important items in there when previously skimming them.
>> --
>> Baron Fujimoto <[email protected]> ::: UH Information Technology Services
>> minutas cantorum, minutas balorum, minutas carboratum descendus pantorum
>>
>
>
> --
> Baron Fujimoto <[email protected]> ::: UH Information Technology Services
> minutas cantorum, minutas balorum, minutas carboratum descendus pantorum
>


-- 
Baron Fujimoto <[email protected]> ::: UH Information Technology Services
minutas cantorum, minutas balorum, minutas carboratum descendus pantorum
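
A pre-deployment check for the actuator settings discussed in this thread, added here as an example; it is not part of the original message and is not CAS or Spring Boot code. The function names and the sample file are constructed for illustration, and the check assumes endpoints are enabled with "management.endpoint.<id>.enabled=true" as in the cas.properties above.

```python
import re

DEPRECATED = "management.endpoints.enabled-by-default"
EXPOSURE = "management.endpoints.web.exposure.include"
ACCESS = "cas.monitor.endpoints.endpoint.defaults.access"
REQUIRED_IPS = "cas.monitor.endpoints.endpoint.defaults.required-ip-addresses"
ENABLED_RE = re.compile(r"^management\.endpoint\.([^.]+)\.enabled$")

# Constructed sample: deprecated key present, duoPing not enabled, empty IP list.
SAMPLE = """\
management.endpoints.enabled-by-default=true
management.endpoints.web.exposure.include=health,info,status,throttles,duoPing
management.endpoint.health.enabled=true
management.endpoint.info.enabled=true
management.endpoint.status.enabled=true
management.endpoint.throttles.enabled=true
cas.monitor.endpoints.endpoint.defaults.access=IP_ADDRESS
cas.monitor.endpoints.endpoint.defaults.required-ip-addresses=
"""

def parse_properties(text):
    """Parse plain key=value lines; blank lines and #/! comments are skipped."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and line[0] not in "#!" and "=" in line:
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    return props

def split_list(value):
    return {item.strip() for item in value.split(",") if item.strip()}

def lint(props):
    """Return findings for the actuator settings discussed in the thread."""
    findings = []
    if DEPRECATED in props:  # reported above to stop CAS 7.2.5 from starting
        findings.append(f"remove deprecated key {DEPRECATED}")
    exposed = split_list(props.get(EXPOSURE, ""))
    enabled = {m.group(1) for k, v in props.items()
               if (m := ENABLED_RE.match(k)) and v.lower() == "true"}
    for name in sorted(exposed - enabled):
        findings.append(f"{name} is exposed over the web but not enabled")
    if props.get(ACCESS) == "IP_ADDRESS" and not split_list(props.get(REQUIRED_IPS, "")):
        findings.append(f"{ACCESS}=IP_ADDRESS but {REQUIRED_IPS} is empty")
    return findings

if __name__ == "__main__":
    print("\n".join(lint(parse_properties(SAMPLE))))
```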
