Hi Eric,

Welcome to the CAS community. :)

You might find this a good starting point for password change, password
bootstrapping, etc.:

https://github.com/Unicon/cas-password-manager

CAS has features for automatically failing login attempts after too many
failures too quickly.  I posted about that recently here:

http://www.unicon.net/blog/apetro/failed_login_attempt_throttling_cas

You're right that current CAS doesn't differentiate between failure because
of throttling failed login attempts versus failure because the password was
wrong.  Differentiating is probably a good idea, allowing a better user
experience, and of course once it was differentiating you could customize
the differentiated error message to suggest the password reset opportunity.
A common current practice is simply to put the account recovery link on the
CAS login form page and users once sufficiently frustrated will click it to
recover their account.

Hope this helps,

Andrew
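A sketch of the decision logic Eric asks about in (b) through (d), as an added example written here in Python; it is not CAS code or anything from the links above, the account store, the Outcome names and the thresholds are assumptions, and a plaintext comparison stands in for verifying a stored password hash:

```python
import hmac
import time
from dataclasses import dataclass, field
from enum import Enum


class Outcome(Enum):
    SUCCESS = "success"
    BAD_CREDENTIALS = "bad_credentials"   # generic failure message
    THROTTLED = "throttled"               # too many attempts too quickly
    LOCKED = "locked"                     # send the user to "forgot password"
    MUST_CHANGE_PASSWORD = "must_change"  # temporary password in use


@dataclass
class Account:
    password: str
    temporary: bool = False  # hypothetical flag, e.g. a USER_TABLE column
    failures: int = 0        # persisted failed-attempt counter
    locked: bool = False


@dataclass
class LoginPolicy:
    max_failures: int = 5         # lock out after N failures
    throttle_window: float = 2.0  # seconds required between attempts
    last_attempt: dict = field(default_factory=dict)

    def login(self, accounts, username, password, now=None):
        now = time.monotonic() if now is None else now
        # Throttle check runs before the password is compared and returns
        # its own outcome, so the UI can distinguish it from a bad password.
        last = self.last_attempt.get(username)
        self.last_attempt[username] = now
        if last is not None and now - last < self.throttle_window:
            return Outcome.THROTTLED
        acct = accounts.get(username)
        if acct is None:
            return Outcome.BAD_CREDENTIALS  # same answer as a wrong password
        if acct.locked:
            return Outcome.LOCKED
        if not hmac.compare_digest(acct.password, password):
            acct.failures += 1
            if acct.failures >= self.max_failures:
                acct.locked = True
                return Outcome.LOCKED
            return Outcome.BAD_CREDENTIALS
        acct.failures = 0  # successful login resets the counter
        return Outcome.MUST_CHANGE_PASSWORD if acct.temporary else Outcome.SUCCESS
```

The post-authentication outcome is what the login flow would branch on: LOCKED forwards to the forgot-password screen and MUST_CHANGE_PASSWORD to the change-password screen, while THROTTLED and BAD_CREDENTIALS get their own messages.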
On Tue, Dec 11, 2012 at 12:38 PM, Stein, Eric <[email protected]> wrote:

> Hi,
>   I'm running CAS 3.5.0. I've got a trivial application authenticating
> to our database (Yay!). I've now been tasked with adding all the
> standard stuff - change password screen, forgot password screen, user
> locked out after N failed attempts, etc. I haven't seen any
> documentation on the jasig site about doing any of these things.
>
> I have two webapps right now:
> hello-world.war - client application
> locus-cas-webapp - a CAS war overlay application
>
> a) Change password/forgot password - do these go in a third webapp, or
> can I put them in locus-cas-webapp?
> b) How do I lock out a user if they fail to log in X times? My current
> setup would have me updating a column in USER_TABLE.
> c) If the user is locked out, I'd like to push them to the "forgot
> password" screen. I didn't see any hooks into this kind of behaviour -
> how would this be handled?
> d) If a user has a temporary password (created by the forgot password
> screen and currently tracked in a column in USER_TABLE), how do I
> redirect them to the "change password" screen?
>
> For (c) and (d) it seems like I need a hook into CAS after the
> authentication information is entered and either before the
> authentication is performed or post-authentication and pre-forwarding.
>
> I've been doing java forever, but I know nothing about Spring, so please
> modulate any answers accordingly.
>
> Thanks very much,
> Eric Stein
>
> --
> You are currently subscribed to [email protected] as:
> [email protected]
> To unsubscribe, change settings or access archives, see
> http://www.ja-sig.org/wiki/display/JSG/cas-user
