Nov 15th, 2012, 08:22 AM
CAS - where is the right place and when is the right time to let user change password
I use Spring Security 3.1 and CAS 3.4.9. Here is my problem:
User authenticates on CAS. When user's password expires, I set UserDetails.setCredentialsNonExpired(false) in my implementation of UserDetailsService. It "indicates whether the user's credentials (password) has expired". Then Spring Security clears SecurityContext, saves exception to session and redirects user's browser to defaultFailureUrl. Every other request forces user to reauthenticate on CAS. JASIG implementation of CAS doesn't let user change password. User authenticates on CAS ...
What am I doing wrong? What is best practice?
Nov 17th, 2012, 05:29 AM
You can somehow handle password expiration on CAS server side leveraging on your LDAP authentication, it's called the LPPE feature : https://wiki.jasig.org/pages/viewpag...ageId=26149328. It may help you...
Nov 27th, 2012, 08:44 AM
Thank you very much Jérôme. LPPE feature was introduced in 3.5, but it still seems to be quite buggy. Maybe CAS password manager is better option.
Nov 27th, 2012, 10:23 AM
The LPPE feature was introduced in 3.5.0 and some improvments have been done on 3.5.1 : did you try this last one ?
Nov 28th, 2012, 03:38 AM
I haven't tried it yet. I just have observed 10 Outstanding LPPE JIRA issues from link you provided. The most appreciated feature for me is LPPE - change password workflow. From there I was navigated to the CAS password manager I've mentioned above. But both solutions are based on LDAP authentication handler while I need proven solution for database authentication handler.
Last edited by harasta; Nov 28th, 2012 at 03:45 AM.
Tags for this Thread