  • CAS - where is the right place and when is the right time to let user change password


    I use Spring Security 3.1 and CAS 3.4.9. Here is my problem:

    User authenticates on CAS. When the user's password expires, I set UserDetails.setCredentialsNonExpired(false) in my implementation of UserDetailsService. It "indicates whether the user's credentials (password) has expired". Then Spring Security clears the SecurityContext, saves the exception to the session and redirects the user's browser to defaultFailureUrl. Every other request forces the user to reauthenticate on CAS. The JASIG implementation of CAS doesn't let the user change their password. User authenticates on CAS ...

    What am I doing wrong? What is best practice?
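Added example (not from the poster or from the Spring Security or CAS projects) of the two pieces the post describes: a UserDetailsService that only flags the expired password, and a failure handler for CasAuthenticationFilter that sends CredentialsExpiredException to a change-password page instead of the generic defaultFailureUrl. The DAO, the row layout and the URLs are assumptions.

```java
import java.util.Collections;
import java.util.HashMap;
import java.util.Map;

import org.springframework.security.authentication.CredentialsExpiredException;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.security.web.authentication.ExceptionMappingAuthenticationFailureHandler;

public class ExpiringPasswordUserDetailsService implements UserDetailsService {

    /** Hypothetical minimal data-access interface; replace with the application's own. */
    public interface PasswordPolicyDao {
        final class Row { public boolean enabled; public boolean passwordExpired; }
        Row find(String username);
    }

    private final PasswordPolicyDao dao;

    public ExpiringPasswordUserDetailsService(PasswordPolicyDao dao) { this.dao = dao; }

    @Override
    public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {
        PasswordPolicyDao.Row row = dao.find(username);
        if (row == null) {
            throw new UsernameNotFoundException("no such user"); // same message for every unknown name
        }
        // credentialsNonExpired=false makes CasAuthenticationProvider's user-details
        // check throw CredentialsExpiredException after CAS has validated the ticket.
        boolean credentialsNonExpired = !row.passwordExpired;
        // CAS already verified the password, so no hash is exposed through UserDetails.
        return new User(username, "N/A", row.enabled, true, credentialsNonExpired, true,
                Collections.singletonList(new SimpleGrantedAuthority("ROLE_USER")));
    }

    /** Wire this into CasAuthenticationFilter.setAuthenticationFailureHandler(...). */
    public static ExceptionMappingAuthenticationFailureHandler failureHandler() {
        ExceptionMappingAuthenticationFailureHandler handler = new ExceptionMappingAuthenticationFailureHandler();
        Map<String, String> mappings = new HashMap<String, String>();
        // Only an expired password goes to the change-password flow; every other failure
        // (bad ticket, disabled account) still lands on the generic failure page.
        mappings.put(CredentialsExpiredException.class.getName(), "/changePassword");
        handler.setExceptionMappings(mappings);
        handler.setDefaultFailureUrl("/loginFailed");
        return handler;
    }
}
```

The /changePassword URL must be permitted for anonymous requests, because the SecurityContext has been cleared by the time the redirect happens; the page has to establish which user it is serving from the saved exception or its own flow, not from the context.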


  • #2

    You can somehow handle password expiration on the CAS server side, leveraging your LDAP authentication; it's called the LPPE feature. It may help you...
    Best regards,


    • #3
      Thank you very much Jérôme. The LPPE feature was introduced in 3.5, but it still seems to be quite buggy. Maybe the CAS password manager is a better option.


      • #4
        The LPPE feature was introduced in 3.5.0 and some improvements have been made in 3.5.1: did you try this last one?


        • #5
          I haven't tried it yet. I have just observed 10 outstanding LPPE JIRA issues from the link you provided. The most appreciated feature for me is the LPPE change-password workflow. From there I was directed to the CAS password manager I mentioned above. But both solutions are based on the LDAP authentication handler, while I need a proven solution for the database authentication handler.
          Last edited by harasta; Nov 28th, 2012, 03:45 AM.