Password expiration warning fails with error, goes back to login page (CAS 5.2.7)

cur...@newschool.edu

Jan 28, 2019, 3:29:35 PM
to CAS Community
We're wanting to enable the LPPE password expiration warning (your password expires in N days) in CAS 5.2.7. I've set the properties:

cas.authn.ldap[0].passwordPolicy.enabled:       true
cas.authn.ldap[0].passwordPolicy.type:          AD
cas.authn.ldap[0].passwordPolicy.strategy:      DEFAULT
cas.authn.ldap[0].passwordPolicy.warningDays:   5
cas.authn.ldap[0].passwordPolicy.warnAll:       true

and sure enough, when I try to log in, I get the login page followed by the casLoginMessageView.html page. But when I press the "CONTINUE" button on that page, which should take me to the application, instead I end up back at the login screen. 

In the log, I see:

AUTHENTICATION_EVENT_TRIGGERED
AUTHENTICATION_SUCCESS
TICKET_GRANTING_TICKET_CREATED

but then...

2019-01-28 11:04:43,223 DEBUG [org.apereo.cas.web.flow.GenerateServiceTicketAction] - <Ticket-granting ticket found in the context is [TGT-20-*********************************************************YC-v-3MOV4-casdev-srv01-lid]>
2019-01-28 11:04:43,239 ERROR [org.apereo.cas.util.serialization.AbstractJacksonBackedStringSerializer] - <Cannot read/parse JSON [{"@class":"org.apereo.cas.ticket.TicketGrantingTicketImpl","@id":1,"id":"TGT-20-******************4OIdqEs6hCxUOo1V9oWRBct-...] to deserialize into type [interface org.apereo.cas.ticket.TicketGrantingTicket]. This may be caused in the absence of a configuration/support module that knows how to interpret the JSON fragment, specially if the fragment describes a CAS registered service definition. Internal parsing error is [Cannot construct instance of `org.apereo.cas.authentication.support.password.PasswordExpiringWarningMessageDescriptor` (no Creators, like default construct, exist): cannot deserialize from Object value (no delegate- or property-based Creator)
 at [Source: (String)"{"@class":"org.apereo.cas.ticket.TicketGrantingTicketImpl","@id":1,"id":"TGT-20-******************4OIdqEs6hCxUOo1V9oWRBct-...daM15STZ9bFmYC-v-3MOV4-casdev-srv01-lid","authentication":{"@class":"org.apereo.cas.authentication.DefaultAuthentication","authenticationDate":1548691399.597,"credentials":["java.util.ArrayList",[{"@class":"org.apereo.cas.authentication.BasicCredentialMetaData","id":"curryd","credentialClass":"org.apereo.cas.authentication.UsernamePasswordCredential"}]],"principal":{"@clas"[truncated 4973 chars]; line: 1, column: 4973] (through reference chain: org.apereo.cas.ticket.TicketGrantingTicketImpl["authentication"]->org.apereo.cas.authentication.DefaultAuthentication["successes"]->java.util.HashMap["Active Directory (TNS)"]->org.apereo.cas.authentication.DefaultHandlerResult["warnings"]->java.util.ArrayList[0])]>
2019-01-28 11:04:43,239 ERROR [org.apereo.cas.ticket.registry.MongoDbTicketRegistry] - <Failed fetching [TGT-20-*********************************************************YC-v-3MOV4-casdev-srv01-lid]: [java.lang.RuntimeException: org.apereo.cas.ticket.TicketGrantingTicketImpl]>
2019-01-28 11:04:43,240 DEBUG [org.apereo.cas.web.flow.GenerateServiceTicketAction] - <CAS has determined ticket-granting ticket [TGT-20-*********************************************************YC-v-3MOV4-casdev-srv01-lid] is invalid and must be destroyed>
2019-01-28 11:04:43,243 ERROR [org.apereo.cas.util.serialization.AbstractJacksonBackedStringSerializer] - <Cannot read/parse JSON [{"@class":"org.apereo.cas.ticket.TicketGrantingTicketImpl","@id":1,"id":"TGT-20-******************4OIdqEs6hCxUOo1V9oWRBct-...] to deserialize into type [interface org.apereo.cas.ticket.TicketGrantingTicket]. This may be caused in the absence of a configuration/support module that knows how to interpret the JSON fragment, specially if the fragment describes a CAS registered service definition. Internal parsing error is [Cannot construct instance of `org.apereo.cas.authentication.support.password.PasswordExpiringWarningMessageDescriptor` (no Creators, like default construct, exist): cannot deserialize from Object value (no delegate- or property-based Creator)
 at [Source: (String)"{"@class":"org.apereo.cas.ticket.TicketGrantingTicketImpl","@id":1,"id":"TGT-20-******************4OIdqEs6hCxUOo1V9oWRBct-...daM15STZ9bFmYC-v-3MOV4-casdev-srv01-lid","authentication":{"@class":"org.apereo.cas.authentication.DefaultAuthentication","authenticationDate":1548691399.597,"credentials":["java.util.ArrayList",[{"@class":"org.apereo.cas.authentication.BasicCredentialMetaData","id":"curryd","credentialClass":"org.apereo.cas.authentication.UsernamePasswordCredential"}]],"principal":{"@clas"[truncated 4973 chars]; line: 1, column: 4973] (through reference chain: org.apereo.cas.ticket.TicketGrantingTicketImpl["authentication"]->org.apereo.cas.authentication.DefaultAuthentication["successes"]->java.util.HashMap["Active Directory (TNS)"]->org.apereo.cas.authentication.DefaultHandlerResult["warnings"]->java.util.ArrayList[0])]>
2019-01-28 11:04:43,243 ERROR [org.apereo.cas.ticket.registry.MongoDbTicketRegistry] - <Failed fetching [TGT-20-*********************************************************YC-v-3MOV4-casdev-srv01-lid]: [java.lang.RuntimeException: org.apereo.cas.ticket.TicketGrantingTicketImpl]>

followed by

TICKET_GRANTING_TICKET_DESTROYED

Bummer. :-)

I think the problem is described in the second line above: "Cannot construct instance of `org.apereo.cas.authentication.support.password.PasswordExpiringWarningMessageDescriptor` (no Creators, like default construct, exist): cannot deserialize from Object value (no delegate- or property-based Creator)".

But I have no idea what that message is actually telling me, or why I'm getting it. I do not have any custom code like home-grown authenticators, etc. I do have a custom user interface theme (Thymeleaf templates), but I don't see any significant differences there between mine and the stock theme. Am I missing some component in my pom.xml that brings this in? The documentation doesn't mention needing one, but... Am I missing some property setting somewhere?

Any insights appreciated.

Thanks,
--Dave

P.S. - Full log attached.
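The error in Dave's log means Jackson found no way to instantiate PasswordExpiringWarningMessageDescriptor when the ticket registry reads the stored TGT JSON back: the class exposes getters (so it serializes), but has neither a no-arg constructor nor a constructor annotated as a creator (so it cannot deserialize). The following added example is not from the thread or from CAS; it reproduces that class of failure on a hypothetical stand-in class (its name, fields and the Jackson 2.9+ API are assumptions) and shows the mix-in technique that supplies a creator without modifying the original class.

```java
import com.fasterxml.jackson.annotation.JsonCreator;
import com.fasterxml.jackson.annotation.JsonProperty;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.exc.InvalidDefinitionException;

// Hypothetical stand-in for the warning descriptor: immutable, getters only,
// no no-arg constructor (modelled on the shape implied by the log message).
final class WarningDescriptor {
    private final String defaultMessage;
    private final long days;

    WarningDescriptor(String defaultMessage, long days) {
        this.defaultMessage = defaultMessage;
        this.days = days;
    }
    public String getDefaultMessage() { return defaultMessage; }
    public long getDays() { return days; }
}

// Jackson mix-in: annotates a constructor with the same signature so the
// mapper knows how to build the object, without touching the original class.
abstract class WarningDescriptorMixin {
    @JsonCreator
    WarningDescriptorMixin(@JsonProperty("defaultMessage") String defaultMessage,
                           @JsonProperty("days") long days) {}
}

public class DescriptorRoundTrip {
    public static void main(String[] args) throws Exception {
        ObjectMapper plain = new ObjectMapper();
        // Serialization works: Jackson only needs the getters for this direction.
        String json = plain.writeValueAsString(new WarningDescriptor("Password expires soon", 5));
        System.out.println("serialized: " + json);

        try {
            plain.readValue(json, WarningDescriptor.class);
        } catch (InvalidDefinitionException e) {
            // Same family of message as the CAS log:
            // "Cannot construct instance of ... (no Creators, like default constructor, exist)"
            System.out.println("round trip fails: " + e.getOriginalMessage());
        }

        // Register the mix-in and the same JSON now deserializes.
        ObjectMapper fixed = new ObjectMapper()
            .addMixIn(WarningDescriptor.class, WarningDescriptorMixin.class);
        WarningDescriptor back = fixed.readValue(json, WarningDescriptor.class);
        System.out.println("with mix-in: " + back.getDays() + " days");
    }
}
```

The practical check this suggests for a CAS deployment: any type that ends up inside a stored ticket (here, a handler-result warning) must round-trip through the registry's serializer, so a one-off serialize/deserialize test of the ticket JSON after enabling a new feature catches this before the TGT is silently destroyed at service-ticket time.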


Mickaël

Jul 13, 2021, 7:51:58 AM
to CAS Community, cur...@newschool.edu
Hi all and Dave,

I'm trying to use the same attributes with my OpenLDAP:
cas.authn.ldap[0].passwordPolicy.account-state-handling-enabled=true
cas.authn.ldap[0].passwordPolicy.display-warning-on-match=true
cas.authn.ldap[0].passwordPolicy.enable=true
cas.authn.ldap[0].passwordPolicy.login-failures=5
cas.authn.ldap[0].passwordPolicy.policy-attributes.account-locked=javax.security.auth.login.AccountLockedException
cas.authn.ldap[0].passwordPolicy.strategy=DEFAULT
cas.authn.ldap[0].passwordPolicy.type=GENERIC
cas.authn.ldap[0].passwordPolicy.warn-all=true
cas.authn.ldap[0].passwordPolicy.warning-attribute-name=gestion
cas.authn.ldap[0].passwordPolicy.warning-attribute-value=1
cas.authn.ldap[0].passwordPolicy.warning-days=30

At my first login, CAS does not check the attribute "gestion" in my LDAP.
Did I forget something, or is something missing?

Thanks, Mickaël