It's the only way currently - to re-define the bean with no-op impl, as the core config is tightly coupled to the *cas.authn.pm.core.password-policy-pattern* property condition: https://github.com/apereo/cas/blob/4fecb5ab2aca9d76a60144925b686001d3ac5cbc/support/cas-server-support-pm-webflow/src/main/java/org/apereo/cas/config/PasswordManagementWebflowConfiguration.java#L434
D.

On Mon, Nov 3, 2025 at 8:39 AM Y G <[email protected]> wrote:

> Hello everyone,
> After upgrading to 7.3.0 (from 6.x) I see that users with weak passwords are getting HTTP 500 with message "Detected weak password for user *USERNAME*" on REST responses. And for the web UI side, I see that they're forced to change their passwords. Users can get their passwords changed regularly, so with and not to cut off these users' operations in mind, I'm searching for a better solution to disable this feature.
>
> When checking out the source code, I see that this behaviour consists of auto-registration of PasswordStrengthAuthenticationPostProcessor, and is set up when this configuration exists:
>
> cas.authn.pm.core.password-policy-pattern=^(?=.*[a-z])(?=.*[A-Z])(?=.*\d)(?=.*[$@$!%*?&])[A-Za-z\d$@$!%*?&]{8,10}
>
> Is there another way to configure this behaviour other than this:
>
> /**
>  * By default, CAS checks if a given password is weak when authenticating a user. This check is
>  * enabled by default when a regex value is given to this config:
>  * `cas.authn.pm.core.password-policy-pattern`. It's defined in:
>  * {@link PasswordManagementWebflowConfiguration.PasswordManagementPolicyConfiguration#passwordStrengthAuthenticationPostProcessor}
>  * and configured in:
>  * {@link PasswordManagementWebflowConfiguration.PasswordManagementPolicyConfiguration#passwordManagementAuthenticationExecutionPlanConfigurer}
>  *
>  * So in order to disable these checks when authenticating users,
>  * I've overridden the bean like this:
>  */
> @Bean
> @RefreshScope(proxyMode = ScopedProxyMode.DEFAULT)
> @ConditionalOnMissingBean(name = "passwordStrengthAuthenticationPostProcessor")
> public AuthenticationPostProcessor passwordStrengthAuthenticationPostProcessor() {
>     // No-op post-processor
>     return AuthenticationPostProcessor.none();
> }
>
> I think there should be another configuration that enables/disables this post processor, other than the password-policy-pattern which is in tandem with password management's reset functionality.
>
> Thank you and have a nice day.
> YG
>
> --
> - Website: https://apereo.github.io/cas
> - List Guidelines: https://goo.gl/1VRrw7
> - Contributions: https://goo.gl/mh7qDG
> ---
> You received this message because you are subscribed to the Google Groups "CAS Community" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
> To view this discussion visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/2ecc0260-e0bb-418b-983e-fc6a3ef62201n%40apereo.org
To view this discussion visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/CAMpiYKja1Zujf2_RPheRBBAXmPkOOxogxswpZoei9c82edSvrw%40mail.gmail.com.
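For readers following the thread, here is the bean override from the question wrapped in a complete overlay configuration class, with a startup log line so an operator can confirm from the CAS log which definition actually won. This is an added example, not code from the thread, from the CAS project, or from its documentation. The package name, the class name, the use of @AutoConfiguration, and the registration file path (src/main/resources/META-INF/spring/org.springframework.boot.autoconfigure.AutoConfiguration.imports) are assumptions about a typical CAS 7.x WAR overlay layout; check them against the CAS version you run. Note what the override changes and what it does not: it removes the weak-password rejection at authentication time for every login, while cas.authn.pm.core.password-policy-pattern keeps governing password reset and change flows, exactly as the original poster described.

```java
// Added example, not code from the thread or from the CAS project.
// Package, class name and registration file path are assumptions for a CAS 7.x overlay.
package org.example.cas.config;

import org.apereo.cas.authentication.AuthenticationPostProcessor;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.boot.autoconfigure.AutoConfiguration;
import org.springframework.boot.autoconfigure.condition.ConditionalOnMissingBean;
import org.springframework.cloud.context.config.annotation.RefreshScope;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.ScopedProxyMode;

/**
 * Replaces the CAS-provided passwordStrengthAuthenticationPostProcessor bean with a no-op,
 * so that logins are no longer rejected with "Detected weak password for user ..." while
 * cas.authn.pm.core.password-policy-pattern still drives the password reset/change policy.
 *
 * Registration (assumed overlay layout): list the fully qualified name of this class in
 *   src/main/resources/META-INF/spring/org.springframework.boot.autoconfigure.AutoConfiguration.imports
 * so that Spring Boot loads it alongside CAS's own auto-configuration.
 */
@AutoConfiguration
public class NoWeakPasswordCheckConfiguration {

    private static final Logger LOGGER = LoggerFactory.getLogger(NoWeakPasswordCheckConfiguration.class);

    @Bean
    @RefreshScope(proxyMode = ScopedProxyMode.DEFAULT)
    @ConditionalOnMissingBean(name = "passwordStrengthAuthenticationPostProcessor")
    public AuthenticationPostProcessor passwordStrengthAuthenticationPostProcessor() {
        // Emitted once when this bean is created. If this line is missing from the startup log,
        // the CAS-provided bean was registered first and weak-password logins are still rejected.
        LOGGER.warn("Weak-password check at authentication time is disabled by overlay configuration; "
                + "cas.authn.pm.core.password-policy-pattern still applies to password reset/change flows");
        return AuthenticationPostProcessor.none();
    }
}
```

Because both the CAS configuration and this class guard the bean with @ConditionalOnMissingBean on the same name, whichever definition Spring processes first is the one that takes effect; the log line exists so that outcome is visible at startup rather than discovered through a user's HTTP 500.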
