Tags: spring-boot, thymeleaf, cas

Adding a current password field to CAS password change request


I am attempting to implement a minimum character rotation password reset policy with CAS 6.2.7 and Thymeleaf. Since password hashing is a thing, this check must be conducted before the password request is sent to the server. As a result, I need a current password field as part of the password reset view.

The model used for this is the PasswordChangeRequest in the cas-server-support-pm-core module of CAS. This model has a password field and a confirmedPassword field. I need to either modify this model to include a currentPassword field, or somehow link my own model to the form and send them both together.

I have tried both of these options with the help of the guidance found at https://github.com/apereo/cas/blob/master/docs/cas-server-documentation/webflow/Webflow-Customization-Extensions.md. I'm not very well versed in Spring WebFlow and suspect that I am not even close.

Is there any way to accomplish this? If so, how?


Solution

The component that ultimately attempts to change the password is an implementation of PasswordManagementService that does this:

    // Called by the password-management webflow with the credential the user
    // authenticated with and the new/confirmed password submitted on the form.
    boolean change(Credential credential, PasswordChangeRequest pcr)
            throws InvalidPasswordException {
        ...
    }

If you design your own custom service, you can implement the change() method, and there, you have access to the original password using the credential that would then be cast down to UsernamePasswordCredential.

A custom implementation usually has the following outline:

    @Configuration("MyPasswordConfiguration")
    @EnableConfigurationProperties(CasConfigurationProperties.class)
    public class MyPasswordConfiguration {

        // Bean named passwordChangeService supplies the custom service to CAS
        @Bean
        public PasswordManagementService passwordChangeService() {
            ...
        }
    }
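Putting the outline above into working code, as an added example that is not from the original answer or from the CAS project: a custom service whose change() reads the current password from the UsernamePasswordCredential, compares it with the proposed password while both are still plaintext, and only then hands the new value to a store. It assumes the CAS 6.2.7 APIs named on this page (UsernamePasswordCredential.getPassword() and PasswordChangeRequest.getPassword() returning String, the other PasswordManagementService methods carrying default implementations so only change() needs overriding, and InvalidPasswordException having a no-argument constructor). The package name, the MinimumRotationPolicy class, the "differing positions" reading of "minimum character rotation", the threshold of 4 and the store lambda are constructed for illustration.

```java
package org.example.cas.pm; // hypothetical package for a CAS overlay

import java.util.function.BiPredicate;

import org.apereo.cas.authentication.Credential;
import org.apereo.cas.authentication.credential.UsernamePasswordCredential;
import org.apereo.cas.configuration.CasConfigurationProperties;
import org.apereo.cas.pm.InvalidPasswordException;
import org.apereo.cas.pm.PasswordChangeRequest;
import org.apereo.cas.pm.PasswordManagementService;
import org.springframework.boot.context.properties.EnableConfigurationProperties;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;

// Pure policy object with no CAS dependency (constructed for this example): the
// proposed password must differ from the current one in at least N positions.
// A length difference counts as changed positions, so merely appending characters
// to the old password does not satisfy the policy.
final class MinimumRotationPolicy {
    private final int minimumDifferingPositions;

    MinimumRotationPolicy(final int minimumDifferingPositions) {
        this.minimumDifferingPositions = minimumDifferingPositions;
    }

    static int differingPositions(final String current, final String proposed) {
        final int shared = Math.min(current.length(), proposed.length());
        int differing = 0;
        for (int i = 0; i < shared; i++) {
            if (current.charAt(i) != proposed.charAt(i)) {
                differing++;
            }
        }
        return differing + Math.abs(current.length() - proposed.length());
    }

    boolean satisfiedBy(final String current, final String proposed) {
        return differingPositions(current, proposed) >= minimumDifferingPositions;
    }
}

// Custom PasswordManagementService: the rotation check runs here because this is the
// only place where both the current and the proposed password exist in plaintext.
// Assumes the remaining interface methods have defaults in 6.2.7 (see lead-in).
class RotationCheckingPasswordManagementService implements PasswordManagementService {
    private final MinimumRotationPolicy policy;
    private final BiPredicate<String, String> store; // (username, newPassword) -> persisted?

    RotationCheckingPasswordManagementService(final MinimumRotationPolicy policy,
                                             final BiPredicate<String, String> store) {
        this.policy = policy;
        this.store = store;
    }

    @Override
    public boolean change(final Credential credential, final PasswordChangeRequest pcr)
            throws InvalidPasswordException {
        // The webflow reaches change() only after authentication, so the credential
        // still carries the password the user just logged in with.
        if (!(credential instanceof UsernamePasswordCredential)) {
            return false; // no plaintext current password for other credential types
        }
        final UsernamePasswordCredential upc = (UsernamePasswordCredential) credential;
        final String current = upc.getPassword();   // String in 6.2.x (assumed)
        final String proposed = pcr.getPassword();

        if (current == null || proposed == null
                || !proposed.equals(pcr.getConfirmedPassword())) {
            return false; // mismatch between password and confirmedPassword
        }
        if (!policy.satisfiedBy(current, proposed)) {
            // Assumed no-arg constructor; the flow reports a password-policy failure.
            throw new InvalidPasswordException();
        }
        return store.test(upc.getUsername(), proposed);
    }
}

@Configuration("MyPasswordConfiguration")
@EnableConfigurationProperties(CasConfigurationProperties.class)
public class MyPasswordConfiguration {

    @Bean
    public PasswordManagementService passwordChangeService() {
        // Constructed values: at least 4 positions must change; the store lambda is a
        // placeholder for whatever hashes and persists passwords in your deployment.
        return new RotationCheckingPasswordManagementService(
            new MinimumRotationPolicy(4),
            (username, newPassword) -> {
                // hash newPassword and write it for username here
                return true;
            });
    }
}
```

For CAS to pick the configuration class up, the overlay registers it in `src/main/resources/META-INF/spring.factories` under `org.springframework.boot.autoconfigure.EnableAutoConfiguration`, as the webflow customization page linked in the question describes. Because the comparison runs inside change(), no extra currentPassword field or model change is needed on the Thymeleaf side; the rotation count is computed on the server from the credential, which is the value the user authenticated with.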