WORKERS AHEAD!
You are viewing the development documentation for the Apereo CAS server. The functionality presented here is not officially released yet. This is a work in progress and will be continually updated as development moves forward. You are most encouraged to test the changes presented.
Authentication Events
CAS provides a facility for consuming and recording authentication events into persistent storage. This functionality is similar to the records kept by the Audit log except that the functionality and storage format is controlled via CAS itself rather than the audit engine. Additionally, while audit data may be used for reporting and monitoring, events stored into storage via this functionality may later be assessed in a historical fashion to assess authentication requests, evaluate risk associated with them and take further action upon them. Events are primarily designed to be consumed by the developer and subsequent CAS modules, while audit data is targeted at deployers for end-user functionality and reporting.
Support is enabled by including the following dependency in the WAR overlay:
1
2
3
4
5
<dependency>
<groupId>org.apereo.cas</groupId>
<artifactId>cas-server-core-events</artifactId>
<version>${cas.version}</version>
</dependency>
1
implementation "org.apereo.cas:cas-server-core-events:${project.'cas.version'}"
1
2
3
4
5
6
7
8
9
dependencyManagement {
imports {
mavenBom "org.apereo.cas:cas-server-support-bom:${project.'cas.version'}"
}
}
dependencies {
implementation "org.apereo.cas:cas-server-core-events"
}
1
2
3
4
5
6
7
8
9
10
dependencies {
/*
The following platform references should be included automatically and are listed here for reference only.
implementation enforcedPlatform("org.apereo.cas:cas-server-support-bom:${project.'cas.version'}")
implementation platform(org.springframework.boot.gradle.plugin.SpringBootPlugin.BOM_COORDINATES)
*/
implementation "org.apereo.cas:cas-server-core-events"
}
To learn how to configure database drivers, please see this guide.
The following settings and properties are available from the CAS configuration catalog:
cas.events.core.enabled=true
Whether event tracking and recording functionality should be enabled.
CAS Property:
|
1 |
cas.events.core.enabled=true |
1
cas:
events:
core:
enabled: "true"
1
java -Dcas.events.core.enabled="true" -jar build/libs/cas.war
cas.war
with an embedded server container and can be found in the build/libs
directory. Note the placement of the system property which must be
specified before the CAS web application is launched.
1
2
3
export CAS_EVENTS_CORE_ENABLED="true"
java -jar build/libs/cas.war
cas.war
with an embedded server container and can be found in the build/libs
directory.
1
java -jar build/libs/cas.war --cas.events.core.enabled="true"
cas.war
with an embedded server container and can be found in the build/libs
directory.
cas.events.core.track-configuration-modifications=false
Whether CAS should track the underlying configuration store for changes. This depends on whether the store provides that sort of functionality. When running in standalone mode, this typically translates to CAS monitoring configuration files and reloading context conditionally if there are any changes.
org.apereo.cas.configuration.model.core.events.CoreEventsProperties.
CAS Property: cas.events.core.track-configuration-modifications
When possible, properties should be stored in lower-case kebab format, such as cas.property-name=value
.
The only possible exception to this rule is when naming actuator endpoints; The name of the
actuator endpoints (i.e. ssoSessions
) MUST remain in camelCase mode.
.properties
files:
1
cas.events.core.track-configuration-modifications=...
1
cas:
events:
core:
track-configuration-modifications: "..."
1
java -Dcas.events.core.track-configuration-modifications="..." -jar build/libs/cas.war
cas.war
with an embedded server container and can be found in the build/libs
directory. Note the placement of the system property which must be
specified before the CAS web application is launched.
1
2
3
export CAS_EVENTS_CORE_TRACK_CONFIGURATION_MODIFICATIONS="..."
java -jar build/libs/cas.war
cas.war
with an embedded server container and can be found in the build/libs
directory.
1
java -jar build/libs/cas.war --cas.events.core.track-configuration-modifications="..."
cas.war
with an embedded server container and can be found in the build/libs
directory.
cas.events.core.track-geolocation=false
Whether geolocation should be tracked as part of collected authentication events. This of course requires consent from the user's browser to collect stats on location. Turning on this setting would prompt the browser to ask for user's consent to collect geo location directly. If geo location information is not available using this strategy, it may still be extracted and determined based on the client IP address at the time the event is being recorded and captured by CAS.
org.apereo.cas.configuration.model.core.events.CoreEventsProperties.
CAS Property: cas.events.core.track-geolocation
When possible, properties should be stored in lower-case kebab format, such as cas.property-name=value
.
The only possible exception to this rule is when naming actuator endpoints; The name of the
actuator endpoints (i.e. ssoSessions
) MUST remain in camelCase mode.
.properties
files:
1
cas.events.core.track-geolocation=...
1
cas:
events:
core:
track-geolocation: "..."
1
java -Dcas.events.core.track-geolocation="..." -jar build/libs/cas.war
cas.war
with an embedded server container and can be found in the build/libs
directory. Note the placement of the system property which must be
specified before the CAS web application is launched.
1
2
3
export CAS_EVENTS_CORE_TRACK_GEOLOCATION="..."
java -jar build/libs/cas.war
cas.war
with an embedded server container and can be found in the build/libs
directory.
1
java -jar build/libs/cas.war --cas.events.core.track-geolocation="..."
cas.war
with an embedded server container and can be found in the build/libs
directory.
Configuration Metadata
The collection of configuration properties listed in this section are automatically generated from the CAS source and components that contain the actual field definitions, types, descriptions, modules, etc. This metadata may not always be 100% accurate, or could be lacking details and sufficient explanations.
Be Selective
This section is meant as a guide only. Do NOT copy/paste the entire collection of settings into your CAS configuration; rather pick only the properties that you need. Do NOT enable settings unless you are certain of their purpose and do NOT copy settings into your configuration only to keep them as reference. All these ideas lead to upgrade headaches, maintenance nightmares and premature aging.
YAGNI
Note that for nearly ALL use cases, declaring and configuring properties listed here is sufficient. You should NOT have to explicitly massage a CAS XML/Java/etc configuration file to design an authentication handler, create attribute release policies, etc. CAS at runtime will auto-configure all required changes for you. If you are unsure about the meaning of a given CAS setting, do NOT turn it on without hesitation. Review the codebase or better yet, ask questions to clarify the intended behavior.
Naming Convention
Property names can be specified in very relaxed terms. For instance cas.someProperty
, cas.some-property
, cas.some_property
are all valid names. While all
forms are accepted by CAS, there are certain components (in CAS and other frameworks used) whose activation at runtime is conditional on a property value, where
this property is required to have been specified in CAS configuration using kebab case. This is both true for properties that are owned by CAS as well as those
that might be presented to the system via an external library or framework such as Spring Boot, etc.
When possible, properties should be stored in lower-case kebab format, such as cas.property-name=value
.
The only possible exception to this rule is when naming actuator endpoints; The name of the
actuator endpoints (i.e. ssoSessions
) MUST remain in camelCase mode.
Settings and properties that are controlled by the CAS platform directly always begin with the prefix cas
. All other settings are controlled and provided
to CAS via other underlying frameworks and may have their own schemas and syntax. BE CAREFUL with
the distinction. Unrecognized properties are rejected by CAS and/or frameworks upon which CAS depends. This means if you somehow misspell a property definition
or fail to adhere to the dot-notation syntax and such, your setting is entirely refused by CAS and likely the feature it controls will never be activated in the
way you intend.
Validation
Configuration properties are automatically validated on CAS startup to report issues with configuration binding, specially if defined CAS settings cannot be recognized or validated by the configuration schema. Additional validation processes are also handled via Configuration Metadata and property migrations applied automatically on startup by Spring Boot and family.
Indexed Settings
CAS settings able to accept multiple values are typically documented with an index, such as cas.some.setting[0]=value
. The index [0]
is meant to be
incremented by the adopter to allow for distinct multiple configuration blocks.
Recorded Data
The following metadata is captured and recorded by the event machinery when enabled:
Field | Description |
---|---|
principalId |
The principal id of the authenticated subject |
timestamp |
Timestamp of this event |
creationTime |
Timestamp of this authentication event |
clientIpAddress |
Client IP address |
serverIpAddress |
Server IP address |
agent |
User-Agent of the browser |
geoLatitude |
Geo Latitude of authentication request’s origin |
geoLongitude |
Geo Longitude of authentication request’s origin |
geoAccuracy |
Accuracy measure of the location |
geoTimestamp |
Timestamp of the geo location request |
GeoLocation
CAS attempts to record the geolocation properties of the authentication requests, by allowing the browser to ask for user’s consent. Should consent not be granted or geolocation not supported by the browser, CAS will ignore the geolocation data when it attempts to record the event. To learn more, please review this guide.
Actuator Endpoints
The following endpoints are provided by CAS:
The following settings and properties are available from the CAS configuration catalog:
cas.monitor.endpoints.jdbc.driver-class=org.hsqldb.jdbcDriver
The JDBC driver used to connect to the database.
CAS Property:
|
1 |
cas.monitor.endpoints.jdbc.driver-class=org.hsqldb.jdbcDriver |
1
cas:
monitor:
endpoints:
jdbc:
driver-class: "org.hsqldb.jdbcDriver"
1
java -Dcas.monitor.endpoints.jdbc.driver-class="org.hsqldb.jdbcDriver" -jar build/libs/cas.war
cas.war
with an embedded server container and can be found in the build/libs
directory. Note the placement of the system property which must be
specified before the CAS web application is launched.
1
2
3
export CAS_MONITOR_ENDPOINTS_JDBC_DRIVER_CLASS="org.hsqldb.jdbcDriver"
java -jar build/libs/cas.war
cas.war
with an embedded server container and can be found in the build/libs
directory.
1
java -jar build/libs/cas.war --cas.monitor.endpoints.jdbc.driver-class="org.hsqldb.jdbcDriver"
cas.war
with an embedded server container and can be found in the build/libs
directory.
cas.monitor.endpoints.jdbc.password-encoder.encoding-algorithm=
The encoding algorithm to use such as MD5
. Relevant when the type used is DEFAULT
or GLIBC_CRYPT
. When used with PasswordEncoderTypes#PBKDF2
, it should be one of PBKDF2WithHmacSHA1
, PBKDF2WithHmacSHA256
or PBKDF2WithHmacSHA512
.
org.apereo.cas.configuration.model.core.authentication.PasswordEncoderProperties.
CAS Property: cas.monitor.endpoints.jdbc.password-encoder.encoding-algorithm
When possible, properties should be stored in lower-case kebab format, such as cas.property-name=value
.
The only possible exception to this rule is when naming actuator endpoints; The name of the
actuator endpoints (i.e. ssoSessions
) MUST remain in camelCase mode.
.properties
files:
1
cas.monitor.endpoints.jdbc.password-encoder.encoding-algorithm=...
1
cas:
monitor:
endpoints:
jdbc:
password-encoder:
encoding-algorithm: "..."
1
java -Dcas.monitor.endpoints.jdbc.password-encoder.encoding-algorithm="..." -jar build/libs/cas.war
cas.war
with an embedded server container and can be found in the build/libs
directory. Note the placement of the system property which must be
specified before the CAS web application is launched.
1
2
3
export CAS_MONITOR_ENDPOINTS_JDBC_PASSWORD_ENCODER_ENCODING_ALGORITHM="..."
java -jar build/libs/cas.war
cas.war
with an embedded server container and can be found in the build/libs
directory.
1
java -jar build/libs/cas.war --cas.monitor.endpoints.jdbc.password-encoder.encoding-algorithm="..."
cas.war
with an embedded server container and can be found in the build/libs
directory.
cas.monitor.endpoints.jdbc.password-encoder.type=NONE
Define the password encoder type to use. Type may be specified as blank or NONE
to disable password encoding. It may also refer to a fully-qualified class name that implements the Spring Security's PasswordEncoder
interface if you wish you define your own encoder.
-
NONE
: No password encoding (i.e. plain-text) takes place. -
DEFAULT
: Use theDefaultPasswordEncoder
of CAS. For message-digest algorithms viacharacter-encoding
andencoding-algorithm
. -
BCRYPT
: Use theBCryptPasswordEncoder
based on the strength provided and an optional secret. -
SCRYPT
: Use theSCryptPasswordEncoder
. -
PBKDF2
: Use thePbkdf2PasswordEncoder
based on the strength provided and an optional secret. -
STANDARD
: Use theStandardPasswordEncoder
based on the secret provided. -
SSHA
: Use theLdapShaPasswordEncoder
supports Ldap SHA and SSHA (salted-SHA). The values are base-64 encoded and have the label {SHA} or {SSHA} prepended to the encoded hash. -
GLIBC_CRYPT
: Use theGlibcCryptPasswordEncoder
based on theencoding-algorithm
, strength provided and an optional secret. -
org.example.MyEncoder
: An implementation ofPasswordEncoder
of your own choosing. -
file:///path/to/script.groovy
: Path to a Groovy script charged with handling password encoding operations.
org.apereo.cas.configuration.model.core.authentication.PasswordEncoderProperties.
CAS Property: cas.monitor.endpoints.jdbc.password-encoder.type
When possible, properties should be stored in lower-case kebab format, such as cas.property-name=value
.
The only possible exception to this rule is when naming actuator endpoints; The name of the
actuator endpoints (i.e. ssoSessions
) MUST remain in camelCase mode.
.properties
files:
1
cas.monitor.endpoints.jdbc.password-encoder.type=NONE
1
cas:
monitor:
endpoints:
jdbc:
password-encoder:
type: "NONE"
1
java -Dcas.monitor.endpoints.jdbc.password-encoder.type="NONE" -jar build/libs/cas.war
cas.war
with an embedded server container and can be found in the build/libs
directory. Note the placement of the system property which must be
specified before the CAS web application is launched.
1
2
3
export CAS_MONITOR_ENDPOINTS_JDBC_PASSWORD_ENCODER_TYPE="NONE"
java -jar build/libs/cas.war
cas.war
with an embedded server container and can be found in the build/libs
directory.
1
java -jar build/libs/cas.war --cas.monitor.endpoints.jdbc.password-encoder.type="NONE"
cas.war
with an embedded server container and can be found in the build/libs
directory.
cas.monitor.endpoints.jdbc.password=
The database connection password.
org.apereo.cas.configuration.model.core.monitor.JdbcSecurityActuatorEndpointsMonitorProperties.
CAS Property: cas.monitor.endpoints.jdbc.password
When possible, properties should be stored in lower-case kebab format, such as cas.property-name=value
.
The only possible exception to this rule is when naming actuator endpoints; The name of the
actuator endpoints (i.e. ssoSessions
) MUST remain in camelCase mode.
.properties
files:
1
cas.monitor.endpoints.jdbc.password=...
1
cas:
monitor:
endpoints:
jdbc:
password: "..."
1
java -Dcas.monitor.endpoints.jdbc.password="..." -jar build/libs/cas.war
cas.war
with an embedded server container and can be found in the build/libs
directory. Note the placement of the system property which must be
specified before the CAS web application is launched.
1
2
3
export CAS_MONITOR_ENDPOINTS_JDBC_PASSWORD="..."
java -jar build/libs/cas.war
cas.war
with an embedded server container and can be found in the build/libs
directory.
1
java -jar build/libs/cas.war --cas.monitor.endpoints.jdbc.password="..."
cas.war
with an embedded server container and can be found in the build/libs
directory.
cas.monitor.endpoints.jdbc.url=jdbc:hsqldb:mem:cas-hsql-database
The database connection URL.
This setting supports the Spring Expression Language.
org.apereo.cas.configuration.model.core.monitor.JdbcSecurityActuatorEndpointsMonitorProperties.
CAS Property: cas.monitor.endpoints.jdbc.url
When possible, properties should be stored in lower-case kebab format, such as cas.property-name=value
.
The only possible exception to this rule is when naming actuator endpoints; The name of the
actuator endpoints (i.e. ssoSessions
) MUST remain in camelCase mode.
.properties
files:
1
cas.monitor.endpoints.jdbc.url=jdbc:hsqldb:mem:cas-hsql-database
1
cas:
monitor:
endpoints:
jdbc:
url: "jdbc:hsqldb:mem:cas-hsql-database"
1
java -Dcas.monitor.endpoints.jdbc.url="jdbc:hsqldb:mem:cas-hsql-database" -jar build/libs/cas.war
cas.war
with an embedded server container and can be found in the build/libs
directory. Note the placement of the system property which must be
specified before the CAS web application is launched.
1
2
3
export CAS_MONITOR_ENDPOINTS_JDBC_URL="jdbc:hsqldb:mem:cas-hsql-database"
java -jar build/libs/cas.war
cas.war
with an embedded server container and can be found in the build/libs
directory.
1
java -jar build/libs/cas.war --cas.monitor.endpoints.jdbc.url="jdbc:hsqldb:mem:cas-hsql-database"
cas.war
with an embedded server container and can be found in the build/libs
directory.
cas.monitor.endpoints.jdbc.autocommit=false
The default auto-commit behavior of connections in the pool. Determined whether queries such as update/insert should be immediately executed without waiting for an underlying transaction.
CAS Property:
|
1 |
cas.monitor.endpoints.jdbc.autocommit=... |
1
cas:
monitor:
endpoints:
jdbc:
autocommit: "..."
1
java -Dcas.monitor.endpoints.jdbc.autocommit="..." -jar build/libs/cas.war
cas.war
with an embedded server container and can be found in the build/libs
directory. Note the placement of the system property which must be
specified before the CAS web application is launched.
1
2
3
export CAS_MONITOR_ENDPOINTS_JDBC_AUTOCOMMIT="..."
java -jar build/libs/cas.war
cas.war
with an embedded server container and can be found in the build/libs
directory.
1
java -jar build/libs/cas.war --cas.monitor.endpoints.jdbc.autocommit="..."
cas.war
with an embedded server container and can be found in the build/libs
directory.
cas.monitor.endpoints.jdbc.batch-size=100
A non-zero value enables use of JDBC2 batch updates by Hibernate. e.g. recommended values between 5 and 30.
org.apereo.cas.configuration.model.core.monitor.JdbcSecurityActuatorEndpointsMonitorProperties.
CAS Property: cas.monitor.endpoints.jdbc.batch-size
When possible, properties should be stored in lower-case kebab format, such as cas.property-name=value
.
The only possible exception to this rule is when naming actuator endpoints; The name of the
actuator endpoints (i.e. ssoSessions
) MUST remain in camelCase mode.
.properties
files:
1
cas.monitor.endpoints.jdbc.batch-size=100
1
cas:
monitor:
endpoints:
jdbc:
batch-size: "100"
1
java -Dcas.monitor.endpoints.jdbc.batch-size="100" -jar build/libs/cas.war
cas.war
with an embedded server container and can be found in the build/libs
directory. Note the placement of the system property which must be
specified before the CAS web application is launched.
1
2
3
export CAS_MONITOR_ENDPOINTS_JDBC_BATCH_SIZE="100"
java -jar build/libs/cas.war
cas.war
with an embedded server container and can be found in the build/libs
directory.
1
java -jar build/libs/cas.war --cas.monitor.endpoints.jdbc.batch-size="100"
cas.war
with an embedded server container and can be found in the build/libs
directory.
cas.monitor.endpoints.jdbc.connection-timeout=PT30S
Indicates the maximum number of milliseconds that the service can wait to obtain a connection.
This settings supports the
java.time.Duration
syntax [?].
org.apereo.cas.configuration.model.core.monitor.JdbcSecurityActuatorEndpointsMonitorProperties.
CAS Property: cas.monitor.endpoints.jdbc.connection-timeout
When possible, properties should be stored in lower-case kebab format, such as cas.property-name=value
.
The only possible exception to this rule is when naming actuator endpoints; The name of the
actuator endpoints (i.e. ssoSessions
) MUST remain in camelCase mode.
.properties
files:
1
cas.monitor.endpoints.jdbc.connection-timeout=PT30S
1
cas:
monitor:
endpoints:
jdbc:
connection-timeout: "PT30S"
1
java -Dcas.monitor.endpoints.jdbc.connection-timeout="PT30S" -jar build/libs/cas.war
cas.war
with an embedded server container and can be found in the build/libs
directory. Note the placement of the system property which must be
specified before the CAS web application is launched.
1
2
3
export CAS_MONITOR_ENDPOINTS_JDBC_CONNECTION_TIMEOUT="PT30S"
java -jar build/libs/cas.war
cas.war
with an embedded server container and can be found in the build/libs
directory.
1
java -jar build/libs/cas.war --cas.monitor.endpoints.jdbc.connection-timeout="PT30S"
cas.war
with an embedded server container and can be found in the build/libs
directory.
cas.monitor.endpoints.jdbc.data-source-name=
Attempts to do a JNDI data source look up for the data source name specified. Will attempt to locate the data source object as is.
org.apereo.cas.configuration.model.core.monitor.JdbcSecurityActuatorEndpointsMonitorProperties.
CAS Property: cas.monitor.endpoints.jdbc.data-source-name
When possible, properties should be stored in lower-case kebab format, such as cas.property-name=value
.
The only possible exception to this rule is when naming actuator endpoints; The name of the
actuator endpoints (i.e. ssoSessions
) MUST remain in camelCase mode.
.properties
files:
1
cas.monitor.endpoints.jdbc.data-source-name=...
1
cas:
monitor:
endpoints:
jdbc:
data-source-name: "..."
1
java -Dcas.monitor.endpoints.jdbc.data-source-name="..." -jar build/libs/cas.war
cas.war
with an embedded server container and can be found in the build/libs
directory. Note the placement of the system property which must be
specified before the CAS web application is launched.
1
2
3
export CAS_MONITOR_ENDPOINTS_JDBC_DATA_SOURCE_NAME="..."
java -jar build/libs/cas.war
cas.war
with an embedded server container and can be found in the build/libs
directory.
1
java -jar build/libs/cas.war --cas.monitor.endpoints.jdbc.data-source-name="..."
cas.war
with an embedded server container and can be found in the build/libs
directory.
cas.monitor.endpoints.jdbc.ddl-auto=update
Hibernate feature to automatically validate and exports DDL to the schema. By default, creates and drops the schema automatically when a session is starts and ends. Setting the value to validate
or none
may be more desirable for production, but any of the following options can be used:
-
validate
: Validate the schema, but make no changes to the database. -
update
: Update the schema. -
create
: Create the schema, destroying previous data. -
create-drop
: Drop the schema at the end of the session. -
none
: Do nothing.
create-drop
will result in the loss of all data as soon as CAS is started. For transient data like tickets this is probably not an issue, but in cases like the audit table important data could be lost. Using `update`, while safe for data, is confirmed to result in invalid database state. validate
or none
settings are likely the only safe options for production use. For more info, see this.
org.apereo.cas.configuration.model.core.monitor.JdbcSecurityActuatorEndpointsMonitorProperties.
CAS Property: cas.monitor.endpoints.jdbc.ddl-auto
When possible, properties should be stored in lower-case kebab format, such as cas.property-name=value
.
The only possible exception to this rule is when naming actuator endpoints; The name of the
actuator endpoints (i.e. ssoSessions
) MUST remain in camelCase mode.
.properties
files:
1
cas.monitor.endpoints.jdbc.ddl-auto=update
1
cas:
monitor:
endpoints:
jdbc:
ddl-auto: "update"
1
java -Dcas.monitor.endpoints.jdbc.ddl-auto="update" -jar build/libs/cas.war
cas.war
with an embedded server container and can be found in the build/libs
directory. Note the placement of the system property which must be
specified before the CAS web application is launched.
1
2
3
export CAS_MONITOR_ENDPOINTS_JDBC_DDL_AUTO="update"
java -jar build/libs/cas.war
cas.war
with an embedded server container and can be found in the build/libs
directory.
1
java -jar build/libs/cas.war --cas.monitor.endpoints.jdbc.ddl-auto="update"
cas.war
with an embedded server container and can be found in the build/libs
directory.
Control global properties that are relevant to Hibernate, when CAS attempts to employ and utilize database resources, connections and queries.
cas.jdbc.case-insensitive=false
When choosing physical table names, determine whether names should be considered case-insensitive. How can I configure this property?
CAS Property:
|
1 |
cas.jdbc.case-insensitive=... |
1
cas:
jdbc:
case-insensitive: "..."
1
java -Dcas.jdbc.case-insensitive="..." -jar build/libs/cas.war
cas.war
with an embedded server container and can be found in the build/libs
directory. Note the placement of the system property which must be
specified before the CAS web application is launched.
1
2
3
export CAS_JDBC_CASE_INSENSITIVE="..."
java -jar build/libs/cas.war
cas.war
with an embedded server container and can be found in the build/libs
directory.
1
java -jar build/libs/cas.war --cas.jdbc.case-insensitive="..."
cas.war
with an embedded server container and can be found in the build/libs
directory.
cas.jdbc.gen-ddl=true
Whether to generate DDL after the EntityManagerFactory has been initialized creating/updating all relevant tables.
How can I configure this property?
CAS Property: cas.jdbc.gen-ddl
When possible, properties should be stored in lower-case kebab format, such as cas.property-name=value
.
The only possible exception to this rule is when naming actuator endpoints; The name of the
actuator endpoints (i.e. ssoSessions
) MUST remain in camelCase mode.
.properties
files:
1
cas.jdbc.gen-ddl=true
1
cas:
jdbc:
gen-ddl: "true"
1
java -Dcas.jdbc.gen-ddl="true" -jar build/libs/cas.war
cas.war
with an embedded server container and can be found in the build/libs
directory. Note the placement of the system property which must be
specified before the CAS web application is launched.
1
2
3
export CAS_JDBC_GEN_DDL="true"
java -jar build/libs/cas.war
cas.war
with an embedded server container and can be found in the build/libs
directory.
1
java -jar build/libs/cas.war --cas.jdbc.gen-ddl="true"
cas.war
with an embedded server container and can be found in the build/libs
directory.
cas.jdbc.physical-table-names=
Indicate a physical table name to be used by the hibernate naming strategy in case table names need to be customized for the specific type of database. The key here indicates the CAS-provided table name and the value is the translate physical name for the database. If a match is not found for the CAS-provided table name, then that name will be used by default.
How can I configure this property?
CAS Property: cas.jdbc.physical-table-names
When possible, properties should be stored in lower-case kebab format, such as cas.property-name=value
.
The only possible exception to this rule is when naming actuator endpoints; The name of the
actuator endpoints (i.e. ssoSessions
) MUST remain in camelCase mode.
.properties
files:
1
cas.jdbc.physical-table-names=...
1
cas:
jdbc:
physical-table-names: "..."
1
java -Dcas.jdbc.physical-table-names="..." -jar build/libs/cas.war
cas.war
with an embedded server container and can be found in the build/libs
directory. Note the placement of the system property which must be
specified before the CAS web application is launched.
1
2
3
export CAS_JDBC_PHYSICAL_TABLE_NAMES="..."
java -jar build/libs/cas.war
cas.war
with an embedded server container and can be found in the build/libs
directory.
1
java -jar build/libs/cas.war --cas.jdbc.physical-table-names="..."
cas.war
with an embedded server container and can be found in the build/libs
directory.
cas.jdbc.show-sql=false
Whether SQL queries should be displayed in the console/logs.
How can I configure this property?
CAS Property: cas.jdbc.show-sql
When possible, properties should be stored in lower-case kebab format, such as cas.property-name=value
.
The only possible exception to this rule is when naming actuator endpoints; The name of the
actuator endpoints (i.e. ssoSessions
) MUST remain in camelCase mode.
.properties
files:
1
cas.jdbc.show-sql=...
1
cas:
jdbc:
show-sql: "..."
1
java -Dcas.jdbc.show-sql="..." -jar build/libs/cas.war
cas.war
with an embedded server container and can be found in the build/libs
directory. Note the placement of the system property which must be
specified before the CAS web application is launched.
1
2
3
export CAS_JDBC_SHOW_SQL="..."
java -jar build/libs/cas.war
cas.war
with an embedded server container and can be found in the build/libs
directory.
1
java -jar build/libs/cas.war --cas.jdbc.show-sql="..."
cas.war
with an embedded server container and can be found in the build/libs
directory.
cas.monitor.endpoints.jdbc.password-encoder.character-encoding=UTF-8
The encoding algorithm to use such as 'UTF-8'. Relevant when the type used is
CAS Property:
|
1 |
cas.monitor.endpoints.jdbc.password-encoder.character-encoding=UTF-8 |
1
cas:
monitor:
endpoints:
jdbc:
password-encoder:
character-encoding: "UTF-8"
1
java -Dcas.monitor.endpoints.jdbc.password-encoder.character-encoding="UTF-8" -jar build/libs/cas.war
cas.war
with an embedded server container and can be found in the build/libs
directory. Note the placement of the system property which must be
specified before the CAS web application is launched.
1
2
3
export CAS_MONITOR_ENDPOINTS_JDBC_PASSWORD_ENCODER_CHARACTER_ENCODING="UTF-8"
java -jar build/libs/cas.war
cas.war
with an embedded server container and can be found in the build/libs
directory.
1
java -jar build/libs/cas.war --cas.monitor.endpoints.jdbc.password-encoder.character-encoding="UTF-8"
cas.war
with an embedded server container and can be found in the build/libs
directory.
cas.monitor.endpoints.jdbc.password-encoder.encoding-algorithm=
The encoding algorithm to use such as MD5
. Relevant when the type used is DEFAULT
or GLIBC_CRYPT
. When used with PasswordEncoderTypes#PBKDF2
, it should be one of PBKDF2WithHmacSHA1
, PBKDF2WithHmacSHA256
or PBKDF2WithHmacSHA512
.
org.apereo.cas.configuration.model.core.authentication.PasswordEncoderProperties.
CAS Property: cas.monitor.endpoints.jdbc.password-encoder.encoding-algorithm
When possible, properties should be stored in lower-case kebab format, such as cas.property-name=value
.
The only possible exception to this rule is when naming actuator endpoints; The name of the
actuator endpoints (i.e. ssoSessions
) MUST remain in camelCase mode.
.properties
files:
1
cas.monitor.endpoints.jdbc.password-encoder.encoding-algorithm=...
1
cas:
monitor:
endpoints:
jdbc:
password-encoder:
encoding-algorithm: "..."
1
java -Dcas.monitor.endpoints.jdbc.password-encoder.encoding-algorithm="..." -jar build/libs/cas.war
cas.war
with an embedded server container and can be found in the build/libs
directory. Note the placement of the system property which must be
specified before the CAS web application is launched.
1
2
3
export CAS_MONITOR_ENDPOINTS_JDBC_PASSWORD_ENCODER_ENCODING_ALGORITHM="..."
java -jar build/libs/cas.war
cas.war
with an embedded server container and can be found in the build/libs
directory.
1
java -jar build/libs/cas.war --cas.monitor.endpoints.jdbc.password-encoder.encoding-algorithm="..."
cas.war
with an embedded server container and can be found in the build/libs
directory.
cas.monitor.endpoints.jdbc.password-encoder.hash-length=16
When used by PasswordEncoderTypes#ARGON2
, it indicates the hash strength/length.
org.apereo.cas.configuration.model.core.authentication.PasswordEncoderProperties.
CAS Property: cas.monitor.endpoints.jdbc.password-encoder.hash-length
When possible, properties should be stored in lower-case kebab format, such as cas.property-name=value
.
The only possible exception to this rule is when naming actuator endpoints; The name of the
actuator endpoints (i.e. ssoSessions
) MUST remain in camelCase mode.
.properties
files:
1
cas.monitor.endpoints.jdbc.password-encoder.hash-length=16
1
cas:
monitor:
endpoints:
jdbc:
password-encoder:
hash-length: "16"
1
java -Dcas.monitor.endpoints.jdbc.password-encoder.hash-length="16" -jar build/libs/cas.war
cas.war
with an embedded server container and can be found in the build/libs
directory. Note the placement of the system property which must be
specified before the CAS web application is launched.
1
2
3
export CAS_MONITOR_ENDPOINTS_JDBC_PASSWORD_ENCODER_HASH_LENGTH="16"
java -jar build/libs/cas.war
cas.war
with an embedded server container and can be found in the build/libs
directory.
1
java -jar build/libs/cas.war --cas.monitor.endpoints.jdbc.password-encoder.hash-length="16"
cas.war
with an embedded server container and can be found in the build/libs
directory.
cas.monitor.endpoints.jdbc.password-encoder.iterations=310000
When used by PasswordEncoderTypes#PBKDF2
, it indicates the required number of iterations.
org.apereo.cas.configuration.model.core.authentication.PasswordEncoderProperties.
CAS Property: cas.monitor.endpoints.jdbc.password-encoder.iterations
When possible, properties should be stored in lower-case kebab format, such as cas.property-name=value
.
The only possible exception to this rule is when naming actuator endpoints; The name of the
actuator endpoints (i.e. ssoSessions
) MUST remain in camelCase mode.
.properties
files:
1
cas.monitor.endpoints.jdbc.password-encoder.iterations=310000
1
cas:
monitor:
endpoints:
jdbc:
password-encoder:
iterations: "310000"
1
java -Dcas.monitor.endpoints.jdbc.password-encoder.iterations="310000" -jar build/libs/cas.war
cas.war
with an embedded server container and can be found in the build/libs
directory. Note the placement of the system property which must be
specified before the CAS web application is launched.
1
2
3
export CAS_MONITOR_ENDPOINTS_JDBC_PASSWORD_ENCODER_ITERATIONS="310000"
java -jar build/libs/cas.war
cas.war
with an embedded server container and can be found in the build/libs
directory.
1
java -jar build/libs/cas.war --cas.monitor.endpoints.jdbc.password-encoder.iterations="310000"
cas.war
with an embedded server container and can be found in the build/libs
directory.
cas.monitor.endpoints.jdbc.password-encoder.secret=
Secret to use with PasswordEncoderTypes#STANDARD
, PasswordEncoderTypes#PBKDF2
, PasswordEncoderTypes#BCRYPT
, PasswordEncoderTypes#GLIBC_CRYPT
password encoders. Secret usually is an optional setting.
org.apereo.cas.configuration.model.core.authentication.PasswordEncoderProperties.
CAS Property: cas.monitor.endpoints.jdbc.password-encoder.secret
When possible, properties should be stored in lower-case kebab format, such as cas.property-name=value
.
The only possible exception to this rule is when naming actuator endpoints; The name of the
actuator endpoints (i.e. ssoSessions
) MUST remain in camelCase mode.
.properties
files:
1
cas.monitor.endpoints.jdbc.password-encoder.secret=...
1
cas:
monitor:
endpoints:
jdbc:
password-encoder:
secret: "..."
1
java -Dcas.monitor.endpoints.jdbc.password-encoder.secret="..." -jar build/libs/cas.war
cas.war
with an embedded server container and can be found in the build/libs
directory. Note the placement of the system property which must be
specified before the CAS web application is launched.
1
2
3
export CAS_MONITOR_ENDPOINTS_JDBC_PASSWORD_ENCODER_SECRET="..."
java -jar build/libs/cas.war
cas.war
with an embedded server container and can be found in the build/libs
directory.
1
java -jar build/libs/cas.war --cas.monitor.endpoints.jdbc.password-encoder.secret="..."
cas.war
with an embedded server container and can be found in the build/libs
directory.
If you need to design your own password encoding scheme where the type is specified as a fully qualified Java class name, the structure of the class would be similar to the following:
1
2
3
4
5
6
7
8
9
10
11
package org.example.cas;
import org.springframework.security.crypto.codec.*;
import org.springframework.security.crypto.password.*;
public class MyEncoder extends AbstractPasswordEncoder {
@Override
protected byte[] encode(CharSequence rawPassword, byte[] salt) {
return ...
}
}
If you need to design your own password encoding scheme where the type is specified as a path to a Groovy script, the structure of the script would be similar to the following:
1
2
3
4
5
6
7
8
9
10
11
12
import java.util.*
byte[] run(final Object... args) {
def (rawPassword,generatedSalt,logger,applicationContext) = args
logger.debug("Encoding password...")
return ...
}
Boolean matches(final Object... args) {
def (rawPassword,encodedPassword,logger,applicationContext) = args
logger.debug("Does match or not ?");
return ...
To prepare CAS to support and integrate with Apache Groovy, please review this guide.
The following settings and properties are available from the CAS configuration catalog:
cas.monitor.endpoints.ldap.base-dn=
Base DN to use. There may be scenarios where different parts of a single LDAP tree could be considered as base-dns. Rather than duplicating the LDAP configuration block for each individual base-dn, each entry can be specified and joined together using a special delimiter character. The user DN is retrieved using the combination of all base-dn and DN resolvers in the order defined. DN resolution should fail if multiple DNs are found. Otherwise the first DN found is returned. Usual syntax is:
CAS Property:
|
1 |
cas.monitor.endpoints.ldap.base-dn=... |
1
cas:
monitor:
endpoints:
ldap:
base-dn: "..."
1
java -Dcas.monitor.endpoints.ldap.base-dn="..." -jar build/libs/cas.war
cas.war
with an embedded server container and can be found in the build/libs
directory. Note the placement of the system property which must be
specified before the CAS web application is launched.
1
2
3
export CAS_MONITOR_ENDPOINTS_LDAP_BASE_DN="..."
java -jar build/libs/cas.war
cas.war
with an embedded server container and can be found in the build/libs
directory.
1
java -jar build/libs/cas.war --cas.monitor.endpoints.ldap.base-dn="..."
cas.war
with an embedded server container and can be found in the build/libs
directory.
cas.monitor.endpoints.ldap.bind-credential=
The bind credential to use when connecting to LDAP.
org.apereo.cas.configuration.model.core.monitor.LdapSecurityActuatorEndpointsMonitorProperties.
CAS Property: cas.monitor.endpoints.ldap.bind-credential
When possible, properties should be stored in lower-case kebab format, such as cas.property-name=value
.
The only possible exception to this rule is when naming actuator endpoints; The name of the
actuator endpoints (i.e. ssoSessions
) MUST remain in camelCase mode.
.properties
files:
1
cas.monitor.endpoints.ldap.bind-credential=...
1
cas:
monitor:
endpoints:
ldap:
bind-credential: "..."
1
java -Dcas.monitor.endpoints.ldap.bind-credential="..." -jar build/libs/cas.war
cas.war
with an embedded server container and can be found in the build/libs
directory. Note the placement of the system property which must be
specified before the CAS web application is launched.
1
2
3
export CAS_MONITOR_ENDPOINTS_LDAP_BIND_CREDENTIAL="..."
java -jar build/libs/cas.war
cas.war
with an embedded server container and can be found in the build/libs
directory.
1
java -jar build/libs/cas.war --cas.monitor.endpoints.ldap.bind-credential="..."
cas.war
with an embedded server container and can be found in the build/libs
directory.
cas.monitor.endpoints.ldap.bind-dn=
The bind DN to use when connecting to LDAP. LDAP connection configuration injected into the LDAP connection pool can be initialized with the following parameters:
-
bindDn/bindCredential
provided - Use the provided credentials to bind when initializing connections. -
bindDn/bindCredential
set to*
- Use a fast-bind strategy to initialize the pool. -
bindDn/bindCredential
set to blank - Skip connection initializing; perform operations anonymously. - SASL mechanism provided - Use the given SASL mechanism to bind when initializing connections.
org.apereo.cas.configuration.model.core.monitor.LdapSecurityActuatorEndpointsMonitorProperties.
CAS Property: cas.monitor.endpoints.ldap.bind-dn
When possible, properties should be stored in lower-case kebab format, such as cas.property-name=value
.
The only possible exception to this rule is when naming actuator endpoints; The name of the
actuator endpoints (i.e. ssoSessions
) MUST remain in camelCase mode.
.properties
files:
1
cas.monitor.endpoints.ldap.bind-dn=...
1
cas:
monitor:
endpoints:
ldap:
bind-dn: "..."
1
java -Dcas.monitor.endpoints.ldap.bind-dn="..." -jar build/libs/cas.war
cas.war
with an embedded server container and can be found in the build/libs
directory. Note the placement of the system property which must be
specified before the CAS web application is launched.
1
2
3
export CAS_MONITOR_ENDPOINTS_LDAP_BIND_DN="..."
java -jar build/libs/cas.war
cas.war
with an embedded server container and can be found in the build/libs
directory.
1
java -jar build/libs/cas.war --cas.monitor.endpoints.ldap.bind-dn="..."
cas.war
with an embedded server container and can be found in the build/libs
directory.
cas.monitor.endpoints.ldap.ldap-url=
The LDAP url to the server. More than one may be specified, separated by space and/or comma.
org.apereo.cas.configuration.model.core.monitor.LdapSecurityActuatorEndpointsMonitorProperties.
CAS Property: cas.monitor.endpoints.ldap.ldap-url
When possible, properties should be stored in lower-case kebab format, such as cas.property-name=value
.
The only possible exception to this rule is when naming actuator endpoints; The name of the
actuator endpoints (i.e. ssoSessions
) MUST remain in camelCase mode.
.properties
files:
1
cas.monitor.endpoints.ldap.ldap-url=...
1
cas:
monitor:
endpoints:
ldap:
ldap-url: "..."
1
java -Dcas.monitor.endpoints.ldap.ldap-url="..." -jar build/libs/cas.war
cas.war
with an embedded server container and can be found in the build/libs
directory. Note the placement of the system property which must be
specified before the CAS web application is launched.
1
2
3
export CAS_MONITOR_ENDPOINTS_LDAP_LDAP_URL="..."
java -jar build/libs/cas.war
cas.war
with an embedded server container and can be found in the build/libs
directory.
1
java -jar build/libs/cas.war --cas.monitor.endpoints.ldap.ldap-url="..."
cas.war
with an embedded server container and can be found in the build/libs
directory.
cas.monitor.endpoints.ldap.search-filter=
User filter to use for searching. Syntax is cn={user}
or cn={0}
.
file:/path/to/GroovyScript.groovy
to fully build the final filter template dynamically.
org.apereo.cas.configuration.model.core.monitor.LdapSecurityActuatorEndpointsMonitorProperties.
CAS Property: cas.monitor.endpoints.ldap.search-filter
When possible, properties should be stored in lower-case kebab format, such as cas.property-name=value
.
The only possible exception to this rule is when naming actuator endpoints; The name of the
actuator endpoints (i.e. ssoSessions
) MUST remain in camelCase mode.
.properties
files:
1
cas.monitor.endpoints.ldap.search-filter=...
1
cas:
monitor:
endpoints:
ldap:
search-filter: "..."
1
java -Dcas.monitor.endpoints.ldap.search-filter="..." -jar build/libs/cas.war
cas.war
with an embedded server container and can be found in the build/libs
directory. Note the placement of the system property which must be
specified before the CAS web application is launched.
1
2
3
export CAS_MONITOR_ENDPOINTS_LDAP_SEARCH_FILTER="..."
java -jar build/libs/cas.war
cas.war
with an embedded server container and can be found in the build/libs
directory.
1
java -jar build/libs/cas.war --cas.monitor.endpoints.ldap.search-filter="..."
cas.war
with an embedded server container and can be found in the build/libs
directory.
cas.monitor.endpoints.ldap.allow-multiple-dns=false
Whether search/query results are allowed to match on multiple DNs, or whether a single unique DN is expected for the result.
CAS Property:
|
1 |
cas.monitor.endpoints.ldap.allow-multiple-dns=... |
1
cas:
monitor:
endpoints:
ldap:
allow-multiple-dns: "..."
1
java -Dcas.monitor.endpoints.ldap.allow-multiple-dns="..." -jar build/libs/cas.war
cas.war
with an embedded server container and can be found in the build/libs
directory. Note the placement of the system property which must be
specified before the CAS web application is launched.
1
2
3
export CAS_MONITOR_ENDPOINTS_LDAP_ALLOW_MULTIPLE_DNS="..."
java -jar build/libs/cas.war
cas.war
with an embedded server container and can be found in the build/libs
directory.
1
java -jar build/libs/cas.war --cas.monitor.endpoints.ldap.allow-multiple-dns="..."
cas.war
with an embedded server container and can be found in the build/libs
directory.
cas.monitor.endpoints.ldap.allow-multiple-entries=false
Set if multiple Entries are allowed.
org.apereo.cas.configuration.model.core.monitor.LdapSecurityActuatorEndpointsMonitorProperties.
CAS Property: cas.monitor.endpoints.ldap.allow-multiple-entries
When possible, properties should be stored in lower-case kebab format, such as cas.property-name=value
.
The only possible exception to this rule is when naming actuator endpoints; The name of the
actuator endpoints (i.e. ssoSessions
) MUST remain in camelCase mode.
.properties
files:
1
cas.monitor.endpoints.ldap.allow-multiple-entries=...
1
cas:
monitor:
endpoints:
ldap:
allow-multiple-entries: "..."
1
java -Dcas.monitor.endpoints.ldap.allow-multiple-entries="..." -jar build/libs/cas.war
cas.war
with an embedded server container and can be found in the build/libs
directory. Note the placement of the system property which must be
specified before the CAS web application is launched.
1
2
3
export CAS_MONITOR_ENDPOINTS_LDAP_ALLOW_MULTIPLE_ENTRIES="..."
java -jar build/libs/cas.war
cas.war
with an embedded server container and can be found in the build/libs
directory.
1
java -jar build/libs/cas.war --cas.monitor.endpoints.ldap.allow-multiple-entries="..."
cas.war
with an embedded server container and can be found in the build/libs
directory.
cas.monitor.endpoints.ldap.binary-attributes=
Indicate the collection of attributes that are to be tagged and processed as binary attributes by the underlying search resolver.
org.apereo.cas.configuration.model.core.monitor.LdapSecurityActuatorEndpointsMonitorProperties.
CAS Property: cas.monitor.endpoints.ldap.binary-attributes
When possible, properties should be stored in lower-case kebab format, such as cas.property-name=value
.
The only possible exception to this rule is when naming actuator endpoints; The name of the
actuator endpoints (i.e. ssoSessions
) MUST remain in camelCase mode.
.properties
files:
1
cas.monitor.endpoints.ldap.binary-attributes=...
1
cas:
monitor:
endpoints:
ldap:
binary-attributes: "..."
1
java -Dcas.monitor.endpoints.ldap.binary-attributes="..." -jar build/libs/cas.war
cas.war
with an embedded server container and can be found in the build/libs
directory. Note the placement of the system property which must be
specified before the CAS web application is launched.
1
2
3
export CAS_MONITOR_ENDPOINTS_LDAP_BINARY_ATTRIBUTES="..."
java -jar build/libs/cas.war
cas.war
with an embedded server container and can be found in the build/libs
directory.
1
java -jar build/libs/cas.war --cas.monitor.endpoints.ldap.binary-attributes="..."
cas.war
with an embedded server container and can be found in the build/libs
directory.
cas.monitor.endpoints.ldap.block-wait-time=PT3S
The length of time the pool will block. By default the pool will block indefinitely and there is no guarantee that waiting threads will be serviced in the order in which they made their request. This option should be used with a blocking connection pool when you need to control the exact number of connections that can be created
This settings supports the
java.time.Duration
syntax [?].
org.apereo.cas.configuration.model.core.monitor.LdapSecurityActuatorEndpointsMonitorProperties.
CAS Property: cas.monitor.endpoints.ldap.block-wait-time
When possible, properties should be stored in lower-case kebab format, such as cas.property-name=value
.
The only possible exception to this rule is when naming actuator endpoints; The name of the
actuator endpoints (i.e. ssoSessions
) MUST remain in camelCase mode.
.properties
files:
1
cas.monitor.endpoints.ldap.block-wait-time=PT3S
1
cas:
monitor:
endpoints:
ldap:
block-wait-time: "PT3S"
1
java -Dcas.monitor.endpoints.ldap.block-wait-time="PT3S" -jar build/libs/cas.war
cas.war
with an embedded server container and can be found in the build/libs
directory. Note the placement of the system property which must be
specified before the CAS web application is launched.
1
2
3
export CAS_MONITOR_ENDPOINTS_LDAP_BLOCK_WAIT_TIME="PT3S"
java -jar build/libs/cas.war
cas.war
with an embedded server container and can be found in the build/libs
directory.
1
java -jar build/libs/cas.war --cas.monitor.endpoints.ldap.block-wait-time="PT3S"
cas.war
with an embedded server container and can be found in the build/libs
directory.
cas.monitor.endpoints.ldap.connect-timeout=PT5S
Sets the maximum amount of time that connects will block.
This settings supports the
java.time.Duration
syntax [?].
org.apereo.cas.configuration.model.core.monitor.LdapSecurityActuatorEndpointsMonitorProperties.
CAS Property: cas.monitor.endpoints.ldap.connect-timeout
When possible, properties should be stored in lower-case kebab format, such as cas.property-name=value
.
The only possible exception to this rule is when naming actuator endpoints; The name of the
actuator endpoints (i.e. ssoSessions
) MUST remain in camelCase mode.
.properties
files:
1
cas.monitor.endpoints.ldap.connect-timeout=PT5S
1
cas:
monitor:
endpoints:
ldap:
connect-timeout: "PT5S"
1
java -Dcas.monitor.endpoints.ldap.connect-timeout="PT5S" -jar build/libs/cas.war
cas.war
with an embedded server container and can be found in the build/libs
directory. Note the placement of the system property which must be
specified before the CAS web application is launched.
1
2
3
export CAS_MONITOR_ENDPOINTS_LDAP_CONNECT_TIMEOUT="PT5S"
java -jar build/libs/cas.war
cas.war
with an embedded server container and can be found in the build/libs
directory.
1
java -jar build/libs/cas.war --cas.monitor.endpoints.ldap.connect-timeout="PT5S"
cas.war
with an embedded server container and can be found in the build/libs
directory.
LDAP Scriptable Search Filter
LDAP search filters can point to an external Groovy script to dynamically construct the final filter template.
The script itself may be designed as:
1
2
3
4
5
6
7
8
9
import org.ldaptive.*
import org.springframework.context.*
def run(Object[] args) {
def (filter,parameters,applicationContext,logger) = args
logger.info("Configuring LDAP filter")
filter.setFilter("uid=something")
}
The following parameters are passed to the script:
Parameter | Description |
---|---|
filter |
FilterTemplate to be updated by the script and used for the LDAP query. |
parameters |
Map of query parameters which may be used to construct the final filter. |
applicationContext |
Reference to the Spring ApplicationContext reference. |
logger |
The object responsible for issuing log messages such as logger.info(...) . |
To prepare CAS to support and integrate with Apache Groovy, please review this guide.
The following settings and properties are available from the CAS configuration catalog:
cas.monitor.endpoints.jaas.login-config=
JAAS login resource file.
CAS Property:
|
1 |
cas.monitor.endpoints.jaas.login-config=... |
1
cas:
monitor:
endpoints:
jaas:
login-config: "..."
1
java -Dcas.monitor.endpoints.jaas.login-config="..." -jar build/libs/cas.war
cas.war
with an embedded server container and can be found in the build/libs
directory. Note the placement of the system property which must be
specified before the CAS web application is launched.
1
2
3
export CAS_MONITOR_ENDPOINTS_JAAS_LOGIN_CONFIG="..."
java -jar build/libs/cas.war
cas.war
with an embedded server container and can be found in the build/libs
directory.
1
java -jar build/libs/cas.war --cas.monitor.endpoints.jaas.login-config="..."
cas.war
with an embedded server container and can be found in the build/libs
directory.
cas.monitor.endpoints.jaas.login-context-name=
The login context name should coincide with a given index in the login config specified. This name is used as the index to the configuration specified in the login config property.
JAASTest { org.springframework.security.authentication.jaas.TestLoginModule required; };In the above example,
JAASTest
should be set as the context name.
org.apereo.cas.configuration.model.core.monitor.JaasSecurityActuatorEndpointsMonitorProperties.
CAS Property: cas.monitor.endpoints.jaas.login-context-name
When possible, properties should be stored in lower-case kebab format, such as cas.property-name=value
.
The only possible exception to this rule is when naming actuator endpoints; The name of the
actuator endpoints (i.e. ssoSessions
) MUST remain in camelCase mode.
.properties
files:
1
cas.monitor.endpoints.jaas.login-context-name=...
1
cas:
monitor:
endpoints:
jaas:
login-context-name: "..."
1
java -Dcas.monitor.endpoints.jaas.login-context-name="..." -jar build/libs/cas.war
cas.war
with an embedded server container and can be found in the build/libs
directory. Note the placement of the system property which must be
specified before the CAS web application is launched.
1
2
3
export CAS_MONITOR_ENDPOINTS_JAAS_LOGIN_CONTEXT_NAME="..."
java -jar build/libs/cas.war
cas.war
with an embedded server container and can be found in the build/libs
directory.
1
java -jar build/libs/cas.war --cas.monitor.endpoints.jaas.login-context-name="..."
cas.war
with an embedded server container and can be found in the build/libs
directory.
cas.monitor.endpoints.jaas.refresh-configuration-on-startup=true
If set, a call to Configuration#refresh()
will be made by #configureJaas(Resource)
method.
org.apereo.cas.configuration.model.core.monitor.JaasSecurityActuatorEndpointsMonitorProperties.
CAS Property: cas.monitor.endpoints.jaas.refresh-configuration-on-startup
When possible, properties should be stored in lower-case kebab format, such as cas.property-name=value
.
The only possible exception to this rule is when naming actuator endpoints; The name of the
actuator endpoints (i.e. ssoSessions
) MUST remain in camelCase mode.
.properties
files:
1
cas.monitor.endpoints.jaas.refresh-configuration-on-startup=true
1
cas:
monitor:
endpoints:
jaas:
refresh-configuration-on-startup: "true"
1
java -Dcas.monitor.endpoints.jaas.refresh-configuration-on-startup="true" -jar build/libs/cas.war
cas.war
with an embedded server container and can be found in the build/libs
directory. Note the placement of the system property which must be
specified before the CAS web application is launched.
1
2
3
export CAS_MONITOR_ENDPOINTS_JAAS_REFRESH_CONFIGURATION_ON_STARTUP="true"
java -jar build/libs/cas.war
cas.war
with an embedded server container and can be found in the build/libs
directory.
1
java -jar build/libs/cas.war --cas.monitor.endpoints.jaas.refresh-configuration-on-startup="true"
cas.war
with an embedded server container and can be found in the build/libs
directory.
The following settings and properties are available from the CAS configuration catalog:
cas.monitor.endpoints.json.location=
The location of the resource. Resources can be URLs, or files found either on the classpath or outside somewhere in the file system. In the event the configured resource is a Groovy script, specially if the script set to reload on changes, you may need to adjust the total number ofinotify instances. On Linux, you may need to add the following line to /etc/sysctl.conf : fs.inotify.max_user_instances = 256 . You can check the current value via cat /proc/sys/fs/inotify/max_user_instances . In situations and scenarios where CAS is able to automatically watch the underlying resource for changes and detect updates and modifications dynamically, you may be able to specify the following setting as either an environment variable or system property with a value of false to disable the resource watcher: org.apereo.cas.util.io.PathWatcherService .
CAS Property:
|
1 |
cas.monitor.endpoints.json.location=... |
1
cas:
monitor:
endpoints:
json:
location: "..."
1
java -Dcas.monitor.endpoints.json.location="..." -jar build/libs/cas.war
cas.war
with an embedded server container and can be found in the build/libs
directory. Note the placement of the system property which must be
specified before the CAS web application is launched.
1
2
3
export CAS_MONITOR_ENDPOINTS_JSON_LOCATION="..."
java -jar build/libs/cas.war
cas.war
with an embedded server container and can be found in the build/libs
directory.
1
java -jar build/libs/cas.war --cas.monitor.endpoints.json.location="..."
cas.war
with an embedded server container and can be found in the build/libs
directory.
Delete all CAS events in the event repository.
Endpoint Details: events
Once the endpoint is available, here is an example of how you could use it with curl
:
1
2
3
4
5
curl -k -u "username:password" \
-X DELETE \
-X "Content-Type: application/json" \
-X "Accept: application/json" \
"https://sso.example.org/cas/actuator/events?"
CAS, being a Spring-Boot application at heart, includes a number of endpoints to help you monitor and manage the server when it’s pushed to production. You can choose to manage and monitor the deployment using HTTP endpoints, referred to as actuators.
In essence, actuator endpoints bring production-ready features to CAS. Monitoring a running CAS instance, gathering metrics, understanding traffic or the state of our database becomes trivial with such endpoints. The main benefit of these endpoints is that we can get production grade tools without having to actually implement these features ourselves. Actuators are mainly used to expose operational information about the running application – health
, metrics
, etc. These are HTTP endpoints or JMX beans to enable us to interact with it.
Actuator endpoints are presented by CAS in two categories:
- Those that are owned and defined by the CAS project.
- Those that are owned and defined by third-party projects, frameworks and libraries such as Spring Boot.
Note that by default the only endpoints exposed over the web
are info
, status
, health
and configurationMetadata
.
Other endpoints need to be explicitly enabled and then
exposed over the web in CAS settings in order to allow access.
To enable and expose an actuator endpoint:
1
2
3
4
5
management.endpoint.events.enabled=true
management.endpoints.web.exposure.include=events
# Choose the proper security access level...
# cas.monitor.endpoints.endpoint.events.access=PERMIT
The following settings and properties are available from the CAS configuration catalog:
cas.monitor.endpoints.endpoint.events.access=DENY
Define the security access level of the endpoint. Available values are as follows:
CAS Property:
|
1 |
cas.monitor.endpoints.endpoint.events.access=DENY |
1
cas:
monitor:
endpoints:
endpoint:
events:
access: "DENY"
1
java -Dcas.monitor.endpoints.endpoint.events.access="DENY" -jar build/libs/cas.war
cas.war
with an embedded server container and can be found in the build/libs
directory. Note the placement of the system property which must be
specified before the CAS web application is launched.
1
2
3
export CAS_MONITOR_ENDPOINTS_ENDPOINT_[KEY]_ACCESS="DENY"
java -jar build/libs/cas.war
cas.war
with an embedded server container and can be found in the build/libs
directory.
1
java -jar build/libs/cas.war --cas.monitor.endpoints.endpoint.events.access="DENY"
cas.war
with an embedded server container and can be found in the build/libs
directory.
cas.monitor.endpoints.endpoint.events.required-authorities=
Required user authorities.
org.apereo.cas.configuration.model.core.monitor.ActuatorEndpointProperties.
CAS Property: cas.monitor.endpoints.endpoint.events.required-authorities
When possible, properties should be stored in lower-case kebab format, such as cas.property-name=value
.
The only possible exception to this rule is when naming actuator endpoints; The name of the
actuator endpoints (i.e. ssoSessions
) MUST remain in camelCase mode.
.properties
files:
1
cas.monitor.endpoints.endpoint.events.required-authorities=...
1
cas:
monitor:
endpoints:
endpoint:
events:
required-authorities: "..."
1
java -Dcas.monitor.endpoints.endpoint.events.required-authorities="..." -jar build/libs/cas.war
cas.war
with an embedded server container and can be found in the build/libs
directory. Note the placement of the system property which must be
specified before the CAS web application is launched.
1
2
3
export CAS_MONITOR_ENDPOINTS_ENDPOINT_[KEY]_REQUIRED_AUTHORITIES="..."
java -jar build/libs/cas.war
cas.war
with an embedded server container and can be found in the build/libs
directory.
1
java -jar build/libs/cas.war --cas.monitor.endpoints.endpoint.events.required-authorities="..."
cas.war
with an embedded server container and can be found in the build/libs
directory.
cas.monitor.endpoints.endpoint.events.required-ip-addresses=
Required IP addresses. CIDR ranges are accepted.
This settings supports regular expression patterns. [?].
org.apereo.cas.configuration.model.core.monitor.ActuatorEndpointProperties.
CAS Property: cas.monitor.endpoints.endpoint.events.required-ip-addresses
When possible, properties should be stored in lower-case kebab format, such as cas.property-name=value
.
The only possible exception to this rule is when naming actuator endpoints; The name of the
actuator endpoints (i.e. ssoSessions
) MUST remain in camelCase mode.
.properties
files:
1
cas.monitor.endpoints.endpoint.events.required-ip-addresses=...
cas:
monitor:
endpoints:
endpoint:
events:
required-ip-addresses: "..."
1
java -Dcas.monitor.endpoints.endpoint.events.required-ip-addresses="..." -jar build/libs/cas.war
cas.war
with an embedded server container and can be found in the build/libs
directory. Note the placement of the system property which must be
specified before the CAS web application is launched.
1
2
3
export CAS_MONITOR_ENDPOINTS_ENDPOINT_[KEY]_REQUIRED_IP_ADDRESSES="..."
java -jar build/libs/cas.war
cas.war
with an embedded server container and can be found in the build/libs
directory.
1
java -jar build/libs/cas.war --cas.monitor.endpoints.endpoint.events.required-ip-addresses="..."
cas.war
with an embedded server container and can be found in the build/libs
directory.
cas.monitor.endpoints.endpoint.events.required-roles=
Required user roles.
org.apereo.cas.configuration.model.core.monitor.ActuatorEndpointProperties.
CAS Property: cas.monitor.endpoints.endpoint.events.required-roles
When possible, properties should be stored in lower-case kebab format, such as cas.property-name=value
.
The only possible exception to this rule is when naming actuator endpoints; The name of the
actuator endpoints (i.e. ssoSessions
) MUST remain in camelCase mode.
.properties
files:
1
cas.monitor.endpoints.endpoint.events.required-roles=...
cas:
monitor:
endpoints:
endpoint:
events:
required-roles: "..."
1
java -Dcas.monitor.endpoints.endpoint.events.required-roles="..." -jar build/libs/cas.war
cas.war
with an embedded server container and can be found in the build/libs
directory. Note the placement of the system property which must be
specified before the CAS web application is launched.
1
2
3
export CAS_MONITOR_ENDPOINTS_ENDPOINT_[KEY]_REQUIRED_ROLES="..."
java -jar build/libs/cas.war
cas.war
with an embedded server container and can be found in the build/libs
directory.
1
java -jar build/libs/cas.war --cas.monitor.endpoints.endpoint.events.required-roles="..."
cas.war
with an embedded server container and can be found in the build/libs
directory.
cas.monitor.endpoints.form-login-enabled=false
Control whether access to endpoints can be controlled via form-based login over the web via a special admin login endpoint.
org.apereo.cas.configuration.model.core.monitor.ActuatorEndpointsMonitorProperties.
CAS Property: cas.monitor.endpoints.form-login-enabled
When possible, properties should be stored in lower-case kebab format, such as cas.property-name=value
.
The only possible exception to this rule is when naming actuator endpoints; The name of the
actuator endpoints (i.e. ssoSessions
) MUST remain in camelCase mode.
.properties
files:
1
cas.monitor.endpoints.form-login-enabled=...
1
cas:
monitor:
endpoints:
form-login-enabled: "..."
1
java -Dcas.monitor.endpoints.form-login-enabled="..." -jar build/libs/cas.war
cas.war
with an embedded server container and can be found in the build/libs
directory. Note the placement of the system property which must be
specified before the CAS web application is launched.
1
2
3
export CAS_MONITOR_ENDPOINTS_FORM_LOGIN_ENABLED="..."
java -jar build/libs/cas.war
cas.war
with an embedded server container and can be found in the build/libs
directory.
1
java -jar build/libs/cas.war --cas.monitor.endpoints.form-login-enabled="..."
cas.war
with an embedded server container and can be found in the build/libs
directory.
Endpoints may be mapped to custom arbitrary endpoints. For example,
to remap the health
endpoint to healthcheck
,
specify the following settings:
1
management.endpoints.web.path-mapping.health=healthcheck
management.endpoint.health.access=unrestricted
Permitted level of access for the health endpoint.
CAS Property:
|
1 |
management.endpoint.health.access=unrestricted |
management:
endpoint:
health:
access: "unrestricted"
1
java -Dmanagement.endpoint.health.access="unrestricted" -jar build/libs/cas.war
cas.war
with an embedded server container and can be found in the build/libs
directory. Note the placement of the system property which must be
specified before the CAS web application is launched.
1
2
3
export MANAGEMENT_ENDPOINT_HEALTH_ACCESS="unrestricted"
java -jar build/libs/cas.war
cas.war
with an embedded server container and can be found in the build/libs
directory.
1
java -jar build/libs/cas.war --management.endpoint.health.access="unrestricted"
cas.war
with an embedded server container and can be found in the build/libs
directory.
management.endpoint.health.cache.time-to-live=0ms
Maximum time that a response can be cached.
org.springframework.boot.actuate.health.HealthEndpoint.
CAS Property: management.endpoint.health.cache.time-to-live
When possible, properties should be stored in lower-case kebab format, such as cas.property-name=value
.
The only possible exception to this rule is when naming actuator endpoints; The name of the
actuator endpoints (i.e. ssoSessions
) MUST remain in camelCase mode.
.properties
files:
1
management.endpoint.health.cache.time-to-live=0ms
management:
endpoint:
health:
cache:
time-to-live: "0ms"
1
java -Dmanagement.endpoint.health.cache.time-to-live="0ms" -jar build/libs/cas.war
cas.war
with an embedded server container and can be found in the build/libs
directory. Note the placement of the system property which must be
specified before the CAS web application is launched.
1
2
3
export MANAGEMENT_ENDPOINT_HEALTH_CACHE_TIME_TO_LIVE="0ms"
java -jar build/libs/cas.war
cas.war
with an embedded server container and can be found in the build/libs
directory.
1
java -jar build/libs/cas.war --management.endpoint.health.cache.time-to-live="0ms"
cas.war
with an embedded server container and can be found in the build/libs
directory.
management.endpoint.health.enabled=true
Whether to enable the health endpoint.
org.springframework.boot.actuate.health.HealthEndpoint.
CAS Property: management.endpoint.health.enabled
When possible, properties should be stored in lower-case kebab format, such as cas.property-name=value
.
The only possible exception to this rule is when naming actuator endpoints; The name of the
actuator endpoints (i.e. ssoSessions
) MUST remain in camelCase mode.
.properties
files:
1
management.endpoint.health.enabled=true
management:
endpoint:
health:
enabled: "true"
1
java -Dmanagement.endpoint.health.enabled="true" -jar build/libs/cas.war
cas.war
with an embedded server container and can be found in the build/libs
directory. Note the placement of the system property which must be
specified before the CAS web application is launched.
1
2
3
export MANAGEMENT_ENDPOINT_HEALTH_ENABLED="true"
java -jar build/libs/cas.war
cas.war
with an embedded server container and can be found in the build/libs
directory.
1
java -jar build/libs/cas.war --management.endpoint.health.enabled="true"
cas.war
with an embedded server container and can be found in the build/libs
directory.
Deprecation status is WARNING
with a replacement setting: management.endpoint.health.access
.
management.endpoint.health.group=
Health endpoint groups.
org.springframework.boot.actuate.autoconfigure.health.HealthEndpointProperties.
CAS Property: management.endpoint.health.group
When possible, properties should be stored in lower-case kebab format, such as cas.property-name=value
.
The only possible exception to this rule is when naming actuator endpoints; The name of the
actuator endpoints (i.e. ssoSessions
) MUST remain in camelCase mode.
.properties
files:
1
management.endpoint.health.group=...
management:
endpoint:
health:
group: "..."
1
java -Dmanagement.endpoint.health.group="..." -jar build/libs/cas.war
cas.war
with an embedded server container and can be found in the build/libs
directory. Note the placement of the system property which must be
specified before the CAS web application is launched.
1
2
3
export MANAGEMENT_ENDPOINT_HEALTH_GROUP="..."
java -jar build/libs/cas.war
cas.war
with an embedded server container and can be found in the build/libs
directory.
1
java -jar build/libs/cas.war --management.endpoint.health.group="..."
cas.war
with an embedded server container and can be found in the build/libs
directory.
management.endpoint.health.logging.slow-indicator-threshold=10s
Threshold after which a warning will be logged for slow health indicators.
org.springframework.boot.actuate.autoconfigure.health.HealthEndpointProperties$Logging.
CAS Property: management.endpoint.health.logging.slow-indicator-threshold
When possible, properties should be stored in lower-case kebab format, such as cas.property-name=value
.
The only possible exception to this rule is when naming actuator endpoints; The name of the
actuator endpoints (i.e. ssoSessions
) MUST remain in camelCase mode.
.properties
files:
1
management.endpoint.health.logging.slow-indicator-threshold=10s
management:
endpoint:
health:
logging:
slow-indicator-threshold: "10s"
1
java -Dmanagement.endpoint.health.logging.slow-indicator-threshold="10s" -jar build/libs/cas.war
cas.war
with an embedded server container and can be found in the build/libs
directory. Note the placement of the system property which must be
specified before the CAS web application is launched.
1
2
3
export MANAGEMENT_ENDPOINT_HEALTH_LOGGING_SLOW_INDICATOR_THRESHOLD="10s"
java -jar build/libs/cas.war
cas.war
with an embedded server container and can be found in the build/libs
directory.
1
java -jar build/libs/cas.war --management.endpoint.health.logging.slow-indicator-threshold="10s"
cas.war
with an embedded server container and can be found in the build/libs
directory.
spring.security.user.name=user
Default user name.
CAS Property:
|
1 |
spring.security.user.name=user |
spring:
security:
user:
name: "user"
1
java -Dspring.security.user.name="user" -jar build/libs/cas.war
cas.war
with an embedded server container and can be found in the build/libs
directory. Note the placement of the system property which must be
specified before the CAS web application is launched.
1
2
3
export SPRING_SECURITY_USER_NAME="user"
java -jar build/libs/cas.war
cas.war
with an embedded server container and can be found in the build/libs
directory.
1
java -jar build/libs/cas.war --spring.security.user.name="user"
cas.war
with an embedded server container and can be found in the build/libs
directory.
spring.security.user.password=
Password for the default user name.
org.springframework.boot.autoconfigure.security.SecurityProperties$User.
CAS Property: spring.security.user.password
When possible, properties should be stored in lower-case kebab format, such as cas.property-name=value
.
The only possible exception to this rule is when naming actuator endpoints; The name of the
actuator endpoints (i.e. ssoSessions
) MUST remain in camelCase mode.
.properties
files:
1
spring.security.user.password=...
spring:
security:
user:
password: "..."
1
java -Dspring.security.user.password="..." -jar build/libs/cas.war
cas.war
with an embedded server container and can be found in the build/libs
directory. Note the placement of the system property which must be
specified before the CAS web application is launched.
1
2
3
export SPRING_SECURITY_USER_PASSWORD="..."
java -jar build/libs/cas.war
cas.war
with an embedded server container and can be found in the build/libs
directory.
1
java -jar build/libs/cas.war --spring.security.user.password="..."
cas.war
with an embedded server container and can be found in the build/libs
directory.
spring.security.user.roles=
Granted roles for the default user name.
org.springframework.boot.autoconfigure.security.SecurityProperties$User.
CAS Property: spring.security.user.roles
When possible, properties should be stored in lower-case kebab format, such as cas.property-name=value
.
The only possible exception to this rule is when naming actuator endpoints; The name of the
actuator endpoints (i.e. ssoSessions
) MUST remain in camelCase mode.
.properties
files:
1
spring.security.user.roles=...
spring:
security:
user:
roles: "..."
1
java -Dspring.security.user.roles="..." -jar build/libs/cas.war
cas.war
with an embedded server container and can be found in the build/libs
directory. Note the placement of the system property which must be
specified before the CAS web application is launched.
1
2
3
export SPRING_SECURITY_USER_ROLES="..."
java -jar build/libs/cas.war
cas.war
with an embedded server container and can be found in the build/libs
directory.
1
java -jar build/libs/cas.war --spring.security.user.roles="..."
cas.war
with an embedded server container and can be found in the build/libs
directory.
For basic authentication, the default username is casuser
. The password may be automatically generated at startup and displayed in CAS logs if it is left undefined in CAS settings. Additional sources may also be defined that would authenticate the request via JAAS, LDAP, JDBC, etc.
This option allows you to define a static list of users, passwords along with their role in a JSON file. The JSON file should be formatted as follows:
json
[
{
"username": "casuser",
"password": "{sha512}<hashed-password>",
"authorities": [ "ROLE_ADMIN" ]
}
]
Supported password encoding schemes are:
{sha512}
, {sha256}
, {bcrypt}
,
{noop}
, {pbkdf2}
, {scrypt}
,
{argon2}
.
Once endpoints are enabled and exposed, the security of all provided endpoints is handled by the Spring Security project. Protection and access to each endpoint is controlled via CAS settings individually such that you may decide a specific security level and method of authentication for each endpoint independently.
- If CAS is configured to NOT enforce endpoint security rules, then all endpoints are considered sensitive and require authentication, typically handled via basic authentication with master credentials defined in CAS settings.
- If CAS is configured to enforce endpoint security rules, then each endpoint may be tagged with a specific security rule allowing access via authorized IP addresses, basic credentials, roles and attributes, etc.
There is a special endpoint named defaults
which serves as a shortcut that
controls the security of all endpoints, if left undefined in CAS settings.
To enable additional logging, configure the log4j configuration file to add the following levels:
1
2
3
4
5
6
7
8
<Logger name="org.pac4j" level="debug" additivity="false">
<AppenderRef ref="console" />
<AppenderRef ref="file" />
</Logger>
<Logger name="org.springframework.security" level="debug" additivity="false">
<AppenderRef ref="console" />
<AppenderRef ref="file" />
</Logger>
Provide a report of CAS events in the event repository.
Endpoint Details: events
Endpoint Parameters
-
limit ()
: Limit the number of events to fetch
Once the endpoint is available, here is an example of how you could use it with curl
:
1
2
3
4
5
curl -k -u "username:password" \
-X GET \
-X "Content-Type: application/json" \
-X "Accept: application/json" \
"https://sso.example.org/cas/actuator/events?limit=...&"
CAS, being a Spring-Boot application at heart, includes a number of endpoints to help you monitor and manage the server when it’s pushed to production. You can choose to manage and monitor the deployment using HTTP endpoints, referred to as actuators.
In essence, actuator endpoints bring production-ready features to CAS. Monitoring a running CAS instance, gathering metrics, understanding traffic or the state of our database becomes trivial with such endpoints. The main benefit of these endpoints is that we can get production grade tools without having to actually implement these features ourselves. Actuators are mainly used to expose operational information about the running application – health
, metrics
, etc. These are HTTP endpoints or JMX beans to enable us to interact with it.
Actuator endpoints are presented by CAS in two categories:
- Those that are owned and defined by the CAS project.
- Those that are owned and defined by third-party projects, frameworks and libraries such as Spring Boot.
Note that by default the only endpoints exposed over the web
are info
, status
, health
and configurationMetadata
.
Other endpoints need to be explicitly enabled and then
exposed over the web in CAS settings in order to allow access.
To enable and expose an actuator endpoint:
1
2
3
4
5
management.endpoint.events.enabled=true
management.endpoints.web.exposure.include=events
# Choose the proper security access level...
# cas.monitor.endpoints.endpoint.events.access=PERMIT
The following settings and properties are available from the CAS configuration catalog:
cas.monitor.endpoints.endpoint.events.access=DENY
Define the security access level of the endpoint. Available values are as follows:
CAS Property:
|
1 |
cas.monitor.endpoints.endpoint.events.access=DENY |
1
cas:
monitor:
endpoints:
endpoint:
events:
access: "DENY"
1
java -Dcas.monitor.endpoints.endpoint.events.access="DENY" -jar build/libs/cas.war
cas.war
with an embedded server container and can be found in the build/libs
directory. Note the placement of the system property which must be
specified before the CAS web application is launched.
1
2
3
export CAS_MONITOR_ENDPOINTS_ENDPOINT_[KEY]_ACCESS="DENY"
java -jar build/libs/cas.war
cas.war
with an embedded server container and can be found in the build/libs
directory.
1
java -jar build/libs/cas.war --cas.monitor.endpoints.endpoint.events.access="DENY"
cas.war
with an embedded server container and can be found in the build/libs
directory.
cas.monitor.endpoints.endpoint.events.required-authorities=
Required user authorities.
org.apereo.cas.configuration.model.core.monitor.ActuatorEndpointProperties.
CAS Property: cas.monitor.endpoints.endpoint.events.required-authorities
When possible, properties should be stored in lower-case kebab format, such as cas.property-name=value
.
The only possible exception to this rule is when naming actuator endpoints; The name of the
actuator endpoints (i.e. ssoSessions
) MUST remain in camelCase mode.
.properties
files:
1
cas.monitor.endpoints.endpoint.events.required-authorities=...
1
cas:
monitor:
endpoints:
endpoint:
events:
required-authorities: "..."
1
java -Dcas.monitor.endpoints.endpoint.events.required-authorities="..." -jar build/libs/cas.war
cas.war
with an embedded server container and can be found in the build/libs
directory. Note the placement of the system property which must be
specified before the CAS web application is launched.
1
2
3
export CAS_MONITOR_ENDPOINTS_ENDPOINT_[KEY]_REQUIRED_AUTHORITIES="..."
java -jar build/libs/cas.war
cas.war
with an embedded server container and can be found in the build/libs
directory.
1
java -jar build/libs/cas.war --cas.monitor.endpoints.endpoint.events.required-authorities="..."
cas.war
with an embedded server container and can be found in the build/libs
directory.
cas.monitor.endpoints.endpoint.events.required-ip-addresses=
Required IP addresses. CIDR ranges are accepted.
This settings supports regular expression patterns. [?].
org.apereo.cas.configuration.model.core.monitor.ActuatorEndpointProperties.
CAS Property: cas.monitor.endpoints.endpoint.events.required-ip-addresses
When possible, properties should be stored in lower-case kebab format, such as cas.property-name=value
.
The only possible exception to this rule is when naming actuator endpoints; The name of the
actuator endpoints (i.e. ssoSessions
) MUST remain in camelCase mode.
.properties
files:
1
cas.monitor.endpoints.endpoint.events.required-ip-addresses=...
cas:
monitor:
endpoints:
endpoint:
events:
required-ip-addresses: "..."
1
java -Dcas.monitor.endpoints.endpoint.events.required-ip-addresses="..." -jar build/libs/cas.war
cas.war
with an embedded server container and can be found in the build/libs
directory. Note the placement of the system property which must be
specified before the CAS web application is launched.
1
2
3
export CAS_MONITOR_ENDPOINTS_ENDPOINT_[KEY]_REQUIRED_IP_ADDRESSES="..."
java -jar build/libs/cas.war
cas.war
with an embedded server container and can be found in the build/libs
directory.
1
java -jar build/libs/cas.war --cas.monitor.endpoints.endpoint.events.required-ip-addresses="..."
cas.war
with an embedded server container and can be found in the build/libs
directory.
cas.monitor.endpoints.endpoint.events.required-roles=
Required user roles.
org.apereo.cas.configuration.model.core.monitor.ActuatorEndpointProperties.
CAS Property: cas.monitor.endpoints.endpoint.events.required-roles
When possible, properties should be stored in lower-case kebab format, such as cas.property-name=value
.
The only possible exception to this rule is when naming actuator endpoints; The name of the
actuator endpoints (i.e. ssoSessions
) MUST remain in camelCase mode.
.properties
files:
1
cas.monitor.endpoints.endpoint.events.required-roles=...
cas:
monitor:
endpoints:
endpoint:
events:
required-roles: "..."
1
java -Dcas.monitor.endpoints.endpoint.events.required-roles="..." -jar build/libs/cas.war
cas.war
with an embedded server container and can be found in the build/libs
directory. Note the placement of the system property which must be
specified before the CAS web application is launched.
1
2
3
export CAS_MONITOR_ENDPOINTS_ENDPOINT_[KEY]_REQUIRED_ROLES="..."
java -jar build/libs/cas.war
cas.war
with an embedded server container and can be found in the build/libs
directory.
1
java -jar build/libs/cas.war --cas.monitor.endpoints.endpoint.events.required-roles="..."
cas.war
with an embedded server container and can be found in the build/libs
directory.
cas.monitor.endpoints.form-login-enabled=false
Control whether access to endpoints can be controlled via form-based login over the web via a special admin login endpoint.
org.apereo.cas.configuration.model.core.monitor.ActuatorEndpointsMonitorProperties.
CAS Property: cas.monitor.endpoints.form-login-enabled
When possible, properties should be stored in lower-case kebab format, such as cas.property-name=value
.
The only possible exception to this rule is when naming actuator endpoints; The name of the
actuator endpoints (i.e. ssoSessions
) MUST remain in camelCase mode.
.properties
files:
1
cas.monitor.endpoints.form-login-enabled=...
1
cas:
monitor:
endpoints:
form-login-enabled: "..."
1
java -Dcas.monitor.endpoints.form-login-enabled="..." -jar build/libs/cas.war
cas.war
with an embedded server container and can be found in the build/libs
directory. Note the placement of the system property which must be
specified before the CAS web application is launched.
1
2
3
export CAS_MONITOR_ENDPOINTS_FORM_LOGIN_ENABLED="..."
java -jar build/libs/cas.war
cas.war
with an embedded server container and can be found in the build/libs
directory.
1
java -jar build/libs/cas.war --cas.monitor.endpoints.form-login-enabled="..."
cas.war
with an embedded server container and can be found in the build/libs
directory.
Endpoints may be mapped to custom arbitrary endpoints. For example,
to remap the health
endpoint to healthcheck
,
specify the following settings:
1
management.endpoints.web.path-mapping.health=healthcheck
management.endpoint.health.access=unrestricted
Permitted level of access for the health endpoint.
CAS Property:
|
1 |
management.endpoint.health.access=unrestricted |
management:
endpoint:
health:
access: "unrestricted"
1
java -Dmanagement.endpoint.health.access="unrestricted" -jar build/libs/cas.war
cas.war
with an embedded server container and can be found in the build/libs
directory. Note the placement of the system property which must be
specified before the CAS web application is launched.
1
2
3
export MANAGEMENT_ENDPOINT_HEALTH_ACCESS="unrestricted"
java -jar build/libs/cas.war
cas.war
with an embedded server container and can be found in the build/libs
directory.
1
java -jar build/libs/cas.war --management.endpoint.health.access="unrestricted"
cas.war
with an embedded server container and can be found in the build/libs
directory.
management.endpoint.health.cache.time-to-live=0ms
Maximum time that a response can be cached.
org.springframework.boot.actuate.health.HealthEndpoint.
CAS Property: management.endpoint.health.cache.time-to-live
When possible, properties should be stored in lower-case kebab format, such as cas.property-name=value
.
The only possible exception to this rule is when naming actuator endpoints; The name of the
actuator endpoints (i.e. ssoSessions
) MUST remain in camelCase mode.
.properties
files:
1
management.endpoint.health.cache.time-to-live=0ms
management:
endpoint:
health:
cache:
time-to-live: "0ms"
1
java -Dmanagement.endpoint.health.cache.time-to-live="0ms" -jar build/libs/cas.war
cas.war
with an embedded server container and can be found in the build/libs
directory. Note the placement of the system property which must be
specified before the CAS web application is launched.
1
2
3
export MANAGEMENT_ENDPOINT_HEALTH_CACHE_TIME_TO_LIVE="0ms"
java -jar build/libs/cas.war
cas.war
with an embedded server container and can be found in the build/libs
directory.
1
java -jar build/libs/cas.war --management.endpoint.health.cache.time-to-live="0ms"
cas.war
with an embedded server container and can be found in the build/libs
directory.
management.endpoint.health.enabled=true
Whether to enable the health endpoint.
org.springframework.boot.actuate.health.HealthEndpoint.
CAS Property: management.endpoint.health.enabled
When possible, properties should be stored in lower-case kebab format, such as cas.property-name=value
.
The only possible exception to this rule is when naming actuator endpoints; The name of the
actuator endpoints (i.e. ssoSessions
) MUST remain in camelCase mode.
.properties
files:
1
management.endpoint.health.enabled=true
management:
endpoint:
health:
enabled: "true"
1
java -Dmanagement.endpoint.health.enabled="true" -jar build/libs/cas.war
cas.war
with an embedded server container and can be found in the build/libs
directory. Note the placement of the system property which must be
specified before the CAS web application is launched.
1
2
3
export MANAGEMENT_ENDPOINT_HEALTH_ENABLED="true"
java -jar build/libs/cas.war
cas.war
with an embedded server container and can be found in the build/libs
directory.
1
java -jar build/libs/cas.war --management.endpoint.health.enabled="true"
cas.war
with an embedded server container and can be found in the build/libs
directory.
Deprecation status is WARNING
with a replacement setting: management.endpoint.health.access
.
management.endpoint.health.group=
Health endpoint groups.
org.springframework.boot.actuate.autoconfigure.health.HealthEndpointProperties.
CAS Property: management.endpoint.health.group
When possible, properties should be stored in lower-case kebab format, such as cas.property-name=value
.
The only possible exception to this rule is when naming actuator endpoints; The name of the
actuator endpoints (i.e. ssoSessions
) MUST remain in camelCase mode.
.properties
files:
1
management.endpoint.health.group=...
management:
endpoint:
health:
group: "..."
1
java -Dmanagement.endpoint.health.group="..." -jar build/libs/cas.war
cas.war
with an embedded server container and can be found in the build/libs
directory. Note the placement of the system property which must be
specified before the CAS web application is launched.
1
2
3
export MANAGEMENT_ENDPOINT_HEALTH_GROUP="..."
java -jar build/libs/cas.war
cas.war
with an embedded server container and can be found in the build/libs
directory.
1
java -jar build/libs/cas.war --management.endpoint.health.group="..."
cas.war
with an embedded server container and can be found in the build/libs
directory.
management.endpoint.health.logging.slow-indicator-threshold=10s
Threshold after which a warning will be logged for slow health indicators.
org.springframework.boot.actuate.autoconfigure.health.HealthEndpointProperties$Logging.
CAS Property: management.endpoint.health.logging.slow-indicator-threshold
When possible, properties should be stored in lower-case kebab format, such as cas.property-name=value
.
The only possible exception to this rule is when naming actuator endpoints; The name of the
actuator endpoints (i.e. ssoSessions
) MUST remain in camelCase mode.
.properties
files:
1
management.endpoint.health.logging.slow-indicator-threshold=10s
management:
endpoint:
health:
logging:
slow-indicator-threshold: "10s"
1
java -Dmanagement.endpoint.health.logging.slow-indicator-threshold="10s" -jar build/libs/cas.war
cas.war
with an embedded server container and can be found in the build/libs
directory. Note the placement of the system property which must be
specified before the CAS web application is launched.
1
2
3
export MANAGEMENT_ENDPOINT_HEALTH_LOGGING_SLOW_INDICATOR_THRESHOLD="10s"
java -jar build/libs/cas.war
cas.war
with an embedded server container and can be found in the build/libs
directory.
1
java -jar build/libs/cas.war --management.endpoint.health.logging.slow-indicator-threshold="10s"
cas.war
with an embedded server container and can be found in the build/libs
directory.
spring.security.user.name=user
Default user name.
CAS Property:
|
1 |
spring.security.user.name=user |
spring:
security:
user:
name: "user"
1
java -Dspring.security.user.name="user" -jar build/libs/cas.war
cas.war
with an embedded server container and can be found in the build/libs
directory. Note the placement of the system property which must be
specified before the CAS web application is launched.
1
2
3
export SPRING_SECURITY_USER_NAME="user"
java -jar build/libs/cas.war
cas.war
with an embedded server container and can be found in the build/libs
directory.
1
java -jar build/libs/cas.war --spring.security.user.name="user"
cas.war
with an embedded server container and can be found in the build/libs
directory.
spring.security.user.password=
Password for the default user name.
org.springframework.boot.autoconfigure.security.SecurityProperties$User.
CAS Property: spring.security.user.password
When possible, properties should be stored in lower-case kebab format, such as cas.property-name=value
.
The only possible exception to this rule is when naming actuator endpoints; The name of the
actuator endpoints (i.e. ssoSessions
) MUST remain in camelCase mode.
.properties
files:
1
spring.security.user.password=...
spring:
security:
user:
password: "..."
1
java -Dspring.security.user.password="..." -jar build/libs/cas.war
cas.war
with an embedded server container and can be found in the build/libs
directory. Note the placement of the system property which must be
specified before the CAS web application is launched.
1
2
3
export SPRING_SECURITY_USER_PASSWORD="..."
java -jar build/libs/cas.war
cas.war
with an embedded server container and can be found in the build/libs
directory.
1
java -jar build/libs/cas.war --spring.security.user.password="..."
cas.war
with an embedded server container and can be found in the build/libs
directory.
spring.security.user.roles=
Granted roles for the default user name.
org.springframework.boot.autoconfigure.security.SecurityProperties$User.
CAS Property: spring.security.user.roles
When possible, properties should be stored in lower-case kebab format, such as cas.property-name=value
.
The only possible exception to this rule is when naming actuator endpoints; The name of the
actuator endpoints (i.e. ssoSessions
) MUST remain in camelCase mode.
.properties
files:
1
spring.security.user.roles=...
spring:
security:
user:
roles: "..."
1
java -Dspring.security.user.roles="..." -jar build/libs/cas.war
cas.war
with an embedded server container and can be found in the build/libs
directory. Note the placement of the system property which must be
specified before the CAS web application is launched.
1
2
3
export SPRING_SECURITY_USER_ROLES="..."
java -jar build/libs/cas.war
cas.war
with an embedded server container and can be found in the build/libs
directory.
1
java -jar build/libs/cas.war --spring.security.user.roles="..."
cas.war
with an embedded server container and can be found in the build/libs
directory.
For basic authentication, the default username is casuser
. The password may be automatically generated at startup and displayed in CAS logs if it is left undefined in CAS settings. Additional sources may also be defined that would authenticate the request via JAAS, LDAP, JDBC, etc.
This option allows you to define a static list of users, passwords along with their role in a JSON file. The JSON file should be formatted as follows:
json
[
{
"username": "casuser",
"password": "{sha512}<hashed-password>",
"authorities": [ "ROLE_ADMIN" ]
}
]
Supported password encoding schemes are:
{sha512}
, {sha256}
, {bcrypt}
,
{noop}
, {pbkdf2}
, {scrypt}
,
{argon2}
.
Once endpoints are enabled and exposed, the security of all provided endpoints is handled by the Spring Security project. Protection and access to each endpoint is controlled via CAS settings individually such that you may decide a specific security level and method of authentication for each endpoint independently.
- If CAS is configured to NOT enforce endpoint security rules, then all endpoints are considered sensitive and require authentication, typically handled via basic authentication with master credentials defined in CAS settings.
- If CAS is configured to enforce endpoint security rules, then each endpoint may be tagged with a specific security rule allowing access via authorized IP addresses, basic credentials, roles and attributes, etc.
There is a special endpoint named defaults
which serves as a shortcut that
controls the security of all endpoints, if left undefined in CAS settings.
To enable additional logging, configure the log4j configuration file to add the following levels:
1
2
3
4
5
6
7
8
<Logger name="org.pac4j" level="debug" additivity="false">
<AppenderRef ref="console" />
<AppenderRef ref="file" />
</Logger>
<Logger name="org.springframework.security" level="debug" additivity="false">
<AppenderRef ref="console" />
<AppenderRef ref="file" />
</Logger>
Upload CAS events and store them into the event repository.
Endpoint Details: events
Once the endpoint is available, here is an example of how you could use it with curl
:
1
2
3
4
5
curl -k -u "username:password" \
-X POST \
-X "Content-Type: application/json" \
-X "Accept: application/json" \
"https://sso.example.org/cas/actuator/events?"
CAS, being a Spring-Boot application at heart, includes a number of endpoints to help you monitor and manage the server when it’s pushed to production. You can choose to manage and monitor the deployment using HTTP endpoints, referred to as actuators.
In essence, actuator endpoints bring production-ready features to CAS. Monitoring a running CAS instance, gathering metrics, understanding traffic or the state of our database becomes trivial with such endpoints. The main benefit of these endpoints is that we can get production grade tools without having to actually implement these features ourselves. Actuators are mainly used to expose operational information about the running application – health
, metrics
, etc. These are HTTP endpoints or JMX beans to enable us to interact with it.
Actuator endpoints are presented by CAS in two categories:
- Those that are owned and defined by the CAS project.
- Those that are owned and defined by third-party projects, frameworks and libraries such as Spring Boot.
Note that by default the only endpoints exposed over the web
are info
, status
, health
and configurationMetadata
.
Other endpoints need to be explicitly enabled and then
exposed over the web in CAS settings in order to allow access.
To enable and expose an actuator endpoint:
1
2
3
4
5
management.endpoint.events.enabled=true
management.endpoints.web.exposure.include=events
# Choose the proper security access level...
# cas.monitor.endpoints.endpoint.events.access=PERMIT
The following settings and properties are available from the CAS configuration catalog:
cas.monitor.endpoints.endpoint.events.access=DENY
Define the security access level of the endpoint. Available values are as follows:
CAS Property:
|
1 |
cas.monitor.endpoints.endpoint.events.access=DENY |
1
cas:
monitor:
endpoints:
endpoint:
events:
access: "DENY"
1
java -Dcas.monitor.endpoints.endpoint.events.access="DENY" -jar build/libs/cas.war
cas.war
with an embedded server container and can be found in the build/libs
directory. Note the placement of the system property which must be
specified before the CAS web application is launched.
1
2
3
export CAS_MONITOR_ENDPOINTS_ENDPOINT_[KEY]_ACCESS="DENY"
java -jar build/libs/cas.war
cas.war
with an embedded server container and can be found in the build/libs
directory.
1
java -jar build/libs/cas.war --cas.monitor.endpoints.endpoint.events.access="DENY"
cas.war
with an embedded server container and can be found in the build/libs
directory.
cas.monitor.endpoints.endpoint.events.required-authorities=
Required user authorities.
org.apereo.cas.configuration.model.core.monitor.ActuatorEndpointProperties.
CAS Property: cas.monitor.endpoints.endpoint.events.required-authorities
When possible, properties should be stored in lower-case kebab format, such as cas.property-name=value
.
The only possible exception to this rule is when naming actuator endpoints; The name of the
actuator endpoints (i.e. ssoSessions
) MUST remain in camelCase mode.
.properties
files:
1
cas.monitor.endpoints.endpoint.events.required-authorities=...
1
cas:
monitor:
endpoints:
endpoint:
events:
required-authorities: "..."
1
java -Dcas.monitor.endpoints.endpoint.events.required-authorities="..." -jar build/libs/cas.war
cas.war
with an embedded server container and can be found in the build/libs
directory. Note the placement of the system property which must be
specified before the CAS web application is launched.
1
2
3
export CAS_MONITOR_ENDPOINTS_ENDPOINT_[KEY]_REQUIRED_AUTHORITIES="..."
java -jar build/libs/cas.war
cas.war
with an embedded server container and can be found in the build/libs
directory.
1
java -jar build/libs/cas.war --cas.monitor.endpoints.endpoint.events.required-authorities="..."
cas.war
with an embedded server container and can be found in the build/libs
directory.
cas.monitor.endpoints.endpoint.events.required-ip-addresses=
Required IP addresses. CIDR ranges are accepted.
This settings supports regular expression patterns. [?].
org.apereo.cas.configuration.model.core.monitor.ActuatorEndpointProperties.
CAS Property: cas.monitor.endpoints.endpoint.events.required-ip-addresses
When possible, properties should be stored in lower-case kebab format, such as cas.property-name=value
.
The only possible exception to this rule is when naming actuator endpoints; The name of the
actuator endpoints (i.e. ssoSessions
) MUST remain in camelCase mode.
.properties
files:
1
cas.monitor.endpoints.endpoint.events.required-ip-addresses=...
cas:
monitor:
endpoints:
endpoint:
events:
required-ip-addresses: "..."
1
java -Dcas.monitor.endpoints.endpoint.events.required-ip-addresses="..." -jar build/libs/cas.war
cas.war
with an embedded server container and can be found in the build/libs
directory. Note the placement of the system property which must be
specified before the CAS web application is launched.
1
2
3
export CAS_MONITOR_ENDPOINTS_ENDPOINT_[KEY]_REQUIRED_IP_ADDRESSES="..."
java -jar build/libs/cas.war
cas.war
with an embedded server container and can be found in the build/libs
directory.
1
java -jar build/libs/cas.war --cas.monitor.endpoints.endpoint.events.required-ip-addresses="..."
cas.war
with an embedded server container and can be found in the build/libs
directory.
cas.monitor.endpoints.endpoint.events.required-roles=
Required user roles.
org.apereo.cas.configuration.model.core.monitor.ActuatorEndpointProperties.
CAS Property: cas.monitor.endpoints.endpoint.events.required-roles
When possible, properties should be stored in lower-case kebab format, such as cas.property-name=value
.
The only possible exception to this rule is when naming actuator endpoints; The name of the
actuator endpoints (i.e. ssoSessions
) MUST remain in camelCase mode.
.properties
files:
1
cas.monitor.endpoints.endpoint.events.required-roles=...
cas:
monitor:
endpoints:
endpoint:
events:
required-roles: "..."
1
java -Dcas.monitor.endpoints.endpoint.events.required-roles="..." -jar build/libs/cas.war
cas.war
with an embedded server container and can be found in the build/libs
directory. Note the placement of the system property which must be
specified before the CAS web application is launched.
1
2
3
export CAS_MONITOR_ENDPOINTS_ENDPOINT_[KEY]_REQUIRED_ROLES="..."
java -jar build/libs/cas.war
cas.war
with an embedded server container and can be found in the build/libs
directory.
1
java -jar build/libs/cas.war --cas.monitor.endpoints.endpoint.events.required-roles="..."
cas.war
with an embedded server container and can be found in the build/libs
directory.
cas.monitor.endpoints.form-login-enabled=false
Control whether access to endpoints can be controlled via form-based login over the web via a special admin login endpoint.
org.apereo.cas.configuration.model.core.monitor.ActuatorEndpointsMonitorProperties.
CAS Property: cas.monitor.endpoints.form-login-enabled
When possible, properties should be stored in lower-case kebab format, such as cas.property-name=value
.
The only possible exception to this rule is when naming actuator endpoints; The name of the
actuator endpoints (i.e. ssoSessions
) MUST remain in camelCase mode.
.properties
files:
1
cas.monitor.endpoints.form-login-enabled=...
1
cas:
monitor:
endpoints:
form-login-enabled: "..."
1
java -Dcas.monitor.endpoints.form-login-enabled="..." -jar build/libs/cas.war
cas.war
with an embedded server container and can be found in the build/libs
directory. Note the placement of the system property which must be
specified before the CAS web application is launched.
1
2
3
export CAS_MONITOR_ENDPOINTS_FORM_LOGIN_ENABLED="..."
java -jar build/libs/cas.war
cas.war
with an embedded server container and can be found in the build/libs
directory.
1
java -jar build/libs/cas.war --cas.monitor.endpoints.form-login-enabled="..."
cas.war
with an embedded server container and can be found in the build/libs
directory.
Endpoints may be mapped to custom arbitrary endpoints. For example,
to remap the health
endpoint to healthcheck
,
specify the following settings:
1
management.endpoints.web.path-mapping.health=healthcheck
management.endpoint.health.access=unrestricted
Permitted level of access for the health endpoint.
CAS Property:
|
1 |
management.endpoint.health.access=unrestricted |
management:
endpoint:
health:
access: "unrestricted"
1
java -Dmanagement.endpoint.health.access="unrestricted" -jar build/libs/cas.war
cas.war
with an embedded server container and can be found in the build/libs
directory. Note the placement of the system property which must be
specified before the CAS web application is launched.
1
2
3
export MANAGEMENT_ENDPOINT_HEALTH_ACCESS="unrestricted"
java -jar build/libs/cas.war
cas.war
with an embedded server container and can be found in the build/libs
directory.
1
java -jar build/libs/cas.war --management.endpoint.health.access="unrestricted"
cas.war
with an embedded server container and can be found in the build/libs
directory.
management.endpoint.health.cache.time-to-live=0ms
Maximum time that a response can be cached.
org.springframework.boot.actuate.health.HealthEndpoint.
CAS Property: management.endpoint.health.cache.time-to-live
When possible, properties should be stored in lower-case kebab format, such as cas.property-name=value
.
The only possible exception to this rule is when naming actuator endpoints; The name of the
actuator endpoints (i.e. ssoSessions
) MUST remain in camelCase mode.
.properties
files:
1
management.endpoint.health.cache.time-to-live=0ms
management:
endpoint:
health:
cache:
time-to-live: "0ms"
1
java -Dmanagement.endpoint.health.cache.time-to-live="0ms" -jar build/libs/cas.war
cas.war
with an embedded server container and can be found in the build/libs
directory. Note the placement of the system property which must be
specified before the CAS web application is launched.
1
2
3
export MANAGEMENT_ENDPOINT_HEALTH_CACHE_TIME_TO_LIVE="0ms"
java -jar build/libs/cas.war
cas.war
with an embedded server container and can be found in the build/libs
directory.
1
java -jar build/libs/cas.war --management.endpoint.health.cache.time-to-live="0ms"
cas.war
with an embedded server container and can be found in the build/libs
directory.
management.endpoint.health.enabled=true
Whether to enable the health endpoint.
org.springframework.boot.actuate.health.HealthEndpoint.
CAS Property: management.endpoint.health.enabled
When possible, properties should be stored in lower-case kebab format, such as cas.property-name=value
.
The only possible exception to this rule is when naming actuator endpoints; The name of the
actuator endpoints (i.e. ssoSessions
) MUST remain in camelCase mode.
.properties
files:
1
management.endpoint.health.enabled=true
management:
endpoint:
health:
enabled: "true"
1
java -Dmanagement.endpoint.health.enabled="true" -jar build/libs/cas.war
cas.war
with an embedded server container and can be found in the build/libs
directory. Note the placement of the system property which must be
specified before the CAS web application is launched.
1
2
3
export MANAGEMENT_ENDPOINT_HEALTH_ENABLED="true"
java -jar build/libs/cas.war
cas.war
with an embedded server container and can be found in the build/libs
directory.
1
java -jar build/libs/cas.war --management.endpoint.health.enabled="true"
cas.war
with an embedded server container and can be found in the build/libs
directory.
Deprecation status is WARNING
with a replacement setting: management.endpoint.health.access
.
management.endpoint.health.group=
Health endpoint groups.
org.springframework.boot.actuate.autoconfigure.health.HealthEndpointProperties.
CAS Property: management.endpoint.health.group
When possible, properties should be stored in lower-case kebab format, such as cas.property-name=value
.
The only possible exception to this rule is when naming actuator endpoints; The name of the
actuator endpoints (i.e. ssoSessions
) MUST remain in camelCase mode.
.properties
files:
1
management.endpoint.health.group=...
management:
endpoint:
health:
group: "..."
1
java -Dmanagement.endpoint.health.group="..." -jar build/libs/cas.war
cas.war
with an embedded server container and can be found in the build/libs
directory. Note the placement of the system property which must be
specified before the CAS web application is launched.
1
2
3
export MANAGEMENT_ENDPOINT_HEALTH_GROUP="..."
java -jar build/libs/cas.war
cas.war
with an embedded server container and can be found in the build/libs
directory.
1
java -jar build/libs/cas.war --management.endpoint.health.group="..."
cas.war
with an embedded server container and can be found in the build/libs
directory.
management.endpoint.health.logging.slow-indicator-threshold=10s
Threshold after which a warning will be logged for slow health indicators.
org.springframework.boot.actuate.autoconfigure.health.HealthEndpointProperties$Logging.
CAS Property: management.endpoint.health.logging.slow-indicator-threshold
When possible, properties should be stored in lower-case kebab format, such as cas.property-name=value
.
The only possible exception to this rule is when naming actuator endpoints; The name of the
actuator endpoints (i.e. ssoSessions
) MUST remain in camelCase mode.
.properties
files:
1
management.endpoint.health.logging.slow-indicator-threshold=10s
management:
endpoint:
health:
logging:
slow-indicator-threshold: "10s"
1
java -Dmanagement.endpoint.health.logging.slow-indicator-threshold="10s" -jar build/libs/cas.war
cas.war
with an embedded server container and can be found in the build/libs
directory. Note the placement of the system property which must be
specified before the CAS web application is launched.
1
2
3
export MANAGEMENT_ENDPOINT_HEALTH_LOGGING_SLOW_INDICATOR_THRESHOLD="10s"
java -jar build/libs/cas.war
cas.war
with an embedded server container and can be found in the build/libs
directory.
1
java -jar build/libs/cas.war --management.endpoint.health.logging.slow-indicator-threshold="10s"
cas.war
with an embedded server container and can be found in the build/libs
directory.
spring.security.user.name=user
Default user name.
CAS Property:
|
1 |
spring.security.user.name=user |
spring:
security:
user:
name: "user"
1
java -Dspring.security.user.name="user" -jar build/libs/cas.war
cas.war
with an embedded server container and can be found in the build/libs
directory. Note the placement of the system property which must be
specified before the CAS web application is launched.
1
2
3
export SPRING_SECURITY_USER_NAME="user"
java -jar build/libs/cas.war
cas.war
with an embedded server container and can be found in the build/libs
directory.
1
java -jar build/libs/cas.war --spring.security.user.name="user"
cas.war
with an embedded server container and can be found in the build/libs
directory.
spring.security.user.password=
Password for the default user name.
org.springframework.boot.autoconfigure.security.SecurityProperties$User.
CAS Property: spring.security.user.password
When possible, properties should be stored in lower-case kebab format, such as cas.property-name=value
.
The only possible exception to this rule is when naming actuator endpoints; The name of the
actuator endpoints (i.e. ssoSessions
) MUST remain in camelCase mode.
.properties
files:
1
spring.security.user.password=...
spring:
security:
user:
password: "..."
1
java -Dspring.security.user.password="..." -jar build/libs/cas.war
cas.war
with an embedded server container and can be found in the build/libs
directory. Note the placement of the system property which must be
specified before the CAS web application is launched.
1
2
3
export SPRING_SECURITY_USER_PASSWORD="..."
java -jar build/libs/cas.war
cas.war
with an embedded server container and can be found in the build/libs
directory.
1
java -jar build/libs/cas.war --spring.security.user.password="..."
cas.war
with an embedded server container and can be found in the build/libs
directory.
spring.security.user.roles=
Granted roles for the default user name.
org.springframework.boot.autoconfigure.security.SecurityProperties$User.
CAS Property: spring.security.user.roles
When possible, properties should be stored in lower-case kebab format, such as cas.property-name=value
.
The only possible exception to this rule is when naming actuator endpoints; The name of the
actuator endpoints (i.e. ssoSessions
) MUST remain in camelCase mode.
.properties
files:
1
spring.security.user.roles=...
spring:
security:
user:
roles: "..."
1
java -Dspring.security.user.roles="..." -jar build/libs/cas.war
cas.war
with an embedded server container and can be found in the build/libs
directory. Note the placement of the system property which must be
specified before the CAS web application is launched.
1
2
3
export SPRING_SECURITY_USER_ROLES="..."
java -jar build/libs/cas.war
cas.war
with an embedded server container and can be found in the build/libs
directory.
1
java -jar build/libs/cas.war --spring.security.user.roles="..."
cas.war
with an embedded server container and can be found in the build/libs
directory.
For basic authentication, the default username is casuser
. The password may be automatically generated at startup and displayed in CAS logs if it is left undefined in CAS settings. Additional sources may also be defined that would authenticate the request via JAAS, LDAP, JDBC, etc.
This option allows you to define a static list of users, passwords along with their role in a JSON file. The JSON file should be formatted as follows:
json
[
{
"username": "casuser",
"password": "{sha512}<hashed-password>",
"authorities": [ "ROLE_ADMIN" ]
}
]
Supported password encoding schemes are:
{sha512}
, {sha256}
, {bcrypt}
,
{noop}
, {pbkdf2}
, {scrypt}
,
{argon2}
.
Once endpoints are enabled and exposed, the security of all provided endpoints is handled by the Spring Security project. Protection and access to each endpoint is controlled via CAS settings individually such that you may decide a specific security level and method of authentication for each endpoint independently.
- If CAS is configured to NOT enforce endpoint security rules, then all endpoints are considered sensitive and require authentication, typically handled via basic authentication with master credentials defined in CAS settings.
- If CAS is configured to enforce endpoint security rules, then each endpoint may be tagged with a specific security rule allowing access via authorized IP addresses, basic credentials, roles and attributes, etc.
There is a special endpoint named defaults
which serves as a shortcut that
controls the security of all endpoints, if left undefined in CAS settings.
To enable additional logging, configure the log4j configuration file to add the following levels:
1
2
3
4
5
6
7
8
<Logger name="org.pac4j" level="debug" additivity="false">
<AppenderRef ref="console" />
<AppenderRef ref="file" />
</Logger>
<Logger name="org.springframework.security" level="debug" additivity="false">
<AppenderRef ref="console" />
<AppenderRef ref="file" />
</Logger>
Storage
The following options may be used to store events in CAS.
Storage | Description |
---|---|
MongoDb | See this guide. |
DynamoDb | See this guide. |
Redis | See this guide. |
JPA | See this guide. |
InfluxDb | See this guide. |
Memory | See this guide. |