Hello everybody,
To make sure not to leak any usernames existing in the system in case of 
brute forcing against the TGT generation endpoint, I'm looking for a way to 
make sure the same response is returned when generating a TGT with:
- a user that is not found in the authentication sources
- a user whose password is incorrect

Currently, I see that you can customize the error messages with bundle 
messages like this:

authenticationFailure.AccountNotFoundException=Credentials are rejected/invalid and authentication attempt has failed.
authenticationFailure.FailedLoginException=Credentials are rejected/invalid and authentication attempt has failed.

but even if I set the same values for them, because the exception message is 
included in the response (prepared here 
<https://github.com/apereo/cas/blob/master/support/cas-server-support-rest-core/src/main/java/org/apereo/cas/support/rest/resources/RestResourceUtils.java#L70-L71>),
my case cannot be achieved and I see this happening:

{
  "@class" : "java.util.HashMap",
  "authentication_exceptions" : [ "java.util.ArrayList", [ "Password does not match value on record.:Credentials are rejected/invalid and authentication attempt has failed." ] ]
}

{
  "@class" : "java.util.HashMap",
  "authentication_exceptions" : [ "java.util.ArrayList", [ "USERNAME not found with SQL query:Credentials are rejected/invalid and authentication attempt has failed." ] ]
}

You can guess which one is the invalid username and which is the invalid 
password.
So my question is: is there an easy way for me to not display exception 
messages in the response text? Currently, I'm trying to override the 
method createTicketGrantingTicket 
<https://github.com/apereo/cas/blob/master/support/cas-server-support-rest-core/src/main/java/org/apereo/cas/support/rest/resources/TicketGrantingTicketResource.java#L95-L110>
and override the bean with the overridden one, but it's not written as 
overridable here 
<https://github.com/apereo/cas/blob/master/support/cas-server-support-rest/src/main/java/org/apereo/cas/config/CasRestAutoConfiguration.java#L177-L192>,
so I went to the lengths of using a SmartInitializingSingleton (a Spring 
bean lifecycle callback) and replacing the POST mapping 
using requestMappingHandlerMapping.

Any ideas would be appreciated.

Have a nice day,
YG
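The enumeration problem in the post comes down to how the failure body is built: the handler-specific exception message ("USERNAME not found with SQL query" vs. "Password does not match value on record.") is prepended to the bundle text, so the two failure modes produce different bodies even when both bundle keys hold the same string. The following is an added example, not code from the post or from CAS, that reconstructs the observed body shape alongside a version built from the bundle text alone, plus a check that flags whether a set of failure responses is distinguishable. The exception classes, the MESSAGE_BUNDLE dictionary and the function names are constructed for illustration; only the JSON layout and the message strings are taken from the post.

```python
import json

GENERIC_MESSAGE = ("Credentials are rejected/invalid and "
                   "authentication attempt has failed.")


# Constructed stand-ins for the two failure modes described in the post.
# The classes are hypothetical; only their messages mirror the post's output.
class AccountNotFoundException(Exception):
    pass


class FailedLoginException(Exception):
    pass


# Hypothetical equivalent of the authenticationFailure.* bundle keys,
# keyed by exception class name only (never by the exception's own text).
MESSAGE_BUNDLE = {
    "AccountNotFoundException": GENERIC_MESSAGE,
    "FailedLoginException": GENERIC_MESSAGE,
}


def leaky_body(exc: Exception) -> str:
    """Rebuilds the pattern the post observes: '<exception message>:<bundle text>'.

    The handler-specific message is the part that lets a client tell
    'unknown user' from 'wrong password'.
    """
    bundle_text = MESSAGE_BUNDLE.get(type(exc).__name__, GENERIC_MESSAGE)
    body = {
        "@class": "java.util.HashMap",
        "authentication_exceptions": [
            "java.util.ArrayList", [f"{exc}:{bundle_text}"]
        ],
    }
    return json.dumps(body, sort_keys=True)


def safe_body(exc: Exception) -> str:
    """Builds the body from bundle text alone, looked up by exception class.

    Exception classes with no bundle entry fall back to the generic text, so
    adding a new authentication handler cannot quietly reintroduce a
    distinguishing message.
    """
    bundle_text = MESSAGE_BUNDLE.get(type(exc).__name__, GENERIC_MESSAGE)
    body = {
        "@class": "java.util.HashMap",
        "authentication_exceptions": ["java.util.ArrayList", [bundle_text]],
    }
    return json.dumps(body, sort_keys=True)


def distinguishable(bodies) -> bool:
    """True if any two failure responses differ, i.e. the bodies alone let a
    client separate 'account exists' from 'account does not exist'."""
    return len(set(bodies)) > 1


# Constructed failures carrying the exact messages shown in the post.
FAILURES = [
    AccountNotFoundException("USERNAME not found with SQL query"),
    FailedLoginException("Password does not match value on record."),
]


if __name__ == "__main__":
    print("leaky bodies distinguishable:",
          distinguishable([leaky_body(e) for e in FAILURES]))   # True
    print("safe bodies distinguishable:",
          distinguishable([safe_body(e) for e in FAILURES]))    # False
```

Whatever mechanism ends up intercepting the response (the SmartInitializingSingleton approach in the post or an upstream change), the property worth asserting in a regression test is the one `distinguishable` checks: every authentication failure, including unmapped exception types, yields a byte-identical body. The same comparison should be extended to the HTTP status code and headers, since a body-only check misses differences there.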


-- 
- Website: https://apereo.github.io/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
To view this discussion visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/7ffb6582-0487-4142-a993-395689c16d66n%40apereo.org.