On Mon, Jan 26, 2009 at 9:33 AM, hua lu <[email protected]> wrote:
> Hi, all,
>
> I understand that CAS is a free open source project, and it is excellent in
> doing the basic SSO business. It is easier to say than to implement some of
> the advanced (or nearly impossible) features I have mentioned. It is not my
> intention to ask Scott and his people to implement those features for ME. I
> just want to know whether it is possible to do it, and whether some of the
> already built-in features (CAS4) can be rolled out quickly. If that is the
> case, certainly, it would be very helpful to those projects with quite common
> needs such as 3-strike.
It's not a matter of whether CAS can support a 3-strike policy, etc.; it's often a matter of whether that is the best place for it. If Kerberos is your backend authentication system (for example), that would most likely mean that CAS is using Kerberos, maybe LDAP is using Kerberos, your local machines are using Kerberos, and your Unix time-shares are using Kerberos. Should 3-strike be implemented on each of those? Or should 3-strike be implemented from within Kerberos? We have some mechanisms within CAS for throttling what looks like bot requests (CAS4 will include the ability to use CAPTCHA), but that's different from the authentication system noticing that there seem to be a lot of bad password requests for this user.

-Scott

> Anyway, salute to the CAS people who make people's lives easy!
>
> Lu
>
> --- On Fri, 1/23/09, Scott Battaglia <[email protected]> wrote:
>
> From: Scott Battaglia <[email protected]>
> Subject: Re: can CAS handle 3-strike scenario?
> To: [email protected], "Yale CAS mailing list" <[email protected]>
> Date: Friday, January 23, 2009, 1:42 PM
>
> At the moment all I'm saying is that we'll be supporting relaying messages
> from backend systems (i.e. your password expired, account locked, etc.).
> Integration with other systems to change passwords would be a complementary
> but probably separate system.
>
> That's just my 3 second thought on the matter. I can probably be convinced
> otherwise :-)
>
> -Scott
>
> -Scott Battaglia
> PGP Public Key Id: 0x383733AA
> LinkedIn: http://www.linkedin.com/in/scottbattaglia
>
> On Fri, Jan 23, 2009 at 1:07 PM, Chris Roffler <[email protected]> wrote:
>
>> Sorry to jump in here ....
>>
>> Scott, are you saying that CAS4 will support back end change of password
>> when back end reports expiration (like LDAP)?
>>
>> Chris
>>
>> ----- Original Message -----
>> From: Scott Battaglia <[email protected]>
>> To: [email protected]; Yale CAS mailing list <[email protected]>
>> Sent: 1/23/2009 8:00:03 PM
>> Subject: Re: can CAS handle 3-strike scenario?
>>
>> If I had to guess, I'd have to say closer to 3 months.
>>
>> Sent from my iPod
>>
>> On Jan 23, 2009, at 10:23 AM, hua lu <[email protected]> wrote:
>>
>> Scott,
>>
>> thanks for the info.
>>
>> When do you think that CAS4 will be ready? Any possibility in the next
>> month or two?
>>
>> regards,
>>
>> Lu
>>
>> --- On Thu, 1/22/09, Scott Battaglia <[email protected]> wrote:
>>
>> From: Scott Battaglia <[email protected]>
>> Subject: Re: can CAS handle 3-strike scenario?
>> To: "Yale CAS mailing list" <[email protected]>
>> Date: Thursday, January 22, 2009, 5:05 PM
>>
>> We're looking at that for CAS 4 (in fact, it's actually in the CAS4 source
>> code) though CAS4 clearly isn't ready for production :-)
>>
>> -Scott
>>
>> -Scott Battaglia
>> PGP Public Key Id: 0x383733AA
>> LinkedIn: http://www.linkedin.com/in/scottbattaglia
>>
>> On Thu, Jan 22, 2009 at 3:15 PM, Dale Ogilvie <[email protected]> wrote:
>>
>>> I haven't tried to implement displaying a message from the backend
>>> authenticator to the user. Perhaps someone else can suggest something?
>>>
>>> I think that password expiry is also a policy that should be handled by
>>> your backend identity system. CAS does not manage the user's identity today.
>>>
>>> ------------------------------
>>> From: [email protected] [mailto:[email protected]] On Behalf Of hua lu
>>> Sent: Friday, 23 January 2009 4:01 a.m.
>>> To: Yale CAS mailing list
>>> Subject: RE: can CAS handle 3-strike scenario?
>>>
>>> Dale,
>>>
>>> thanks for the helpful answer.
>>>
>>> So say if we want to implement the 3-strike rule (the DB side to handle
>>> the logic), and to display some specific message (this message is
>>> independent from the regular "your password is incorrect" one) when the user
>>> logs in incorrectly more than three times, is it easy to do in CAS? Have
>>> you or somebody tried to look at this implementation? Which part of
>>> the CAS code should I tackle?
>>>
>>> Actually we have one more scenario: the password will expire
>>> every 3 months. Does CAS have any built-in mechanism to handle it? If
>>> modification is needed, what necessary steps need to be done? Any example?
>>>
>>> regards,
>>>
>>> Lu
>>>
>>> --- On Wed, 1/21/09, Dale Ogilvie <[email protected]> wrote:
>>>
>>> From: Dale Ogilvie <[email protected]>
>>> Subject: RE: can CAS handle 3-strike scenario?
>>> To: "Yale CAS mailing list" <[email protected]>
>>> Date: Wednesday, January 21, 2009, 5:18 PM
>>>
>>> Regarding point 2.
>>>
>>> I believe CAS does not provide this lockout feature. It must be
>>> implemented in the backend authentication system. This makes sense, as
>>> any recovery from lockout would best be done at your backend credential
>>> store. Any login attempt count and locked-out flag should be stored
>>> alongside your valid credentials.
>>>
>>> Instead of lockout we use an increasing response delay every time a
>>> user gets the password wrong. This makes brute force attacks impractical,
>>> while still allowing someone who knows the password to get in. This
>>> delay is enforced by the backend authenticator, not by CAS.
>>>
>>> Dale
>>>
>>> ------------------------------
>>> From: [email protected] [mailto:[email protected]] On Behalf Of hua lu
>>> Sent: Thursday, 22 January 2009 10:22 a.m.
>>> To: [email protected]
>>> Subject: can CAS handle 3-strike scenario?
>>>
>>> Hi, all,
>>>
>>> I am new to CAS. Here is my question:
>>> 1. We have a customized encoding Java class to encode the password (and
>>> this encrypted password is stored in a database). Can anybody provide
>>> a concrete example of how to configure this encoder?
>>>
>>> 2. Can CAS handle the 3-strike rule? If a user logs in (with a good username,
>>> but wrong password) unsuccessfully more than 3 times, the user shall be
>>> shown a specific message saying that the account is locked out. Is
>>> there any general mechanism already built into CAS to handle this scenario?
>>> What kind of code/configuration change is needed?
>>>
>>> Any help on the above topics is greatly appreciated!
>>>
>>> LU
>>>
>>> _______________________________________________
>>> Yale CAS mailing list
>>> [email protected]
>>> http://tp.its.yale.edu/mailman/listinfo/cas
_______________________________________________
Yale CAS mailing list
[email protected]
http://tp.its.yale.edu/mailman/listinfo/cas
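Dale's advice (keep the attempt count and locked-out flag next to the stored credential, or apply an increasing delay enforced by the backend authenticator, not by CAS) and Scott's point that CAS would only relay backend statuses such as "account locked" or "password expired", sketched as an added Python example; it is not code from the thread or from the CAS project, it assumes a hypothetical in-memory credential record rather than a real DB/LDAP/Kerberos store, and it uses Python for a runnable sketch even though CAS itself is Java.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

# Policy knobs (constructed values for this example; set your own).
PASSWORD_MAX_AGE = 90 * 24 * 3600   # "expires every 3 months" from the thread
MAX_DELAY = 60                      # cap on the growing per-failure delay

@dataclass
class Account:
    """Credential record: the attempt count and lock flag live next to the hash."""
    salt: bytes
    pw_hash: bytes
    pw_set_at: float      # epoch seconds when the password was last set
    failures: int = 0
    locked: bool = False

def hash_pw(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def create_account(password: str, now: float) -> Account:
    salt = os.urandom(16)
    return Account(salt, hash_pw(password, salt), now)

def authenticate(acct: Account, password: str, now: float, lock_after):
    """Backend authenticator check (hypothetical store, not CAS code).

    Returns (status, delay_seconds). The status is what the backend would hand
    to CAS for relaying to the user; the delay is returned rather than slept
    here so the caller (and the tests) can see it. lock_after=None means
    delay-only (Dale's approach); lock_after=3 means the 3-strike lockout.
    """
    if acct.locked:
        return "LOCKED", 0
    if hmac.compare_digest(hash_pw(password, acct.salt), acct.pw_hash):
        acct.failures = 0            # a good login resets the counter
        if now - acct.pw_set_at > PASSWORD_MAX_AGE:
            return "PASSWORD_EXPIRED", 0
        return "OK", 0
    acct.failures += 1
    if lock_after is not None and acct.failures >= lock_after:
        acct.locked = True           # recovery happens at this store, not in CAS
        return "LOCKED", 0
    # Exponentially growing delay: harmless to a real user, costly to a guesser.
    return "BAD_PASSWORD", min(2 ** acct.failures, MAX_DELAY)
```

CAS would map each returned status to its own message on the login page; the counter, lock and delay stay with the credential store, so every other Kerberos/LDAP client sees the same policy.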
