Security concern on using TGT generation rest request


Y G

Nov 19, 2025, 1:59:23 PMNov 19
to CAS Community
Hello everybody,
To make sure not to leak any usernames existing in the system in case of brute forcing against the TGT generation endpoint, I'm looking for a way to make sure the same response is returned when generating a TGT with:
- a user that is not found in the authentication sources
- a user whose password is incorrect

Currently, I see that you can customize the error messages with message bundle entries like this:

authenticationFailure.AccountNotFoundException=Credentials are rejected/invalid and authentication attempt has failed.
authenticationFailure.FailedLoginException=Credentials are rejected/invalid and authentication attempt has failed.

but even if I set the same value for both, because the exception message is included in the response (prepared here), my case cannot be achieved and I see this happening:

{
  "@class" : "java.util.HashMap",
  "authentication_exceptions" : [ "java.util.ArrayList", [ "Password does not match value on record.:Credentials are rejected/invalid and authentication attempt has failed." ] ]
}

{
  "@class" : "java.util.HashMap",
  "authentication_exceptions" : [ "java.util.ArrayList", [ "USERNAME not found with SQL query:Credentials are rejected/invalid and authentication attempt has failed." ] ]
}

You can guess which one is the invalid username and which one is the invalid password.
So my question is: is there an easy way for me to not display exception messages in the response texts? Currently, I'm trying to override the method createTicketGrantingTicket
and override the bean with the overridden one, but it's not written as overridable here, so I went to the lengths of using a SmartInitializingSingleton (a Spring bean lifecycle callback) and replacing the post mapping using requestMappingHandlerMapping.

Any ideas would be appreciated.

Have a nice day,
YG


Ray Bon

Nov 19, 2025, 2:26:43 PMNov 19
to cas-...@apereo.org
If you want to override that method, you can modify the class, keeping the package and class name.
The war overlay will replace the one provided in cas with yours.

Ray

P.S. Remember to check for changes when you upgrade.


Y G

Nov 19, 2025, 3:37:18 PMNov 19
to CAS Community, Ray Bon
Hello again,
Thank you for the reply.
By just overlaying the org.apereo.cas.support.rest.resources.RestResourceUtils class and changing the mapExceptionToMessage method so that it does not use the exception message, I was able to do a quick POC and could remove it and make the response uniform.

On my local, running the project via java .... -jar build/libs/cas.war and testing the endpoint, the responses are just what I wanted, but it did not work when I tried the project with gradle bootRun. After editing the bootRun task in the springboot.gradle file as below (commenting out the original classpath and prioritizing the runtimeClasspath), it worked with that too:

...
bootRun {
    // original config from CAS Initializr
    // classpath = configurations.bootRunConfig + sourceSets.main.compileClasspath + sourceSets.main.runtimeClasspath

    // for the overlay classes to work with this gradle task.
    // You can drop compileClasspath — runtimeClasspath already covers it.
    classpath = sourceSets.main.runtimeClasspath + configurations.bootRunConfig
}
...

Now I see this result in both cases:
{
  "@class": "java.util.HashMap",
  "authentication_exceptions": [
    "java.util.ArrayList",
    [
      "Credentials are rejected/invalid and authentication attempt has failed."
    ]
  ]
}

Now I will not need to make surgical changes using SmartInitializingSingleton (using overlays for customizations is always the better answer, what was I thinking :) ).

Thank you and have a nice day.
On Wednesday, 19 November 2025 at 22:26:43 UTC+3, Ray Bon wrote:
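As an added example (not code from this thread or from CAS itself), here is a small offline regression check for the two response shapes discussed above: it parses the Jackson default-typed `["java.util.ArrayList", [...]]` bodies, flags messages that carry handler detail beyond the configured bundle text, and verifies that the unknown-user and wrong-password failures are indistinguishable. The sample bodies are constructed from the JSON quoted in the thread.

```python
import json

# Constructed sample bodies, shaped like the responses quoted in this thread:
# two pre-overlay failures whose messages differ per cause, and the single
# uniform body observed after overlaying RestResourceUtils.
BUNDLE_MESSAGE = "Credentials are rejected/invalid and authentication attempt has failed."
BEFORE_BAD_PASSWORD = json.dumps({
    "@class": "java.util.HashMap",
    "authentication_exceptions": ["java.util.ArrayList",
        ["Password does not match value on record.:" + BUNDLE_MESSAGE]],
})
BEFORE_UNKNOWN_USER = json.dumps({
    "@class": "java.util.HashMap",
    "authentication_exceptions": ["java.util.ArrayList",
        ["USERNAME not found with SQL query:" + BUNDLE_MESSAGE]],
})
AFTER_UNIFORM = json.dumps({
    "@class": "java.util.HashMap",
    "authentication_exceptions": ["java.util.ArrayList", [BUNDLE_MESSAGE]],
})


def failure_messages(body: str) -> list[str]:
    """Return the messages carried by a CAS REST failure body.
    CAS serialises with Jackson default typing, so a collection appears as a
    two-element array ["java.util.ArrayList", [item, ...]]; a plain list is
    accepted as well in case default typing is disabled.
    """
    value = json.loads(body).get("authentication_exceptions", [])
    if (isinstance(value, list) and len(value) == 2
            and isinstance(value[0], str) and isinstance(value[1], list)):
        value = value[1]
    return [str(item) for item in value]


def leaks_handler_detail(body: str, bundle_message: str = BUNDLE_MESSAGE) -> bool:
    """True if any message carries more than the configured bundle text.
    The default mapping prefixes the handler's own message before the bundle
    text, and that prefix is what tells the two failure causes apart.
    """
    return any(msg != bundle_message for msg in failure_messages(body))


def responses_are_uniform(*bodies: str) -> bool:
    """True when every body yields the same message set, so a caller cannot
    distinguish an unknown user from a wrong password."""
    return len({tuple(sorted(failure_messages(b))) for b in bodies}) == 1
```

Run it against bodies captured from a test instance after each upgrade, since an overlaid class silently falls back to the upstream version if the upstream signature changes.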