Team,

There is a pending pull [1] that proposes the SimpleTestAuthenticationHandler be renamed to something that is a bit more descriptive. The motivation for the pull/JIRA is not only to communicate the actual purpose of the handler, but hopefully in doing that, it would be clearer that the handler should never be used in production.

IMO, ideally, the objective might be to not even allow folks to use the handler at all and simply keep it for internal dev and testing purposes. There have been a number of suggestions on the pull that I'd like to summarize here first and see if we can all reach an agreement on the most appropriate option:

1. Rename this default handler to MatchingUsernamePasswordAuthenticationHandler: communicates intent, but loses sight that this is a test handler not to be used
2. Display a warning on the login page, much like the http/nonsecure warning, that the handler is only for testing purposes and should never be used in production
3. Figure out a way to do away with the handler in the final war: one possible idea might be to force users to explicitly configure handlers and by default, CAS would ship with no handlers at all?

-Misagh

[1] https://github.com/Jasig/cas/pull/215