story #15455 feat: upgrade CAS 6 to 7 by Regzox · Pull Request #3439 · ProgrammeVitam/vitam-ui

Regzox · 2025-12-19T15:31:24Z

No description provided.

vitam-prg · 2025-12-19T15:47:37Z

Checkmarx One – Scan Summary & Details – 6618ac5b-aacd-4582-9faa-72f4948ee366

New Issues (62)

Checkmarx found the following issues in this Pull Request

#	Issue	Source File / Package	Checkmarx Insight
1	CVE-2019-17571	Maven-log4j:log4j-1.2.17	details Description: Included in Log4j 1.2 is a SocketServer class that is vulnerable to deserialization of untrusted data which can be exploited to remotely execute ar... Attack Vector: NETWORK Attack Complexity: LOW Vulnerable Package
2	CVE-2022-23305	Maven-log4j:log4j-1.2.17	details Description: By design, the JDBCAppender in Log4j 1.2.x accepts an SQL statement as a configuration parameter where the values to be inserted are converters fro... Attack Vector: NETWORK Attack Complexity: LOW Vulnerable Package
3	CVE-2022-28890	Maven-org.apache.jena:jena-core-2.11.2	details Recommended version: 4.2.0 Description: A vulnerability in the RDF/XML parser of Apache Jena allows an attacker to cause an external DTD to be retrieved. This issue affects Apache Jena ve... Attack Vector: NETWORK Attack Complexity: LOW Vulnerable Package
4	CVE-2025-41243	Maven-org.springframework.cloud:spring-cloud-gateway-server-4.3.0	details Recommended version: 4.3.2 Description: Spring Cloud Gateway Server Webflux may be vulnerable to Spring Environment property modification in versions 3.1.0 through 3.1.10, 4.0.0 through 4... Attack Vector: NETWORK Attack Complexity: LOW Vulnerable Package
5	CVE-2025-64087	Maven-fr.opensagres.xdocreport:fr.opensagres.xdocreport.template.freemarker-2.0.3	details Recommended version: 2.2.0 Description: A Server-Side Template Injection (SSTI) vulnerability in the "FreeMarker" component of opensagres XDocReport versions 1.0.0 through 2.1.0 allows at... Attack Vector: NETWORK Attack Complexity: LOW Vulnerable Package
6	CVE-2025-65482	Maven-fr.opensagres.xdocreport:fr.opensagres.xdocreport.document-2.0.3	details Recommended version: 2.0.4 Description: An XML External Entity (XXE) vulnerability in opensagres XDocReport versions 0.9.2 through 2.0.3 allows attackers to execute arbitrary code via upl... Attack Vector: NETWORK Attack Complexity: LOW Vulnerable Package
7	CVE-2026-29000	Maven-org.pac4j:pac4j-jwt-6.1.1	details Recommended version: 6.3.3 Description: pac4j-jwt versions prior to 4.5.9, 5.x prior to 5.7.9, and 6.x prior to 6.3.3 contain an authentication bypass vulnerability in JwtAuthenticator wh... Attack Vector: NETWORK Attack Complexity: LOW Vulnerable Package
8	CVE-2017-9096	Maven-com.lowagie:itext-2.1.7	details Description: The XML parsers in iText before 5.5.12 and 7.x before 7.0.3 do not disable external entities, which might allow remote attackers to conduct XML ext... Attack Vector: NETWORK Attack Complexity: LOW Vulnerable Package
9	CVE-2021-39239	Maven-org.apache.jena:jena-core-2.11.2	details Recommended version: 4.2.0 Description: A vulnerability in XML processing in Apache Jena, in versions up to 4.1.0, may allow an attacker to execute XML External Entities (XXE), including ... Attack Vector: NETWORK Attack Complexity: LOW Vulnerable Package
10	CVE-2021-4104	Maven-log4j:log4j-1.2.17	details Description: JMSAppender in Log4j 1.2 is vulnerable to deserialization of untrusted data when the attacker has write access to the Log4j configuration. The atta... Attack Vector: NETWORK Attack Complexity: HIGH Vulnerable Package
11	CVE-2022-23302	Maven-log4j:log4j-1.2.17	details Description: JMSSink in all versions of Log4j 1.x is vulnerable to deserialization of untrusted data when the attacker has write access to the Log4j configurati... Attack Vector: NETWORK Attack Complexity: LOW Vulnerable Package
12	CVE-2022-23307	Maven-log4j:log4j-1.2.17	details Description: CVE-2020-9493 identified a deserialization issue that was present in Apache Chainsaw. Prior to Chainsaw V2.0, Chainsaw was a component of Apache Lo... Attack Vector: NETWORK Attack Complexity: LOW Vulnerable Package
13	CVE-2023-26464	Maven-log4j:log4j-1.2.17	details Description: When using the Chainsaw or SocketAppender components with Log4j versions 1.0.4 prior to 2.0, an attacker that manages to cause a logging entry invo... Attack Vector: NETWORK Attack Complexity: LOW Vulnerable Package
14	CVE-2024-22233	Maven-org.springframework:spring-core-6.1.2	details Recommended version: 6.2.11 Description: In Spring Framework versions 6.0.15 and 6.1.2, it is possible for a user to provide specially crafted HTTP requests that may cause a denial-of-serv... Attack Vector: NETWORK Attack Complexity: LOW Vulnerable Package
15	CVE-2024-22234	Maven-org.springframework.security:spring-security-core-6.2.1	details Recommended version: 6.2.8 Description: In Spring Security, versions 6.1.x prior to 6.1.7, 6.2.x prior to 6.2.2, and 6.3.0-M1 an application is vulnerable to broken access control when it... Attack Vector: NETWORK Attack Complexity: HIGH Vulnerable Package
16	CVE-2024-22234	Maven-org.springframework.security:spring-security-web-6.2.1	details Recommended version: 6.2.8 Description: In Spring Security, versions 6.1.x prior to 6.1.7, 6.2.x prior to 6.2.2, and 6.3.0-M1 an application is vulnerable to broken access control when it... Attack Vector: NETWORK Attack Complexity: HIGH Vulnerable Package
17	CVE-2024-57699	Maven-net.minidev:json-smart-2.5.0	details Recommended version: 2.5.2 Description: A security issue was found in Netplex Json-smart. When loading a specially crafted JSON input, containing a large number of "{", a stack exhaustion... Attack Vector: NETWORK Attack Complexity: LOW Vulnerable Package
18	CVE-2025-24970	Maven-io.netty:netty-handler-4.1.104.Final	details Recommended version: 4.1.118.Final Description: Netty, an asynchronous, event-driven network application framework, has a vulnerability in version 4.1.91.Final through 4.1.117.Final and 4.2.0.Alp... Attack Vector: NETWORK Attack Complexity: LOW Vulnerable Package
19	CVE-2025-41253	Maven-org.springframework.cloud:spring-cloud-gateway-server-4.3.0	details Recommended version: 4.3.2 Description: The following versions of Spring Cloud Gateway Server Webflux may be vulnerable to the ability to expose environment variables and system propertie... Attack Vector: NETWORK Attack Complexity: LOW Vulnerable Package
20	CVE-2025-48976	Maven-commons-fileupload:commons-fileupload-1.5	details Recommended version: 1.6.0 Description: Allocation of resources for multipart headers with insufficient limits enabled a Denial of Service (DoS) vulnerability in Apache Commons FileUpload... Attack Vector: NETWORK Attack Complexity: LOW Vulnerable Package
21	CVE-2024-12798	Maven-ch.qos.logback:logback-classic-1.4.14	details Recommended version: 1.5.24 Description: Arbitrary Code Execution vulnerability in "JaninoEventEvaluator" by QOS.CH logback in Java applications, allows attackers to execute arbitrary code... Attack Vector: LOCAL Attack Complexity: LOW Vulnerable Package
22	CVE-2024-12798	Maven-ch.qos.logback:logback-core-1.4.14	details Recommended version: 1.5.25 Description: Arbitrary Code Execution vulnerability in "JaninoEventEvaluator" by QOS.CH logback in Java applications, allows attackers to execute arbitrary code... Attack Vector: LOCAL Attack Complexity: LOW Vulnerable Package
23	CVE-2024-29025	Maven-io.netty:netty-codec-http-4.1.104.Final	details Recommended version: 4.1.129.Final Description: Netty is an asynchronous event-driven network application framework for the rapid development of maintainable high-performance protocol servers & c... Attack Vector: NETWORK Attack Complexity: LOW Vulnerable Package
24	CVE-2025-31672	Maven-org.apache.poi:poi-ooxml-5.2.5	details Recommended version: 5.4.0 Description: Improper Input Validation vulnerability in Apache POI. The issue affects the parsing of OOXML format files like xlsx, docx and pptx. These file for... Attack Vector: NETWORK Attack Complexity: LOW Vulnerable Package
25	CVE-2025-41234	Maven-org.springframework:spring-web-6.1.2	details Recommended version: 6.1.21 Description: In Spring Framework, versions 6.0.x through 6.0.28, 6.1.x through 6.1.20, 6.2.x through 6.2.7, and 7.x through 7.0.0-m5, an application is vulnerab... Attack Vector: NETWORK Attack Complexity: HIGH Vulnerable Package
26	CVE-2025-46392	Maven-commons-configuration:commons-configuration-1.10	details Description: Uncontrolled Resource Consumption vulnerability in Apache Commons Configuration versions 1.x. There are a number of issues in Apache Commons Confi... Attack Vector: NETWORK Attack Complexity: LOW Vulnerable Package
27	CVE-2025-7962	Maven-org.eclipse.angus:jakarta.mail-2.0.2	details Recommended version: 2.0.4 Description: In Jakarta Mail through 2.0.3 it is possible to preform a SMTP Injection by utilizing the"\r" and "\n" UTF-8 characters to separate different messa... Attack Vector: NETWORK Attack Complexity: HIGH Vulnerable Package
28	Use_Of_Hardcoded_Password	/cas/cas-server/src/main/java/fr/gouv/vitamui/cas/webflow/login/VitamLoginWebflowConfigurer.java: 87	details The application uses the hard-coded password PASSWORD for authentication purposes, either using it to verify users' identities, or to access anoth... Attack Vector
29	Use_Of_Hardcoded_Password	/cas/cas-server/src/main/java/fr/gouv/vitamui/cas/webflow/login/VitamLoginWebflowConfigurer.java: 73	details The application uses the hard-coded password ACTION_STATE_TRIGGER_CHANGE_PASSWORD for authentication purposes, either using it to verify users... Attack Vector
30	Use_Of_Hardcoded_Password	/cas/cas-server/src/main/java/fr/gouv/vitamui/cas/webflow/login/VitamLoginWebflowConfigurer.java: 81	details The application uses the hard-coded password TEMPLATE_PASSWORD_FORM for authentication purposes, either using it to verify users' identities, or... Attack Vector
31	Use_Of_Hardcoded_Password	/cas/cas-server/src/main/java/fr/gouv/vitamui/cas/webflow/login/VitamLoginWebflowConfigurer.java: 71	details The application uses the hard-coded password VIEW_STATE_PASSWORD_FORM for authentication purposes, either using it to verify users' identities,... Attack Vector
32	Use_Of_Hardcoded_Password	/cas/cas-server/src/main/resources/static/js/passwordMeter.js: 96	details The application uses the hard-coded password "#password" for authentication purposes, either using it to verify users' identities, or to access a... Attack Vector
33	CVE-2024-12801	Maven-ch.qos.logback:logback-core-1.4.14	details Recommended version: 1.5.25 Description: Server-Side Request Forgery (SSRF) in "SaxEventRecorder" by QOS.CH logback on the Java platform, allows an attacker to forge requests by compromisi... Attack Vector: LOCAL Attack Complexity: LOW Vulnerable Package
34	Heap_Inspection	/cas/cas-server/src/main/java/fr/gouv/vitamui/cas/webflow/login/actions/TriggerChangePasswordAction.java: 61	details Method doExecute at line 61 of /cas/cas-server/src/main/java/fr/gouv/vitamui/cas/webflow/login/actions/TriggerChangePasswordAction.java defines d... Attack Vector
35	Heap_Inspection	/cas/cas-server/src/main/java/fr/gouv/vitamui/cas/webflow/login/actions/I18NSendPasswordResetInstructionsAction.java: 207	details Method buildPasswordManagementQuery at line 207 of /cas/cas-server/src/main/java/fr/gouv/vitamui/cas/webflow/login/actions/I18NSendPasswordResetIn... Attack Vector
36	Heap_Inspection	/cas/cas-server/src/main/java/fr/gouv/vitamui/cas/password/IamPasswordManagementService.java: 168	details Method changeInternal at line 168 of /cas/cas-server/src/main/java/fr/gouv/vitamui/cas/password/IamPasswordManagementService.java defines confirm... Attack Vector
37	Heap_Inspection	/cas/cas-server/src/main/java/fr/gouv/vitamui/cas/password/IamPasswordManagementService.java: 167	details Method changeInternal at line 167 of /cas/cas-server/src/main/java/fr/gouv/vitamui/cas/password/IamPasswordManagementService.java defines passwor... Attack Vector

More results are available on the CxOne platform

Fixed Issues (82)

Great job! The following issues were fixed in this Pull Request

Severity	Issue	Source File / Package
	~~CVE-2016-1000027~~	Maven-org.springframework:spring-webmvc-5.3.22
	~~CVE-2016-1000027~~	Maven-org.springframework:spring-web-5.3.22
	~~CVE-2022-1471~~	Maven-org.yaml:snakeyaml-1.31
	~~CVE-2022-31692~~	Maven-org.springframework.security:spring-security-core-5.7.3
	~~CVE-2023-20873~~	Maven-org.springframework.boot:spring-boot-actuator-autoconfigure-2.7.3
	~~CVE-2023-34034~~	Maven-org.springframework.security:spring-security-web-5.7.3
	~~CVE-2023-34034~~	Maven-org.springframework.security:spring-security-config-5.7.3
	~~CVE-2012-0881~~	Maven-xerces:xercesImpl-2.9.1
	~~CVE-2013-4002~~	Maven-xerces:xercesImpl-2.9.1
	~~CVE-2022-31690~~	Maven-org.springframework.security:spring-security-web-5.7.3
	~~CVE-2022-40152~~	Maven-com.fasterxml.woodstox:woodstox-core-6.2.6
	~~CVE-2022-42003~~	Maven-com.fasterxml.jackson.core:jackson-databind-2.13.4
	~~CVE-2022-45688~~	Maven-org.json:json-20160810
	~~CVE-2022-45689~~	Maven-org.json:json-20160810
	~~CVE-2022-45690~~	Maven-org.json:json-20160810
	~~CVE-2023-1370~~	Maven-net.minidev:json-smart-2.4.8
	~~CVE-2023-20860~~	Maven-org.springframework:spring-webmvc-5.3.22
	~~CVE-2023-2976~~	Maven-com.google.guava:guava-30.1.1-jre
	~~CVE-2023-31582~~	Maven-org.bitbucket.b_c:jose4j-0.8.0
	~~CVE-2023-33265~~	Maven-com.hazelcast:hazelcast-5.1.3
	~~CVE-2023-34620~~	Maven-org.hjson:hjson-3.0.0
	~~CVE-2023-38286~~	Maven-org.thymeleaf:thymeleaf-3.0.15.RELEASE
	~~CVE-2023-39685~~	Maven-org.hjson:hjson-3.0.0
	~~CVE-2023-45859~~	Maven-com.hazelcast:hazelcast-5.1.3
	~~CVE-2023-45860~~	Maven-com.hazelcast:hazelcast-sql-5.1.3
	~~CVE-2023-45860~~	Maven-com.hazelcast:hazelcast-5.1.3
	~~CVE-2023-46120~~	Maven-com.rabbitmq:amqp-client-5.15.0
	~~CVE-2023-5072~~	Maven-org.json:json-20160810
	~~CVE-2023-51775~~	Maven-org.bitbucket.b_c:jose4j-0.8.0
	~~CVE-2023-52428~~	Maven-com.nimbusds:nimbus-jose-jwt-9.24.3
	~~CVE-2024-21634~~	Maven-software.amazon.ion:ion-java-1.0.2
	~~CVE-2025-52999~~	Maven-com.fasterxml.jackson.core:jackson-core-2.13.4
	~~Cx08fcacc9-cb99~~	Maven-org.json:json-20160810
	~~Cx2906ba70-607a~~	Maven-org.json:json-20160810
	~~Cx8bc13cba-30bf~~	Maven-org.bitbucket.b_c:jose4j-0.8.0
	~~Cxdb5a1032-eda2~~	Maven-org.json:json-20160810
	~~CVE-2009-2625~~	Maven-xerces:xercesImpl-2.9.1
	~~CVE-2015-9251~~	Maven-org.webjars:jquery-1.12.0
	~~CVE-2017-10355~~	Maven-xerces:xercesImpl-2.9.1
	~~CVE-2018-2799~~	Maven-xerces:xercesImpl-2.9.1
	~~CVE-2019-11358~~	Maven-org.webjars:jquery-1.12.0
	~~CVE-2020-11023~~	Maven-org.webjars:jquery-1.12.0
	~~CVE-2020-14338~~	Maven-xerces:xercesImpl-2.9.1
	~~CVE-2020-15250~~	Maven-junit:junit-4.13
	~~CVE-2021-28170~~	Maven-org.glassfish.web:el-impl-2.2
	~~CVE-2022-22976~~	Maven-org.springframework.security:spring-security-crypto-5.6.1
	~~CVE-2022-23437~~	Maven-xerces:xercesImpl-2.9.1
	~~CVE-2022-38752~~	Maven-org.yaml:snakeyaml-1.31
	~~CVE-2022-41854~~	Maven-org.yaml:snakeyaml-1.31
	~~CVE-2023-20861~~	Maven-org.springframework:spring-expression-5.3.22
	~~CVE-2023-20862~~	Maven-org.springframework.security:spring-security-config-5.7.3
	~~CVE-2023-20862~~	Maven-org.springframework.security:spring-security-web-5.7.3
	~~CVE-2023-20863~~	Maven-org.springframework:spring-expression-5.3.22
	~~CVE-2023-33264~~	Maven-com.hazelcast:hazelcast-5.1.3
	~~CVE-2023-34055~~	Maven-org.springframework.boot:spring-boot-actuator-2.7.3
	~~CVE-2023-34462~~	Maven-io.netty:netty-handler-4.1.80.Final
	~~CVE-2023-44483~~	Maven-org.apache.santuario:xmlsec-2.3.0
	~~CVE-2024-38808~~	Maven-org.springframework:spring-expression-5.3.22
	~~CVE-2024-38828~~	Maven-org.springframework:spring-webmvc-5.3.22
	~~CVE-2025-8885~~	Maven-org.bouncycastle:bcprov-jdk18on-1.71
	~~Parameter_Tampering~~	/api/api-iam/iam-security/src/main/java/fr/gouv/vitamui/iam/security/service/SecurityService.java: 117
	~~Parameter_Tampering~~	/api/api-iam/iam/src/main/java/fr/gouv/vitamui/iam/server/rest/CustomerController.java: 199
	~~Privacy_Violation~~	/api/api-iam/iam-security/src/main/java/fr/gouv/vitamui/iam/security/service/SecurityService.java: 117
	~~Privacy_Violation~~	/api/api-iam/iam-security/src/main/java/fr/gouv/vitamui/iam/security/service/SecurityService.java: 85
	~~Privacy_Violation~~	/api/api-iam/iam-security/src/main/java/fr/gouv/vitamui/iam/security/service/SecurityService.java: 175
	~~Privacy_Violation~~	/api/api-iam/iam-client-legacy/src/main/java/fr/gouv/vitamui/iam/client/CasRestClient.java: 153
	~~Privacy_Violation~~	/api/api-iam/iam-client-legacy/src/main/java/fr/gouv/vitamui/iam/client/CasRestClient.java: 153
	~~Privacy_Violation~~	/api/api-iam/iam-client-legacy/src/main/java/fr/gouv/vitamui/iam/client/CasRestClient.java: 153
	~~Privacy_Violation~~	/api/api-iam/iam-client-legacy/src/main/java/fr/gouv/vitamui/iam/client/CasRestClient.java: 153
	~~Privacy_Violation~~	/api/api-iam/iam-client-legacy/src/main/java/fr/gouv/vitamui/iam/client/CasRestClient.java: 193
	~~Privacy_Violation~~	/api/api-iam/iam-client-legacy/src/main/java/fr/gouv/vitamui/iam/client/CasRestClient.java: 153
	~~Privacy_Violation~~	/api/api-iam/iam-client-legacy/src/main/java/fr/gouv/vitamui/iam/client/CasRestClient.java: 153
	~~Privacy_Violation~~	/api/api-iam/iam-commons/src/main/java/fr/gouv/vitamui/iam/common/utils/Pac4jClientBuilder.java: 105
	~~Privacy_Violation~~	/api/api-iam/iam-commons/src/main/java/fr/gouv/vitamui/iam/common/utils/Pac4jClientBuilder.java: 106
	~~Privacy_Violation~~	/api/api-iam/iam-commons/src/main/java/fr/gouv/vitamui/iam/common/utils/Pac4jClientBuilder.java: 88
	~~Use_Of_Hardcoded_Password~~	/cas/cas-server/src/main/java/fr/gouv/vitamui/cas/webflow/configurer/CustomLoginWebflowConfigurer.java: 76
	~~Use_Of_Hardcoded_Password~~	/cas/cas-server/src/main/java/fr/gouv/vitamui/cas/webflow/configurer/CustomLoginWebflowConfigurer.java: 82
	~~Use_Of_Hardcoded_Password~~	/cas/cas-server/src/main/java/fr/gouv/vitamui/cas/webflow/configurer/CustomLoginWebflowConfigurer.java: 68
	~~Use_Of_Hardcoded_Password~~	/cas/cas-server/src/main/java/fr/gouv/vitamui/cas/webflow/configurer/CustomLoginWebflowConfigurer.java: 66
	~~CVE-2020-8908~~	Maven-com.google.guava:guava-30.1.1-jre
	~~Heap_Inspection~~	/cas/cas-server/src/main/java/fr/gouv/vitamui/cas/webflow/actions/TriggerChangePasswordAction.java: 72
	~~Heap_Inspection~~	/cas/cas-server/src/main/java/fr/gouv/vitamui/cas/webflow/actions/I18NSendPasswordResetInstructionsAction.java: 197

Use @Checkmarx to interact with Checkmarx PR Assistant.
Examples:
@Checkmarx how are you able to help me?
@Checkmarx rescan this PR

bbenaissa · 2026-02-10T11:18:38Z

+        return authUser.getProfileGroup() != null;
+    }
+
+    private void addAuthenticatedUserAttributes(AuthUserDto authUser, Map<String, List<Object>> attributes) {


Est ce normal que ce traitement est fait coté CAS et pas dans IAM?!

Je ne sais pas. Cependant, ici on fait un login IAM pour obtenir les informations pour construire un Principal dans CAS.

lotfivitam · 2026-02-09T13:51:41Z

+# FIXME: Only for testing purpose. Should setup parametrization ?
+
+cas.authn:
+  oauth.session-replication.cookie.crypto:
+    encryption.key: Fd-b-pjoN82hBdUti9HqzJXgvfs7pFtVYeaKIRhDdNE
+    signing.key: EsCugv7mIHZ3ecx-A5nf_75KsrmVGAWNMXwyEPXDV1jf0nmLrpu0Py6aO62yx4yd_W9_6nhMaGxhE9FQoeP7HQ
+  pac4j.core.session-replication.cookie:
+    name: DISSESSIONAD
+    crypto:
+      encryption.key: 9XnxhG7lfRQS9I5_86j3XQHZc19jZsamU97pDtut__o
+      signing.key: oFaBMTNLfKgCyqJPjxvZbdFhmxBKFgJP2_-rMDatBN91ZlU3eIpq2SYD_5ILHBSa616VEe5c0yUpACWne6TIlg
+  passwordless.tokens.crypto:
+    encryption.key: Bo_9H0xCT220Ogn4hvyrbH-x7j5hTAMcs3M8PdDiJ7w
+    signing.key: b_ZI3StT4vGnTrWIG4e7fdwNzbgQGN9IsqVo29HLqtstClu1ekzQ_d67K6wtQJLQPSU-RVCF31HuB2OfDkq0mA
+  pm.reset.crypto:
+    encryption.key: IG2rGK-5ctqoSWMv52XkZZ9BoMqRBcpjdzwLGJ6yiN0
+    signing.key: xPVQOgj1-ywI-O_5fv5pTkg_bBS6CCXh7Yr9zMQoy2bmCjAJfLoVfycKYw-gERmBDozEGeT72HquVOT1dAZO5Q
+
+cas.webflow.crypto.signing.key: =oebPIRe18A0cAeBdZCHkVlLPa_Kbthxo70iRpAhbk84dQGQj_8AOEMvEg3y7GAKYxtpF5nn6nx7vj5iU-eHStg
+cas.webflow.crypto.encryption.key: 3FzNquczUjhmeJyqu251Ow
+cas.webflow.crypto.encryption.key-size: 128


Must be configurable

J'ai ajouté la possibilité de configurer.

À corriger dans le cadre du bug 12418

lotfivitam

Tout d'abord, bravo pour le taf colossal !

Quelques remarques cependant :

Pas sûr de comprendre l'usage du "passwordless" vs loginform standard, et lequel est utilisé par lequel (côté WebFlow mais aussi écrans). J'ai essayé de générer un diagramme de séquence représentant le WebFlow de login, mais ça s'avère extrêmement complexe à analyser.
Il reste un bon coup de cleaup général (cf commentaires de review)
Prévoir une recette complète des cas avancés (reset de password suite à expiration, reset suite à perte, création de comptes, subrogation user générique, subrogation user nominatif, comptes bloqués, mfa...)

bbenaissa

Il y a plein de modifications faites sur la PR, sur les workflows, ça nécessite une recette approfondie

GiooDev · 2026-03-03T10:14:27Z

+# Crypto configurations
+
+{% macro crypto_block(prefix, keys) %}
+{% if keys is defined %}


Revoir l'indentation des balises {% xxx %} pour faciliter la relecture ;)

GiooDev · 2026-03-03T10:17:56Z

    secret_token: changeit_cas_secret_token
+    crypto:
+      oauth:
+        encryption_key: "my_oauth_encryption_key"


Comment on génère ces keys ?

Est-ce possible de ne pas les configurer ? Et si oui, est-ce que cas en génère par défaut (comme le cas actuel ?).

De plus attention, dans la même sous clé vitamui.cas_server tu mélanges un array et des hash.

Si ça démarre sans mettre ces configurations, je serai d'avis de le séparer dans un ticket dédié pour faire le lien avec le bug 12418.

Je retire ces modifs ça sera pris en compte dans un ticket associé en lien avec le Bug 12418.

GiooDev · 2026-03-03T13:33:55Z

    port_admin: 7001
    cors:
      enabled: true
+    crypto:


Quels sont les cas où l'on devra modifier ces valeurs ?

Si aucun usage à les modifier, ne pas les renseigner ici mais directement dans le rôle associé au niveau de defaults pour éviter de surcharger ce fichier de variables d'éléments dont on ne veut pas qu'ils soient modifiés.

Le cas échéant, les documenter si besoin de les modifier plus tard.

Je sais pas dire si toutes les clés sont nécessaires, mais je ne suis pas fan de mettre des clés crypto par défaut.

Pour un env de dev, c'est pas choquant de laisser CAS les générés (si ça fonctionne sans ces clés dans le application.conf.j2).

Sinon, il faudra les garder paramétrables histoire d'éviter des prods avec des clés d'exemple.

GiooDev · 2026-03-03T16:24:09Z

    secret_token: changeit_cas_secret_token
+    crypto:
+      oauth:
+        encryption_key: "my_oauth_encryption_key"


Si ça démarre sans mettre ces configurations, je serai d'avis de le séparer dans un ticket dédié pour faire le lien avec le bug 12418.

bbenaissa · 2026-03-05T13:17:04Z

+@RequiredArgsConstructor
+public class IamApiDecorator {
+
+    private static final String DEFAULT_SERVICE_ACCOUNT = "admin@change-it.fr";


je ne comprend pas l'utilité de ce décorateur

Avec l’ancienne API, le contexte était passé lors de l’appel du client.

J’avais mis en place un RestTemplateCustomizer qui ne peuplait le contexte qu’au moment de l’exécution effective de la requête HTTP.

Le problème est que le client tentait d’utiliser ce contexte trop tôt, alors qu’il n’était pas encore initialisé, notamment pour construire les headers de la requête.

Le décorateur permet désormais d’initialiser le contexte avant l’appel du client, puis de le nettoyer automatiquement une fois l’appel terminé.

lotfivitam · 2026-03-03T07:32:28Z

  cas_server:
    # Secret internal token for CAS to vitam-ui communication
    secret_token: changeit_cas_secret_token
+    crypto:


Si on édite vault-vitamui.yml.example, il faut éditer vault-vitamui.yml au lieu de vitamui_vars.yml

lotfivitam · 2026-03-03T07:34:08Z

    port_admin: 7001
    cors:
      enabled: true
+    crypto:


à déplacer dans vault-vitamui.yml

lotfivitam · 2026-03-06T07:46:59Z

            action,
            CasWebflowConstants.TRANSITION_ID_TICKET_GRANTING_TICKET_NOT_EXISTS,
-            CasWebflowConstants.STATE_ID_GATEWAY_REQUEST_CHECK
+            ACTION_STATE_CHECK_SUBROGATION


Je comprend qu'on veuille ajouter un step pour traiter la subrogation séparément, mais le code de CheckSubrogationAction est au final assez redondant avec une bonne partie de CustomDelegatedClientAuthenticationAction. Est-ce normal?

Aussi, est-ce le bon état de départ pour ce check? (risque d'avoir un saut dans le workflow qui causerait ce traitement d'être skippé)

Corrigé dans story #15813 refactor(cas): check subrogation action

On ne bypass plus les étapes, on proceed et laisse faire le flow actuel.

GiooDev · 2026-03-06T10:12:50Z

    secret_token: changeit_cas_secret_token
+    crypto:
+      oauth:
+        encryption_key: "my_oauth_encryption_key"


Je retire ces modifs ça sera pris en compte dans un ticket associé en lien avec le Bug 12418.

GiooDev · 2026-03-06T10:15:40Z

  "OIDC_CONFIG": {
    "issuer": "{{ vitamui.cas_server.base_url | default(url_prefix+'/cas') }}/oidc",
-    "redirectUri": "?",
+    "redirectUri": "{{ vitamui.ui_portal.base_url | default(url_prefix+'/') }}",


C'était un bug ça ? Qu'on doit backporter ?

C'est peut-être à cause de ça que la redirection en http ne fonctionne actuellement pas sur l'url oidc ?

GiooDev · 2026-03-06T10:20:53Z

-management.metrics.export.prometheus.enabled: true
+management.prometheus.metrics.export.enabled: true

 {% if sms.enabled|lower == "true" %}


À vérifier si on peut maintenant réellement désactiver le sms car à l'époque il y avait un bug qui empêchait cas de démarrer en cas de désactivation.

Configuration sms renseignée dans deployment/environments/group_vars/all/infra.yml.

GiooDev · 2026-03-06T13:06:01Z

Poursuite des travaux dans le cadre de la Story 15813.

Regzox added this to the IT 163 milestone Dec 19, 2025

Regzox added the VAS VAS contribution label Dec 19, 2025

Regzox self-assigned this Dec 19, 2025

Regzox marked this pull request as draft December 19, 2025 15:32

Regzox force-pushed the story_15455 branch 3 times, most recently from 913c13d to 4f8e575 Compare January 15, 2026 10:32

Regzox force-pushed the story_15455 branch 5 times, most recently from c6ebb8d to 0f3f935 Compare February 3, 2026 14:32

Regzox marked this pull request as ready for review February 5, 2026 14:34

GiooDev added the Highlight Important feature for release note label Feb 5, 2026

lotfivitam requested review from bbenaissa and lotfivitam February 10, 2026 13:36

bbenaissa reviewed Feb 10, 2026

View reviewed changes

lotfivitam reviewed Feb 12, 2026

View reviewed changes

lotfivitam reviewed Feb 14, 2026

View reviewed changes

Regzox force-pushed the story_15455 branch 10 times, most recently from a06ca5d to 1932f5a Compare February 17, 2026 14:04

bbenaissa reviewed Feb 17, 2026

View reviewed changes

Comment thread cas/cas-server/src/main/java/fr/gouv/vitamui/cas/config/AppConfig.java Outdated