password remembering in casLoginView.jsp
Scott Battaglia
scott.battaglia at gmail.com
Tue Mar 11 15:08:13 EDT 2008
The CAS project has not introduced or un-introduced any feature related to
autocomplete within the CAS project. Autocomplete is a browser-specific
feature. What you are talking about are example JSP pages that are used for
part of the demo WAR and potentially as a basis for local customizations
that are lacking an attribute that hints to the browser not to use
autocomplete on a particular field.

You are, however, correct that as an example of "best practices" the JSP
page should utilize the autocomplete feature (the move to the Spring Form
tags accidentally removed that). I've opened a JIRA issue and added the
attributes.

We encourage all deployers to look to the sample JSP pages as a good example
of what they will need, but they should always evaluate their local needs
and security concerns before deploying a production instance of CAS.

-Scott

On Tue, Mar 11, 2008 at 9:14 AM, jehan procaccia <
jehan.procaccia at int-evry.fr> wrote:
> hello
>
> since I upgraded to cas 3.1.2, I noticed that by default users can now
> "remember" typed password :-( !
> I removed that "feature" by setting autocomplete="off" in the
> corresponding jsp:
>
> [root at cas1
> ~/cas-toolbox-3.1.2-1/custom.tmsp1/webpages/WEB-INF/view/jsp/tmsp1Vues/ui]
> $ grep "autocomplete=\"off\"" casLoginView.jsp
> <form:password cssClass="required" cssErrorClass="error" id="password"
> size="25" tabindex="2" path="password"
> accesskey="${passwordAccessKey}" autocomplete="off" htmlEscape="true" />
>
> Is there a reason why this remembering feature had been reintroduced?
> Older releases didn't allow that by default.
> It seems to me as being a security issue!?
>
> Thanks.
--
-Scott Battaglia
PGP Public Key Id: 0x383733AA
LinkedIn: http://www.linkedin.com/in/scottbattaglia
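
A regression check for the attribute discussed in this thread, as an added example that is not part of the original messages or of the CAS project's code: it scans JSP text for password fields that lack autocomplete="off", and it handles tags whose attributes wrap across several lines, as the quoted tag does, which a line-based grep would miss. The function name and the sample markup are constructed for illustration.

```python
import re

# A candidate tag: Spring's <form:password> or a plain <input>. The body allows
# quoted values (which may contain '>') and attributes wrapped over many lines.
TAG_RE = re.compile(r"""<(form:password|input)\b((?:[^>"']|"[^"]*"|'[^']*')*)>""",
                    re.IGNORECASE)
ATTR_RE = re.compile(r"""([\w:-]+)\s*=\s*("[^"]*"|'[^']*')""")


def password_fields_missing_autocomplete_off(jsp_text):
    """Return (line_number, id_or_path) for each password field whose tag
    does not carry autocomplete="off"."""
    findings = []
    for m in TAG_RE.finditer(jsp_text):
        # Attribute names are lowercased; surrounding quotes are stripped.
        attrs = {k.lower(): v[1:-1] for k, v in ATTR_RE.findall(m.group(2))}
        is_password = (m.group(1).lower() == "form:password"
                       or attrs.get("type", "").lower() == "password")
        if is_password and attrs.get("autocomplete", "").lower() != "off":
            line = jsp_text.count("\n", 0, m.start()) + 1
            findings.append((line, attrs.get("id") or attrs.get("path") or "?"))
    return findings


# Constructed sample: the multi-line tag quoted in the thread (attribute set).
SAMPLE_FIXED = '''<form:password cssClass="required" cssErrorClass="error" id="password"
size="25" tabindex="2" path="password"
accesskey="${passwordAccessKey}" autocomplete="off" htmlEscape="true" />'''

# Constructed sample: a view where the attribute was dropped.
SAMPLE_MISSING = '''<form:input id="username" path="username" />
<form:password cssClass="required" id="password"
  size="25" path="password" htmlEscape="true" />
'''

if __name__ == "__main__":
    for name, text in (("fixed", SAMPLE_FIXED), ("missing", SAMPLE_MISSING)):
        print(name, password_fields_missing_autocomplete_off(text))
```

Run over every customized view before deployment, this gives a list of fields to review; as the reply notes, the attribute is only a hint to the browser.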