Hi, I re-started working on the remember-me feature that I'd like to see completely working.

First, I proposed some improvements to make CAS remember-me work on the client side for the Shiro client (see https://issues.apache.org/jira/browse/SHIRO-373) and the Spring Security client (see https://jira.springsource.org/browse/SEC-1986). The mechanism is mainly based on the use of the renew parameter to force re-authentication on the CAS server side. I planned subsequently to do the same on the Java CAS client, along with some evolutions on the CAS server.

But Rob Winch, the leader of Spring Security, pointed out to me that our remember-me is not working very well. Right now, the test in the Saml10SuccessResponseView class to determine if it's a remember-me is:

    final boolean isRemembered = (authentication.getAttributes()
            .get(RememberMeCredentials.AUTHENTICATION_ATTRIBUTE_REMEMBER_ME) == Boolean.TRUE
            && !assertion.isFromNewLogin());

The first part is matched by the fact that the "Remember-me" check box (on the login page) has been checked, and the second part means the user has just filled in their login and password. That means the first application accessed is not marked as remember-me but the second one is, even if the browser has not been closed.

I would expect applications to be marked with remember-me only after a browser has been closed and reopened.

Before creating a JIRA and submitting a pull request to rectify this behaviour, I would like us all to agree on the definition of what remember-me is in CAS.

Thanks.
Best regards,
Jérôme