Configuration Server

As your CAS deployment moves through the deployment pipeline from dev to test and into production you can manage the configuration between those environments and be certain that applications have everything they need to run when they migrate through the use of an external configuration server provided by the Spring Cloud project. As an alternative, you may decide to run CAS in a standalone mode removing the need for external configuration server deployment, though at the cost of losing features and capabilities relevant for a cloud deployment.

Configuration Profiles

The CAS server web application responds to the following strategies that dictate how settings should be consumed.

Standalone

This is the default configuration mode which indicates that CAS does NOT require connections to an external configuration server and will run in an embedded standalone mode. When this option is turned on, CAS by default will attempt to locate settings and properties inside a given directory and otherwise falls back to using /etc/cas/config as the configuration directory. You may instruct CAS to use this setting via the methods outlined here.

Similar to the Spring Cloud external configuration server, the contents of this directory include (cas|application).(yml|properties) files that can be used to control CAS behavior. Also, note that this configuration directory can be monitored by CAS to auto-pick up changes and refresh the application context as needed. Please review this guide to learn more.

Note that by default, all CAS settings and configuration is controlled via the embedded application.properties file in the CAS server web application. There is also an embedded application.yml file that allows you to override all defaults if you wish to ship the configuration inside the main CAS web application and not rely on externalized configuration files. If you prefer properties to yaml, then application-standalone.properties will override application.properties as well.

Settings found in external configuration files are and will be able to override the defaults provided by CAS. The naming of the configuration files inside the CAS configuration directory follows the below pattern:

  • An application.(properties|yml|yaml) file is always loaded, if found.
  • Settings located inside properties|yml|yaml files whose name matches the value of spring.application.name are loaded (i.e cas.properties) Note: spring.application.name defaults to uppercase CAS but the lowercase name will also be loaded.
  • Settings located inside properties|yml|yaml files whose name matches the value of spring.profiles.active are loaded (i.e ldap.properties).
  • Profile-specific application properties outside of your packaged web application (application-{profile}.properties|yml|yaml) This allows you to, if needed, split your settings into multiple property files and then locate them by assigning their name to the list of active profiles (i.e. spring.profiles.active=standalone,testldap,stagingMfa)

Configuration files are loaded in the following order where spring.profiles.active=standalone,profile1,profile2. Note that the last configuration file loaded will override any duplicate properties from configuration files loaded earlier:

  1. application.(properties|yml|yaml)
  2. (lower case) spring.application.name.(properties|yml|yaml)
  3. spring.application.name.(properties|yml|yaml)
  4. application-standalone.(properties|yml|yaml)
  5. standalone.(properties|yml|yaml)
  6. application-profile1.(properties|yml|yaml)
  7. profile1.(properties|yml|yaml)
  8. application-profile2.(properties|yml|yaml)
  9. profile2.(properties|yml|yaml)

If two configuration files with same base name and different extensions exist, they are processed in the order of properties, yml and then yaml and then groovy (last one processed wins where duplicate properties exist). These external configuration files will override files located in the classpath (e.g. files from src/main/resources in your CAS overlay that end up in WEB-INF/classes) but the internal files are loaded per the Spring Boot rules which differ from the CAS standalone configuration rules described here (e.g. <profile>.properties would not be loaded from classpath but application-<profile>.properties would).

Handling Overrides

Remember

You are advised to not overlay or otherwise modify the built in application.properties or bootstrap.properties files. This will only complicate and weaken your deployment. Instead try to comply with the CAS defaults and bootstrap CAS as much as possible via the defaults, override via application.yml, application-standalone.properties or use the outlined strategies. Likewise, try to instruct CAS to locate configuration files external to its own. Premature optimization will only lead to chaos.

The following settings and properties are available from the CAS configuration catalog:

The configuration settings listed below are tagged as Required in the CAS configuration metadata. This flag indicates that the presence of the setting may be needed to activate or affect the behavior of the CAS feature and generally should be reviewed, possibly owned and adjusted. If the setting is assigned a default value, you do not need to strictly put the setting in your copy of the configuration, but should review it nonetheless to make sure it matches your deployment expectations.

The configuration settings listed below are tagged as Optional in the CAS configuration metadata. This flag indicates that the presence of the setting is not immediately necessary in the end-user CAS configuration, because a default value is assigned or the activation of the feature is not conditionally controlled by the setting value.

The configuration settings listed below are tagged as Third Party in the CAS configuration metadata. This flag indicates that the configuration setting is not controlled, owned or managed by the CAS ecosystem, and affects functionality that is offered by a third-party library, such as Spring Boot or Spring Cloud to CAS. For additional info, you might have to visit the third-party source to find more details.

  • spring.cloud.config.allow-override=true
  • Flag to indicate that #isOverrideSystemProperties() systemPropertiesOverride can be used. Set to false to prevent users from changing the default accidentally. Default true.

  • spring.cloud.config.override-none=false
  • Flag to indicate that when #setAllowOverride(boolean) allowOverride is true, external properties should take lowest priority and should not override any existing property sources (including local config files). Default false.

  • spring.cloud.config.override-system-properties=true
  • Flag to indicate that the external properties should override system properties. Default true.

    Configuration Metadata

    The collection of configuration properties listed in this section are automatically generated from the CAS source and components that contain the actual field definitions, types, descriptions, modules, etc. This metadata may not always be 100% accurate, or could be lacking details and sufficient explanations.

    Be Selective

    This section is meant as a guide only. Do NOT copy/paste the entire collection of settings into your CAS configuration; rather pick only the properties that you need. Do NOT enable settings unless you are certain of their purpose and do NOT copy settings into your configuration only to keep them as reference. All these ideas lead to upgrade headaches, maintenance nightmares and premature aging.

    YAGNI

    Note that for nearly ALL use cases, declaring and configuring properties listed below is sufficient. You should NOT have to explicitly massage a CAS XML/Java/etc configuration file to design an authentication handler, create attribute release policies, etc. CAS at runtime will auto-configure all required changes for you. If you are unsure about the meaning of a given CAS setting, do NOT turn it on without hesitation. Review the codebase or better yet, ask questions to clarify the intended behavior.

    Naming Convention

    Property names can be specified in very relaxed terms. For instance cas.someProperty, cas.some-property, cas.some_property are all valid names. While all forms are accepted by CAS, there are certain components (in CAS and other frameworks used) whose activation at runtime is conditional on a property value, where this property is required to have been specified in CAS configuration using kebab case. This is both true for properties that are owned by CAS as well as those that might be presented to the system via an external library or framework such as Spring Boot, etc. When possible, properties should be stored in lower-case kebab format, such as cas.property-name=value.S ettings and properties that are controlled by the CAS platform directly always begin with the prefix cas. All other settings are controlled and provided to CAS via other underlying frameworks and may have their own schemas and syntax. BE CAREFUL with the distinction. Unrecognized properties are rejected by CAS and/or frameworks upon which CAS depends. This means if you somehow misspell a property definition or fail to adhere to the dot-notation syntax and such, your setting is entirely refused by CAS and likely the feature it controls will never be activated in the way you intend.

    Validation

    Configuration properties are automatically validated on CAS startup to report issues with configuration binding, specially if defined CAS settings cannot be recognized or validated by the configuration schema. The validation process is on by default and can be skipped on startup using a special system property SKIP_CONFIG_VALIDATION that should be set to true. Additional validation processes are also handled via Configuration Metadata and property migrations applied automatically on startup by Spring Boot and family.

    Indexed Settings

    CAS settings able to accept multiple values are typically documented with an index, such as cas.some.setting[0]=value. The index [0] is meant to be incremented by the adopter to allow for distinct multiple configuration blocks.

    Spring Cloud

    CAS is able to use an external and central configuration server to obtain state and settings. The configuration server provides a very abstract way for CAS (and all of its other clients) to obtain settings from a variety of sources, such as file system, git or svn repositories, MongoDb databases, Vault, etc. The beauty of this solution is that to the CAS web application server, it matters not where settings come from and it has no knowledge of the underlying property sources. It talks to the configuration server to locate settings and move on.

    Configuration Security

    This is a very good strategy to ensure configuration settings are not scattered around various deployment environments leading to a more secure deployment. The configuration server need not be exposed to the outside world, and it can safely and secure be hidden behind firewalls, etc allowing access to only authorized clients such as the CAS server web application.

    A full comprehensive guide is provided by the Spring Cloud project.

    Overlay

    The configuration server itself, similar to CAS, can be deployed using the CAS Initializr.

    implementation "org.apereo.cas:cas-server-webapp-config-server:${project.'cas.version'}"
    <dependency>
      <groupId>org.apereo.cas</groupId>
      <artifactId>cas-server-webapp-config-server</artifactId>
      <version>${cas.version}</version>
    </dependency>
    dependencyManagement {
      imports {
        mavenBom "org.apereo.cas:cas-server-support-bom:${project.'cas.version'}"
      }
    }
    
    dependencies {  
      implementation "org.apereo.cas:cas-server-webapp-config-server"
    }

    In addition to the strategies outlined here, the configuration server may load CAS settings and properties via the following order and mechanics:

    1. Profile-specific application properties outside of your packaged web application (application-{profile}.properties|yml)
    2. Profile-specific application properties packaged inside your jar (application-{profile}.properties|yml)
    3. Application properties outside of your packaged jar (application.properties|yml).
    4. Application properties packaged inside your jar (application.properties|yml).

    The configuration and behavior of the configuration server is also controlled by its own src/main/resources/bootstrap.properties file. By default, it runs under port 8888 at /casconfigserver inside an embedded Apache Tomcat server whose endpoints are protected with basic authentication where the default credentials are casuser and an auto-generated password defined in src/main/resources/application.properties.

    Furthermore, by default it runs under a native profile described below.

    The following endpoints are secured and exposed by the configuration server:

    Parameter Description
    /encrypt Accepts a POST to encrypt CAS configuration settings.
    /decrypt Accepts a POST to decrypt CAS configuration settings.
    /actuator/refresh Accepts a POST and attempts to refresh the internal state of configuration server.
    /actuator/env Accepts a GET and describes all configuration sources of the configuration server.
    /actuator/cas/default Describes what the configuration server knows about the default settings profile.
    /actuator/cas/native Describes what the configuration server knows about the native settings profile.

    Once you have the configuration server deployed and assuming the credentials used to secure the configuration server match the example below, you can observe the collection of settings via:

    1
    
    curl -u casuser:Mellon https://config.server.url:8888/casconfigserver/cas/native
    

    Assuming actuator endpoints are enabled in the configuration, you can also observe the collection of property sources that provide settings to the configuration server:

    1
    
    curl -u casuser:Mellon https://config.server.url:8888/casconfigserver/actuator/env
    
    Actuator Endpoints

    Remember that actuator endpoints typically are prefixed with /actuator.

    Clients and Consumers

    To let the CAS server web application (or any other client for that matter) talk to the configuration server, the following settings need to be applied to CAS’ own src/main/resources/bootstrap.properties file. The properties to configure the CAS server web application as the client of the configuration server must necessarily be read in before the rest of the application’s configuration is read from the configuration server, during the bootstrap phase.

    1
    2
    3
    4
    
    spring.cloud.config.uri=https://casuser:Mellon@config.server.url:8888/casconfigserver
    spring.cloud.config.profile=native
    spring.cloud.config.enabled=true
    spring.profiles.active=default
    

    Remember that configuration server serves property sources from /{name}/{profile}/{label} to applications, where the default bindings in the client app are the following:

    1
    2
    3
    
    "name" = ${spring.application.name}
    "profile" = ${spring.profiles.active}
    "label" = "master"
    

    All of them can be overridden by setting spring.cloud.config.* (where * is name, profile or label). The “label” is useful for rolling back to previous versions of configuration; with the default Config Server implementation it can be a git label, branch name or commit id. Label can also be provided as a comma-separated list, in which case the items in the list are tried on-by-one until one succeeds. This can be useful when working on a feature branch, for instance, when you might want to align the config label with your branch, but make it optional (e.g. spring.cloud.config.label=myfeature,develop).

    To lean more about how CAS allows you to reload configuration changes, please review this guide.

    Profiles

    Various profiles exist to determine how configuration server should retrieve properties and settings.

    Native

    The server is configured by default to load cas.(properties|yml) files from an external location that is /etc/cas/config. This location is constantly monitored by the server to detect external changes. Note that this location needs to exist, and does not require any special permissions or structure. The name of the configuration file that goes inside this directory needs to match the spring.application.name (i.e. cas.properties).

    The following settings and properties are available from the CAS configuration catalog:

    The configuration settings listed below are tagged as Required in the CAS configuration metadata. This flag indicates that the presence of the setting may be needed to activate or affect the behavior of the CAS feature and generally should be reviewed, possibly owned and adjusted. If the setting is assigned a default value, you do not need to strictly put the setting in your copy of the configuration, but should review it nonetheless to make sure it matches your deployment expectations.

    The configuration settings listed below are tagged as Optional in the CAS configuration metadata. This flag indicates that the presence of the setting is not immediately necessary in the end-user CAS configuration, because a default value is assigned or the activation of the feature is not conditionally controlled by the setting value.

    The configuration settings listed below are tagged as Third Party in the CAS configuration metadata. This flag indicates that the configuration setting is not controlled, owned or managed by the CAS ecosystem, and affects functionality that is offered by a third-party library, such as Spring Boot or Spring Cloud to CAS. For additional info, you might have to visit the third-party source to find more details.

  • spring.cloud.config.server.native.add-label-locations=true
  • Flag to determine whether label locations should be added.

  • spring.cloud.config.server.native.default-label=master
  • spring.cloud.config.server.native.fail-on-error=false
  • Flag to determine how to handle exceptions during decryption (default false).

  • spring.cloud.config.server.native.order=
  • spring.cloud.config.server.native.search-locations=
  • Locations to search for configuration files. Defaults to the same as a Spring Boot app so [classpath:/,classpath:/config/,file:./,file:./config/].

  • spring.cloud.config.server.native.version=
  • Version string to be reported for native repository.