Monitoring / Statistics
The following endpoints are available and secured by CAS:
URL | Description |
---|---|
/status/dashboard |
The control panel to CAS server functionality and management. |
/status |
Monitor CAS status and other underlying components. |
/status/sso |
Describes if there exists an active SSO session for this request tied to this browser session. |
/status/swf |
Describes the current configured state of CAS webflow in JSON. |
/status/stats |
Visual representation of CAS statistics with graphs and charts, etc. |
/status/logging |
Monitor CAS logs in a streaming fashion and review the audit log. |
/status/config |
Visual representation of application properties and configuration. |
/status/ssosessions |
Reports active SSO sessions. Examine attributes, services and log users out. |
/status/services |
Reports the collection of applications registered with CAS. |
/status/trustedDevs |
Reports on the registered trusted devices/browsers. |
/status/authnEvents |
When enabled, reports on the events captured by CAS. |
/status/attrresolution |
Examine resolution of user attributes via CAS attribute resolution. |
The following endpoints are secured and available by Spring Boot actuators:
URL | Description |
---|---|
/status/autoconfig |
Describes how the CAS application context is auto-configured. |
/status/beans |
Displays all CAS application context internal Spring beans. |
/status/configprops |
List of internal configuration properties. |
/status/dump |
Produces a thread dump for the running CAS server. |
/status/env |
Produces a collection of all application properties. |
/status/health |
Reports back general health status of the system, produced by various monitors. |
/status/info |
CAS version information and other system traits. |
/status/metrics |
Runtime metrics and stats. |
/status/mappings |
Describes how requests are mapped and handled by CAS. |
/status/shutdown |
Shut down the application via a POST . Disabled by default. |
/status/restart |
Restart the application via a POST . Disabled by default. |
/status/refresh |
Refresh the application configuration via a POST to let components reload and recognize new values. |
Actuator endpoints provided by Spring Boot can also be visually managed and monitored via the Spring Boot Administration Server.
Security
All urls that are scoped to the /status
endpoint are modeled after Spring Boot’s own actuator endpoints
and by default are considered sensitive
. By default, no endpoint is enabled or allowed access.
Endpoints may go through multiple levels and layers of security described here:
- All endpoints may be globally considered
sensitive
. - Spring Boot’s actuator endpoints may be individually marked as
sensitive
orenabled
. - Similarly, CAS endpoints may be individually marked as
sensitive
orenabled
. - In the event that access to an endpoint is allowed, (i.e endpoint is enabled and is not marked as sensitive), CAS will attempt
to control access by enforcing rules via IP address matching, delegating to itself, etc. The
/status
endpoint is always protected by an IP pattern. The other administrative endpoints however can optionally be protected by the CAS server. Failing to secure these endpoints via a CAS instance will have CAS fallback onto the IP range.- If you decide to protect other administrative endpoints via CAS itself, you will need to provide a reference to the list of authorized users in the CAS configuration. You may also enforce authorization rules via Service-based Access Strategy features of CAS.
Allowing access to the /status
endpoint
via IP address matching needs to be very carefully designed, specially in cases where CAS is deployed behind a proxy
such as Apache. Be sure to test access rules and policies carefully or otherwise devise your own.
To see the relevant list of CAS properties, please review this guide.
Spring Security
Alternatively, you may design the security of CAS /status
endpoints to take advantage
of Spring Security.
After all, that’s what sensitive
is designed to do. Using this model and via CAS settings, you get to define
the authentication scheme (i.e. BASIC
) as well
as the protected/ignored paths and pre-defined “master” username/password that is used for authentication.
If the password is left blank, a random password will be generated/printed in the logs by default.
Besides the master credentials, backend authentication support via LDAP and JDBC storage facilities are also available.
Support is enabled by including the following module in the WAR overlay:
1
2
3
4
5
<dependency>
<groupId>org.apereo.cas</groupId>
<artifactId>cas-server-webapp-config-security</artifactId>
<version>${cas.version}</version>
</dependency>
To see the relevant list of CAS properties, please review this guide.
Monitors
Monitors allow you to watch the internal state of a given CAS component. See this guide for more info.
Distributed Tracing
Support for distributed tracing of requests is enabled by including the following dependency in the WAR overlay:
1
2
3
4
5
<dependency>
<groupId>org.apereo.cas</groupId>
<artifactId>cas-server-support-sleuth</artifactId>
<version>${cas.version}</version>
</dependency>
For most users Sleuth should be invisible, and all interactions with external systems should be instrumented automatically.
Trace data is captured automatically and passed along to Zipkin, which helps gather timing data needed to troubleshoot latency problems.
To see the relevant list of CAS properties, please review this guide.
Troubleshooting
To enable additional logging, modify the logging configuration file to add the following:
1
2
3
4
<AsyncLogger name="org.springframework.cloud" level="debug" additivity="false">
<AppenderRef ref="casConsole"/>
<AppenderRef ref="casFile"/>
</AsyncLogger>
Metrics
Metrics allow to gain insight into the running CAS software, and provide ways to measure the behavior of critical components. See this guide for more info.