CAS 5.1 Password expired issues


Pavlos Drandakis

Jun 7, 2017, 8:54:16 AM
to cas-...@apereo.org
Hello all,

I am trying to set up CAS 5.1 (using the maven overlay method) to
authenticate users against an OpenLDAP server. If the user's password is not
expired, everything works as expected. But when the user's password expires,
all I get is the "Invalid credentials" error on the login page instead of the
password expired view.

This is what I have in cas.properties:
cas.authn.ldap[0].type=AUTHENTICATED
cas.authn.ldap[0].ldapUrl=ldap://ldap.example.com
cas.authn.ldap[0].useSsl=false
cas.authn.ldap[0].useStartTls=false
cas.authn.ldap[0].baseDn=dc=example,dc=com
cas.authn.ldap[0].userFilter=uid={user}
cas.authn.ldap[0].bindDn=cn=admin,dc=example,dc=com
cas.authn.ldap[0].bindCredential=secretpass

cas.authn.ldap[0].passwordPolicy.type=GENERIC
cas.authn.ldap[0].passwordPolicy.enabled=true

Am I missing something?
Thanks, in advance
Pavlos

P.S.: Relevant log entries:
2017-06-07 15:20:22,463 DEBUG [org.apereo.cas.authentication.LdapAuthenticationHandler] - <Applying password policy to [[org.ldaptive.auth.AuthenticationResponse@1608121171::authenticationResultCode=AUTHENTICATION_HANDLER_FAILURE, resolvedDn=uid=auser,ou=People,dc=example,dc=com, ldapEntry=[dn=uid=auser,ou=People,dc=example,dc=com[]], accountState=[org.ldaptive.auth.ext.PasswordPolicyAccountState@1354577001::accountWarnings=null, accountErrors=[PASSWORD_EXPIRED]], result=false, resultCode=INVALID_CREDENTIALS, message=javax.naming.AuthenticationException: [LDAP: error code 49 - Invalid Credentials], controls=[[org.ldaptive.control.PasswordPolicyControl@655105816::criticality=false, timeBeforeExpiration=0, graceAuthNsRemaining=0, error=PASSWORD_EXPIRED]]]]>
2017-06-07 15:20:22,464 DEBUG [org.apereo.cas.authentication.support.DefaultAccountStateHandler] - <Handling error [PASSWORD_EXPIRED]>
2017-06-07 15:20:22,465 INFO [org.apereo.cas.authentication.PolicyBasedAuthenticationManager] - <[LdapAuthenticationHandler] failed authenticating [auser]>
2017-06-07 15:20:22,465 DEBUG [org.apereo.cas.authentication.PolicyBasedAuthenticationManager] - <[LdapAuthenticationHandler] exception details: [null]>
2017-06-07 15:20:22,468 WARN [org.apereo.cas.authentication.PolicyBasedAuthenticationManager] - <Authentication has failed. Credentials may be incorrect or CAS cannot find authentication handler that supports [auser] of type [UsernamePasswordCredential], which suggests a configuration problem.>

Ben Howell-Thomas

Jun 8, 2017, 6:18:06 AM
to cas-...@apereo.org
Have a look at : 

cas.authn.pm.enabled=true

which I think you need to set. 

Also login-webflow.xml has a handleAuthenticationFailure step which handles all the different exceptions, including CredentialExpiredException.
 


--
- CAS gitter chatroom: https://gitter.im/apereo/cas
- CAS mailing list guidelines: https://apereo.github.io/cas/Mailing-Lists.html
- CAS documentation website: https://apereo.github.io/cas
- CAS project website: https://github.com/apereo/cas
---
You received this message because you are subscribed to the Google Groups "CAS Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email to cas-user+unsubscribe@apereo.org.
To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/d41c5617c375b7ada108bf29380118d6.squirrel%40webmail01.edunet.gr.


This email is sent on behalf of Northgate Public Services (UK) Limited and its associated companies including Rave Technologies (India) Pvt Limited (together "Northgate Public Services") and is strictly confidential and intended solely for the addressee(s). 
If you are not the intended recipient of this email you must: (i) not disclose, copy or distribute its contents to any other person nor use its contents in any way or you may be acting unlawfully;  (ii) contact Northgate Public Services immediately on +44(0)1908 264500 quoting the name of the sender and the addressee then delete it from your system.
Northgate Public Services has taken reasonable precautions to ensure that no viruses are contained in this email, but does not accept any responsibility once this email has been transmitted.  You should scan attachments (if any) for viruses.

Northgate Public Services (UK) Limited, registered in England and Wales under number 00968498 with a registered address of Peoplebuilding 2, Peoplebuilding Estate, Maylands Avenue, Hemel Hempstead, Hertfordshire, HP2 4NN.  Rave Technologies (India) Pvt Limited, registered in India under number 117068 with a registered address of 2nd Floor, Ballard House, Adi Marzban Marg, Ballard Estate, Mumbai, Maharashtra, India, 400001.

Pavlos Drandakis

Jun 8, 2017, 5:51:20 PM
to cas-...@apereo.org
Hi Ben,

Thanks for your suggestion, but I have already tried it (and tried it once again, now). The problem still exists. This property, IIUC, only enables in-place password management and has nothing to do with the missing message/view/flow.

In CAS v5.0.x the "same" configuration with the same OpenLDAP backend worked as expected...

handleAuthenticationFailure, as you said, should handle CredentialExpiredException and render the VIEW_ID_EXPIRED_PASSWORD (casExpiredPassView) but I don't see that happening. Perhaps, when reaching that point, CredentialExpiredException is "lost" and a generic AuthenticationException is thrown...

Pavlos

Ben Howell-Thomas

Jun 9, 2017, 3:55:45 AM
to cas-...@apereo.org
This bug https://github.com/apereo/cas/issues/2322 previously could stop the expired password being handled but it's fixed in 5.1 RC2.



Pavlos Drandakis

Jun 11, 2017, 7:31:53 PM
to cas-...@apereo.org
Hi Ben,

thanks for your answer, but that bug (which is already resolved, as you
said) was for AD and for version 5.1 RC1. The problem that I have is for
Generic (OpenLDAP) and the official CAS 5.1.0 version (I had the same
issue also with 5.1 RC4).

Is there anyone that has/could share a working configuration for CAS 5.1.0
- OpenLDAP - LPPE support?

Thanks, in advance,
Pavlos

Ludovic Senecaux

Jun 13, 2017, 6:59:46 AM
to CAS Community, pdr...@noc.edunet.gr
Hello,

I have exactly the same problem for locked accounts (pwdAccountLockedTime) or accounts whose password has been reset (pwdReset).
Accounts whose password will soon expire work correctly and the alert is given by CAS.

Ben Howell-Thomas

Jun 15, 2017, 11:42:26 AM
to cas-...@apereo.org, pdr...@noc.edunet.gr
If you get to the bottom of it, please share the solution.  I'll be working on upgrading to 5.1 in a few weeks.


Ludovic Senecaux

Jun 16, 2017, 5:22:40 AM
to CAS Community, pdr...@noc.edunet.gr
The logs provide the right information from the LDAP directory, but the CAS does not seem to return the correct JSP page.

2017-06-08 14:41:32,478 DEBUG [org.apereo.cas.authentication.support.DefaultAccountStateHandler] - <Handling error [ACCOUNT_LOCKED]>
2017-06-08 14:41:32,478 INFO [org.apereo.cas.authentication.PolicyBasedAuthenticationManager] - <[LdapAuthenticationHandler] failed authenticating [foo]>
2017-06-08 14:41:32,479 DEBUG [org.apereo.cas.authentication.PolicyBasedAuthenticationManager] - <[LdapAuthenticationHandler] exception details: [null]>
2017-06-08 14:41:32,479 WARN [org.apereo.cas.authentication.PolicyBasedAuthenticationManager] - <Authentication has failed. Credentials may be incorrect or CAS cannot find authentication handler that supports [foo] of type [UsernamePasswordCredential], which suggests a configuration problem.>
2017-06-08 14:41:32,480 INFO [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit trail record BEGIN
=============================================================
WHO: foo
WHAT: Supplied credentials: [foo]
ACTION: AUTHENTICATION_FAILED
APPLICATION: CAS
WHEN: Thu Jun 08 14:41:32 CEST 2017
CLIENT IP ADDRESS: 10.199.2.7
SERVER IP ADDRESS: 192.168.108.100
=============================================================


2017-06-08 15:15:35,859 DEBUG [org.apereo.cas.authentication.support.DefaultAccountStateHandler] - <Handling policy based on pre-defined attributes>
2017-06-08 15:15:35,859 DEBUG [org.apereo.cas.authentication.support.DefaultAccountStateHandler] - <Handling error [CHANGE_AFTER_RESET]>
2017-06-08 15:15:35,860 INFO [org.apereo.cas.authentication.PolicyBasedAuthenticationManager] - <[LdapAuthenticationHandler] failed authenticating [foo]>
2017-06-08 15:15:35,860 DEBUG [org.apereo.cas.authentication.PolicyBasedAuthenticationManager] - <[LdapAuthenticationHandler] exception details: [null]>
2017-06-08 15:15:35,861 WARN [org.apereo.cas.authentication.PolicyBasedAuthenticationManager] - <Authentication has failed. Credentials may be incorrect or CAS cannot find authentication handler that supports [foo] of type [UsernamePasswordCredential], which suggests a configuration problem.>
2017-06-08 15:15:35,862 INFO [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit trail record BEGIN
=============================================================
WHO: foo
WHAT: Supplied credentials: [foo]
ACTION: AUTHENTICATION_FAILED
APPLICATION: CAS
WHEN: Thu Jun 08 15:15:35 CEST 2017
CLIENT IP ADDRESS: 10.199.2.7
SERVER IP ADDRESS: unknown
=============================================================
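
The log pattern quoted in the posts above (an account-state error handled by DefaultAccountStateHandler, immediately followed by a generic "failed authenticating" line) can be pulled out of a CAS log mechanically. The following is an added example, not part of the thread and not CAS code; the function names and the sample log are constructed here, and the pairing assumes the two lines of one login attempt are adjacent (concurrent logins could interleave them).

```python
import re

# Constructed sample in the format quoted in this thread. The first attempt is
# hard-wrapped like the mailed log; the "bar" attempt is invented for contrast.
SAMPLE_LOG = """\
2017-06-07 15:20:22,464 DEBUG
[org.apereo.cas.authentication.support.DefaultAccountStateHandler] -
<Handling error [PASSWORD_EXPIRED]>
2017-06-07 15:20:22,465 INFO
[org.apereo.cas.authentication.PolicyBasedAuthenticationManager] -
<[LdapAuthenticationHandler] failed authenticating [auser]>
2017-06-08 14:41:32,478 DEBUG [org.apereo.cas.authentication.support.DefaultAccountStateHandler] - <Handling error [ACCOUNT_LOCKED]>
2017-06-08 14:41:32,478 INFO [org.apereo.cas.authentication.PolicyBasedAuthenticationManager] - <[LdapAuthenticationHandler] failed authenticating [foo]>
2017-06-08 14:50:01,120 INFO [org.apereo.cas.authentication.PolicyBasedAuthenticationManager] - <[LdapAuthenticationHandler] failed authenticating [bar]>
"""

TS = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}\b")
ENTRY = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3})\s+(?P<level>[A-Z]+)\s+"
    r"\[(?P<logger>[^\]]+)\]\s+-\s+<(?P<msg>.*)$"
)
HANDLED = re.compile(r"Handling error \[(\w+)\]")
FAILED = re.compile(r"\[(\w+)\] failed authenticating \[([^\]]+)\]")


def entries(text):
    """Re-join hard-wrapped lines so each yielded string is one log entry."""
    buf = []
    for line in text.splitlines():
        line = line.strip()
        if TS.match(line) and buf:
            yield " ".join(buf)
            buf = []
        if line:
            buf.append(line)
    if buf:
        yield " ".join(buf)


def account_state_failures(text):
    """Return one record per failed login; account_state is the password-policy
    error handled just before it, or None for a plain credential failure."""
    findings = []
    pending = None  # last account-state error not yet tied to a failure line
    for entry in entries(text):
        m = ENTRY.match(entry)
        if not m:
            continue
        logger = m["logger"].rsplit(".", 1)[-1]
        if logger == "DefaultAccountStateHandler":
            handled = HANDLED.search(m["msg"])
            if handled:
                pending = handled[1]
        elif logger == "PolicyBasedAuthenticationManager":
            failed = FAILED.search(m["msg"])
            if failed:
                findings.append({
                    "time": m["ts"],
                    "handler": failed[1],
                    "user": failed[2],
                    "account_state": pending,
                })
                pending = None
    return findings


if __name__ == "__main__":
    for f in account_state_failures(SAMPLE_LOG):
        kind = f["account_state"] or "credential failure"
        print(f'{f["time"]}  {f["user"]:<6} {kind}')
```

Records with a non-empty account_state are logins that the directory rejected for policy reasons (expired, locked, must change) rather than for a wrong password, which is the distinction the login page was failing to show.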

Pavlos Drandakis

Jun 17, 2017, 12:14:55 PM
to CAS Community
Eventually, everything seems to work ok, after adding in login-webflow.xml the following (which is present in CAS v5.0.x but not in CAS v5.1.0):

    <action-state id="handleAuthenticationFailure">
        <evaluate expression="authenticationExceptionHandler.handle(currentEvent.attributes.error, messageContext)"/>
        <transition on="AccountDisabledException" to="casAccountDisabledView"/>
        <transition on="AccountLockedException" to="casAccountLockedView"/>
        <transition on="CredentialExpiredException" to="casExpiredPassView"/>
        <transition on="AccountPasswordMustChangeException" to="casMustChangePassView"/>
        <transition on="InvalidLoginLocationException" to="casBadWorkstationView"/>
        <transition on="InvalidLoginTimeException" to="casBadHoursView"/>
        <transition on="FailedLoginException" to="initializeLoginForm"/>
        <transition on="AccountNotFoundException" to="initializeLoginForm"/>
        <transition on="UnauthorizedServiceForPrincipalException" to="initializeLoginForm" />
        <transition on="UnsatisfiedAuthenticationPolicyException" to="initializeLoginForm"/>
        <transition on="UnauthorizedAuthenticationException" to="casAuthenticationBlockedView"/>
        <transition to="initializeLoginForm"/>
    </action-state>

I don't know if it is the right way, but it seems to work...

Pavlos
P.S.: In order to show expiredPassView messages I had to
a) copy fragments/pwdupdateform.html to fragments/pwdexpiredform.html,
b) change the relevant th messages to screen.expiredpass.heading and screen.expiredpass.message
c) change in casExpiredPassView.html th:replace="fragments/pwdupdateform" to th:replace="fragments/pwdexpiredform"

Ludovic Senecaux

Jun 20, 2017, 3:37:27 AM
to CAS Community, pdr...@noc.edunet.gr
It works when I add "pwdAccountLockedTime" attribute for a user.
But when I add "pwdReset = TRUE", I got

2017-06-20 08:56:34,445 ERROR [org.springframework.boot.web.support.ErrorPageFilter] - <Forwarding to error page from request [/login] due to exception [Exception thrown in state 'handleAuthenticationFailure' of flow 'login']>
org.springframework.webflow.execution.FlowExecutionException: Exception thrown in state 'handleAuthenticationFailure' of flow 'login'
...
Caused by: java.lang.IllegalArgumentException: Cannot find state with id 'casMustChangePassView' in flow 'login' -- Known state ids are 'array<String>['initialAuthenticationRequestValidationCheck', 'ticketGrantingTicketCheck', 'initializeLoginForm', 'viewLoginForm', 'realSubmit', 'showAuthenticationWarningMessages', 'handleAuthenticationFailure', 'sendTicketGrantingTicket', 'generateServiceTicket', 'viewRedirectToUnauthorizedUrlView', 'viewServiceErrorView', 'redirectView', 'postView', 'viewGenericLoginSuccess', 'showWarningView', 'finalizeWarning', 'serviceUnauthorizedCheck', 'serviceCheck', 'warn', 'gatewayRequestCheck', 'hasServiceCheck', 'renewRequestCheck', 'terminateSession', 'gatewayServicesManagementCheck', 'serviceAuthorizationCheck', 'redirect', 'mfa-gauth', 'casAuthenticationBlockedView', 'casBadWorkstationView', 'casBadHoursView', 'casAccountLockedView', 'casAccountDisabledView', 'casPasswordUpdateSuccessView', 'passwordChangeAction', 'casExpiredPassView', 'casResetPasswordSendInstructionsView', 'sendInstructions', 'casResetPasswordSentInstructionsView']'

Have you got an idea ?

Pavlos Drandakis

Jun 20, 2017, 6:51:17 AM
to CAS Community
Hi Ludovic,

it seems that adding the following in login-webflow.xml, solves the problem:

<end-state id="casMustChangePassView" view="casMustChangePassView"/>

Cheers,
Pavlos
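
The "Cannot find state with id 'casMustChangePassView'" failure above is a transition whose target is not defined in the flow, and it can be caught before deployment by checking an overlay's login-webflow.xml statically. The following is an added example, not part of the thread and not CAS code; the function names and the trimmed sample flow are constructed here, and states that CAS registers programmatically at runtime have to be passed in through the hypothetical extra_known parameter.

```python
import xml.etree.ElementTree as ET

STATE_TAGS = {"action-state", "view-state", "decision-state",
              "end-state", "subflow-state"}


def local(tag):
    """Strip the XML namespace, so fragments with or without xmlns both work."""
    return tag.rsplit("}", 1)[-1]


def is_dynamic(target):
    """Targets computed by an expression cannot be resolved statically."""
    return target.startswith(("${", "#{"))


def dangling_targets(flow_xml, extra_known=()):
    """Return (state id, trigger, target) for every transition or decision
    branch that points at a state id the flow does not define."""
    root = ET.fromstring(flow_xml.strip())
    known = set(extra_known)  # ids registered outside the XML (assumption)
    for el in root.iter():
        if local(el.tag) in STATE_TAGS and el.get("id"):
            known.add(el.get("id"))

    refs = []
    for state in root.iter():
        if local(state.tag) not in STATE_TAGS:
            continue
        for child in state.iter():
            name = local(child.tag)
            if name == "transition" and child.get("to"):
                refs.append((state.get("id"), child.get("on") or "*",
                             child.get("to")))
            elif name == "if":  # decision-state branches
                for attr in ("then", "else"):
                    if child.get(attr):
                        refs.append((state.get("id"), attr, child.get(attr)))
    return [r for r in refs if r[2] not in known and not is_dynamic(r[2])]


def sample_flow(with_end_state):
    """Constructed, trimmed flow using the state ids quoted in this thread."""
    fix = ('<end-state id="casMustChangePassView" view="casMustChangePassView"/>'
           if with_end_state else "")
    return f"""
<flow xmlns="http://www.springframework.org/schema/webflow">
  <action-state id="initializeLoginForm">
    <evaluate expression="initializeLoginAction"/>
    <transition on="success" to="viewLoginForm"/>
  </action-state>
  <view-state id="viewLoginForm" view="casLoginView"/>
  <action-state id="handleAuthenticationFailure">
    <evaluate expression="authenticationExceptionHandler.handle(currentEvent.attributes.error, messageContext)"/>
    <transition on="AccountLockedException" to="casAccountLockedView"/>
    <transition on="CredentialExpiredException" to="casExpiredPassView"/>
    <transition on="AccountPasswordMustChangeException" to="casMustChangePassView"/>
    <transition to="initializeLoginForm"/>
  </action-state>
  <end-state id="casAccountLockedView" view="casAccountLockedView"/>
  <end-state id="casExpiredPassView" view="casExpiredPassView"/>
  {fix}
</flow>"""


if __name__ == "__main__":
    for state, trigger, target in dangling_targets(sample_flow(False)):
        print(f"{state}: on {trigger} -> undefined state '{target}'")
```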

Ludovic Senecaux

Jun 21, 2017, 5:10:29 AM
to CAS Community, pdr...@noc.edunet.gr
Thanks Pavlos, it works!

Have you found any workarounds for:

1/ the use of pwdGraceAuthNLimit
2/ customize URL for password update (I tried to set "#{screen.mustchangepass.message(${cas.authn.pm.changeUrl})}" in pwdupdateform.html, but unsuccessfully)

Regards,

Pavlos Drandakis

Jun 21, 2017, 10:25:32 AM
to Ludovic Senecaux, CAS Community

On 21/06/2017 12:10 PM, Ludovic Senecaux wrote:
> Thanks Pavlos, it works!
Glad to hear it :-)
>
> Have you found any workarounds for:
>
> 1/ the use of pwdGraceAuthNLimit
When pwdGraceAuthNLimit was enabled, I kept getting an NPE in the logs and
nothing in the login form. After this change:
https://github.com/apereo/cas/pull/2697 everything seems to work as
expected (the user is presented with the password.expiration.loginsRemain
message).
> 2/ customize URL for password update (I tried to set
> "#{screen.mustchangepass.message(${cas.authn.pm.changeUrl})}" in
> pwdupdateform.html, but unsuccessfully)
I am not sure that I understand your question... Isn't editing
screen.mustchangepass.message in messages.properties what you need?
>
> Regards,
Regards,
Pavlos


Ludovic Senecaux

Jun 21, 2017, 11:38:36 AM
to Pavlos Drandakis, CAS Community
I want to display a correct URL (defined in cas.properties) to users without modifying messages.properties.
I put a parameter to #{screen.mustchangepass.message} in the pwdupdatepass.html file that overrides the "{0}" variable in messages_XX.properties, as explained here: http://www.thymeleaf.org/doc/tutorials/2.1/usingthymeleaf.html#variables

Regards,

Pavlos Drandakis

Jun 22, 2017, 2:19:42 AM
to Ludovic Senecaux, CAS Community
Ok, now I understand what you are trying to do, but I don't think that you can do it without editing messages{_xx}.properties. screen.mustchangepass.message doesn't have a {0} in it, so there is nothing to replace... The url is hard coded in the message.

Regards,
Pavlos

Ludovic Senecaux

Jun 22, 2017, 6:25:47 AM
to CAS Community, linu...@gmail.com, pdr...@noc.edunet.gr
There is a {0} in messages_XX.properties but not in messages.properties

Pavlos Drandakis

Jun 22, 2017, 10:19:33 AM
to cas-...@apereo.org, Ludovic Senecaux
Yes, you are right, I've only checked messages.properties...

I have no thymeleaf experience and surely someone else could help you more. Nevertheless I've found that, perhaps, the following is what you are looking for: "#{screen.mustchangepass.message(${@environment.getProperty('cas.authn.pm.changeUrl')})}"

I have no idea if this is the "right" way to do it...

Regards,
Pavlos




Ben Howell-Thomas

Jun 22, 2017, 11:44:02 AM
to cas-...@apereo.org
Regarding :

> Eventually, everything seems to work ok, after adding in login-webflow.xml the following (which is present in CAS v5.0.x but not in CAS v5.1.0):
>
>     <action-state id="handleAuthenticationFailure">
>         <evaluate expression="authenticationExceptionHandler.handle(currentEvent.attributes.error, messageContext)"/>
>         <transition on="AccountDisabledException" to="casAccountDisabledView"/>
>         <transition on="AccountLockedException" to="casAccountLockedView"/>
>         <transition on="CredentialExpiredException" to="casExpiredPassView"/>
>         <transition on="AccountPasswordMustChangeException" to="casMustChangePassView"/>
>         <transition on="InvalidLoginLocationException" to="casBadWorkstationView"/>
>         <transition on="InvalidLoginTimeException" to="casBadHoursView"/>
>         <transition on="FailedLoginException" to="initializeLoginForm"/>
>         <transition on="AccountNotFoundException" to="initializeLoginForm"/>
>         <transition on="UnauthorizedServiceForPrincipalException" to="initializeLoginForm" />
>         <transition on="UnsatisfiedAuthenticationPolicyException" to="initializeLoginForm"/>
>         <transition on="UnauthorizedAuthenticationException" to="casAuthenticationBlockedView"/>
>         <transition to="initializeLoginForm"/>
>     </action-state>
>
> I don't know if it is the right way, but it seems to work...

Have you reported it as a bug or anything already?

It looks like the above states are being set up by DefaultWebflowConfigurer.createHandleAuthenticationFailureAction() but they aren't having any effect.

(Also, thanks for the workaround :)


Pavlos Drandakis

Jun 22, 2017, 1:31:36 PM
to cas-...@apereo.org

Hi Ben,

No, I hadn't, but I just did it: https://github.com/apereo/cas/issues/2703

Cheers,
Pavlos

Ludovic Senecaux

Jun 23, 2017, 3:11:07 AM
to CAS Community, linu...@gmail.com, pdr...@noc.edunet.gr
I replaced the fixed URL in messages.properties with "{0}", and added the code below.
That works!

Pavlos Drandakis

Jun 24, 2017, 2:43:21 AM
to cas-...@apereo.org

Hello all,

just for future reference...

PPolicy issues are now fixed in v5.1.1. There is no need to add anything in the login-webflow.xml...

Pavlos

Ben Howell-Thomas

Jun 26, 2017, 4:30:33 AM
to cas-...@apereo.org
Thanks again Pavlos :)
