Changing one's password is something that happens independent of
your single sign on session. It can happen because you've noticed
an expired password or it can happen because someone decided to
change their password.
In the former case, all CAS can do is redirect you to the
appropriate application within your institution.
-Scott
-Scott Battaglia
PGP Public Key Id: 0x383733AA
LinkedIn: http://www.linkedin.com/in/scottbattaglia
On Fri, Jan 23, 2009 at 3:02 PM, Chris Roffler
<[email protected]> wrote:
Scott,
This issue has been on the plate for a long time ( perhaps you
embmer me harping on this some time back :)
What's it going to take to convince you ? :-)
Chris
----- Original Message -----
From: Scott Battaglia
To: [email protected];Yale CAS mailing list
Sent: 1/23/2009 8:42:29 PM
Subject: Re: can CAS handle 3-strike scenario?
At the moment all I'm saying is that we'll be supporting relaying
messages from backend systems (i.e. your password expired, account
locked, etc.). Integration with other systems to change passwords
would be a complimentary but probably separate system.
That's just my 3 second thought on the matter. I can probably be
convinced otherwise :-)
-Scott
-Scott Battaglia
PGP Public Key Id: 0x383733AA
LinkedIn: http://www.linkedin.com/in/scottbattaglia
On Fri, Jan 23, 2009 at 1:07 PM, Chris Roffler
<[email protected]> wrote:
Sorry to jump in here ....
Scott, are you saying that CAS4 will support back end change of
password when back end reports expiration ( like LDAP) ?
Chris
----- Original Message -----
From: Scott Battaglia
To: [email protected];Yale CAS mailing list
Sent: 1/23/2009 8:00:03 PM
Subject: Re: can CAS handle 3-strike scenario?
If I had to guess,I'd have to say closer to 3 months.
Sent from my iPod
On Jan 23, 2009, at 10:23 AM, hua lu <[email protected]> wrote:
Scott,
thanks for the info.
When do you think that CS4 will be ready? any possibility in the
next month or two?
regards,
Lu
--- On Thu, 1/22/09, Scott Battaglia <[email protected]>
wrote:
From: Scott Battaglia <[email protected]>
Subject: Re: can CAS handle 3-strike scenario?
To: "Yale CAS mailing list" <[email protected]>
Date: Thursday, January 22, 2009, 5:05 PM
We're looking at that for CAS 4 (in fact, its actually in the CAS4
source code) though CAS4 clearly isn't ready for production :-)
-Scott
-Scott Battaglia
PGP Public Key Id: 0x383733AA
LinkedIn: http://www.linkedin.com/in/scottbattaglia
On Thu, Jan 22, 2009 at 3:15 PM, Dale Ogilvie <[email protected]
> wrote:
I haven't tried to implement displaying a message from the backend
authenticator to the user. Perhaps someone else can suggest
something?
I think that password expiry is also a policy that should be
handled by your backend identity system. CAS does not manage the
users identity today.
From: [email protected] [mailto:cas-
[email protected]] On Behalf Of hua lu
Sent: Friday, 23 January 2009 4:01 a.m.
To: Yale CAS mailing list
Subject: RE: can CAS handle 3-strike scenario?
Dale,
thanks for the helpful answer.
So say if we want to implement the 3 strike rule (the DB side to
handle the logic), and to display some specific message (this
message is independent from the regular "your password is
incorrect" one) when the user login incorrectly for more than three
times, is it easy to do in CAS? Have you or somebody have tried to
looked at this implementation? which part of the CAS code should I
tackle?
Actually we have one more scenario: the password will be expired
for every 3 month. Does CAS has any build-in mechanism to handle
it? If modification is needed, what necessary steps need to be
done? Any example?
regards,
Lu
--- On Wed, 1/21/09, Dale Ogilvie <[email protected]> wrote:
From: Dale Ogilvie <[email protected]>
Subject: RE: can CAS handle 3-strike scenario?
To: "Yale CAS mailing list" <[email protected]>
Date: Wednesday, January 21, 2009, 5:18 PM
Regarding point 2.
I believe CAS does not provide this lockout feature. It must be
implemented in the backend authentication system. This makes sense,
as any recovery from lockout would best be done at your backend
credential store. Any login attempt count and locked out flag
should be stored alongside your valid credentials.
Instead of lockout we use an increasing response delay every time a
user gets the password wrong. This makes brute force attacks
impractical, while still allowing someone who knows the password to
get in. This delay is enforced by the backend authenticator, not by
CAS.
Dale
From: [email protected] [mailto:cas-
[email protected]] On Behalf Of hua lu
Sent: Thursday, 22 January 2009 10:22 a.m.
To: [email protected]
Subject: can CAS handle 3-strike scenario?
Hi, all,
I am new to CAS. Here is my question:
1. We have a customized encoding java class to encode the password
(and this encrypted password is stored in database). Is there
anybody can provide a concrete example on how to make it happen in
configure this encoder?
2. Can CAS handle 3-strike rule? if a user logged in (with good
username, but wrong password) unsuccessfully for more than 3 times,
the user shall be displayed with a specific message saying that the
account is locked out. Is there any generally mechanism already
built in CAS to handle this scenario? What kind of code/
configuration change is needed?
Any help on the above topic is greatly appreciated!
LU
_______________________________________________
Yale CAS mailing list
[email protected]
http://tp.its.yale.edu/mailman/listinfo/cas
_______________________________________________
Yale CAS mailing list
[email protected]
http://tp.its.yale.edu/mailman/listinfo/cas
_______________________________________________
Yale CAS mailing list
[email protected]
http://tp.its.yale.edu/mailman/listinfo/cas
_______________________________________________
Yale CAS mailing list
[email protected]
http://tp.its.yale.edu/mailman/listinfo/cas
__________ NOD32 3793 (20090123) Information __________
This message was checked by NOD32 antivirus system.
http://www.eset.com
_______________________________________________
Yale CAS mailing list
[email protected]
http://tp.its.yale.edu/mailman/listinfo/cas
ist
[email protected]
http://tp.its.yale.edu/mailman/listinfo/cas
_______________________________________________
Yale CAS mailing list
[email protected]
http://tp.its.yale.edu/mailman/listinfo/cas
