Passwd in response

Andrew Petro apetro at unicon.net
Tue May 6 13:47:48 EDT 2008 

Anthony,

I've been thinking about this as well.  This feature requirement comes 
up more often than it's pleasant to admit.  Especially with uPortal 3 
shipping with CAS and the uPortal password caching and replay features 
built into the framework and used by even more available channels and 
portlets (email preview, briefcase, and now the open-sourced Toro 
portlets), I'm thinking this is a feature worth soberly, carefully, 
centrally, and aggressively optionally, off-by-default, including in the 
CAS server distribution as a mainstream feature.

Whether it's morally virtuous to use this feature can be left open for 
debate.

I worry that implementing this feature locally multiple times invites 
redundant effort and local adoption of less-ideal implementations of 
this feature than could be achieved centrally.  If one is going to be 
passing passwords around with CAS, one wants a solid, considered, secure 
implementation that passes the information securely and authenticates 
the the services before giving them the password and that doesn't break 
anything.  It seems a waste to invite people to locally trip over these 
issues for lack of a shared implementation of this feature.

Rutgers/Benn Oshrin have a thread going about where CAS can go next and 
what additional extension points/features would be welcome.  I'll look 
to engage that thread on this idea and invite you and other interested 
people to chime in.

Andrew



Anthony Colebourne wrote:
> Hi,
>
> At the JA-SIG conference last week I spoke to several people about
> Patches they were running that leaked the users password back to
> specially allowed CASified applications.
>
> I had several debates about the moral virtues of doing this and realize
> that no school wants take responsibility for releasing such a Patch.
>
> All things considered, I'm going to look into applying this patch
> locally. I'm convinced its our only hope of encouraging adoption.
>
> So, where might one begin when looking to re-write this evil (un)patch?
>
> Thanks,
> Anthony.
>

More information about the cas mailing list