Handling invalid eventIds

Joseph Cauthen

Aug 24, 2021, 8:48:10 PM
to CAS Community

OK, so I'm tearing my hair out a little bit. I have been stuck on this problem for about two months.

CAS is not configured out of the box to handle invalid eventIds. When it receives an invalid eventId, it throws a NoMatchingTransitionException. This then returns a 500 HTTP status code. This is picked up by vulnerability scanners. I need it to return a 400 instead.

I've used CAS for years. In CAS 3, I could set up a global transition at the end of the login-flow.xml and logout-flow.xml. An example is in the link below.


We've recently switched to CAS 6. The webflows have been implemented in Java instead of XML. I have been unable to find how to achieve the same result in the Java configuration. The closest I have found is this link.


However, I need a global transition and can't find how to create one. I also have no idea how this all fits into the larger webflow or where to properly configure the classes that I create or how to set the precedence.

In the XML implementation, this is all obvious, but I have never been so confused in my life.

Does anyone have any ideas on how to create a global transition that handles NoMatchingTransitionExceptions? Does anyone have some solid documentation on this?

Joseph Cauthen

Aug 26, 2021, 4:43:10 PM
to CAS Community, Joseph Cauthen
Alternate question: Is there an alternate way to force the server to send a different HTTP status code when a NoMatchingTransitionException is thrown?

I have tried to implement a ControllerAdvice without success. I'm assuming it's because the exception is from WebFlow and not a controller? Should this be possible?