All,

Noticing interesting default behavior for logins with expired passwords that are also using incorrect passwords (neither expired nor valid). The user is still transitioned to the casExpiredPassView.url.

Is this expected behavior for users entering bad passwords? I suppose this behavior could allow users to scrape user logins for expired users as part of a larger vector of attack (social, etc.). Is there a preferred method to correct this behavior so as not to reveal the existence of an account when an incorrect password is used? I have not checked this behavior for the password warning or other "handleAuthenticationFailure" transitions.

--
Raymond Walker
Software Systems Engineer
StSp. ITS
Northern Arizona University
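The enumeration concern in the post comes down to the order in which an authentication handler checks things. The following is an added illustrative model, not CAS code and not from the poster: it contrasts a handler that evaluates password expiry before verifying the credential (so a wrong password against an expired account still reports "expired") with one that verifies the password first and only reports expiry once the caller has proven they know it. Account names, the user store, the dummy-hash trick and the outcome strings are all constructed for the example.

```python
"""Constructed model of expiry-vs-credential check ordering (added example,
not CAS or any project's code)."""
import hashlib
import hmac
import os
from dataclasses import dataclass


@dataclass
class Account:
    salt: bytes
    pw_hash: bytes
    expires_at: float  # unix timestamp after which the password is expired


def _hash(password: str, salt: bytes) -> bytes:
    # PBKDF2 is used only so the model does real credential verification.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def make_account(password: str, expires_at: float) -> Account:
    salt = os.urandom(16)
    return Account(salt, _hash(password, salt), expires_at)


# Constructed sample data: a fixed "now" and two hypothetical accounts.
NOW = 1_700_000_000.0
USERS = {
    "alice": make_account("correct horse", NOW + 86_400),  # valid password
    "bob": make_account("battery staple", NOW - 86_400),   # expired password
}

# Dummy credential so unknown usernames cost the same work as known ones
# (keeps the timing of "no such user" close to "wrong password").
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = _hash("dummy-password", _DUMMY_SALT)


def leaky_login(user: str, password: str, now: float = NOW) -> str:
    """Checks expiry BEFORE verifying the password.

    A wrong password against an expired account still yields "expired",
    which is the behaviour the post describes: the response differs based
    on whether the account exists and is expired, not on the credential.
    """
    acct = USERS.get(user)
    if acct is None:
        return "failed"
    if acct.expires_at <= now:
        return "expired"  # reached without ever checking the password
    if hmac.compare_digest(_hash(password, acct.salt), acct.pw_hash):
        return "success"
    return "failed"


def safe_login(user: str, password: str, now: float = NOW) -> str:
    """Verifies the password FIRST; expiry is reported only after that.

    Unknown user and wrong password collapse into the same "failed"
    outcome, so the expired-password view no longer confirms that an
    account exists.
    """
    acct = USERS.get(user)
    if acct is None:
        salt, expected = _DUMMY_SALT, _DUMMY_HASH
    else:
        salt, expected = acct.salt, acct.pw_hash
    credential_ok = hmac.compare_digest(_hash(password, salt), expected)
    if acct is None or not credential_ok:
        return "failed"
    if acct.expires_at <= now:
        return "expired"  # only shown to someone who knows the password
    return "success"


if __name__ == "__main__":
    for fn in (leaky_login, safe_login):
        print(fn.__name__, "bob/wrong ->", fn("bob", "wrong-password"))
```

Run stand-alone it prints the two outcomes for a wrong password against the expired account: the leaky ordering answers "expired", the credential-first ordering answers "failed". The same comparison is a quick way to audit any login flow (CAS or otherwise): drive it with a known-bad password for an expired account and confirm the response is indistinguishable from the response for a non-existent account.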
