story #15455 feat: upgrade CAS 6 to 7 by Regzox · Pull Request #3439 · ProgrammeVitam/vitam-ui

Regzox · 2025-12-19T15:31:24Z

No description provided.

vitam-prg · 2025-12-19T15:47:37Z

Checkmarx One – Scan Summary & Details – 6c9564e7-2ec6-4b78-98f8-d8bf776db11b

New Issues (67)

Checkmarx found the following issues in this Pull Request

#	Issue	Source File / Package	Checkmarx Insight
1	CVE-2019-17571	Maven-log4j:log4j-1.2.17	details Description: Included in Log4j 1.2 is a SocketServer class that is vulnerable to deserialization of untrusted data which can be exploited to remotely execute ar... Attack Vector: NETWORK Attack Complexity: LOW Vulnerable Package
2	CVE-2022-23305	Maven-log4j:log4j-1.2.17	details Description: By design, the JDBCAppender in Log4j 1.2.x accepts an SQL statement as a configuration parameter where the values to be inserted are converters fro... Attack Vector: NETWORK Attack Complexity: LOW Vulnerable Package
3	CVE-2022-28890	Maven-org.apache.jena:jena-core-2.11.2	details Recommended version: 4.2.0 Description: A vulnerability in the RDF/XML parser of Apache Jena allows an attacker to cause an external DTD to be retrieved. This issue affects Apache Jena ve... Attack Vector: NETWORK Attack Complexity: LOW Vulnerable Package
4	CVE-2025-41243	Maven-org.springframework.cloud:spring-cloud-gateway-server-4.3.0	details Recommended version: 4.3.2 Description: Spring Cloud Gateway Server Webflux may be vulnerable to Spring Environment property modification in versions 3.1.0 through 3.1.10, 4.0.0 through 4... Attack Vector: NETWORK Attack Complexity: LOW Vulnerable Package
5	CVE-2025-64087	Maven-fr.opensagres.xdocreport:fr.opensagres.xdocreport.template.freemarker-2.0.3	details Recommended version: 2.2.0 Description: A Server-Side Template Injection (SSTI) vulnerability in the "FreeMarker" component of opensagres XDocReport versions 1.0.0 through 2.1.0 allows at... Attack Vector: NETWORK Attack Complexity: LOW Vulnerable Package
6	CVE-2025-65482	Maven-fr.opensagres.xdocreport:fr.opensagres.xdocreport.document-2.0.3	details Recommended version: 2.0.4 Description: An XML External Entity (XXE) vulnerability in opensagres XDocReport versions 0.9.2 through 2.0.3 allows attackers to execute arbitrary code via upl... Attack Vector: NETWORK Attack Complexity: LOW Vulnerable Package
7	CVE-2017-9096	Maven-com.lowagie:itext-2.1.7	details Description: The XML parsers in iText before 5.5.12 and 7.x before 7.0.3 do not disable external entities, which might allow remote attackers to conduct XML ext... Attack Vector: NETWORK Attack Complexity: LOW Vulnerable Package
8	CVE-2021-39239	Maven-org.apache.jena:jena-core-2.11.2	details Recommended version: 4.2.0 Description: A vulnerability in XML processing in Apache Jena, in versions up to 4.1.0, may allow an attacker to execute XML External Entities (XXE), including ... Attack Vector: NETWORK Attack Complexity: LOW Vulnerable Package
9	CVE-2021-4104	Maven-log4j:log4j-1.2.17	details Description: JMSAppender in Log4j 1.2 is vulnerable to deserialization of untrusted data when the attacker has write access to the Log4j configuration. The atta... Attack Vector: NETWORK Attack Complexity: HIGH Vulnerable Package
10	CVE-2022-23302	Maven-log4j:log4j-1.2.17	details Description: JMSSink in all versions of Log4j 1.x is vulnerable to deserialization of untrusted data when the attacker has write access to the Log4j configurati... Attack Vector: NETWORK Attack Complexity: LOW Vulnerable Package
11	CVE-2022-23307	Maven-log4j:log4j-1.2.17	details Description: CVE-2020-9493 identified a deserialization issue that was present in Apache Chainsaw. Prior to Chainsaw V2.0, Chainsaw was a component of Apache Lo... Attack Vector: NETWORK Attack Complexity: LOW Vulnerable Package
12	CVE-2023-26464	Maven-log4j:log4j-1.2.17	details Description: When using the Chainsaw or SocketAppender components with Log4j versions 1.0.4 prior to 2.0, an attacker that manages to cause a logging entry invo... Attack Vector: NETWORK Attack Complexity: LOW Vulnerable Package
13	CVE-2024-22233	Maven-org.springframework:spring-core-6.1.2	details Recommended version: 6.2.11 Description: In Spring Framework versions 6.0.15 and 6.1.2, it is possible for a user to provide specially crafted HTTP requests that may cause a denial-of-serv... Attack Vector: NETWORK Attack Complexity: LOW Vulnerable Package
14	CVE-2024-22234	Maven-org.springframework.security:spring-security-web-6.2.1	details Recommended version: 6.2.8 Description: In Spring Security, versions 6.1.x prior to 6.1.7, 6.2.x prior to 6.2.2, and 6.3.0-M1 an application is vulnerable to broken access control when it... Attack Vector: NETWORK Attack Complexity: HIGH Vulnerable Package
15	CVE-2024-22234	Maven-org.springframework.security:spring-security-core-6.2.1	details Recommended version: 6.2.8 Description: In Spring Security, versions 6.1.x prior to 6.1.7, 6.2.x prior to 6.2.2, and 6.3.0-M1 an application is vulnerable to broken access control when it... Attack Vector: NETWORK Attack Complexity: HIGH Vulnerable Package
16	CVE-2024-57699	Maven-net.minidev:json-smart-2.5.0	details Recommended version: 2.5.2 Description: A security issue was found in Netplex Json-smart. When loading a specially crafted JSON input, containing a large number of "{", a stack exhaustion... Attack Vector: NETWORK Attack Complexity: LOW Vulnerable Package
17	CVE-2025-24970	Maven-io.netty:netty-handler-4.1.104.Final	details Recommended version: 4.1.118.Final Description: Netty, an asynchronous, event-driven network application framework, has a vulnerability in version 4.1.91.Final through 4.1.117.Final and 4.2.0.Alp... Attack Vector: NETWORK Attack Complexity: LOW Vulnerable Package
18	CVE-2025-41253	Maven-org.springframework.cloud:spring-cloud-gateway-server-4.3.0	details Recommended version: 4.3.2 Description: The following versions of Spring Cloud Gateway Server Webflux may be vulnerable to the ability to expose environment variables and system propertie... Attack Vector: NETWORK Attack Complexity: LOW Vulnerable Package
19	CVE-2025-48976	Maven-commons-fileupload:commons-fileupload-1.5	details Recommended version: 1.6.0 Description: Allocation of resources for multipart headers with insufficient limits enabled a Denial of Service (DoS) vulnerability in Apache Commons FileUpload... Attack Vector: NETWORK Attack Complexity: LOW Vulnerable Package
20	CVE-2026-27903	Npm-minimatch-9.0.5	details Recommended version: 9.0.7 Description: minimatch is a minimal matching utility for converting glob expressions into JavaScript RegExp objects. All versions starting from 3.0.0 and prior ... Attack Vector: NETWORK Attack Complexity: LOW Vulnerable Package
21	CVE-2026-27903	Npm-minimatch-3.1.2	details Recommended version: 3.1.4 Description: minimatch is a minimal matching utility for converting glob expressions into JavaScript RegExp objects. All versions starting from 3.0.0 and prior ... Attack Vector: NETWORK Attack Complexity: LOW Vulnerable Package
22	CVE-2026-27904	Npm-minimatch-9.0.5	details Recommended version: 9.0.7 Description: minimatch is a minimal matching utility for converting glob expressions into JavaScript RegExp objects. All versions starting from 3.0.0 and prior ... Attack Vector: NETWORK Attack Complexity: LOW Vulnerable Package
23	CVE-2026-27904	Npm-minimatch-3.1.2	details Recommended version: 3.1.4 Description: minimatch is a minimal matching utility for converting glob expressions into JavaScript RegExp objects. All versions starting from 3.0.0 and prior ... Attack Vector: NETWORK Attack Complexity: LOW Vulnerable Package
24	CVE-2026-27970	Npm-@angular/core-19.2.18	details Recommended version: 19.2.19 Description: Angular is a development platform for building mobile and desktop web applications using TypeScript, JavaScript, and other languages. Versions prio... Attack Vector: NETWORK Attack Complexity: LOW Vulnerable Package
25	Passwords And Secrets - Generic Password	/vitamui_vars.yml: 243	details Query to find passwords and secrets in infrastructure code.
26	CVE-2024-12798	Maven-ch.qos.logback:logback-classic-1.4.14	details Recommended version: 1.5.13 Description: Arbitrary Code Execution vulnerability in "JaninoEventEvaluator" by QOS.CH logback in Java applications, allows attackers to execute arbitrary code... Attack Vector: LOCAL Attack Complexity: LOW Vulnerable Package
27	CVE-2024-12798	Maven-ch.qos.logback:logback-core-1.4.14	details Recommended version: 1.5.25 Description: Arbitrary Code Execution vulnerability in "JaninoEventEvaluator" by QOS.CH logback in Java applications, allows attackers to execute arbitrary code... Attack Vector: LOCAL Attack Complexity: LOW Vulnerable Package
28	CVE-2024-29025	Maven-io.netty:netty-codec-http-4.1.104.Final	details Recommended version: 4.1.129.Final Description: Netty is an asynchronous event-driven network application framework for the rapid development of maintainable high-performance protocol servers & c... Attack Vector: NETWORK Attack Complexity: LOW Vulnerable Package
29	CVE-2025-31672	Maven-org.apache.poi:poi-ooxml-5.2.5	details Recommended version: 5.4.0 Description: Improper Input Validation vulnerability in Apache POI. The issue affects the parsing of OOXML format files like xlsx, docx and pptx. These file for... Attack Vector: NETWORK Attack Complexity: LOW Vulnerable Package
30	CVE-2025-41234	Maven-org.springframework:spring-web-6.1.2	details Recommended version: 6.1.21 Description: In Spring Framework, versions 6.0.x through 6.0.28, 6.1.x through 6.1.20, 6.2.x through 6.2.7, and 7.x through 7.0.0-m5, an application is vulnerab... Attack Vector: NETWORK Attack Complexity: HIGH Vulnerable Package
31	CVE-2025-46392	Maven-commons-configuration:commons-configuration-1.10	details Description: Uncontrolled Resource Consumption vulnerability in Apache Commons Configuration versions 1.x. There are a number of issues in Apache Commons Confi... Attack Vector: NETWORK Attack Complexity: LOW Vulnerable Package
32	CVE-2025-7962	Maven-org.eclipse.angus:jakarta.mail-2.0.2	details Recommended version: 2.0.4 Description: In Jakarta Mail through 2.0.3 it is possible to preform a SMTP Injection by utilizing the"\r" and "\n" UTF-8 characters to separate different messa... Attack Vector: NETWORK Attack Complexity: HIGH Vulnerable Package
33	Use_Of_Hardcoded_Password	/cas/cas-server/src/main/java/fr/gouv/vitamui/cas/webflow/login/VitamLoginWebflowConfigurer.java: 87	details The application uses the hard-coded password PASSWORD for authentication purposes, either using it to verify users' identities, or to access anoth... Attack Vector
34	Use_Of_Hardcoded_Password	/cas/cas-server/src/main/java/fr/gouv/vitamui/cas/webflow/login/VitamLoginWebflowConfigurer.java: 73	details The application uses the hard-coded password ACTION_STATE_TRIGGER_CHANGE_PASSWORD for authentication purposes, either using it to verify users... Attack Vector
35	Use_Of_Hardcoded_Password	/cas/cas-server/src/main/java/fr/gouv/vitamui/cas/webflow/login/VitamLoginWebflowConfigurer.java: 81	details The application uses the hard-coded password TEMPLATE_PASSWORD_FORM for authentication purposes, either using it to verify users' identities, or... Attack Vector
36	Use_Of_Hardcoded_Password	/cas/cas-server/src/main/java/fr/gouv/vitamui/cas/webflow/login/VitamLoginWebflowConfigurer.java: 71	details The application uses the hard-coded password VIEW_STATE_PASSWORD_FORM for authentication purposes, either using it to verify users' identities,... Attack Vector
37	Use_Of_Hardcoded_Password	/cas/cas-server/src/main/resources/static/js/passwordMeter.js: 96	details The application uses the hard-coded password "#password" for authentication purposes, either using it to verify users' identities, or to access a... Attack Vector
38	CVE-2024-12801	Maven-ch.qos.logback:logback-core-1.4.14	details Recommended version: 1.5.25 Description: Server-Side Request Forgery (SSRF) in "SaxEventRecorder" by QOS.CH logback on the Java platform, allows an attacker to forge requests by compromisi... Attack Vector: LOCAL Attack Complexity: LOW Vulnerable Package
39	Heap_Inspection	/cas/cas-server/src/main/java/fr/gouv/vitamui/cas/webflow/login/actions/TriggerChangePasswordAction.java: 61	details Method doExecute at line 61 of /cas/cas-server/src/main/java/fr/gouv/vitamui/cas/webflow/login/actions/TriggerChangePasswordAction.java defines d... Attack Vector

More results are available on the CxOne platform

Fixed Issues (83)

Great job! The following issues were fixed in this Pull Request

Severity	Issue	Source File / Package
	~~CVE-2016-1000027~~	Maven-org.springframework:spring-web-5.3.22
	~~CVE-2016-1000027~~	Maven-org.springframework:spring-webmvc-5.3.22
	~~CVE-2022-1471~~	Maven-org.yaml:snakeyaml-1.31
	~~CVE-2022-31692~~	Maven-org.springframework.security:spring-security-core-5.7.3
	~~CVE-2023-20873~~	Maven-org.springframework.boot:spring-boot-actuator-autoconfigure-2.7.3
	~~CVE-2023-34034~~	Maven-org.springframework.security:spring-security-config-5.7.3
	~~CVE-2023-34034~~	Maven-org.springframework.security:spring-security-web-5.7.3
	~~CVE-2012-0881~~	Maven-xerces:xercesImpl-2.9.1
	~~CVE-2013-4002~~	Maven-xerces:xercesImpl-2.9.1
	~~CVE-2022-31690~~	Maven-org.springframework.security:spring-security-web-5.7.3
	~~CVE-2022-40152~~	Maven-com.fasterxml.woodstox:woodstox-core-6.2.6
	~~CVE-2022-42003~~	Maven-com.fasterxml.jackson.core:jackson-databind-2.13.4
	~~CVE-2022-45688~~	Maven-org.json:json-20160810
	~~CVE-2022-45689~~	Maven-org.json:json-20160810
	~~CVE-2022-45690~~	Maven-org.json:json-20160810
	~~CVE-2023-1370~~	Maven-net.minidev:json-smart-2.4.8
	~~CVE-2023-20860~~	Maven-org.springframework:spring-webmvc-5.3.22
	~~CVE-2023-2976~~	Maven-com.google.guava:guava-30.1.1-jre
	~~CVE-2023-31582~~	Maven-org.bitbucket.b_c:jose4j-0.8.0
	~~CVE-2023-33265~~	Maven-com.hazelcast:hazelcast-5.1.3
	~~CVE-2023-34620~~	Maven-org.hjson:hjson-3.0.0
	~~CVE-2023-38286~~	Maven-org.thymeleaf:thymeleaf-3.0.15.RELEASE
	~~CVE-2023-39685~~	Maven-org.hjson:hjson-3.0.0
	~~CVE-2023-45859~~	Maven-com.hazelcast:hazelcast-5.1.3
	~~CVE-2023-45860~~	Maven-com.hazelcast:hazelcast-sql-5.1.3
	~~CVE-2023-45860~~	Maven-com.hazelcast:hazelcast-5.1.3
	~~CVE-2023-46120~~	Maven-com.rabbitmq:amqp-client-5.15.0
	~~CVE-2023-5072~~	Maven-org.json:json-20160810
	~~CVE-2023-51775~~	Maven-org.bitbucket.b_c:jose4j-0.8.0
	~~CVE-2023-52428~~	Maven-com.nimbusds:nimbus-jose-jwt-9.24.3
	~~CVE-2024-21634~~	Maven-software.amazon.ion:ion-java-1.0.2
	~~CVE-2025-52999~~	Maven-com.fasterxml.jackson.core:jackson-core-2.13.4
	~~Cx08fcacc9-cb99~~	Maven-org.json:json-20160810
	~~Cx2906ba70-607a~~	Maven-org.json:json-20160810
	~~Cx8bc13cba-30bf~~	Maven-org.bitbucket.b_c:jose4j-0.8.0
	~~Cxdb5a1032-eda2~~	Maven-org.json:json-20160810
	~~Passwords And Secrets - Generic Password~~	/vitamui_vars.yml: 220
	~~CVE-2009-2625~~	Maven-xerces:xercesImpl-2.9.1
	~~CVE-2015-9251~~	Maven-org.webjars:jquery-1.12.0
	~~CVE-2017-10355~~	Maven-xerces:xercesImpl-2.9.1
	~~CVE-2018-2799~~	Maven-xerces:xercesImpl-2.9.1
	~~CVE-2019-11358~~	Maven-org.webjars:jquery-1.12.0
	~~CVE-2020-11023~~	Maven-org.webjars:jquery-1.12.0
	~~CVE-2020-14338~~	Maven-xerces:xercesImpl-2.9.1
	~~CVE-2020-15250~~	Maven-junit:junit-4.13
	~~CVE-2021-28170~~	Maven-org.glassfish.web:el-impl-2.2
	~~CVE-2022-22976~~	Maven-org.springframework.security:spring-security-crypto-5.6.1
	~~CVE-2022-23437~~	Maven-xerces:xercesImpl-2.9.1
	~~CVE-2022-38752~~	Maven-org.yaml:snakeyaml-1.31
	~~CVE-2022-41854~~	Maven-org.yaml:snakeyaml-1.31
	~~CVE-2023-20861~~	Maven-org.springframework:spring-expression-5.3.22
	~~CVE-2023-20862~~	Maven-org.springframework.security:spring-security-web-5.7.3
	~~CVE-2023-20862~~	Maven-org.springframework.security:spring-security-config-5.7.3
	~~CVE-2023-20863~~	Maven-org.springframework:spring-expression-5.3.22
	~~CVE-2023-33264~~	Maven-com.hazelcast:hazelcast-5.1.3
	~~CVE-2023-34055~~	Maven-org.springframework.boot:spring-boot-actuator-2.7.3
	~~CVE-2023-34462~~	Maven-io.netty:netty-handler-4.1.80.Final
	~~CVE-2023-44483~~	Maven-org.apache.santuario:xmlsec-2.3.0
	~~CVE-2024-38808~~	Maven-org.springframework:spring-expression-5.3.22
	~~CVE-2024-38828~~	Maven-org.springframework:spring-webmvc-5.3.22
	~~CVE-2025-8885~~	Maven-org.bouncycastle:bcprov-jdk18on-1.71
	~~Parameter_Tampering~~	/api/api-iam/iam-security/src/main/java/fr/gouv/vitamui/iam/security/service/SecurityService.java: 117
	~~Parameter_Tampering~~	/api/api-iam/iam/src/main/java/fr/gouv/vitamui/iam/server/rest/CustomerController.java: 199
	~~Privacy_Violation~~	/api/api-iam/iam-security/src/main/java/fr/gouv/vitamui/iam/security/service/SecurityService.java: 117
	~~Privacy_Violation~~	/api/api-iam/iam-security/src/main/java/fr/gouv/vitamui/iam/security/service/SecurityService.java: 85
	~~Privacy_Violation~~	/api/api-iam/iam-security/src/main/java/fr/gouv/vitamui/iam/security/service/SecurityService.java: 175
	~~Privacy_Violation~~	/api/api-iam/iam-client-legacy/src/main/java/fr/gouv/vitamui/iam/client/CasRestClient.java: 153
	~~Privacy_Violation~~	/api/api-iam/iam-client-legacy/src/main/java/fr/gouv/vitamui/iam/client/CasRestClient.java: 153
	~~Privacy_Violation~~	/api/api-iam/iam-client-legacy/src/main/java/fr/gouv/vitamui/iam/client/CasRestClient.java: 153
	~~Privacy_Violation~~	/api/api-iam/iam-client-legacy/src/main/java/fr/gouv/vitamui/iam/client/CasRestClient.java: 153
	~~Privacy_Violation~~	/api/api-iam/iam-client-legacy/src/main/java/fr/gouv/vitamui/iam/client/CasRestClient.java: 193
	~~Privacy_Violation~~	/api/api-iam/iam-client-legacy/src/main/java/fr/gouv/vitamui/iam/client/CasRestClient.java: 153
	~~Privacy_Violation~~	/api/api-iam/iam-client-legacy/src/main/java/fr/gouv/vitamui/iam/client/CasRestClient.java: 153
	~~Privacy_Violation~~	/api/api-iam/iam-commons/src/main/java/fr/gouv/vitamui/iam/common/utils/Pac4jClientBuilder.java: 105
	~~Privacy_Violation~~	/api/api-iam/iam-commons/src/main/java/fr/gouv/vitamui/iam/common/utils/Pac4jClientBuilder.java: 106
	~~Privacy_Violation~~	/api/api-iam/iam-commons/src/main/java/fr/gouv/vitamui/iam/common/utils/Pac4jClientBuilder.java: 88
	~~Use_Of_Hardcoded_Password~~	/cas/cas-server/src/main/java/fr/gouv/vitamui/cas/webflow/configurer/CustomLoginWebflowConfigurer.java: 76
	~~Use_Of_Hardcoded_Password~~	/cas/cas-server/src/main/java/fr/gouv/vitamui/cas/webflow/configurer/CustomLoginWebflowConfigurer.java: 82
	~~Use_Of_Hardcoded_Password~~	/cas/cas-server/src/main/java/fr/gouv/vitamui/cas/webflow/configurer/CustomLoginWebflowConfigurer.java: 68
	~~Use_Of_Hardcoded_Password~~	/cas/cas-server/src/main/java/fr/gouv/vitamui/cas/webflow/configurer/CustomLoginWebflowConfigurer.java: 66
	~~CVE-2020-8908~~	Maven-com.google.guava:guava-30.1.1-jre
	~~Heap_Inspection~~	/cas/cas-server/src/main/java/fr/gouv/vitamui/cas/webflow/actions/TriggerChangePasswordAction.java: 72
	~~Heap_Inspection~~	/cas/cas-server/src/main/java/fr/gouv/vitamui/cas/webflow/actions/I18NSendPasswordResetInstructionsAction.java: 197

Use @Checkmarx to interact with Checkmarx PR Assistant.
Examples:
@Checkmarx how are you able to help me?
@Checkmarx rescan this PR

api/api-iam/iam-client/pom.xml

...i-iam/iam-commons/src/main/java/fr/gouv/vitamui/iam/common/utils/IdentityProviderHelper.java

api/api-iam/iam-commons/src/main/java/fr/gouv/vitamui/iam/common/utils/Pac4jClientBuilder.java

...iam/iam-commons/src/test/java/fr/gouv/vitamui/iam/common/utils/CustomTokenValidatorTest.java

...i-iam/iam-commons/src/test/java/fr/gouv/vitamui/iam/common/utils/Pac4jClientBuilderTest.java

...s-server/src/main/java/fr/gouv/vitamui/cas/authentication/LoginPwdAuthenticationHandler.java

cas/cas-server/src/main/java/fr/gouv/vitamui/cas/authentication/UserPrincipalResolver.java

bbenaissa · 2026-02-10T11:18:38Z

cas/cas-server/src/main/java/fr/gouv/vitamui/cas/authentication/UserPrincipalResolver.java

+        return authUser.getProfileGroup() != null;
+    }
+
+    private void addAuthenticatedUserAttributes(AuthUserDto authUser, Map<String, List<Object>> attributes) {


Est ce normal que ce traitement est fait coté CAS et pas dans IAM?!

Je ne sais pas. Cependant, ici on fait un login IAM pour obtenir les informations pour construire un Principal dans CAS.

lotfivitam · 2026-02-09T13:51:41Z

deployment/roles/vitamui/templates/cas-server/application.yml.j2

+# FIXME: Only for testing purpose. Should setup parametrization ?
+
+cas.authn:
+  oauth.session-replication.cookie.crypto:
+    encryption.key: Fd-b-pjoN82hBdUti9HqzJXgvfs7pFtVYeaKIRhDdNE
+    signing.key: EsCugv7mIHZ3ecx-A5nf_75KsrmVGAWNMXwyEPXDV1jf0nmLrpu0Py6aO62yx4yd_W9_6nhMaGxhE9FQoeP7HQ
+  pac4j.core.session-replication.cookie:
+    name: DISSESSIONAD
+    crypto:
+      encryption.key: 9XnxhG7lfRQS9I5_86j3XQHZc19jZsamU97pDtut__o
+      signing.key: oFaBMTNLfKgCyqJPjxvZbdFhmxBKFgJP2_-rMDatBN91ZlU3eIpq2SYD_5ILHBSa616VEe5c0yUpACWne6TIlg
+  passwordless.tokens.crypto:
+    encryption.key: Bo_9H0xCT220Ogn4hvyrbH-x7j5hTAMcs3M8PdDiJ7w
+    signing.key: b_ZI3StT4vGnTrWIG4e7fdwNzbgQGN9IsqVo29HLqtstClu1ekzQ_d67K6wtQJLQPSU-RVCF31HuB2OfDkq0mA
+  pm.reset.crypto:
+    encryption.key: IG2rGK-5ctqoSWMv52XkZZ9BoMqRBcpjdzwLGJ6yiN0
+    signing.key: xPVQOgj1-ywI-O_5fv5pTkg_bBS6CCXh7Yr9zMQoy2bmCjAJfLoVfycKYw-gERmBDozEGeT72HquVOT1dAZO5Q
+
+cas.webflow.crypto.signing.key: =oebPIRe18A0cAeBdZCHkVlLPa_Kbthxo70iRpAhbk84dQGQj_8AOEMvEg3y7GAKYxtpF5nn6nx7vj5iU-eHStg
+cas.webflow.crypto.encryption.key: 3FzNquczUjhmeJyqu251Ow
+cas.webflow.crypto.encryption.key-size: 128


Must be configurable

J'ai ajouté la possibilité de configurer.

...api-iam/iam/src/main/java/fr/gouv/vitamui/iam/server/customer/config/CustomerInitConfig.java

cas/cas-server/src/main/java/fr/gouv/vitamui/cas/util/Constants.java

cas/cas-server/src/main/config/sass/_login.scss

cas/cas-server/src/main/config/cas-server-application-dev.yml

cas/cas-server/pom.xml

bom/pom.xml

cas/cas-server/pom.xml

lotfivitam · 2026-02-12T16:31:18Z

cas/cas-server/pom.xml

+            <plugin>
+                <artifactId>maven-compiler-plugin</artifactId>
+                <version>${maven.compiler.plugin.version}</version>
+                <configuration>
+                    <annotationProcessorPaths>
+                        <path>
+                            <groupId>org.projectlombok</groupId>
+                            <artifactId>lombok</artifactId>
+                            <version>${lombok.version}</version>
+                        </path>
+                    </annotationProcessorPaths>
+                </configuration>
+            </plugin>


Supprimable?

lotfivitam

Tout d'abord, bravo pour le taf colossal !

Quelques remarques cependant :

Pas sûr de comprendre l'usage du "passwordless" vs loginform standard, et lequel est utilisé par lequel (côté WebFlow mais aussi écrans). J'ai essayé de générer un diagramme de séquence représentant le WebFlow de login, mais ça s'avère extrêmement complexe à analyser.
Il reste un bon coup de cleaup général (cf commentaires de review)
Prévoir une recette complète des cas avancés (reset de password suite à expiration, reset suite à perte, création de comptes, subrogation user générique, subrogation user nominatif, comptes bloqués, mfa...)

...erver/src/main/java/fr/gouv/vitamui/cas/passwordless/CustomPasswordlessUserAccountStore.java

...va/fr/gouv/vitamui/cas/passwordless/CustomVerifyPasswordlessAccountAuthenticationAction.java

cas/cas-server/src/main/resources/templates/passwordless/casPasswordlessGetUserIdView.html

...erver/src/main/java/fr/gouv/vitamui/cas/passwordless/CustomPasswordlessUserAccountStore.java

cas/cas-server/src/main/java/fr/gouv/vitamui/cas/config/WebflowConfig.java

cas/cas-server/src/main/java/fr/gouv/vitamui/cas/config/AppConfig.java

cas/cas-server/src/main/java/fr/gouv/vitamui/cas/config/WebflowConfig.java

Regzox added this to the IT 163 milestone Dec 19, 2025

Regzox added the VAS VAS contribution label Dec 19, 2025

Regzox self-assigned this Dec 19, 2025

Regzox marked this pull request as draft December 19, 2025 15:32

Regzox force-pushed the story_15455 branch 3 times, most recently from 913c13d to 4f8e575 Compare January 15, 2026 10:32

Regzox force-pushed the story_15455 branch 5 times, most recently from c6ebb8d to 0f3f935 Compare February 3, 2026 14:32

Regzox marked this pull request as ready for review February 5, 2026 14:34

GiooDev added the Highlight Important feature for release note label Feb 5, 2026

lotfivitam requested review from bbenaissa and lotfivitam February 10, 2026 13:36

bbenaissa reviewed Feb 10, 2026

View reviewed changes

lotfivitam reviewed Feb 12, 2026

View reviewed changes

lotfivitam reviewed Feb 14, 2026

View reviewed changes

Regzox force-pushed the story_15455 branch 10 times, most recently from a06ca5d to 1932f5a Compare February 17, 2026 14:04

Regzox added 27 commits February 27, 2026 16:20

story #15455 clean: pom and annotations

a26b0a9

story #15455: remove useless items

d7008d3

story #15455 pom: upgrade cas version

a3f13cb

story #15455 fix: iam crashes

5504598

story #15455 fix: remove passwordless feature

caa3198

story #15455 fix: override token validator method

f47b715

story #15455 fix: trigger change password action

69d8311

story #15455 fix: trigger change password action

09743dd

story #15455 fix: remove fixme

ac98e01

story #15455 fix: remove passwordless templates

e268e20

story #15455 fix: remove unused consent.js

9c786d0

story #15455 fix: remove unused js files

1647add

story #15455 fix: remove geo feature from cas.js

87f9327

story #15455 fix: remove geo feature from cas.js

7f86952

story #15455 fix: service username magic var

b0f9a62

story #15455 fix: remove commented code

dfd27e5

story #15455 fix: client http context

bac2468

story #15455: change fixme about vitam client null provider id problem

ef51b12

story #15455: clean poms

ce51785

story #15455: clean cas-server pom

13851a4

story #15455: clean deps

264615f

story #15455: remove commented code

ed910c1

story #15455: fix javadoc spacings

dcb64f0

story #15455: key parametrization

8afceb4

story #15455 deploy: add parametrizable crypto configs

8199de4

story #15455 deploy: fix cookie_name condition

7b887fe

story #15455 deploy: fix key-size property presence

ecec3f7

Regzox force-pushed the story_15455 branch from f4adc53 to ecec3f7 Compare February 27, 2026 15:20

Regzox added 2 commits February 27, 2026 16:55

story #15455 fix: infinite redirect loop when crypto no fully enabled

cc3e435

story #15455 deploy: improve crypto blocks

c3988f2

Conversation

Regzox commented Dec 19, 2025

Uh oh!

vitam-prg commented Dec 19, 2025 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

bbenaissa Feb 10, 2026

Choose a reason for hiding this comment

Uh oh!

Regzox Feb 16, 2026

Choose a reason for hiding this comment

Uh oh!

lotfivitam Feb 9, 2026

Choose a reason for hiding this comment

Uh oh!

Regzox Feb 27, 2026

Choose a reason for hiding this comment

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

lotfivitam Feb 12, 2026

Choose a reason for hiding this comment

Uh oh!

Regzox Feb 19, 2026

Choose a reason for hiding this comment

Uh oh!

lotfivitam left a comment

Choose a reason for hiding this comment

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

5 participants

vitam-prg commented Dec 19, 2025 •

edited

Loading