Hello there,

We have successfully been using CAS on a beta application using CAS 3.3.1. We implemented a custom authenticationHandler to authenticate a user against our Oracle database and a custom CredentialsToPrincipalResolver to read in a user's roles and put the attributes in the Authentication object. In addition, we use Spring Security, which ties in nicely with CAS using the spring-security-cas beans.
Everything is fine until you get to RememberMe. I was looking at the code and the problem I see is that when the TGT is created it stores the authentication object in the ticket registry and uses that data for rememberMe until the rememberMe expires. So if anything about the user changes in our Oracle DB, CAS will not know about it until the next time the TGT is created. This is quite dangerous, as an admin may have removed a user from a role since the TGT was created, and using rememberMe CAS will not know about it.

Are there any plans to enhance RememberMe so that we can tell it to fetch the user attributes from our authenticationHandler every time it creates a service ticket? It would be nice if the custom credential resolver could be invoked with the principalId, where we can re-read the user from the database just based on the principalId and no need for the password. Then CAS would need to update the ticket registry with the new Authentication data. This way any changes to the user in the Oracle DB can be refreshed in CAS. Otherwise RememberMe is quite dangerous, especially with our 2-week period.

Hopefully this makes sense. If not, I can provide some code snippets of what I'd like to see done in the CentralAuthenticationServiceImpl class, specifically the grantServiceTicket method.

Thanks much

Paul Schmidt
Ingenuity Systems
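
The stale-role problem and the requested refresh-by-principalId behaviour, as an added example that is not part of the original message and is not CAS code. Every class and method name here is a hypothetical stand-in for the ticket registry, the Oracle user store and grantServiceTicket; the user "alice" and her roles are constructed sample data, and failing closed when the user no longer exists is an assumption about the desired behaviour.

```java
import java.util.*;

// Simplified model of the behaviour described above; these classes are
// hypothetical stand-ins, not the CAS 3.3.1 API.
public class RememberMeRefreshDemo {

    // Stand-in for the Authentication stored with the TGT in the ticket registry.
    static final class Authentication {
        final String principalId;
        final Set<String> roles;
        Authentication(String principalId, Set<String> roles) {
            this.principalId = principalId;
            this.roles = Collections.unmodifiableSet(new HashSet<>(roles));
        }
    }

    // Stand-in for the ticket registry: TGT id -> cached Authentication.
    static final Map<String, Authentication> registry = new HashMap<>();
    // Constructed sample data standing in for the Oracle user/role tables.
    static final Map<String, Set<String>> userDb = new HashMap<>();

    // Current behaviour: the service ticket reuses whatever was cached at login.
    static Authentication grantServiceTicketCached(String tgtId) {
        return registry.get(tgtId);
    }

    // Requested behaviour: re-resolve by principalId only (no password),
    // fail closed if the user is gone, and write the result back to the registry.
    static Authentication grantServiceTicketRefreshed(String tgtId) {
        Authentication cached = registry.get(tgtId);
        if (cached == null) throw new IllegalStateException("unknown or expired TGT");
        Set<String> current = userDb.get(cached.principalId);
        if (current == null) {
            registry.remove(tgtId);
            throw new IllegalStateException("principal no longer exists");
        }
        Authentication fresh = new Authentication(cached.principalId, current);
        registry.put(tgtId, fresh);
        return fresh;
    }

    public static void main(String[] args) {
        userDb.put("alice", new HashSet<>(Arrays.asList("USER", "ADMIN")));
        registry.put("TGT-1", new Authentication("alice", userDb.get("alice")));
        userDb.put("alice", new HashSet<>(Arrays.asList("USER"))); // admin revokes ADMIN
        System.out.println("cached:    " + grantServiceTicketCached("TGT-1").roles);
        System.out.println("refreshed: " + grantServiceTicketRefreshed("TGT-1").roles);
    }
}
```

The cached path still reports the revoked ADMIN role for the lifetime of the remembered TGT, while the refreshed path reflects the current database state on each service ticket.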