Hello again,
Thank you for the reply.
With just overlaying the org.apereo.cas.support.rest.resources.RestResourceUtils class and
changing the mapExceptionToMessage method to not use the exception message,
I was able to do a quick POC and could remove it and make it uniform.
On my local machine, running the project via java .... -jar build/libs/cas.war and
testing the endpoint responses is just like what I wanted, but it did not
work when I tried the project with gradle bootRun. After editing the
springboot.gradle file's bootRun task like below (commenting out the original classpath and
prioritizing the runtimeClasspath), it worked with that too:
...
bootRun {
    // original config from CAS Initializr
    // classpath = configurations.bootRunConfig +
    //     sourceSets.main.compileClasspath + sourceSets.main.runtimeClasspath
    // for the overlay classes to work with this gradle task.
    // You can drop compileClasspath — runtimeClasspath already covers it.
    classpath = sourceSets.main.runtimeClasspath + configurations.bootRunConfig
    ...
Now I see this result in both of the cases:
{
  "@class": "java.util.HashMap",
  "authentication_exceptions": [
    "java.util.ArrayList",
    [
      "Credentials are rejected/invalid and authentication attempt has failed."
    ]
  ]
}
Now I will not need to make surgical changes using
SmartInitializingSingleton (using overlays for customizations is always
the better answer, what was I thinking :) ).
Thank you and have a nice day.
On Wednesday, 19 November 2025 at 22:26:43 UTC+3, Ray Bon wrote:
> If you want to override that method, you can modify the class, keeping the
> package and class name.
> The war overlay will replace the one provided in cas with yours.
>
> Ray
>
> P.S. Remember to check for changes when you upgrade.
> ------------------------------
> From: [email protected] <[email protected]> on behalf of Y G <[email protected]>
> Sent: November 19, 2025 08:09
> To: CAS Community <[email protected]>
> Subject: [cas-user] Security concern on using TGT generation rest request
>
> Hello everybody,
> To make sure not to leak any usernames existing in the system in case of
> brute forcing of the TGT generation endpoint, I'm looking for a way to make
> sure the same response is returned when generating a TGT with:
> - a user that is not found on authentication sources
> - a user whose password is incorrect
>
> Currently, I see that you can customize the error messages with bundle
> messages like this:
>
> authenticationFailure.AccountNotFoundException=Credentials are
> rejected/invalid and authentication attempt has failed.
> authenticationFailure.FailedLoginException=Credentials are
> rejected/invalid and authentication attempt has failed.
>
> but even if I set the same values in them, because the exception message is
> included in the response (prepared here
> <https://github.com/apereo/cas/blob/master/support/cas-server-support-rest-core/src/main/java/org/apereo/cas/support/rest/resources/RestResourceUtils.java#L70-L71>),
>
> my case cannot be achieved and I see this happening:
>
> {
>   "@class" : "java.util.HashMap",
>   "authentication_exceptions" : [ "java.util.ArrayList", [
>     "Password does not match value on record.:Credentials are rejected/invalid and authentication attempt has failed."
>   ] ]
> }
>
> {
>   "@class" : "java.util.HashMap",
>   "authentication_exceptions" : [ "java.util.ArrayList", [
>     "USERNAME not found with SQL query:Credentials are rejected/invalid and authentication attempt has failed."
>   ] ]
> }
>
> You can guess which one is the invalid username and which the invalid password.
> So my question is: is there an easy way for me to not display exception
> messages in the response texts? Currently, I'm trying to override the
> method createTicketGrantingTicket
> <https://github.com/apereo/cas/blob/master/support/cas-server-support-rest-core/src/main/java/org/apereo/cas/support/rest/resources/TicketGrantingTicketResource.java#L95-L110>
> and override the bean with the overridden one, but it's not written as
> overridable here
> <https://github.com/apereo/cas/blob/master/support/cas-server-support-rest/src/main/java/org/apereo/cas/config/CasRestAutoConfiguration.java#L177-L192>,
>
> so I went to the lengths of using a SmartInitializingSingleton (a Spring
> bean lifecycle callback) and replacing the post mapping
> using requestMappingHandlerMapping.
>
> Any ideas would be appreciated.
>
> Have a nice day,
> YG
>
>
--
- Website: https://apereo.github.io/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google Groups "CAS
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to [email protected].
To view this discussion visit
https://groups.google.com/a/apereo.org/d/msgid/cas-user/3dacc502-2c87-451c-87df-b9056d425f84n%40apereo.org.
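As an added illustration of the point discussed in this thread (this is not code from the thread, nor the CAS project's own RestResourceUtils, and it does not reproduce the CAS method signatures): the class below simulates the exception-to-message mapping step twice, once prefixing the raw exception text as the original output did and once returning only the bundle text. A plain map stands in for the message bundle lookup that CAS does through the ApplicationContext, the two exception types are the JDK classes that appear in the bundle keys above, and the handler name, the exception texts and the DEFAULT_MESSAGE fallback are constructed for the demonstration.

```java
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;
import java.util.Objects;
import javax.security.auth.login.AccountNotFoundException;
import javax.security.auth.login.FailedLoginException;

public class UniformAuthnFailureMessages {

    // Stand-in for the message bundle: both keys deliberately carry the same
    // text, exactly as configured in the original post.
    static final Map<String, String> BUNDLE = Map.of(
        "authenticationFailure.AccountNotFoundException",
            "Credentials are rejected/invalid and authentication attempt has failed.",
        "authenticationFailure.FailedLoginException",
            "Credentials are rejected/invalid and authentication attempt has failed.");

    // Assumed fallback for exception types that have no bundle entry, so that
    // an unmapped type can never fall back to leaking its raw message.
    static final String DEFAULT_MESSAGE = "Authentication attempt has failed.";

    static String bundleMessage(Throwable ex) {
        return BUNDLE.getOrDefault(
            "authenticationFailure." + ex.getClass().getSimpleName(), DEFAULT_MESSAGE);
    }

    // Leaking variant: the raw exception text differs per failure cause, so the
    // bundle text appended after the colon does not help.
    static String leakingMessage(Throwable ex) {
        String raw = Objects.toString(ex.getMessage(), "");
        return raw + ":" + bundleMessage(ex);
    }

    // Uniform variant: only the bundle text is returned, so an unknown account
    // and a wrong password produce byte-identical entries.
    static String uniformMessage(Throwable ex) {
        return bundleMessage(ex);
    }

    // handlerErrors mirrors the per-handler error map a failed authentication
    // carries; distinct() keeps the list length from revealing how many handlers
    // failed for the same reason.
    static List<String> toMessages(Map<String, Throwable> handlerErrors, boolean uniform) {
        return handlerErrors.values().stream()
            .map(ex -> uniform ? uniformMessage(ex) : leakingMessage(ex))
            .distinct()
            .toList();
    }

    public static void main(String[] args) {
        // Constructed sample inputs; the handler name is an assumption.
        Map<String, Throwable> unknownUser = new LinkedHashMap<>();
        unknownUser.put("dbHandler",
            new AccountNotFoundException("USERNAME not found with SQL query"));
        Map<String, Throwable> wrongPassword = new LinkedHashMap<>();
        wrongPassword.put("dbHandler",
            new FailedLoginException("Password does not match value on record."));

        System.out.println("leaking, unknown user:   " + toMessages(unknownUser, false));
        System.out.println("leaking, wrong password: " + toMessages(wrongPassword, false));
        System.out.println("uniform, unknown user:   " + toMessages(unknownUser, true));
        System.out.println("uniform, wrong password: " + toMessages(wrongPassword, true));

        boolean distinguishable =
            !toMessages(unknownUser, true).equals(toMessages(wrongPassword, true));
        System.out.println("uniform responses distinguishable: " + distinguishable);
    }
}
```

Compile and run with a JDK 16 or newer (Stream.toList is used). The last line printed is the check worth keeping in a regression test for the overlay: the two uniform message lists must compare equal. Note that uniformity of the message text is only one part of the picture; the same bundle text must be configured for every exception type a deployment's handlers can raise, which is why a fixed fallback is used here rather than the raw message.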