Handling Invalid _eventId in CAS 6.X


When Spring Webflow receives an invalid eventId it throws a NoMatchingTransitionException. This, in turn, throws a 500 error which is detected by vulnerability scanners. CAS 6.X uses a custom webflow to implement its login functionality. According to the link below, under the "Live Happily" heading, the CAS documentation seems to frown upon altering the flow.

https://apereo.github.io/cas/6.1.x/webflow/Webflow-Customization-Extensions.html

I need to be able to handle these errors and throw another status, such as a 400 Bad Request. In previous versions of CAS, there was a login-webflow.xml file where transitions for invalid eventIds could be defined. I realize this is altering the flow, but it seemed fairly safe and intuitive. It seems that this has been moved to a pure Java implementation. Is that correct? If there is a way to simply repeat this process with the new Java implementation, I have been unable to find the resources necessary to do so.

How can I handle these errors gracefully in the new CAS 6?

Misagh Moayyed On

In previous versions of CAS, there was a login-webflow.xml file where transitions for invalid eventIds could be defined.

Judging by the very same link you shared, the same file appears to be available at: src/main/resources/webflow/login-webflow.xml

If you do not have this file in your build, you will need to pull it in your overlay at that path and address. For the version you shared, the original copy of the file is available at: https://github.com/apereo/cas/blob/6.1.x/webapp/cas-server-webapp-resources/src/main/resources/webflow/login/login-webflow.xml

It seems that this has been moved to a pure Java implementation. Is that correct?

Yes.

If there is a way to simply repeat this process with the new Java implementation, I have been unable to find the resources necessary to do so. How can I handle these errors gracefully in the new CAS 6?

It depends on what you mean by "simply".

  • If you're familiar with Spring Webflow XML, you can alter the same XML file and have it do what you want. Typically, this involves adding global exception handlers that trigger into a new state that you would define. A simple Google search turned this up:
<global-transitions>
    <transition on-exception="example.MyBusinessException" to="state3" />
</global-transitions>
  • Alternatively, the same link you shared shows that a flow can be altered dynamically at runtime and this is the recommended approach since XML config will be removed eventually (and has been):
    @Override
    protected void doInitialize() throws Exception {
        final Flow flow = super.getLoginFlow();
        // Magic happens; Call 'super' to see what you have access to and alter the flow.
    }

Here, you can effectively do the same as you would in XML; create exception handlers for your particular type of error and have it navigate to a different state. The super class provides utility methods that let you create states, views, transitions, etc.

Something like this:

// 'val' is Lombok's type-inferring local (CAS itself builds with Lombok); in plain Java use
// 'final TransitionExecutingFlowExecutionExceptionHandler h = ...' or 'var' on Java 10+.
val h = new TransitionExecutingFlowExecutionExceptionHandler();
// Map the exception type to the id of the state you created for it in doInitialize()
h.add(SomeException.class, "stateId");
// Register the handler on the login flow obtained from getLoginFlow()
flow.getExceptionHandlerSet().add(h);

Please see: https://fawnoos.com/2021/08/20/cas64-webflow-extensions/ (Note that the link here applies to CAS 6.4.x)
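Putting the answer's two pieces together for the question's actual case, here is an added example (not code from the original post or from the CAS project) of a webflow configurer that routes Spring Webflow's NoMatchingTransitionException to an end state answering HTTP 400. It assumes the CAS 6.1.x AbstractCasWebflowConfigurer constructor signature, and the class, state and view names are hypothetical.

```java
// Added example, not CAS project code. Assumes the CAS 6.1.x configurer
// constructor and a hypothetical error view id you supply in your overlay.
import javax.servlet.http.HttpServletResponse;
import org.apereo.cas.configuration.CasConfigurationProperties;
import org.apereo.cas.web.flow.configurer.AbstractCasWebflowConfigurer;
import org.springframework.context.ConfigurableApplicationContext;
import org.springframework.webflow.action.AbstractAction;
import org.springframework.webflow.definition.registry.FlowDefinitionRegistry;
import org.springframework.webflow.engine.EndState;
import org.springframework.webflow.engine.Flow;
import org.springframework.webflow.engine.NoMatchingTransitionException;
import org.springframework.webflow.engine.builder.support.FlowBuilderServices;
import org.springframework.webflow.engine.support.TransitionExecutingFlowExecutionExceptionHandler;
import org.springframework.webflow.execution.Event;
import org.springframework.webflow.execution.RequestContext;

public class InvalidEventWebflowConfigurer extends AbstractCasWebflowConfigurer {
    // Hypothetical state and view ids; choose your own.
    static final String BAD_REQUEST_STATE = "invalidEventBadRequest";
    static final String BAD_REQUEST_VIEW = "error/badRequest";

    public InvalidEventWebflowConfigurer(final FlowBuilderServices flowBuilderServices,
                                         final FlowDefinitionRegistry loginFlowDefinitionRegistry,
                                         final ConfigurableApplicationContext applicationContext,
                                         final CasConfigurationProperties casProperties) {
        super(flowBuilderServices, loginFlowDefinitionRegistry, applicationContext, casProperties);
    }
    @Override
    protected void doInitialize() {
        final Flow flow = getLoginFlow();
        // End state rendering a generic error view; its entry action sets the
        // status code so an unknown _eventId answers 400 instead of 500.
        final EndState badRequest = createEndState(flow, BAD_REQUEST_STATE, BAD_REQUEST_VIEW);
        badRequest.getEntryActionList().add(new AbstractAction() {
            @Override
            protected Event doExecute(final RequestContext context) {
                final Object response = context.getExternalContext().getNativeResponse();
                if (response instanceof HttpServletResponse) {
                    ((HttpServletResponse) response).setStatus(HttpServletResponse.SC_BAD_REQUEST);
                }
                return success();
            }
        });
        // Route Spring Webflow's "no transition for this event" exception to that state.
        final TransitionExecutingFlowExecutionExceptionHandler handler =
            new TransitionExecutingFlowExecutionExceptionHandler();
        handler.add(NoMatchingTransitionException.class, BAD_REQUEST_STATE);
        flow.getExceptionHandlerSet().add(handler);
    }
}
```

The configurer still has to be registered with CAS as a webflow configurer bean in your overlay (in 6.x, via a CasWebflowExecutionPlanConfigurer, as I understand the linked documentation), and the error view should stay generic so a scanner's probe learns nothing about flow internals.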