This is already fixed in master.

The problem is here:
https://github.com/Jasig/cas/blob/4.0.x/cas-server-core/src/main/java/org/jasig/cas/web/flow/AuthenticationViaFormAction.java

The "hasWarningMessages" flag, once set to true, will always remain true. Your 
workaround for now would be to download the above file into your overlay 
and reset the flag to false before each attempt.

-----Original Message-----
From: Guillaume Rousse [mailto:[email protected]]
Sent: Monday, March 23, 2015 9:02 AM
To: [email protected]
Subject: [cas-user] Troubles with password policy: all successful authentications get successWithWarnings state

Hello list.

We are using CAS server 4.0.0 and OpenLDAP, with password policy support
enabled, limited to password quality settings so far.

This morning we activated password expiration, by setting explicit
values for pwdMaxAge and pwdExpireWarning attributes. Everything was
working as expected during our tests, but we quickly ran into problems
in production: whereas users whose password is about to expire are
correctly redirected to a warning page with correct explanations, all
other users are forcefully redirected to the same warning page, without
any explanations...

Actually, it turns out that as soon as at least one user gets a
"successWithWarnings" state upon authentication, all other users also
get this state, and get redirected to the "casLoginMessageView" view,
even if the actual message list is empty.

The problem is reproducible with this scenario:
- userA has a valid password, and is not subject to expiration warnings
- userB has a valid password, and is subject to expiration warnings

Resulting in the following sequence of events:
a) userA logs in successfully: he is redirected to the target application
b) userB logs in successfully: he is redirected to the CAS server warning page,
with a correct message
c) userA logs in successfully: he is redirected to the CAS server warning page,
without any message

Restarting the tomcat server is enough to reset the situation.

I initially supposed the issue was in the DefaultAccountStateHandler
class, and was related to an undefined vs. empty list of warning messages.
However, enabling debug log level doesn't show any significant
difference between attempts (a) and (c):

Attempt (a):
DEBUG [...DefaultAccountStateHandler] - Account state not defined
DEBUG [...DefaultAccountStateHandler] - Handling null
DEBUG [...DefaultAccountStateHandler] - No LDAP error mapping defined for null
DEBUG [...DefaultAccountStateHandler] - Account state warning not defined

Attempt (c):
DEBUG [...DefaultAccountStateHandler] - Account state not defined
DEBUG [...DefaultAccountStateHandler] - Handling null
DEBUG [...DefaultAccountStateHandler] - No LDAP error mapping defined for null
DEBUG [...DefaultAccountStateHandler] - Account state warning not defined

i.e., in both cases, the handleWarning() method is called with a null warning
parameter, which is consistent with the ldaptive documentation:
AccountState.getWarning() returns null if no warnings exist.

I guess the issue is rather located in the AuthenticationViaFormAction
class, somewhere in this loop:

for (final Map.Entry<String, HandlerResult> entry : tgt.getAuthentication().getSuccesses().entrySet()) {
    for (final Message message : entry.getValue().getWarnings()) {
        addWarningToContext(messageContext, message);
    }
}
if (this.hasWarningMessages) {
    return newEvent(SUCCESS_WITH_WARNINGS);
}
return newEvent(SUCCESS);

I guess something is pushing an empty or undefined message into the
context, which is enough to set the hasWarningMessages flag.

Should I open a ticket?
-- 
Guillaume Rousse
INRIA, Direction des systèmes d'information
Domaine de Voluceau
Rocquencourt - BP 105
78153 Le Chesnay
Tel: 01 39 63 58 31
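Added simulation of the flag behaviour discussed in this thread (written for this page, not CAS code): a singleton action whose instance field is set by addWarningToContext and never cleared, the reset-before-each-attempt workaround from the reply, and a variant that decides from the current request only, all replayed over the a/b/c sequence from the report. HandlerResult, the handler-name key and the warning text are constructed stand-ins for the CAS/ldaptive types.

```python
# Constructed model of the CAS 4.0.x AuthenticationViaFormAction flag bug.
# HandlerResult, the handler key and the warning text are stand-ins, not CAS API.
from dataclasses import dataclass

SUCCESS = "success"
SUCCESS_WITH_WARNINGS = "successWithWarnings"

@dataclass
class HandlerResult:
    warnings: list  # per-handler warning messages, empty when none exist

class BuggyFormAction:
    """Singleton action: one instance serves every login, so the flag is shared."""
    def __init__(self):
        self.has_warning_messages = False

    def add_warning_to_context(self, message_context, message):
        message_context.append(message)
        self.has_warning_messages = True  # set once, never cleared

    def submit(self, successes):
        message_context = []
        for result in successes.values():
            for message in result.warnings:
                self.add_warning_to_context(message_context, message)
        if self.has_warning_messages:  # stale after any earlier warning
            return SUCCESS_WITH_WARNINGS, message_context
        return SUCCESS, message_context

class WorkaroundFormAction(BuggyFormAction):
    """The overlay workaround from the reply: reset the flag before each attempt."""
    def submit(self, successes):
        self.has_warning_messages = False
        return super().submit(successes)

class PerRequestFormAction:
    """Keep no state on the action; decide from this request's messages only."""
    def submit(self, successes):
        message_context = [m for r in successes.values() for m in r.warnings]
        return (SUCCESS_WITH_WARNINGS if message_context else SUCCESS), message_context

def replay(action):
    """Replay the a/b/c sequence from the report: userA, userB, then userA again."""
    user_a = {"LdapAuthenticationHandler": HandlerResult(warnings=[])}
    user_b = {"LdapAuthenticationHandler": HandlerResult(warnings=["pwd expires soon"])}
    return [action.submit(s)[0] for s in (user_a, user_b, user_a)]
```

Resetting the field fixes the sequential case shown here, but the field is still shared between concurrent logins on the same singleton, so deriving the state from the request's own message list is the more robust form.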
