The CAS project has not introduced or un-introduced any feature related to
autocomplete within the CAS project.  Autocomplete is a browser-specific
feature.  What you are talking about are example JSP pages that are used for
part of the demo WAR and potentially as a basis for local customizations
that are lacking an attribute that hints to the browser not to use
autocomplete on a particular field.

You are, however, correct that as an example of "best practices" the JSP
page should utilize the autocomplete feature (the move to the Spring Form
tags accidentally removed that).  I've opened a JIRA issue and added the
attributes.

We encourage all deployers to look to the sample JSP pages as a good example
of what they will need, but they should always evaluate their local needs
and security concerns before deploying a production instance of CAS.

-Scott



On Tue, Mar 11, 2008 at 9:14 AM, jehan procaccia <
[EMAIL PROTECTED]> wrote:

> hello
>
> since I upgraded to cas 3.1.2,  I noticed that by default users can now
> "remember" typed password :-( !
> I removed that "feature" by setting autocomplete="off" in the
> corresponding jsp:
>
> [EMAIL PROTECTED]
> ~/cas-toolbox-3.1.2-1/custom.tmsp1/webpages/WEB-INF/view/jsp/tmsp1Vues/ui]
> $ grep "autocomplete=\"off\"" casLoginView.jsp
> <form:password cssClass="required" cssErrorClass="error" id="password"
> size="25" tabindex="2" path="password"
> accesskey="${passwordAccessKey}" autocomplete="off" htmlEscape="true" />
>
> Is there a reason why this remembering feature had been reintroduced?
> Older releases didn't allow that by default.
> It seems to me as being a security issue !?
>
> Thanks.
>
> _______________________________________________
> Yale CAS mailing list
> [email protected]
> http://tp.its.yale.edu/mailman/listinfo/cas
>



-- 
-Scott Battaglia
PGP Public Key Id: 0x383733AA
LinkedIn: http://www.linkedin.com/in/scottbattaglia
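
Added example (not part of the original messages or of the CAS code base): a small Python check that scans JSP view text for password fields lacking `autocomplete="off"`, including tags that wrap across lines, which a line-based grep like the one above can miss. The function name and the sample strings are constructed for illustration.

```python
import re
import sys

# <form:password ...> (Spring form tag, as in the thread) or plain <input ...>.
# DOTALL lets a tag span several lines; assumes no '>' inside attribute values.
TAG_RE = re.compile(r"<(form:password|input)\b([^>]*)>", re.I | re.S)
ATTR_RE = re.compile(r"""([\w:-]+)\s*=\s*(?:"([^"]*)"|'([^']*)')""")


def parse_attrs(raw):
    """Map lower-cased attribute names to their quoted values."""
    return {m.group(1).lower(): m.group(2) if m.group(2) is not None else m.group(3)
            for m in ATTR_RE.finditer(raw)}


def missing_autocomplete_off(jsp_text):
    """Return (line, field) for each password field without autocomplete="off"."""
    findings = []
    for m in TAG_RE.finditer(jsp_text):
        attrs = parse_attrs(m.group(2))
        if m.group(1).lower() == "input" and attrs.get("type", "").lower() != "password":
            continue  # only password inputs are of interest
        if attrs.get("autocomplete", "").strip().lower() != "off":
            line = jsp_text.count("\n", 0, m.start()) + 1
            field = attrs.get("id") or attrs.get("path") or attrs.get("name") or "?"
            findings.append((line, field))
    return findings


# Constructed samples: the tag quoted in the thread, and the same tag without the attribute.
WITH_ATTR = '''<form:password cssClass="required" cssErrorClass="error" id="password"
  size="25" tabindex="2" path="password"
  accesskey="${passwordAccessKey}" autocomplete="off" htmlEscape="true" />'''
WITHOUT_ATTR = '''<form:input cssClass="required" id="username" path="username" />
<form:password cssClass="required" cssErrorClass="error" id="password"
  size="25" tabindex="2" path="password"
  accesskey="${passwordAccessKey}" htmlEscape="true" />'''

if __name__ == "__main__":
    # Usage: python check_autocomplete.py casLoginView.jsp [more.jsp ...]
    status = 0
    for path in sys.argv[1:]:
        with open(path, encoding="utf-8", errors="replace") as fh:
            for line, field in missing_autocomplete_off(fh.read()):
                print(f"{path}:{line}: password field '{field}' lacks autocomplete=\"off\"")
                status = 1
    sys.exit(status)
```

Browsers treat the attribute as a hint, and many current password managers ignore it on login fields, so the check confirms what the template asks for, not what the browser does.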