So what you are saying is, regardless of the password, if the account has an expired status you are redirected to the expired-password screen?

This is strange. I don’t think account status can be determined without first fully authenticating the user. What is your authn source? Could you share your transitions configuration and the logs?

- Misagh

> On Apr 20, 2015, at 11:42 PM, Raymond Drew Walker <ray.wal...@nau.edu> wrote:
>
> All,
>
> Noticing interesting default behavior for logins with expired passwords that
> are also using incorrect passwords (neither expired nor valid). The user is
> still transitioned to the casExpiredPassView.url
>
> Is this expected behavior for users entering bad passwords?
>
> I suppose this behavior could allow for users attempting to scrape user
> logins for expired users as part of a larger vector of attack (social, etc.)
>
> Is there a preferred method to correct this behavior so as not to reveal the
> existence of an account when an incorrect password is used?
>
> I have not checked this behavior for the password warning or other
> “handleAuthenticationFailure” transitions.
>
> --
> Raymond Walker
> Software Systems Engineer StSp.
> ITS Northern Arizona University
>
> --
> You are currently subscribed to cas-user@lists.jasig.org as:
> mmoay...@unicon.net
> To unsubscribe, change settings or access archives, see
> http://www.ja-sig.org/wiki/display/JSG/cas-user
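The ordering problem discussed in this thread, as an added illustration that is not code from CAS or from either poster: a toy authentication handler in Python showing the leaky ordering (account status consulted before the credential is verified) next to the fixed ordering (credential verified first, uniform failure otherwise). The user directory, the PBKDF2 parameters, the fixed "now" and the response labels are all constructed for the example and do not correspond to any CAS configuration or class.

```python
"""
Added example, not from the CAS project or the thread above. Models an
authentication handler to show why the password-expired outcome must only be
reachable after the credential itself has been verified. Everything below
(accounts, hashing parameters, clock, response labels) is constructed.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass
class Account:
    username: str
    salt: bytes
    pw_hash: bytes
    password_expires: datetime


def _hash(password: str, salt: bytes) -> bytes:
    # Iteration count is small for a quick demo, not a production setting.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 20_000)


def make_account(username: str, password: str, expires: datetime) -> Account:
    salt = os.urandom(16)
    return Account(username, salt, _hash(password, salt), expires)


# Constructed directory: alice is current, bob's password expired yesterday.
NOW = datetime(2015, 4, 21, tzinfo=timezone.utc)
USERS = {
    "alice": make_account("alice", "correct horse", NOW + timedelta(days=30)),
    "bob": make_account("bob", "battery staple", NOW - timedelta(days=1)),
}
# Sentinel record used for unknown usernames so a hash is always computed.
DUMMY = make_account("dummy", os.urandom(8).hex(), NOW)


def login_leaky(username: str, password: str) -> str:
    """Vulnerable ordering: account status is consulted before the password is
    checked, so any password at all reveals that the account exists and is
    expired (the behaviour Raymond describes)."""
    acct = USERS.get(username)
    if acct is None:
        return "AUTH_FAILED"
    if acct.password_expires <= NOW:
        return "PASSWORD_EXPIRED"  # reachable without a valid credential
    if hmac.compare_digest(acct.pw_hash, _hash(password, acct.salt)):
        return "SUCCESS"
    return "AUTH_FAILED"


def login_fixed(username: str, password: str) -> str:
    """Hardened ordering: verify the credential first. Unknown user and wrong
    password collapse to the same outcome, the hash is computed either way,
    and only a fully authenticated user ever sees PASSWORD_EXPIRED."""
    acct = USERS.get(username, DUMMY)
    ok = hmac.compare_digest(acct.pw_hash, _hash(password, acct.salt))
    if not ok or acct is DUMMY:
        return "AUTH_FAILED"
    if acct.password_expires <= NOW:
        return "PASSWORD_EXPIRED"
    return "SUCCESS"


def enumerates(login) -> bool:
    """The probe from the thread: submit a deliberately wrong password for a
    known-expired account and for a non-existent one. If the two outcomes
    differ, the handler leaks account existence."""
    return login("bob", "not-the-password") != login("nobody", "not-the-password")
```

Running `enumerates(login_leaky)` returns True and `enumerates(login_fixed)` returns False; the CAS equivalent of that probe is to check whether the expired-password transition can be reached by a handler that has not actually verified the credential, which is what the transitions configuration and logs Misagh asks for would show.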