Anthony,

I've been thinking about this as well.  This feature requirement comes 
up more often than it's pleasant to admit.  Especially with uPortal 3 
shipping with CAS and the uPortal password caching and replay features 
built into the framework and used by even more available channels and 
portlets (email preview, briefcase, and now the open-sourced Toro 
portlets), I'm thinking this is a feature worth soberly, carefully, 
centrally, and aggressively optionally, off-by-default, including in the 
CAS server distribution as a mainstream feature.

Whether it's morally virtuous to use this feature can be left open for 
debate.

I worry that implementing this feature locally multiple times invites 
redundant effort and local adoption of less-ideal implementations of 
this feature than could be achieved centrally.  If one is going to be 
passing passwords around with CAS, one wants a solid, considered, secure 
implementation that passes the information securely and authenticates 
the services before giving them the password and that doesn't break 
anything.  It seems a waste to invite people to locally trip over these 
issues for lack of a shared implementation of this feature.

Rutgers/Benn Oshrin have a thread going about where CAS can go next and 
what additional extension points/features would be welcome.  I'll look 
to engage that thread on this idea and invite you and other interested 
people to chime in.

Andrew



Anthony Colebourne wrote:
> Hi,
>
> At the JA-SIG conference last week I spoke to several people about
> patches they were running that leaked the user's password back to
> specially allowed CASified applications.
>
> I had several debates about the moral virtues of doing this and realize
> that no school wants to take responsibility for releasing such a patch.
>
> All things considered, I'm going to look into applying this patch
> locally. I'm convinced it's our only hope of encouraging adoption.
>
> So, where might one begin when looking to re-write this evil (un)patch?
>
> Thanks,
> Anthony.
>   

_______________________________________________
Yale CAS mailing list
[email protected]
http://tp.its.yale.edu/mailman/listinfo/cas
