About Disabling to


Y G

Nov 3, 2025, 8:39:50 AM
to CAS Community
Hello everyone,
After upgrading to 7.3.0 (from 6.x), I see that users with weak passwords are getting HTTP 500 with the message "Detected weak password for user USERNAME" on REST responses. And on the web UI side, I see that they're forced to change their passwords. Users can get their passwords changed regularly, so, with not cutting off these users' operations in mind, I am searching for a better solution to disable this feature.

When checking out the source code, I see that this behaviour consists of auto-registration of PasswordStrengthAuthenticationPostProcessor, which is set up when this configuration exists:
cas.authn.pm.core.password-policy-pattern=^(?=.*[a-z])(?=.*[A-Z])(?=.*\d)(?=.*[$@$!%*?&])[A-Za-z\d$@$!%*?&]{8,10}

Is there another way to configure this behaviour other than this: 

import org.apereo.cas.authentication.AuthenticationPostProcessor;
import org.springframework.boot.autoconfigure.condition.ConditionalOnMissingBean;
import org.springframework.cloud.context.config.annotation.RefreshScope;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.context.annotation.ScopedProxyMode;

// Enclosing configuration class shown for completeness; its name is illustrative.
@Configuration
public class NoOpPasswordStrengthConfiguration {

    /**
     * By default, CAS checks if a given password is weak when authenticating a user. This check is
     * enabled by default when a regex value is given to this config:
     * `cas.authn.pm.core.password-policy-pattern`. It's defined in:
     * {@link PasswordManagementWebflowConfiguration.PasswordManagementPolicyConfiguration#passwordStrengthAuthenticationPostProcessor}
     * and configured in:
     * {@link PasswordManagementWebflowConfiguration.PasswordManagementPolicyConfiguration#passwordManagementAuthenticationExecutionPlanConfigurer}
     *
     * So in order to disable these checks when authenticating users,
     * I've overridden the bean like this:
     */
    @Bean
    @RefreshScope(proxyMode = ScopedProxyMode.DEFAULT)
    @ConditionalOnMissingBean(name = "passwordStrengthAuthenticationPostProcessor")
    public AuthenticationPostProcessor passwordStrengthAuthenticationPostProcessor() {
        // No-op post-processor: the authentication passes through without a strength check
        return AuthenticationPostProcessor.none();
    }
}


I think there should be another configuration that enables/disables this post-processor, other than the password-policy-pattern, which is in tandem with password management's reset functionality.

Thank you and have a nice day.
YG
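As an added illustration (not code from this thread or from CAS), the check below runs the posted policy pattern against a few constructed passwords under both of Java's regex semantics, since the thread does not say whether CAS applies the pattern with Matcher.matches() (whole input) or Matcher.find(); which one is in use is therefore an assumption exposed as a parameter. The point it makes visible is that under whole-input matching the trailing {8,10} bound marks any password longer than 10 characters as weak, which is one way existing users with perfectly good passwords end up with the 500 response.

```python
import re
from typing import Dict, List

# The pattern from the thread's cas.authn.pm.core.password-policy-pattern, verbatim.
POLICY_PATTERN = r"^(?=.*[a-z])(?=.*[A-Z])(?=.*\d)(?=.*[$@$!%*?&])[A-Za-z\d$@$!%*?&]{8,10}"
_POLICY = re.compile(POLICY_PATTERN)


def is_strong(password: str, full_match: bool = True) -> bool:
    """True when the password satisfies the policy pattern.

    full_match=True mirrors Java's Matcher.matches() (the whole input must match);
    full_match=False mirrors Matcher.find() (a match at the anchored start suffices).
    Which of the two CAS applies is an assumption here, so both are exposed.
    """
    match = _POLICY.fullmatch(password) if full_match else _POLICY.search(password)
    return match is not None


def weak_users(passwords: Dict[str, str], full_match: bool = True) -> List[str]:
    """Usernames whose password would trip a 'Detected weak password' response.

    Passwords are compared in memory only and never printed or logged.
    """
    return [user for user, pw in passwords.items() if not is_strong(pw, full_match)]


# Constructed sample input, not real accounts.
SAMPLE = {
    "alice": "Passw0rd!",        # 9 chars, all four classes: strong either way
    "bob": "password",           # no upper case, digit or special: weak either way
    "dave": "Sup3rSecret!Pass",  # 16 chars: weak under matches() only, because of {8,10}
}

if __name__ == "__main__":
    print("matches():", weak_users(SAMPLE, full_match=True))   # ['bob', 'dave']
    print("find():   ", weak_users(SAMPLE, full_match=False))  # ['bob']
```

Before enabling the property on an upgraded instance, running the intended pattern over known-good test passwords this way shows which length and character-set choices would start rejecting existing users.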

Dmitriy Kopylenko

Nov 3, 2025, 9:21:18 AM
to cas-...@apereo.org
It's the only way currently - to re-define the bean with a no-op impl, as the core config is tightly coupled to the cas.authn.pm.core.password-policy-pattern property condition: https://github.com/apereo/cas/blob/4fecb5ab2aca9d76a60144925b686001d3ac5cbc/support/cas-server-support-pm-webflow/src/main/java/org/apereo/cas/config/PasswordManagementWebflowConfiguration.java#L434

D.
