We're looking at that for CAS 4 (in fact, it's actually in the CAS4 source code), though CAS4 clearly isn't ready for production :-)
-Scott

Scott Battaglia
PGP Public Key Id: 0x383733AA
LinkedIn: http://www.linkedin.com/in/scottbattaglia

On Thu, Jan 22, 2009 at 3:15 PM, Dale Ogilvie <[email protected]> wrote:
> I haven't tried to implement displaying a message from the backend
> authenticator to the user. Perhaps someone else can suggest something?
>
> I think that password expiry is also a policy that should be handled by
> your backend identity system. CAS does not manage the user's identity today.
>
> ------------------------------
> *From:* [email protected] [mailto:[email protected]] *On Behalf Of* hua lu
> *Sent:* Friday, 23 January 2009 4:01 a.m.
> *To:* Yale CAS mailing list
> *Subject:* RE: can CAS handle 3-strike scenario?
>
> Dale,
>
> thanks for the helpful answer.
>
> So say if we want to implement the 3-strike rule (the DB side to handle the
> logic), and to display some specific message (this message is independent
> from the regular "your password is incorrect" one) when the user logs in
> incorrectly more than three times, is it easy to do in CAS? Have you or
> somebody else tried to look at this implementation? Which part of the CAS
> code should I tackle?
>
> Actually we have one more scenario: the password will expire every
> 3 months. Does CAS have any built-in mechanism to handle it? If modification
> is needed, what necessary steps need to be done? Any example?
>
> regards,
>
> Lu
>
> --- On *Wed, 1/21/09, Dale Ogilvie <[email protected]>* wrote:
>
> From: Dale Ogilvie <[email protected]>
> Subject: RE: can CAS handle 3-strike scenario?
> To: "Yale CAS mailing list" <[email protected]>
> Date: Wednesday, January 21, 2009, 5:18 PM
>
> Regarding point 2.
>
> I believe CAS does not provide this lockout feature. It must be implemented
> in the backend authentication system. This makes sense, as any recovery
> from lockout would best be done at your backend credential store. Any login
> attempt count and locked-out flag should be stored alongside your valid
> credentials.
>
> Instead of lockout we use an increasing response delay every time a
> user gets the password wrong. This makes brute force attacks impractical,
> while still allowing someone who knows the password to get in. This delay
> is enforced by the backend authenticator, not by CAS.
>
> Dale
>
> ------------------------------
> *From:* [email protected] [mailto:[email protected]] *On Behalf Of* hua lu
> *Sent:* Thursday, 22 January 2009 10:22 a.m.
> *To:* [email protected]
> *Subject:* can CAS handle 3-strike scenario?
>
> Hi, all,
>
> I am new to CAS. Here is my question:
> 1. We have a customized encoding Java class to encode the password (and
> this encrypted password is stored in a database). Can anybody provide
> a concrete example of how to make this happen and configure this encoder?
>
> 2. Can CAS handle the 3-strike rule? If a user logs in (with a good username,
> but wrong password) unsuccessfully more than 3 times, the user shall be
> shown a specific message saying that the account is locked out. Is
> there any general mechanism already built into CAS to handle this scenario?
> What kind of code/configuration change is needed?
>
> Any help on the above topic is greatly appreciated!
>
> LU
_______________________________________________
Yale CAS mailing list
[email protected]
http://tp.its.yale.edu/mailman/listinfo/cas
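The backend-side policy the thread describes, as an added example that is not CAS code and not from any participant in this thread: a credential store keeping the failed-attempt counter, locked-out flag and password age beside the hash, with the 3-strike lockout and Dale's escalating-delay alternative selectable, and a distinct outcome per decision so the login page can show a specific message rather than the generic "incorrect password" one. The hash function, constants, account layout and sample data are assumptions.

```python
import hashlib
import hmac
import time
from dataclasses import dataclass

MAX_STRIKES = 3                 # lock on the third consecutive wrong password (assumed)
PASSWORD_MAX_AGE = 90 * 86400   # "expires every 3 months", in seconds (assumed)
BASE_DELAY = 0.5                # seconds; doubled on each further failure (assumed)


def hash_password(password: str, salt: str) -> str:
    # Stand-in for the site's custom encoder class (assumption; not CAS code).
    return hashlib.sha256((salt + password).encode()).hexdigest()


@dataclass
class Account:
    """The credential row: policy state lives beside the hash, as Dale advises."""
    salt: str
    pw_hash: str
    pw_set_at: float      # epoch seconds when the password was last changed
    failures: int = 0     # consecutive wrong-password attempts
    locked: bool = False  # 3-strike flag; cleared by an out-of-band reset


class BackendAuthenticator:
    """Returns a distinct outcome so the login page can show a specific message."""

    def __init__(self, accounts, lockout=True, sleep=time.sleep, now=time.time):
        self.accounts = accounts
        self.lockout = lockout              # True: 3-strike lockout; False: escalating delay
        self.sleep, self.now = sleep, now   # injectable so tests need no real waiting

    def authenticate(self, username: str, password: str) -> str:
        acct = self.accounts.get(username)
        if acct is None:
            return "BAD_CREDENTIALS"        # unknown user: same message as wrong password
        if acct.locked:
            return "LOCKED"                 # stays locked even with the right password
        if not hmac.compare_digest(hash_password(password, acct.salt), acct.pw_hash):
            acct.failures += 1
            if self.lockout and acct.failures >= MAX_STRIKES:
                acct.locked = True
                return "LOCKED"             # the "specific message" case from the thread
            if not self.lockout:            # Dale's alternative: slow each retry down
                self.sleep(BASE_DELAY * 2 ** (acct.failures - 1))
            return "BAD_CREDENTIALS"
        acct.failures = 0                   # a correct password resets the counter
        if self.now() - acct.pw_set_at > PASSWORD_MAX_AGE:
            return "PASSWORD_EXPIRED"       # expiry is also a backend policy, not CAS's
        return "OK"
```

CAS itself only needs to map the outcome strings onto the messages shown on its login page; all state changes stay in the credential store.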
