> Maybe the default ootb CAS login JSP should include a user-facing note to > this effect of reminding folks trying out CAS that the SSO capability won't > work without https (but basic login to one immediate webapp will)?
I'm ambivalent about this. I understand the reasoning: it's a vitally important point that deployers should understand and placing it in their face on the login screen will make it unavoidable. However, you're poisoning the user experience for 99.9% of users when the intended audience is the handful of deployers responsible for the application. I'd like to consider other ways to communicate this information. While it's easy enough to remove, the default UI should be focused on authentication, not communicating to deployers. M -- You are currently subscribed to [email protected] as: [email protected] To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user
