Password Management Token & Server/Client IP Address check

api/cas-server-core-api-configuration-model/src/main/java/org/apereo/cas/configuration/model/support/pm/PasswordManagementProperties.java

@@ -249,6 +249,16 @@ public static class Reset implements Serializable {
          */
         private boolean securityQuestionsEnabled = true;
 
+        /**
+         * Whether the Password Management Token will contain the server IP Address.
+         */
+        private boolean includeServerIpAddress = true;
+
+        /**
+         * Whether the Password Management Token will contain the client IP Address.
+         */
+        private boolean includeClientIpAddress = true;
+
         /**
          * How long in minutes should the password expiration link remain valid.
          */

docs/cas-server-documentation/configuration/Configuration-Properties.md

@@ -5298,6 +5298,9 @@ To learn more about this topic, [please review this guide](../installation/Passw
 
 # cas.authn.pm.reset.expirationMinutes=1
 # cas.authn.pm.reset.securityQuestionsEnabled=true
+# Whether the Password Management Token will contain the client or server IP Address.
+# cas.authn.pm.reset.includeServerIpAddress=true
+# cas.authn.pm.reset.includeClientIpAddress=true
 
 # Automatically log in after successful password change
 # cas.authn.pm.autoLogin=false

support/cas-server-support-pm-core/src/main/java/org/apereo/cas/pm/BasePasswordManagementService.java

@@ -59,6 +59,7 @@ public String parseToken(final String token) {
         try {
             val json = this.cipherExecutor.decode(token);
             val claims = JwtClaims.parse(json);
+            val resetProperties = properties.getReset();
 
             if (!claims.getIssuer().equals(issuer)) {
                 LOGGER.error("Token issuer does not match CAS");
@@ -74,11 +75,11 @@ public String parseToken(final String token) {
             }
 
             val holder = ClientInfoHolder.getClientInfo();
-            if (!claims.getStringClaimValue("origin").equals(holder.getServerIpAddress())) {
+            if (resetProperties.isIncludeServerIpAddress() && !claims.getStringClaimValue("origin").equals(holder.getServerIpAddress())) {
                 LOGGER.error("Token origin server IP address does not match CAS");
                 return null;
             }
-            if (!claims.getStringClaimValue("client").equals(holder.getClientIpAddress())) {
+            if (resetProperties.isIncludeClientIpAddress() && !claims.getStringClaimValue("client").equals(holder.getClientIpAddress())) {
                 LOGGER.error("Token client IP address does not match CAS");
                 return null;
             }
@@ -102,16 +103,21 @@ public String createToken(final String to) {
         try {
             val token = UUID.randomUUID().toString();
             val claims = new JwtClaims();
+            val resetProperties = properties.getReset();
             claims.setJwtId(token);
             claims.setIssuer(issuer);
             claims.setAudience(issuer);
-            claims.setExpirationTimeMinutesInTheFuture(properties.getReset().getExpirationMinutes());
+            claims.setExpirationTimeMinutesInTheFuture(resetProperties.getExpirationMinutes());
             claims.setIssuedAtToNow();
 
             val holder = ClientInfoHolder.getClientInfo();
             if (holder != null) {
-                claims.setStringClaim("origin", holder.getServerIpAddress());
-                claims.setStringClaim("client", holder.getClientIpAddress());
+                if (resetProperties.isIncludeServerIpAddress()) {
+                    claims.setStringClaim("origin", holder.getServerIpAddress());
+                }
+                if (resetProperties.isIncludeClientIpAddress()) {
+                    claims.setStringClaim("client", holder.getClientIpAddress());
+                }
             }
             claims.setSubject(to);
             LOGGER.debug("Creating password management token for [{}]", to);