Thanks for your response Scott. I accomplished what I wanted and thought I would share. I couldn't find a great way to handle the LDAP error codes, so I ended up extending the AbstractLdapUsernamePasswordAuthenticationHandler, AuthenticatedLdapContextSource, and FastBindLdapAuthenticationHandler. Then I created my own exceptions with error codes. My AuthenticatedLdapContextSource checks the LDAP errors and throws the correct exception. These eventually trickle up to the AuthenticationViaFormAction where their codes are put in the error context. Then I mapped these error codes to a message in the messages.properties file and now the login page will show a different error if someone's password is expired, their password has to be reset, etc. So it is accomplishing what I wanted. (The other good side to this is that the RESTful API sends this custom error code across the wire also.) So I have been able to get it to do what I wanted, but I regret that the only way I could make it work was to "redo" these 3 classes (someone else could probably have found a better way).
Anyways, I will try to put in this JIRA request.

On Thu, Sep 18, 2008 at 8:11 AM, Scott Battaglia <[EMAIL PROTECTED]> wrote:

> On Fri, Sep 12, 2008 at 6:13 PM, Ryan Andreasen <[EMAIL PROTECTED]> wrote:
>
>> Our organization wants to be able to expire passwords, lock out accounts, etc. I have seen some discussion about expiring passwords but haven't found a clear cut way of handling them. Currently I am using the FastBindLDAPAuthenticator to do our ldap bind. This is working great, except that if the login fails for any reason, the login page is shown again. I need to be able to hook into the ldap exception coming back from the ldap bind, and depending on the ldap error code show them a different page or else the login page again.
>>
>> I have found that the actual ldap exception (NamingException) gets handled in the org.jasig.cas.adaptors.ldap.util.AuthenticatedLdapContextSource class. However, it eats the NamingException and just throws a DataAccessResourceFailureException. This exception percolates up to the FastBindLdapAuthenticationHandler, and then back up (eventually) to the AuthenticationViaFormAction class which populates the ErrorInstance, and sets the spring Event to error. So I think I know how the current process is working and would like to get everyone's idea on the best way to hook in what I want.
>
> It doesn't necessarily eat it, they should still be available in the chain (i.e. exception.getCause().getCause()). But yes, it's not readily obvious where it is.
>
>> Another question I had is how do you get the Errors (that are set in AuthenticationViaFormAction) in a different class? Is there a way to get at them?
>
> I believe by default the AuthenticationViaForm class just pulls out the code and displays a message. If you need better responsiveness than that, you can open a JIRA enhancement request and we can try to make that method available for overriding such that you could implement custom behavior on just that method.
>
> So essentially (and I'm saying this without looking), we'd set it up so that you can have the thing that translates errors return specific events and you can use the webflow to redirect to the appropriate views based on the event name. Not sure if it would work or how much effort it is to update the code for this, but please put in a request and I'll take a look at it ASAP (I'm going to allocate some time later anyway to work on open CAS issues).
>
> Thanks
> -Scott
>
>> First, I would really like to not modify any of the cas-server-core code. I guess I could basically write my own classes that do the same things as the FastBindLdapAuthenticationHandler & AuthenticatedLdapContextSource but that keeps the NamingException around rather than eating it, but this doesn't really sound right to me.
>>
>> Second, I would really like to somehow just hook into the spring webflow and insert my code to check the NamingException and redirect to the correct page based on it.
>>
>> I hope this makes sense; I am just looking to see what the best way to accomplish this might be.
>> --
>> View this message in context: http://www.nabble.com/Hook-into-LDAP-Errors-tp19465040p19465040.html
>> Sent from the CAS Users mailing list archive at Nabble.com.
_______________________________________________
Yale CAS mailing list
[email protected]
http://tp.its.yale.edu/mailman/listinfo/cas
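The cause-chain lookup and error-code-to-message mapping discussed in this thread, as an added example that is not part of the original messages and is not CAS code. It assumes an Active Directory style detail string ("data 532") in the NamingException message, uses hypothetical messages.properties keys, and uses plain RuntimeException wrappers as stand-ins for the Spring and CAS exception types.

```java
import javax.naming.AuthenticationException;
import javax.naming.NamingException;
import java.util.Map;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public class LdapErrorMapper {
    // Assumption: the directory is Active Directory, which reports the bind
    // failure reason as a hex sub-code after "data" in the error text.
    private static final Pattern AD_DATA = Pattern.compile("data\\s+([0-9a-fA-F]+)");

    // Hypothetical message keys; the sub-codes are AD's documented hex values.
    private static final Map<String, String> KEYS = Map.of(
        "532", "error.authentication.password.expired",
        "773", "error.authentication.password.mustchange",
        "775", "error.authentication.account.locked",
        "533", "error.authentication.account.disabled");

    // Anything unrecognised falls back to the generic bad-credentials message.
    static final String DEFAULT_KEY = "error.authentication.credentials.bad";

    /** Walks getCause() until a NamingException is found; null if there is none. */
    static NamingException findNamingException(Throwable t) {
        // Depth limit guards against a self-referencing cause chain.
        for (int depth = 0; t != null && depth < 16; depth++, t = t.getCause()) {
            if (t instanceof NamingException) return (NamingException) t;
        }
        return null;
    }

    /** Maps a (possibly wrapped) LDAP bind failure to a message key. */
    static String messageKeyFor(Throwable failure) {
        NamingException ne = findNamingException(failure);
        if (ne == null || ne.getMessage() == null) return DEFAULT_KEY;
        Matcher m = AD_DATA.matcher(ne.getMessage());
        return m.find() ? KEYS.getOrDefault(m.group(1).toLowerCase(), DEFAULT_KEY) : DEFAULT_KEY;
    }

    public static void main(String[] args) {
        // Constructed sample: a bind failure wrapped twice, as described in the thread.
        NamingException ne = new AuthenticationException(
            "[LDAP: error code 49 - 80090308: LdapErr: DSID-0C090334, "
            + "comment: AcceptSecurityContext error, data 532]");
        Throwable wrapped = new RuntimeException("stand-in for handler failure",
            new RuntimeException("stand-in for DataAccessResourceFailureException", ne));
        System.out.println(messageKeyFor(wrapped));
        System.out.println(messageKeyFor(new RuntimeException("no LDAP cause")));
    }
}
```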
