[cas-dev] Remember Me login

March, Andres amarch at soe.sony.com
Wed Dec 20 13:44:59 EST 2006 

Yeah, we are looking at a persistent cookie length of months.  We would like to limit the number of auths we are holding onto.  

> -----Original Message-----
> From: cas-dev-bounces at tp.its.yale.edu [mailto:cas-dev-
> bounces at tp.its.yale.edu] On Behalf Of Arnaud Lesueur
> Sent: Wednesday, December 20, 2006 10:39 AM
> To: Mailing list for CAS developers
> Subject: Re: [cas-dev] Remember Me login
> 
> What is the problem for you to set the grantingTicketExpirationPolicy to
> the max(user choice 1, user choice 2) ?
> 
> The only problem I see is related to memory usage. And after endurance
> tests with a cleaning policy of 20 hours, this
> was not a problem ...
> 
> We put this patch in production with :
> - a session cookie
> - a persistent cookie of 20 hours
> And a cleaninng policy of 20 hours.
> 
> But OK, the session is only 20 hours and not sereval days or weeks.
> 
> Arnaud Lesueur
> 
> Le Mer 20 décembre 2006 19:16, March, Andres a écrit :
> > That is great but I don't see how your patch would work without
> modifying the lifespan of the ticket in the registry.
> > Sure the cookie would live longer but the TGT would expire when the
> registry cleaner executed.
> >
> >
> >> -----Original Message-----
> >> From: cas-dev-bounces at tp.its.yale.edu [mailto:cas-dev-
> >> bounces at tp.its.yale.edu] On Behalf Of Arnaud Lesueur Sent: Wednesday,
> December 20, 2006 10:05 AM
> >> To: Mailing list for CAS developers
> >> Subject: Re: [cas-dev] Remember Me login
> >>
> >>
> >> Well I have already make an implementation for this use case.
> >>
> >>
> >> The main idea is to customize the SendTicketGrantingTicketAction
> depending
> >> on a user choice parameter on the login form.
> >>
> >> You may found my implementation here : http://www.ja-
> >> sig.org/issues/secure/attachment/10691/persistentCookie.zip have a look
> at my issue :
> >> http://www.ja-sig.org/issues/browse/CAS-366
> >>
> >>
> >> I still think is a good feature which should be added to CAS project
> ...
> >>
> >>
> >> Scott, if you agree I might adapt the code to 3.1 and commit it.
> >>
> >>
> >>
> >> Arnaud Lesueur
> >>
> >>
> >>
> >> Le Mer 20 décembre 2006 18:47, March, Andres a écrit :
> >>
> >>> I see what you mean but the concrete instantiation is still the issue,
> >>>
> >> IMHO.  A factory pattern would allow me to
> >>
> >>> control the creation of the Ticket and set whichever expiration policy
> I
> >> wanted.  There is only one expirationPolicy
> >>> possible in the CASImpl as you are aware.  Also, I need some way to
> pass
> >> the user's choice of whether to do a short
> >>> or long expiration to the place where the policy is set.  I don't know
> >> the best way to do this yet.  If you have any
> >>> ideas, I would be happy to implement it and contribute it back.
> Thanks
> >> for the reply.
> >>>
> >>>
> >>>
> >>> ________________________________
> >>>
> >>>
> >>>
> >>> From: cas-dev-bounces at tp.its.yale.edu [mailto:cas-dev-
> >>>
> >> bounces at tp.its.yale.edu] On Behalf Of Scott Battaglia
> >>> Sent: Wednesday, December 20, 2006 6:19 AM
> >>> To: Mailing list for CAS developers
> >>> Subject: Re: [cas-dev] Remember Me login
> >>>
> >>>
> >>>
> >>>
> >>>
> >>> I haven't had time to think about it fully yet, but we may need to
> >>>
> >> modify the CAS server to support this (choosing on
> >>> of many expiration policies was not in the original design.
> >>>
> >>> You won't need a custom TicketGrantingTIcketImpl though, just a
> >>>
> >> different expiration policy (one with a longer
> >>> length).
> >>>
> >>> -Scott
> >>>
> >>>
> >>>
> >>> On 12/12/06, March, Andres <amarch at soe.sony.com> wrote:
> >>>
> >>>
> >>>
> >>> I'm implementing a Remember Me (Save Password) feature and want to
> make
> >>>
> >> the cookie have a variable lifespan: browser
> >>> session if they don't choose "Remember Me" or 3 months if they do.
> >> However, my plan to substitute my own
> >>
> >>> implementation for TicketGrantingTicketImpl is not possible because it
> >> is currently instantiated in a concrete
> >>> fashion in the CentralAuthenticationServiceImpl rather than using a
> >> factory.  Any ideas?
> >>>
> >>>
> >>>
> >>> ________________________________
> >>>
> >>>
> >>>
> >>> From: cas-dev-bounces at tp.its.yale.edu [mailto: cas-dev-
> >>>
> >> bounces at tp.its.yale.edu
> >>> <mailto:cas-dev-bounces at tp.its.yale.edu> ] On Behalf Of Scott
> Battaglia
> >>> Sent: Friday, November 17, 2006 10:59 AM
> >>> To: Mailing list for CAS developers
> >>> Subject: Re: [cas-dev] Remember Me login
> >>>
> >>>
> >>>
> >>>
> >>>
> >>> Well TicketGrantingTickets themselves have a life-expectancy of
> whatever
> >>>
> >> time you decide.  It can be short or long.
> >>> The key is making sure the cookie expiration time matches up with the
> >>>
> >> TicketGrantingTicket expiration time.
> >>
> >>>
> >>>
> >>> Cookies only store the TicketGrantingTicket identifier.
> >>>
> >>>
> >>>
> >>> -Scott
> >>>
> >>>
> >>>
> >>> On 11/17/06, Alan D. Cabrera < alan.cabrera at simulalabs.com
> >>>
> >> <mailto:alan.cabrera at simulalabs.com> > wrote:
> >>
> >>>
> >>>
> >>> Does anyone have any thoughts on my comments?  Arnaud?
> >>>
> >>>
> >>>
> >>>
> >>>
> >>>
> >>>
> >>> Regards,
> >>>
> >>>
> >>>
> >>> Alan
> >>>
> >>>
> >>>
> >>>
> >>>
> >>> On Nov 15, 2006, at 12:13 PM, Alan D. Cabrera wrote:
> >>>
> >>>
> >>>
> >>>
> >>>
> >>> Do I understand the code correctly when I say that you store the
> ticket
> >>>
> >> in a cookie?  IIUC, won't the ticket expire
> >>> after a short while?
> >>>
> >>>
> >>>
> >>>
> >>>
> >>> Regards,
> >>>
> >>>
> >>>
> >>> Alan
> >>>
> >>>
> >>>
> >>>
> >>>
> >>>
> >>>
> >>> On Nov 15, 2006, at 10:15 AM, Arnaud Lesueur wrote:
> >>>
> >>>
> >>>
> >>>
> >>>
> >>> Hi,
> >>>
> >>>
> >>>
> >>>
> >>>
> >>> I have already open an issue in JIRA few months ago on this request
> and
> >>>
> >> I also put my code as attachement. This
> >>
> >>>
> >>>
> >>> available here : http://www.ja-sig.org/issues/browse/CAS-366
> >>>
> >>>
> >>>
> >>> If you think, this feature is usefull please vote for it !
> >>>
> >>>
> >>>
> >>>
> >>>
> >>>
> >>>
> >>> Arnaud Lesueur
> >>>
> >>>
> >>>
> >>>
> >>>
> >>> Le Mer 15 novembre 2006 18:47, Jack Tang a écrit :
> >>>
> >>>
> >>>
> >>> Hi Alan
> >>>
> >>>
> >>>
> >>>
> >>>
> >>>
> >>>
> >>> Can you share the code with me? I am now hacking the some problem.
> >>>
> >>>
> >>>
> >>> Thank you very much.
> >>>
> >>>
> >>>
> >>>
> >>>
> >>>
> >>>
> >>> /Jack
> >>>
> >>>
> >>>
> >>>
> >>>
> >>>
> >>>
> >>> On 11/10/06, Alan D. Cabrera < alan.cabrera at simulalabs.com
> >>>
> >> <mailto:alan.cabrera at simulalabs.com> > wrote:
> >>
> >>>
> >>>
> >>>
> >>>
> >>>
> >>>
> >>> On Nov 9, 2006, at 8:10 AM, Peter Havelaar wrote:
> >>>
> >>>
> >>>
> >>>
> >>>
> >>>
> >>>
> >>> Alan D. Cabrera <alan.cabrera at ...> writes:
> >>>
> >>>
> >>>
> >>>
> >>>
> >>>
> >>>
> >>>
> >>>
> >>> We also wish to support "remember me".   What we plan on doing is
> >>>
> >>>
> >>>
> >>> hacking the
> >>>
> >>> CASFilter so that we store an encrypted token in a cookie.  Its
> >>>
> >>>
> >>>
> >>> format will be:
> >>>
> >>>
> >>>
> >>> userid:expiration:salt
> >>>
> >>>
> >>>
> >>>
> >>>
> >>>
> >>>
> >>> If the CASFilter sees this cookie, it will refresh the session
> >>>
> >>>
> >>>
> >>> variables.
> >>>
> >>>
> >>>
> >>> We also intend to modify the CAS login code to include
> >>>
> >>>
> >>>
> >>> cas.remember URL
> >>>
> >>> parameter which would instruct the filter to construct the token.
> >>>
> >>>
> >>>
> >>>
> >>>
> >>>
> >>>
> >>> That is great!
> >>>
> >>>
> >>>
> >>>
> >>>
> >>>
> >>>
> >>> When are these changes scheduled to be performed?
> >>>
> >>>
> >>>
> >>>
> >>>
> >>>
> >>>
> >>>
> >>>
> >>>
> >>>
> >>> Well, we're making these changes internally this week.   I am happy to
> >>>
> >>>
> >>>
> >>> submit the code back to the community.  Can anyone on the team
> comment?
> >>>
> >>>
> >>>
> >>>
> >>>
> >>> Regards,
> >>>
> >>>
> >>>
> >>> Alan
> >>>
> >>>
> >>>
> >>>
> >>>
> >>>
> >>>
> >>>
> >>>
> >>> Alan D. Cabrera
> >>>
> >>>
> >>>
> >>> VP Engineering
> >>>
> >>>
> >>>
> >>> Simula Labs - The Open Source Venture Partners
> >>>
> >>>
> >>>
> >>> p: +1 510 225 5588 f: +1 800 822 0471
> >>>
> >>>
> >>>
> >>> alan at simulalabs.com www.simulalabs.com
> >>>
> >>>
> >>>
> >>>
> >>>
> >>>
> >>>
> >>>
> >>>
> >>> _______________________________________________
> >>>
> >>>
> >>>
> >>> cas-dev mailing list cas-dev at tp.its.yale.edu
> >> http://tp.its.yale.edu/mailman/listinfo/cas-dev
> >>
> >>>
> >>>
> >>>
> >>>
> >>>
> >>>
> >>>
> >>>
> >>>
> >>>
> >>>
> >>> _______________________________________________
> >>>
> >>>
> >>>
> >>> cas-dev mailing list
> >>>
> >>> cas-dev at tp.its.yale.edu
> >>>
> >>> http://tp.its.yale.edu/mailman/listinfo/cas-dev
> >>>
> >>>
> >>>
> >>>
> >>>
> >>> Alan D. Cabrera
> >>>
> >>>
> >>>
> >>> VP Engineering
> >>>
> >>>
> >>>
> >>> Simula Labs - The Open Source Venture Partners
> >>>
> >>>
> >>>
> >>> p: +1 510 225 5588 f: +1 800 822 0471
> >>>
> >>>
> >>>
> >>> alan at simulalabs.com
> >>>
> >>> www.simulalabs.com
> >>>
> >>>
> >>>
> >>>
> >>>
> >>> _______________________________________________
> >>>
> >>>
> >>>
> >>> cas-dev mailing list
> >>>
> >>> cas-dev at tp.its.yale.edu
> >>>
> >>> http://tp.its.yale.edu/mailman/listinfo/cas-dev
> >>>
> >>>
> >>>
> >>>
> >>>
> >>> Alan D. Cabrera
> >>>
> >>>
> >>>
> >>> VP Engineering
> >>>
> >>>
> >>>
> >>> Simula Labs - The Open Source Venture Partners
> >>>
> >>>
> >>>
> >>> p: +1 510 225 5588 f: +1 800 822 0471
> >>>
> >>>
> >>>
> >>> alan at simulalabs.com
> >>>
> >>> www.simulalabs.com
> >>>
> >>>
> >>>
> >>>
> >>>
> >>>
> >>> _______________________________________________
> >>> cas-dev mailing list cas-dev at tp.its.yale.edu
> >> http://tp.its.yale.edu/mailman/listinfo/cas-dev
> >>
> >>>
> >>>
> >>>
> >>>
> >>>
> >>> _______________________________________________
> >>> cas-dev mailing list cas-dev at tp.its.yale.edu
> >> http://tp.its.yale.edu/mailman/listinfo/cas-dev
> >>
> >>>
> >>>
> >>>
> >>>
> >>>
> >>>
> >>> _______________________________________________
> >>> cas-dev mailing list cas-dev at tp.its.yale.edu
> >> http://tp.its.yale.edu/mailman/listinfo/cas-dev
> >>
> >>>
> >>>
> >>
> >>
> >> _______________________________________________
> >> cas-dev mailing list cas-dev at tp.its.yale.edu
> http://tp.its.yale.edu/mailman/listinfo/cas-dev
> >>
> >
> > _______________________________________________
> > cas-dev mailing list cas-dev at tp.its.yale.edu
> http://tp.its.yale.edu/mailman/listinfo/cas-dev
> >
> >
> >
> 
> 
> _______________________________________________
> cas-dev mailing list
> cas-dev at tp.its.yale.edu
> http://tp.its.yale.edu/mailman/listinfo/cas-dev

More information about the cas-dev mailing list