Julien, Obtaining an LT is only one additional step and not especially hard to retrieve. People concerned about brute-force should either use something in CAS to throttle IP requests (i.e. the sample code we have) or something at their authentication source level (i.e. password locking after too many failed attempts).
-Scott

-Scott Battaglia
PGP Public Key Id: 0x383733AA
LinkedIn: http://www.linkedin.com/in/scottbattaglia

On Fri, Nov 28, 2008 at 3:28 AM, Julien Marchal <[EMAIL PROTECTED]> wrote:
> Scott,
> But in the web interface you have the ticket 'LT', which complicates
> things for an attack; in the REST interface we can make a brute force attack
> more simply.
>
> Thanks,
>
> Scott Battaglia wrote:
> > Pascal,
> > You should take the same concern with the RESTful API that you would with
> > the web UI as they can both be used to attempt to determine passwords.
> >
> > -Scott
> >
> > -Scott Battaglia
> > PGP Public Key Id: 0x383733AA
> > LinkedIn: http://www.linkedin.com/in/scottbattaglia
> >
> > On Thu, Nov 27, 2008 at 1:01 PM, Pascal Aubry <[EMAIL PROTECTED]> wrote:
> >> Hi folks,
> >> Seeing the RestFul API
> >> (http://www.ja-sig.org/wiki/display/CASUM/RESTful+API), I wonder if
> >> something is done to prevent password cracking. Anything to be done
> >> or does the CAS server already take care of such attacks?
> >> Thanks,
> >> PA
> >>
> >> --
> >> http://perso.univ-rennes1.fr/pascal.aubry
_______________________________________________
Yale CAS mailing list
[email protected]
http://tp.its.yale.edu/mailman/listinfo/cas
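As an added example (not code from this thread or from the CAS project), here is how the two mitigations Scott names could sit together in front of a CAS-style REST ticket endpoint: a sliding-window throttle on failed attempts per source IP, plus an account lockout of the kind an authentication source applies. All limits, addresses, usernames and the `password_ok` callback are constructed assumptions; the simulation also shows the account lock refusing a correct password while locked, the trade-off of the authentication-source approach.

```python
from collections import defaultdict, deque

# Constructed policy values (assumptions, not CAS's own settings).
IP_MAX_FAILURES = 5          # failures tolerated per source IP per window
IP_WINDOW_SECONDS = 60       # sliding window for the IP throttle
ACCOUNT_MAX_FAILURES = 3     # failures before the account is locked
ACCOUNT_LOCK_SECONDS = 900   # lockout duration at the authentication source


class CredentialThrottle:
    """IP throttle in front of the REST endpoint + account lockout behind it."""
    def __init__(self):
        self._ip_failures = defaultdict(deque)   # ip -> failure timestamps
        self._acct_failures = defaultdict(int)   # username -> recent failures
        self._acct_locked_until = {}             # username -> unlock time

    def check(self, ip, username, now):
        """Return None if the attempt may proceed, else the refusal reason."""
        window = self._ip_failures[ip]
        while window and now - window[0] >= IP_WINDOW_SECONDS:
            window.popleft()                     # expire failures outside the window
        if len(window) >= IP_MAX_FAILURES:
            return "ip_throttled"
        if self._acct_locked_until.get(username, 0) > now:
            return "account_locked"
        return None

    def record(self, ip, username, success, now):
        if success:
            self._acct_failures.pop(username, None)
            return
        self._ip_failures[ip].append(now)
        self._acct_failures[username] += 1
        if self._acct_failures[username] >= ACCOUNT_MAX_FAILURES:
            self._acct_locked_until[username] = now + ACCOUNT_LOCK_SECONDS
            self._acct_failures[username] = 0


def simulate(attempts, password_ok):
    """attempts: (time, ip, username, password) tuples -> outcome per attempt."""
    throttle = CredentialThrottle()
    outcomes = []
    for now, ip, user, pw in attempts:
        refusal = throttle.check(ip, user, now)
        if refusal:                      # refused before touching the password store
            outcomes.append(refusal)
            continue
        ok = password_ok(user, pw)       # stands in for the authentication handler
        throttle.record(ip, user, ok, now)
        outcomes.append("tgt_issued" if ok else "auth_failed")
    return outcomes
```

Refused attempts are not counted as failures, so an attacker cannot drive the IP window or the account counter from behind the throttle itself.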
