Configuration Server - Spring Cloud

CAS is able to use an external and central configuration server to obtain state and settings. The configuration server provides a very abstract way for CAS (and all of its other clients) to obtain settings from a variety of sources, such as file system, git or svn repositories, MongoDb databases, Vault, etc. The beauty of this solution is that to the CAS web application server, it matters not where settings come from and it has no knowledge of the underlying property sources. It talks to the configuration server to locate settings and move on.

:information_source: Configuration Security

This is a very good strategy to ensure configuration settings are not scattered around various deployment environments leading to a more secure deployment. The configuration server need not be exposed to the outside world, and it can safely and secure be hidden behind firewalls, etc allowing access to only authorized clients such as the CAS server web application.

A full comprehensive guide is provided by the Spring Cloud project.

Spring Cloud Configuration Server Overlay

The configuration server itself, similar to CAS, can be deployed using the CAS Initializr.

1
2
3
4
5
<dependency>
    <groupId>org.apereo.cas</groupId>
    <artifactId>cas-server-webapp-config-server</artifactId>
    <version>${cas.version}</version>
</dependency>
1
implementation "org.apereo.cas:cas-server-webapp-config-server:${project.'cas.version'}"
1
2
3
4
5
6
7
8
9
dependencyManagement {
    imports {
        mavenBom "org.apereo.cas:cas-server-support-bom:${project.'cas.version'}"
    }
}

dependencies {
    implementation "org.apereo.cas:cas-server-webapp-config-server"
}
1
2
3
4
5
6
7
8
9
10
dependencies {
    /*
    The following platform references should be included automatically and are listed here for reference only.
            
    implementation enforcedPlatform("org.apereo.cas:cas-server-support-bom:${project.'cas.version'}")
    implementation platform(org.springframework.boot.gradle.plugin.SpringBootPlugin.BOM_COORDINATES)
    */

    implementation "org.apereo.cas:cas-server-webapp-config-server"
}

In addition to the strategies outlined here, the configuration server may load CAS settings and properties via the following order and mechanics:

  1. Profile-specific application properties outside of your packaged web application (application-{profile}.properties|yml)
  2. Profile-specific application properties packaged inside your jar (application-{profile}.properties|yml)
  3. Application properties outside of your packaged jar (application.properties|yml).
  4. Application properties packaged inside your jar (application.properties|yml).

The configuration and behavior of the configuration server is also controlled by its own src/main/resources/bootstrap.properties file. By default, it runs under port 8888 at /casconfigserver inside an embedded Apache Tomcat server whose endpoints are protected with basic authentication where the default credentials are casuser and an auto-generated password defined in src/main/resources/application.properties.

Furthermore, by default it runs under a native profile described below.

The following endpoints are secured and exposed by the configuration server:

Parameter Description
/encrypt Accepts a POST to encrypt CAS configuration settings.
/decrypt Accepts a POST to decrypt CAS configuration settings.
/actuator/refresh Accepts a POST and attempts to refresh the internal state of configuration server.
/actuator/env Accepts a GET and describes all configuration sources of the configuration server.
/actuator/cas/default Describes what the configuration server knows about the default settings profile.
/actuator/cas/native Describes what the configuration server knows about the native settings profile.

Once you have the configuration server deployed and assuming the credentials used to secure the configuration server match the example below, you can observe the collection of settings via:

1
curl -u casuser:Mellon https://config.server.url:8888/casconfigserver/cas/native

Assuming actuator endpoints are enabled in the configuration, you can also observe the collection of property sources that provide settings to the configuration server:

1
curl -u casuser:Mellon https://config.server.url:8888/casconfigserver/actuator/env
:information_source: Actuator Endpoints

Remember that actuator endpoints typically are prefixed with /actuator.

Actuator Endpoints

The following endpoints are provided by CAS: