Merge branch 'master' of github.com:apereo/cas

mmoayyed · mmoayyed · commit 67dbf3b02412 · 2025-08-11T20:38:20.000+04:00
# Conflicts:
#	core/cas-server-core-util-api/src/main/java/org/apereo/cas/util/http/HttpRequestUtils.java
#	support/cas-server-support-pm-webflow/src/test/java/org/apereo/cas/pm/web/flow/actions/PasswordChangeActionTests.java
#	support/cas-server-support-syncope-authentication/src/main/java/org/apereo/cas/syncope/pm/SyncopePasswordManagementService.java
diff --git a/ci/tests/puppeteer/scenarios/pm-reset-password-syncope/script.js b/ci/tests/puppeteer/scenarios/pm-reset-password-syncope/script.js
@@ -51,6 +51,12 @@ const cas = require("../../cas.js");
     await cas.goto(page, link);
     await cas.sleep(2000);
 
+    await cas.assertInnerText(page, "#content h2", "Answer Security Questions");
+
+    await cas.type(page, "#q0", "Rome", true);
+    await cas.pressEnter(page);
+    await cas.waitForNavigation(page);
+    await cas.sleep(2000);
     await cas.assertInnerText(page, "#pwdmain h3", `Hello, ${username}. You must change your password.`);
 
     newPassword = await cas.randomWord();
diff --git a/ci/tests/puppeteer/scenarios/pm-reset-password-syncope/script.json b/ci/tests/puppeteer/scenarios/pm-reset-password-syncope/script.json
@@ -27,7 +27,6 @@
     "--cas.authn.pm.reset.mail.text=${url}",
     "--cas.authn.pm.reset.mail.subject=Reset",
     "--cas.authn.pm.reset.mail.attribute-name=mail",
-    "--cas.authn.pm.reset.security-questions-enabled=false",
 
     "--cas.authn.pm.syncope.basic-auth-username=admin",
     "--cas.authn.pm.syncope.basic-auth-password=password",
diff --git a/ci/tests/syncope/run-syncope-server.sh b/ci/tests/syncope/run-syncope-server.sh
@@ -261,6 +261,8 @@ for i in {0..4}; do
     "username": '\""syncopepasschange${suffix}\""',
     "password": "Sync0pe",
     "mustChangePassword": true,
+    "securityQuestion": "'"${SECURITY_QUESTION_KEY}"'",
+    "securityAnswer": "Rome",
     "plainAttrs": [
       {
         "schema": "email",
diff --git a/core/cas-server-core-util-api/src/main/java/org/apereo/cas/util/http/HttpRequestUtils.java b/core/cas-server-core-util-api/src/main/java/org/apereo/cas/util/http/HttpRequestUtils.java
@@ -52,13 +52,17 @@ public class HttpRequestUtils {
         result.setHeaders(response.getHeaders());
         result.setLocale(ObjectUtils.getIfNull(response.getLocale(), Locale.getDefault()));
         result.setVersion(ObjectUtils.getIfNull(response.getVersion(), HttpVersion.HTTP_1_1));
-        val output = new ByteArrayOutputStream();
-        if (response.getEntity() != null) {
-            response.getEntity().writeTo(output);
-            val contentTypeHeader = response.getFirstHeader(HttpHeaders.CONTENT_TYPE);
-            val contentType = contentTypeHeader != null ? contentTypeHeader.getValue() : ContentType.APPLICATION_JSON.getMimeType();
-            result.setEntity(new ByteArrayEntity(output.toByteArray(), ContentType.parseLenient(contentType)));
+
+        val entity = response.getEntity();
+        if (entity != null) {
+            try (val output = new ByteArrayOutputStream()) {
+                entity.writeTo(output);
+                val contentTypeHeader = response.getFirstHeader(HttpHeaders.CONTENT_TYPE);
+                val contentType = contentTypeHeader != null ? contentTypeHeader.getValue() : ContentType.APPLICATION_JSON.getMimeType();
+                result.setEntity(new ByteArrayEntity(output.toByteArray(), ContentType.parseLenient(contentType)));
+            }
         }
+
         return result;
     };
     
diff --git a/support/cas-server-support-syncope-authentication/src/main/java/org/apereo/cas/syncope/pm/SyncopePasswordManagementService.java b/support/cas-server-support-syncope-authentication/src/main/java/org/apereo/cas/syncope/pm/SyncopePasswordManagementService.java
@@ -19,6 +19,7 @@
 import org.apache.commons.lang3.StringUtils;
 import org.apache.commons.lang3.Strings;
 import org.apache.hc.core5.http.HttpEntityContainer;
+import org.apache.hc.core5.http.HttpResponse;
 import org.apache.hc.core5.http.HttpStatus;
 import org.apache.hc.core5.http.io.entity.EntityUtils;
 import org.springframework.http.HttpHeaders;
@@ -192,26 +193,30 @@ public boolean unlockAccount(final Credential credential) throws Throwable {
     }
 
     @Override
-    public boolean isAnswerValidForSecurityQuestion(final PasswordManagementQuery query, final String question,
-                                                    final String knownAnswer, final String givenAnswer) {
-        val url = Strings.CI.appendIfMissing(
-            SpringExpressionLanguageValueResolver.getInstance().resolve(
-                casProperties.getAuthn().getPm().getSyncope().getUrl()),
-            "/rest/users/verifySecurityAnswer");
-        val exec = HttpExecutionRequest.builder()
-            .method(HttpMethod.POST)
-            .url(url)
-            .basicAuthUsername(casProperties.getAuthn().getPm().getSyncope().getBasicAuthUsername())
-            .basicAuthPassword(casProperties.getAuthn().getPm().getSyncope().getBasicAuthPassword())
-            .headers(Map.of(
-                SyncopeUtils.SYNCOPE_HEADER_DOMAIN, casProperties.getAuthn().getPm().getSyncope().getDomain(),
-                HttpHeaders.ACCEPT, MediaType.APPLICATION_JSON_VALUE,
-                HttpHeaders.CONTENT_TYPE, MediaType.APPLICATION_JSON_VALUE))
-            .parameters(Map.of("username", query.getUsername()))
-            .entity(givenAnswer)
-            .build();
-        val response = Objects.requireNonNull(HttpUtils.execute(exec));
-        return org.springframework.http.HttpStatus.resolve(response.getCode()).is2xxSuccessful();
+    public boolean isAnswerValidForSecurityQuestion(final PasswordManagementQuery query, final String question, final String knownAnswer, final String givenAnswer) {
+        HttpResponse response = null;
+        try {
+            val userSecurityAnswerUrl = Strings.CI.appendIfMissing(SpringExpressionLanguageValueResolver.getInstance()
+                    .resolve(casProperties.getAuthn().getPm().getSyncope().getUrl()),
+                "/rest/users/verifySecurityAnswer");
+
+            LOGGER.debug("Check security answer validity for user [{}]", query.getUsername());
+            val exec = HttpExecutionRequest.builder().method(HttpMethod.POST).url(userSecurityAnswerUrl)
+                .basicAuthUsername(casProperties.getAuthn().getPm().getSyncope().getBasicAuthUsername())
+                .basicAuthPassword(casProperties.getAuthn().getPm().getSyncope().getBasicAuthPassword())
+                .headers(Map.of(
+                    SyncopeUtils.SYNCOPE_HEADER_DOMAIN, casProperties.getAuthn().getPm().getSyncope().getDomain(),
+                    HttpHeaders.ACCEPT, MediaType.APPLICATION_JSON_VALUE,
+                    HttpHeaders.CONTENT_TYPE, MediaType.APPLICATION_JSON_VALUE))
+                .parameters(Map.of("username", query.getUsername()))
+                .entity(givenAnswer)
+                .maximumRetryAttempts(casProperties.getAuthn().getSyncope().getMaxRetryAttempts())
+                .build();
+            response = Objects.requireNonNull(HttpUtils.execute(exec));
+            return org.springframework.http.HttpStatus.resolve(response.getCode()).is2xxSuccessful();
+        } finally {
+            HttpUtils.close(response);
+        }
     }
 
     protected String fetchSyncopeUserKey(final String username) {

Original file line number	Diff line number	Diff line change
`@@ -261,6 +261,8 @@ for i in {0..4}; do`
`261`	`261`	`"username": '\""syncopepasschange${suffix}\""',`
`262`	`262`	`"password": "Sync0pe",`
`263`	`263`	`"mustChangePassword": true,`
	`264`	`+ "securityQuestion": "'"${SECURITY_QUESTION_KEY}"'",`
	`265`	`+ "securityAnswer": "Rome",`
`264`	`266`	`"plainAttrs": [`
`265`	`267`	`{`
`266`	`268`	`"schema": "email",`