Testing CAS 3.5.2 against LDAP (via JAAS) for authentication. Recalled many LDAP operations are case IN-sensitive, including BIND, so username 'fred' could be entered as 'FRED', 'FrEd', etc. and still succeed with the correct password. This, in itself, is not necessarily a problem.
However, when using username+password authentication, the literal username entered by the client is returned to the CAS client (cf. serviceValidate). I enter 'FrEd' and the application sees 'FrEd' instead of 'fred' or whatever it might be expecting. Certain applications could end up with split personalities, so to speak. What got me to thinking about this was a question on dealing with auto-capitalization by mobile devices.

I see a number of ways to approach normalizing the username:

1 - Use autocorrect and autocapitalize attributes on HTML inputs.
2 - JavaScript to 'normalize' (lowercase for us) a username on POST.
3 - Inject something bean- or EL-like into the CAS server configuration.
4 - Implement a PrincipalNameTransformer that normalizes the username.
5 - Figure out how to query the directory for the known/normalized username, and re-inject it back into the UsernamePasswordCredentials object.

Could do 1 and 2 easily enough, though they could be bypassed by e.g. a browser with JavaScript disabled. Option 4 seems the most satisfying from a programming standpoint, though it also seems the least flexible from an operational/maintenance point of view wrt any policy change. Think I'd prefer #3, though am not seeing how/where offhand. E.g. login-webflow.xml, cas-servlet.xml, applicationContext.xml, ...? Think it makes sense to normalize before the TGT is generated. Not afraid to write code, but hope to keep things as 'vanilla' as possible.

Thanks for thoughts/ideas/suggestions on approaching this.

Tom.

--
You are currently subscribed to [email protected] as: [email protected]
To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user
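As an added illustration of option 4 (and of why it alone may not change what serviceValidate returns), here is example code that is not part of the original post or of CAS itself. It targets the CAS 3.5 server API: org.jasig.cas.authentication.handler.PrincipalNameTransformer (String transform(String)) is the hook the JaasAuthenticationHandler exposes via its principalNameTransformer property, but that hook only rewrites the username handed to the authentication backend. The principal that ends up in the TGT, and hence in the serviceValidate response, is built by the credentials-to-principal resolver, which reads the username straight from the UsernamePasswordCredentials. The nested Resolver class below therefore applies the same normalization there, by overriding extractPrincipalId on UsernamePasswordCredentialsToPrincipalResolver; that override signature is taken from memory of the 3.5 source and should be checked against your deployment. The package name example.cas is hypothetical.

```java
package example.cas; // hypothetical package, not part of CAS

import java.util.Locale;

import org.jasig.cas.authentication.handler.PrincipalNameTransformer;
import org.jasig.cas.authentication.principal.Credentials;
import org.jasig.cas.authentication.principal.UsernamePasswordCredentials;
import org.jasig.cas.authentication.principal.UsernamePasswordCredentialsToPrincipalResolver;

/**
 * Example (not CAS code): normalizes the submitted username so that
 * 'FrEd', ' fred ' and 'FRED' all authenticate and are reported as 'fred'.
 */
public final class LowercasePrincipalNameTransformer implements PrincipalNameTransformer {

    /** Shared policy so the handler and the resolver cannot drift apart. */
    static String normalize(final String userId) {
        if (userId == null) {
            return null;
        }
        // Locale.ROOT avoids locale-dependent case mapping (e.g. the Turkish
        // dotless i), so the result does not depend on the JVM default locale.
        final String normalized = userId.trim().toLowerCase(Locale.ROOT);
        return normalized.isEmpty() ? null : normalized;
    }

    /** Called by AbstractUsernamePasswordAuthenticationHandler before the bind. */
    public String transform(final String formUserId) {
        return normalize(formUserId);
    }

    /**
     * Applies the same policy to the principal id that goes into the TGT.
     * Assumption: in CAS 3.5 the base resolver exposes
     * protected String extractPrincipalId(Credentials) for exactly this purpose.
     */
    public static final class Resolver extends UsernamePasswordCredentialsToPrincipalResolver {
        @Override
        protected String extractPrincipalId(final Credentials credentials) {
            final UsernamePasswordCredentials upc = (UsernamePasswordCredentials) credentials;
            return normalize(upc.getUsername());
        }
    }
}
```

Wiring, in deployerConfigContext.xml: give the JaasAuthenticationHandler bean a property named principalNameTransformer whose value is a bean of class example.cas.LowercasePrincipalNameTransformer, and replace the UsernamePasswordCredentialsToPrincipalResolver entry in the credentialsToPrincipalResolvers list with a bean of class example.cas.LowercasePrincipalNameTransformer$Resolver. Both changes together normalize before the TGT is generated, which is the server-side guarantee that the HTML attribute and JavaScript options (1 and 2) cannot provide. Keep the normalization deliberately narrow: lowercasing and trimming are safe for a directory that binds case-insensitively, but anything more aggressive (stripping characters, expanding aliases) risks mapping two distinct directory entries onto one principal id.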
