> We could achieve the same level of convenience and utility for
> testing/demoing purposes by leveraging the AcceptUsersAuthenticationHandler
> and declaring test users in the bean config. At least if this one got
> deployed into production one wouldn't be able to impersonate every single
> user.

That's what I kind of had in mind as well, that we could also switch to a more complicated (maybe even a file-map based) handler with a set of more complex credentials such that if it got deployed to production for whatever reason, "admin/admin" wouldn't just simply work! :)

One small note on the proposal I'd suggest is that it may be better to simply "hide" the handler in the codebase and not have it be publicly available for extension, rather than removing it altogether. I am only saying this from a level-of-effort point of view, because the handler is also used and is useful for writing unit tests. Removing it requires taking a major sweep across the codebase. Having it be only internally accessible seems to me like less effort and yet achieves the same objective.

-Misagh

> -----Original Message-----
> From: William G. Thompson, Jr. [mailto:[email protected]]
> Sent: Thursday, April 04, 2013 4:56 PM
> To: [email protected]
> Subject: Re: [cas-dev] SimpleTestAuthNHandler: CAS-1271 & Pull 215
>
> On Thu, Apr 4, 2013 at 4:04 PM, Dmitriy Kopylenko <[email protected]> wrote:
> > If the goal of CAS project becomes to prevent folks shooting
> > themselves in the foot, I would just get rid of that authentication
> > handler altogether :-)
>
> It's not a terrible idea.
>
> We could achieve the same level of convenience and utility for
> testing/demoing purposes by leveraging the AcceptUsersAuthenticationHandler
> and declaring test users in the bean config. At least if this one got
> deployed into production one wouldn't be able to impersonate every single
> user.
>
> see: https://wiki.jasig.org/display/CASUM/Generic
>
> So here's an alternate proposal:
>
> * remove SimpleTestAuthenticationHandler altogether
> * replace it with AcceptUsersAuthenticationHandler as the default
> * add a single sample user in deployerConfigContext.xml
>
> Best,
> Bill
>
> > Cheers,
> > Dmitriy.
> >
> > On Apr 4, 2013, at 3:53 PM, "William G. Thompson, Jr." <[email protected]> wrote:
> >
> >> I don't think the warning is sufficient. From my perspective it is
> >> *never* OK to have SimpleTestHandler code deployed to production.
> >> There are no cases where I would be pleased (as a service owner) to
> >> see the proposed warning show up in a production deployment.
> >>
> >> Having the build generate a separate cas-test.war seems like a
> >> shorter path and more secure code way to satisfy both requirements.
> >>
> >> Best,
> >> Bill
> >>
> >> On Thu, Apr 4, 2013 at 2:46 PM, jleleu <[email protected]> wrote:
> >>> I may be missing the point here, but what about a warning on the login page
> >>> when using the simpletesthandler?
> >>>
> >>> It seems to me that it takes the best of both worlds: no new cas-test.war
> >>> to create/maintain..., works out of the box thanks to the pre-installed
> >>> simpletesthandler and can't be forgotten in production because of the
> >>> warning?
> >>>
> >>> Best,
> >>> Jérôme
> >>>
> >>> --
> >>> You are currently subscribed to [email protected] as: [email protected]
> >>> To unsubscribe, change settings or access archives, see
> >>> http://www.ja-sig.org/wiki/display/JSG/cas-dev
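Bill's three-step proposal, written out as the Spring bean fragment it would produce in deployerConfigContext.xml. This is an added example, not code from the thread or from the CAS project; it assumes CAS 3.x (the version under discussion), where the handlers sit in the `authenticationHandlers` list of the authentication manager bean and the fully-qualified class names are `SimpleTestUsernamePasswordAuthenticationHandler` and `AcceptUsersAuthenticationHandler` (the latter from the cas-server-support-generic module). The sample user and password are constructed placeholders.

```xml
<!-- Added example (not from the thread). Both beans belong inside the
     <property name="authenticationHandlers"><list>...</list></property>
     of the authentication manager bean in deployerConfigContext.xml. -->

<!-- BEFORE (the weak default being discussed): this handler accepts any
     username whose password equals the username, so anyone reaching a
     production instance with it enabled can log in as every account.
     Shown commented out; it is the bean Bill proposes removing. -->
<!--
<bean class="org.jasig.cas.authentication.handler.support.SimpleTestUsernamePasswordAuthenticationHandler" />
-->

<!-- AFTER (Bill's replacement): only the principals listed here can
     authenticate, and the credential is visible in the config file,
     so a reviewer can catch it before a production deployment.
     "casuser" / "CHANGE-ME-before-deploying" are constructed values. -->
<bean class="org.jasig.cas.adaptors.generic.AcceptUsersAuthenticationHandler">
  <property name="users">
    <map>
      <entry key="casuser" value="CHANGE-ME-before-deploying" />
    </map>
  </property>
</bean>
```

Because the declared user is an explicit entry rather than a rule, a grep for the `AcceptUsersAuthenticationHandler` bean in a deployment's config is enough to confirm whether demo credentials are still present.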
