Just to get an idea how we handle Remember Me:
We use CAS Remember Me since the beginning (we are the sponsors of this
feature) and here is how we use it:
- Note: Remember Me in the applications' Spring Security is disabled, so we use
only CAS Remember Me.
- As we do not use SAML response yet, we extended the validation response to
signal remember me to the CAS clients. So we extended
casServiceValidationSuccess.jsp with:
<cas:attributes>
  <cas:isFromNewLogin>${fn:escapeXml(assertion.fromNewLogin)}</cas:isFromNewLogin>
  <!-- If it is not from a new login, it is a Remember Me login -->
</cas:attributes>
- In all CAS client applications, it's only allowed to access non-critical
pages with a remembered login. If a user accesses a critical page, we force a
CAS relogin.
For Spring Security based clients, we extended the CasAuthenticationProvider to
check the validation response for a remembered login.
Technically, we reduce the user's current roles if a Remember Me login was
performed, so access to critical pages is denied.
Hope it helps a bit.
Robert
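An added example (not code from Robert's mail or from the CAS or Spring Security projects) showing the client side of the scheme described above: parse the extended serviceValidate response, read cas:isFromNewLogin, strip critical roles on a remembered login, and decide when to send the user back to CAS with renew=true. It is written in Python rather than Java so it runs stand-alone; the role names, the set of critical roles and the two sample responses are constructed for this illustration.

```python
"""Client-side handling of a CAS Remember Me login that the server signals
through <cas:isFromNewLogin> in the serviceValidate response.

Added example: not code from the mail above or from the CAS / Spring
Security projects. The critical-role set, role names and sample
responses are constructed for this illustration.
"""
import xml.etree.ElementTree as ET

# Namespace used by the CAS 2.0 serviceValidate response.
CAS_NS = {"cas": "http://www.yale.edu/tp/cas"}

# Roles that must never be granted on a remembered (cookie-only) login.
# Constructed for this example; a real client would take this from config.
CRITICAL_ROLES = {"ROLE_PAYMENT", "ROLE_ADMIN"}


def parse_validation_response(xml_text):
    """Return (user, attributes) from a CAS serviceValidate response.

    attributes maps each <cas:attributes> child's local name to its text.
    Raises ValueError on an authenticationFailure or a malformed response.
    """
    root = ET.fromstring(xml_text)
    failure = root.find("cas:authenticationFailure", CAS_NS)
    if failure is not None:
        raise ValueError("CAS validation failed: code=%s" % failure.get("code"))
    success = root.find("cas:authenticationSuccess", CAS_NS)
    if success is None:
        raise ValueError("response has no authenticationSuccess element")
    user = success.findtext("cas:user", default=None, namespaces=CAS_NS)
    if not user:
        raise ValueError("authenticationSuccess without a user")
    attributes = {}
    attrs_el = success.find("cas:attributes", CAS_NS)
    if attrs_el is not None:
        for child in attrs_el:
            local_name = child.tag.split("}", 1)[-1]  # drop the namespace
            attributes[local_name] = (child.text or "").strip()
    return user, attributes


def is_remembered_login(attributes):
    """True when the login was not a fresh interactive one.

    Fails closed: if the flag is missing or not exactly "true", the session
    is treated as remembered and critical roles are withheld.
    """
    return attributes.get("isFromNewLogin", "").lower() != "true"


def effective_roles(granted_roles, remembered):
    """Reduce the user's roles on a remembered login so that critical pages
    are denied, mirroring the 'reduce the current roles' approach."""
    roles = set(granted_roles)
    if remembered:
        roles -= CRITICAL_ROLES
    return roles


def needs_relogin(required_roles, granted_roles, remembered):
    """True when a page needs a role the user holds but that was stripped
    because the session is remembered: the client should send the user back
    to CAS with renew=true to force a fresh login. A role the user never held
    is a plain access denial, not a relogin."""
    stripped = set(granted_roles) - effective_roles(granted_roles, remembered)
    return bool(set(required_roles) & stripped)


# Constructed sample: a remembered login for user "alice".
SAMPLE_REMEMBERED = """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:authenticationSuccess>
    <cas:user>alice</cas:user>
    <cas:attributes>
      <cas:isFromNewLogin>false</cas:isFromNewLogin>
    </cas:attributes>
  </cas:authenticationSuccess>
</cas:serviceResponse>"""

# Constructed sample: a failed validation.
SAMPLE_FAILURE = """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:authenticationFailure code='INVALID_TICKET'>Ticket not recognized</cas:authenticationFailure>
</cas:serviceResponse>"""


def decide(xml_text, granted_roles, required_roles):
    """Run the whole check for one request and return a summary dict."""
    user, attributes = parse_validation_response(xml_text)
    remembered = is_remembered_login(attributes)
    return {
        "user": user,
        "remembered": remembered,
        "roles": effective_roles(granted_roles, remembered),
        "relogin": needs_relogin(required_roles, granted_roles, remembered),
    }


if __name__ == "__main__":
    print(decide(SAMPLE_REMEMBERED, {"ROLE_USER", "ROLE_PAYMENT"}, {"ROLE_PAYMENT"}))
```

The remembered flag is read fail-closed on purpose: a response that lacks the attribute, or carries anything other than "true", is treated as a remembered login, so a misconfigured server can only withhold critical roles, never grant them by accident.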
On 08.05.2012 at 07:56, jleleu wrote:
> Hi Max,
>
> I hope that someone could find a good solution...
>
> I also remember having trouble with the different levels of authentication
> (CAS remember me and CAS authentication by login/password) inside the same
> application because both are based on CAS: changing from weak to strong
> level forced me to use the renew parameter to make CAS server "forget" the
> previous authentication...
>
> Is it worth it? I think it depends on your application. CAS remember-me is
> less secure than CAS login/password authentication, but it's still secure
> as your identity is held by a secure cookie only sent to the CAS server.
> If your application is not critical (just displaying non-critical user
> information), I would consider remember me authentication as a regular CAS
> authentication. If your application allows its users to buy stuff or such
> critical actions, I think you can't escape supporting properly the CAS
> remember me mode.
>
> Keep me informed on how you handle CAS remember me mode in Spring Security.
>
> Thanks.
> Best regards,
> Jérôme
>
>
> --
> You are currently subscribed to [email protected] as:
> [email protected]
> To unsubscribe, change settings or access archives, see
> http://www.ja-sig.org/wiki/display/JSG/cas-user