Scott,

thanks for the info.

When do you think that CAS4 will be ready? Any possibility in the next month or two?

regards,

Lu


--- On Thu, 1/22/09, Scott Battaglia <scott.battag...@gmail.com> wrote:
From: Scott Battaglia <scott.battag...@gmail.com>
Subject: Re: can CAS handle 3-strike scenario?
To: "Yale CAS mailing list" <cas@tp.its.yale.edu>
Date: Thursday, January 22, 2009, 5:05 PM

We're looking at that for CAS 4 (in fact, it's actually in the CAS4 source code), though CAS4 clearly isn't ready for production :-)

-Scott

-Scott Battaglia
PGP Public Key Id: 0x383733AA

LinkedIn: http://www.linkedin.com/in/scottbattaglia



On Thu, Jan 22, 2009 at 3:15 PM, Dale Ogilvie <dale.ogil...@trimble.co.nz> wrote:

I haven't tried to implement displaying a message from the backend authenticator to the user. Perhaps someone else can suggest something?

I think that password expiry is also a policy that should be handled by your backend identity system. CAS does not manage the user's identity today.



From: cas-boun...@tp.its.yale.edu [mailto:cas-boun...@tp.its.yale.edu] On Behalf Of hua lu
Sent: Friday, 23 January 2009 4:01 a.m.
To: Yale CAS mailing list
Subject: RE: can CAS handle 3-strike scenario?




  
  
Dale,

thanks for the helpful answer.

So say if we want to implement the 3-strike rule (with the DB side handling the logic), and to display some specific message (independent from the regular "your password is incorrect" one) when the user logs in incorrectly more than three times, is it easy to do in CAS? Have you or somebody else tried to look at this implementation? Which part of the CAS code should I tackle?

Actually we have one more scenario: the password will expire every 3 months. Does CAS have any built-in mechanism to handle it? If modification is needed, what necessary steps need to be done? Any example?

regards,

Lu


--- On Wed, 1/21/09, Dale Ogilvie <dale.ogil...@trimble.co.nz> wrote:

From: Dale Ogilvie <dale.ogil...@trimble.co.nz>
Subject: RE: can CAS handle 3-strike scenario?
To: "Yale CAS mailing list" <cas@tp.its.yale.edu>
Date: Wednesday, January 21, 2009, 5:18 PM


        
Regarding point 2.

I believe CAS does not provide this lockout feature. It must be implemented in the backend authentication system. This makes sense, as any recovery from lockout would best be done at your backend credential store. Any login attempt count and locked out flag should be stored alongside your valid credentials.

Instead of lockout we use an increasing response delay every time a user gets the password wrong. This makes brute force attacks impractical, while still allowing someone who knows the password to get in. This delay is enforced by the backend authenticator, not by CAS.

Dale
        
        
        
From: cas-boun...@tp.its.yale.edu [mailto:cas-boun...@tp.its.yale.edu] On Behalf Of hua lu
Sent: Thursday, 22 January 2009 10:22 a.m.
To: cas@tp.its.yale.edu
Subject: can CAS handle 3-strike scenario?


        
        
          
          
Hi, all,

I am new to CAS. Here is my question:

1. We have a customized encoding Java class to encode the password (and this encrypted password is stored in a database). Can anybody provide a concrete example of how to configure this encoder?

2. Can CAS handle a 3-strike rule? If a user logs in (with a good username, but wrong password) unsuccessfully more than 3 times, the user shall be shown a specific message saying that the account is locked out. Is there any general mechanism already built into CAS to handle this scenario? What kind of code/configuration change is needed?

Any help on the above topic is greatly appreciated!

LU

_______________________________________________
Yale CAS mailing list
cas@tp.its.yale.edu

http://tp.its.yale.edu/mailman/listinfo/cas
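Dale's advice above, keeping the attempt count and locked-out flag beside the credentials and slowing repeated failures in the backend authenticator rather than in CAS, as an added Python example; this is illustrative code written for this page, not code from the thread or from CAS. The Account schema, the delay schedule and the message strings are assumptions; max_strikes=3 gives Lu's 3-strike lockout with its own distinct message, and max_strikes=None gives Dale's delay-only variant.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Optional, Tuple

BASE_DELAY = 1.0   # seconds after the first failure; doubles per further failure
MAX_DELAY = 60.0   # cap so a flood of failures cannot stall a user for hours


@dataclass
class Account:
    """One row of the backend credential store (hypothetical schema):
    the attempt counter and lock flag live next to the password hash."""
    salt: bytes
    pw_hash: bytes
    failures: int = 0
    locked: bool = False
    not_before: float = 0.0   # earliest time the next attempt is honoured


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


def make_account(password: str) -> Account:
    salt = os.urandom(16)
    return Account(salt=salt, pw_hash=_hash(password, salt))


def authenticate(acct: Account, password: str, now: float,
                 max_strikes: Optional[int] = 3) -> Tuple[bool, str]:
    """Returns (success, message). The messages are distinct so the front end
    can show 'locked' separately from a plain wrong password. max_strikes=None
    disables lockout and keeps only the growing delay."""
    if acct.locked:
        return False, "account locked: contact the help desk"
    if now < acct.not_before:
        # Reject without checking the password: the delay itself is the penalty.
        return False, "too many attempts, try again in %.0fs" % (acct.not_before - now)
    if hmac.compare_digest(_hash(password, acct.salt), acct.pw_hash):
        acct.failures = 0        # a good login clears the strike count
        acct.not_before = 0.0
        return True, "ok"
    acct.failures += 1
    if max_strikes is not None and acct.failures >= max_strikes:
        acct.locked = True       # recovery (unlock) also happens in the backend
        return False, "account locked: contact the help desk"
    delay = min(BASE_DELAY * 2 ** (acct.failures - 1), MAX_DELAY)
    acct.not_before = now + delay
    return False, "password incorrect"
```

Pass time.time() as now in real use; because the counter and not_before are stored with the credential row, the penalty survives CAS restarts and applies whichever front end calls the backend.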


