Hello list.We are using cas server 4.0.0 and OpenLDAP, with password policy support enabled, limited to password quality settings sofar.
This morning we activated password expiration, by setting explicit values for pwdMaxAge and pwdExpireWarning attributes. Everything was working as expected during our tests, but we quickly ran into problems in production: whereas users whose password is about to expire are correctly redirected to a warning page with correct explanations, all other users are forcefuly redirected to the same warning page, without any explanations...
Actually, it turns out than as soon as at least one user gets a "successWithWarnings" state upon authentication, all others users also get this state, and get redirected to the "casLoginMessageView" View, even if actual message list is empty.
The problem is reproductible with this scenario: - userA has a valid password, and is not subject to expiration warnings - userB has a valid password, and is subject to expiration warnings Resulting in the following events sequence: a) userA logs successfully: he is redirected to target applicationb) userB logs successfully: he is redirected to CAS server warning page, with a correct message
c) userA logs successfully: he is redirected to CAS server warning page, without any message Restarting the tomcat server is enough to reset the situation.I initially supposed the issue was in the DefaultAccountStateHandler class, and was related to undefined vs empty list of warning messages. However, enabling debug log level doesn't show any significative difference between attmpt (a) and (c):
Attempt (a): DEBUG [...DefaultAccountStateHandler] - Account state not defined DEBUG [...DefaultAccountStateHandler] - Handling nullDEBUG [...DefaultAccountStateHandler] - No LDAP error mapping defined for null
DEBUG [...DefaultAccountStateHandler] - Account state warning not defined Attempt (c): DEBUG [...DefaultAccountStateHandler] - Account state not defined DEBUG [...DefaultAccountStateHandler] - Handling nullDEBUG [...DefaultAccountStateHandler] - No LDAP error mapping defined for null
DEBUG [...DefaultAccountStateHandler] - Account state warning not defined.ie, in both case, handleWarning() method is called with a null warning parameter, which is consistant with ldaptive documentation: AccountState.getWarning() returns null if no warnings exist.
I guess the issue is rather located in AuthenticationViaFormAction class, somehwere in this loop:
for (final Map.Entry<String, HandlerResult> entry : tgt.getAuthentication().getSuccesses().entrySet()) {
for (final Message message : entry.getValue().getWarnings()) { addWarningToContext(messageContext, message); } } if (this.hasWarningMessages) { return newEvent(SUCCESS_WITH_WARNINGS); } return newEvent(SUCCESS);I guess something is pushing an empty of undefined message in the context, which is enough to set hasWarningMessages flag.
Should I open a ticket ? -- Guillaume Rousse INRIA, Direction des systèmes d'information Domaine de Voluceau Rocquencourt - BP 105 78153 Le Chesnay Tel: 01 39 63 58 31
smime.p7s
Description: Signature cryptographique S/MIME