As stated, yes, we do recommend the deployer utilize an iframe *if* their ultimate goal is to embed the login page on their application's pages. Utilizing an iframe will allow the deployer to still participate in single sign-on (which would eliminate unnecessary login forms). Screen-scraping and form submission introduce unnecessary work and are exceptionally brittle.
This does not mean we are changing our stance that we recommend deployers follow the traditional CAS redirect protocol. Nowhere have we stated otherwise. However, we are aware that deployers' plans may not always fit well with the traditional CAS redirect protocol, and thus we do have recommendations on how best to utilize CAS in these non-traditional settings. As evidenced by the increasing number of successful phishing attacks which appear to work regardless of the craziness of the provided URL, deployers should be aware of phishing attempts and may wish to employ additional measures to decrease the likelihood of a successful attack, regardless of whether they embed the login form or redirect to the login form.

-Scott

On 2/26/07, Jason Shao <[EMAIL PROTECTED]> wrote:
> Scott Battaglia wrote:
> > We don't recommend screen scraping (as your application would need to
> > be updated if the login page changed). What we do recommend is that
> > you create a minimal login screen and change the last redirect of the
> > login flow to use JavaScript to handle the redirect. Then embed this
> > minimal login screen on your application pages with an iframe. This
> > would allow you to keep your existing login page (though they would be
> > formatted slightly differently depending on how you format the minimal
> > login screen) and still allow you to participate in single sign-on.
> >
> > It's very similar to Google Accounts.
>
> Is embedding the login page inside an iFrame a practice the community
> wants to recommend? It seems to open yourself up to social engineering
> and phishing attacks, since even the minimal protection offered by users
> looking at the location bar's URL is no longer available. One of CAS's
> potential benefits would seem to be discouraging users from typing their
> credentials into just any login box they see...
>
> Jason
>
> --
> Jason Shao
> Application Developer, Architecture & Engineering Team
> Rutgers University - Enterprise Systems & Services
> v. 732-445-2869 | f. 732-445-5493 | [EMAIL PROTECTED]
>
> _______________________________________________
> Yale CAS mailing list
> [email protected]
> http://tp.its.yale.edu/mailman/listinfo/cas
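The "last redirect of the login flow handled by JavaScript" step that the thread describes, as an added example; this is not code from the CAS project or from either poster. A normal CAS login ends with an HTTP redirect to the service URL carrying the service ticket, but inside an iframe that redirect would only navigate the frame itself, so the minimal login page does the final hop against the top-level window instead. The names (`buildServiceRedirect`, `completeLogin`, `fakeWindow`), the stand-in window objects and the sample service URL and ticket value are assumptions constructed for the example; the `ticket` query parameter name is the one CAS uses.

```javascript
// Added example: final redirect of a minimal CAS login page embedded in an iframe.
// Assumptions (not from the thread): the server has rendered the service URL and
// the freshly issued service ticket into the page, and the service URL may already
// carry a query string or fragment of its own.

// Append ?ticket=... to the service URL, keeping any existing query parameters and
// fragment. Uses the WHATWG URL API, available in browsers and Node.
function buildServiceRedirect(service, ticket) {
  const url = new URL(service);
  url.searchParams.set('ticket', ticket);
  return url.toString();
}

// True when this document is rendered inside a frame. Comparing the window
// references is permitted even when the embedding page is cross-origin; only
// reading the parent's properties would throw.
function isFramed(win) {
  return win.top !== win;
}

// Navigate the whole page (not just the frame) to the service with the ticket.
// `win` is injected so the logic can be exercised outside a browser; in a page
// you would call completeLogin(window, service, ticket).
function completeLogin(win, service, ticket) {
  const target = buildServiceRedirect(service, ticket);
  const framed = isFramed(win);
  const dest = framed ? win.top : win;
  dest.location.href = target; // assigning top.location is allowed cross-origin
  return { framed, target };
}

// Minimal stand-in for window objects so the flow runs under Node (constructed).
function fakeWindow(framed) {
  const self = { location: { href: '' } };
  self.top = framed ? { location: { href: '' } } : self;
  return self;
}

if (typeof require !== 'undefined' && require.main === module) {
  const w = fakeWindow(true);
  const r = completeLogin(w, 'https://app.example.edu/portal?tab=home#top', 'ST-1-constructed');
  console.log(r.framed, w.top.location.href);
}
```

Note that the redirect targets whichever window is on top; the embedded page itself never sees the parent's URL bar, which is exactly the property Jason raises, since the user cannot tell from the address bar which origin rendered the form.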
