If you want to override that method, you can modify the class, keeping the package and class name. The war overlay will replace the one provided in cas with yours.
Ray

P.S. Remember to check for changes when you upgrade.

________________________________
From: [email protected] <[email protected]> on behalf of Y G <[email protected]>
Sent: November 19, 2025 08:09
To: CAS Community <[email protected]>
Subject: [cas-user] Security concern on using TGT generation rest request

Hello everybody,

To make sure not to leak any usernames existing in the system in case of brute forcing of the TGT generation endpoint, I'm looking for a way to make sure the same response is returned when generating a TGT with:

- a user that is not found on authentication sources
- a user whose password is incorrect

Currently, I see that you can customize the error messages with bundle messages like this:

    authenticationFailure.AccountNotFoundException=Credentials are rejected/invalid and authentication attempt has failed.
    authenticationFailure.FailedLoginException=Credentials are rejected/invalid and authentication attempt has failed.

but even if I set the same values in them, because the exception message is shown in the response (prepared here: https://github.com/apereo/cas/blob/master/support/cas-server-support-rest-core/src/main/java/org/apereo/cas/support/rest/resources/RestResourceUtils.java#L70-L71), my case cannot be achieved and I see this happening:

    { "@class" : "java.util.HashMap", "authentication_exceptions" : [ "java.util.ArrayList", [ "Password does not match value on record.:Credentials are rejected/invalid and authentication attempt has failed." ] ] }

    { "@class" : "java.util.HashMap", "authentication_exceptions" : [ "java.util.ArrayList", [ "USERNAME not found with SQL query:Credentials are rejected/invalid and authentication attempt has failed." ] ] }

You can guess which is the invalid username or password. So my question is, is there an easy way for me to not display exception messages in the response texts?
Currently, I'm trying to override the method createTicketGrantingTicket (https://github.com/apereo/cas/blob/master/support/cas-server-support-rest-core/src/main/java/org/apereo/cas/support/rest/resources/TicketGrantingTicketResource.java#L95-L110) and override the bean with the overridden one, but it's not written as overridable here (https://github.com/apereo/cas/blob/master/support/cas-server-support-rest/src/main/java/org/apereo/cas/config/CasRestAutoConfiguration.java#L177-L192), so I went to the lengths of using a SmartInitializingSingleton (a Spring bean lifecycle callback) and replacing the post mapping using requestMappingHandlerMapping. Any ideas would be appreciated.

Have a nice day,
YG

--
- Website: https://apereo.github.io/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google Groups "CAS Community" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To view this discussion visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/7ffb6582-0487-4142-a993-395689c16d66n%40apereo.org.
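As an added stand-alone illustration (not code from CAS or from anyone in the thread), here is the difference YG is after in plain Java: the leaky builder reproduces the observed `exception message:bundle message` concatenation, while the uniform builder is the shape an overlay override of the response-building class would aim for. Class and method names are assumed; the JDK's javax.security.auth.login exceptions stand in for the handler errors.

```java
import javax.security.auth.login.AccountNotFoundException;
import javax.security.auth.login.FailedLoginException;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;
import java.util.stream.Collectors;

/** Illustration only: assumed names, not CAS's own RestResourceUtils. */
public final class UniformAuthnFailureResponse {

    /** The one message a client should see for any credential failure. */
    static final String GENERIC_MESSAGE =
        "Credentials are rejected/invalid and authentication attempt has failed.";

    /** Leaky shape from the thread: handler exception text + ":" + bundle message, per failed handler. */
    static Map<String, Object> leakyModel(Map<String, Throwable> handlerErrors) {
        List<String> messages = handlerErrors.values().stream()
            .map(ex -> ex.getMessage() + ":" + GENERIC_MESSAGE)
            .collect(Collectors.toList());
        return model(messages);
    }

    /** Hardened shape: one generic entry regardless of cause or of how many handlers failed. */
    static Map<String, Object> uniformModel(Map<String, Throwable> handlerErrors) {
        // Keep the real cause for server-side logs only; it is never copied into the response.
        handlerErrors.forEach((handler, ex) ->
            System.err.println("authn failure in " + handler + ": " + ex.getClass().getSimpleName()));
        return model(List.of(GENERIC_MESSAGE));
    }

    private static Map<String, Object> model(List<String> messages) {
        Map<String, Object> model = new LinkedHashMap<>();
        model.put("authentication_exceptions", messages);
        return model;
    }

    public static void main(String[] args) {
        // Constructed handler errors matching the two cases compared in the thread.
        Map<String, Throwable> unknownUser = Map.of("jdbc",
            new AccountNotFoundException("USERNAME not found with SQL query"));
        Map<String, Throwable> wrongPassword = Map.of("jdbc",
            new FailedLoginException("Password does not match value on record."));

        System.out.println("leaky:   " + leakyModel(unknownUser) + "  |  " + leakyModel(wrongPassword));
        System.out.println("uniform: " + uniformModel(unknownUser) + "  |  " + uniformModel(wrongPassword));
        // The hardened responses are identical, so the client cannot tell the two cases apart.
        if (!uniformModel(unknownUser).equals(uniformModel(wrongPassword))) throw new AssertionError();
    }
}
```

Whatever class ends up overridden in the overlay, the check to keep is the last line: build the response for both failure cases and assert they are equal, so a future CAS upgrade that reintroduces the exception text is caught in tests rather than by a probing client.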
