Jérôme, for us, only assertion.isFromNewLogin() has security relevance, as it doesn't matter on the client side which checkboxes the user ticked on the CAS side. The only information that we need on the client side is to know whether this authentication was remembered, as we need to revoke rights (Roles) from this user for the current session in this case. This is needed to deny access to special areas of the user's profile in the client applications which hold sensitive data (e.g. the shared client computer problem). If the remembered user accesses these sensitive areas, this way we force an interactive re-login. On the client side, we are currently still on Spring Security 2.0.x, so we extended the CasServiceResponse to hold isFromNewLogin.
As we are moving to SpringSec 3.x soon on some of the clients, we also need to support isFromNewLogin on the Saml response in CAS. To support isFromNewLogin on the client side, we extended CasAuthenticationProvider.

Robert

On 19.07.2012 at 20:12, jleleu wrote:

> Hi,
>
> I re-started working on the remember-me feature that I'd like to see completely working.
>
> First, I proposed some improvements to make CAS remember-me work on client side for Shiro client (see https://issues.apache.org/jira/browse/SHIRO-373) and Spring Security client (see https://jira.springsource.org/browse/SEC-1986). The mechanism is mainly based on the use of the renew parameter to force re-authentication on CAS server side. I planned subsequently to do the same on Java CAS client and some evolutions on CAS server also.
>
> But, Rob Winch, the leader of Spring Security, pointed out to me that our remember-me is not working very well.
>
> Right now, the test in Saml10SuccessResponseView class to determine if it's a remember-me is:
>
>     final boolean isRemembered = (authentication.getAttributes()
>             .get(RememberMeCredentials.AUTHENTICATION_ATTRIBUTE_REMEMBER_ME) == Boolean.TRUE
>             && !assertion.isFromNewLogin());
>
> The first part is matched by the fact that the check box "Remember-me" (on login page) has been checked and the second part means the user has just filled in their login and password.
>
> That means the first application accessed is not marked in remember-me but the second one is, even if the browser has not been closed. I would expect to mark applications with remember-me only after a browser has been closed and reopened.
>
> Before creating a JIRA and submitting a pull request to rectify this behaviour, I would like that we all agree on the definition of what remember-me is in CAS.
>
> Thanks.
> Best regards,
> Jérôme
>
> --
> You are currently subscribed to cas-dev@lists.jasig.org as: robertoschw...@googlemail.com
> To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-dev
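The following is an added, stand-alone Java model of the two points made in this thread, not code from CAS, Spring Security or either poster: it reproduces the `isRemembered` test quoted from Saml10SuccessResponseView to show why a first and a second service in the same browser session get different answers, and then applies the client-side policy Robert describes (drop the roles guarding sensitive profile areas from a remembered session and bounce such requests back to CAS with renew=true). The `Authentication` and `Assertion` classes, the `REMEMBER_ME_ATTRIBUTE` value and the role names are hypothetical stand-ins chosen for the example.

```java
import java.util.Arrays;
import java.util.Collections;
import java.util.HashMap;
import java.util.LinkedHashSet;
import java.util.Map;
import java.util.Set;

/**
 * Stand-alone model of the remember-me decision discussed on cas-dev.
 * Authentication and Assertion below are hypothetical stand-ins,
 * not the CAS or Spring Security types.
 */
public class RememberMeDemo {

    /** Stand-in for RememberMeCredentials.AUTHENTICATION_ATTRIBUTE_REMEMBER_ME (constructed value). */
    static final String REMEMBER_ME_ATTRIBUTE = "REMEMBER_ME";

    /** Hypothetical stand-in for the CAS Authentication: only the attribute map matters here. */
    static final class Authentication {
        private final Map<String, Object> attributes;
        Authentication(Map<String, Object> attributes) {
            this.attributes = Collections.unmodifiableMap(new HashMap<>(attributes));
        }
        Map<String, Object> getAttributes() { return attributes; }
    }

    /** Hypothetical stand-in for the CAS Assertion handed to a service after ticket validation. */
    static final class Assertion {
        private final Authentication authentication;
        private final boolean fromNewLogin;
        Assertion(Authentication authentication, boolean fromNewLogin) {
            this.authentication = authentication;
            this.fromNewLogin = fromNewLogin;
        }
        Authentication getAuthentication() { return authentication; }
        /** true only when the user has just typed login and password for this ticket. */
        boolean isFromNewLogin() { return fromNewLogin; }
    }

    /** The server-side test as quoted from Saml10SuccessResponseView in the thread. */
    static boolean isRememberedPerServerView(Assertion assertion) {
        return assertion.getAuthentication().getAttributes().get(REMEMBER_ME_ATTRIBUTE) == Boolean.TRUE
                && !assertion.isFromNewLogin();
    }

    /**
     * Client-side policy from Robert's message: a remembered session keeps its
     * ordinary roles but loses the ones that guard sensitive profile areas.
     */
    static Set<String> effectiveRoles(Set<String> grantedRoles, Set<String> sensitiveRoles, boolean remembered) {
        Set<String> effective = new LinkedHashSet<>(grantedRoles);
        if (remembered) {
            effective.removeAll(sensitiveRoles);
        }
        return effective;
    }

    /**
     * Decide whether a request for an area guarded by requiredRole must be sent
     * back to CAS with renew=true so the user re-authenticates interactively.
     */
    static boolean requiresInteractiveRelogin(Set<String> effectiveRoles, String requiredRole, boolean remembered) {
        return remembered && !effectiveRoles.contains(requiredRole);
    }

    public static void main(String[] args) {
        Map<String, Object> attrs = new HashMap<>();
        attrs.put(REMEMBER_ME_ATTRIBUTE, Boolean.TRUE); // the user ticked "Remember-me" on the CAS login page
        Authentication auth = new Authentication(attrs);

        // Same browser session, never closed: the first service is validated right after
        // the login form was submitted, the second one gets a ticket from the existing SSO session.
        Assertion firstService = new Assertion(auth, true);
        Assertion secondService = new Assertion(auth, false);

        System.out.println("first service remembered?  " + isRememberedPerServerView(firstService));
        System.out.println("second service remembered? " + isRememberedPerServerView(secondService));
        // Different answers for the same browser session: the inconsistency Jérôme points out.

        // Client side: demote the remembered session and force renew=true for the sensitive area.
        Set<String> granted = new LinkedHashSet<>(Arrays.asList("ROLE_USER", "ROLE_PROFILE_SENSITIVE"));
        Set<String> sensitive = Collections.singleton("ROLE_PROFILE_SENSITIVE");
        boolean remembered = isRememberedPerServerView(secondService);
        Set<String> effective = effectiveRoles(granted, sensitive, remembered);
        System.out.println("effective roles for remembered session: " + effective);
        System.out.println("sensitive area needs renew=true re-login? "
                + requiresInteractiveRelogin(effective, "ROLE_PROFILE_SENSITIVE", remembered));
    }
}
```

Compile and run with `javac RememberMeDemo.java && java RememberMeDemo`. The role-stripping happens on the client copy of the granted authorities only, so the CAS session itself is untouched; the client just refuses to serve the sensitive area until a validation with renew=true comes back with isFromNewLogin() true.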