can CAS handle 3-strike scenario?

hua lu sirhualu at yahoo.com
Thu Jan 22 10:00:32 EST 2009 

Dale,

thanks for the helpful answer.

So say if we want to implement the 3 strike rule (the DB side to handle the logic), and to display some specific message (this message is independent from the regular "your password is incorrect" one) when the user login incorrectly for more than three times, is it easy to do in CAS? Have you or somebody have tried to looked at this implementation? which part of the CAS code should I tackle?

Actually we have one more scenario: the password will be expired for every 3 month. Does CAS has any build-in mechanism to handle it? If modification is needed, what necessary steps need to be done? Any example?


regards,

Lu


--- On Wed, 1/21/09, Dale Ogilvie <Dale.Ogilvie at trimble.co.nz> wrote:
From: Dale Ogilvie <Dale.Ogilvie at trimble.co.nz>
Subject: RE: can CAS handle 3-strike scenario?
To: "Yale CAS mailing list" <cas at tp.its.yale.edu>
Date: Wednesday, January 21, 2009, 5:18 PM



 
Regarding point 2.
 
I believe CAS does not provide this lockout feature. 
It must be implemented in the backend authentication system. This makes sense, 
as any recovery from lockout would best be done at your backend credential 
store. Any login attempt count and locked out flag should be stored 
alongside your valid credentials.
 
Instead of 
lockout we use an increasing response delay every time a 
user gets the password wrong. This makes brute force attacks 
impractical, while still allowing someone who knows the password to get 
in. This delay is enforced by the 
backend authenticator, not by CAS.
 
Dale 
 



From: 
cas-bounces at tp.its.yale.edu [mailto:cas-bounces at tp.its.yale.edu] On Behalf Of 
hua lu
Sent: Thursday, 22 January 2009 10:22 a.m.
To: 
cas at tp.its.yale.edu
Subject: can CAS handle 3-strike 
scenario?




  
  
    Hi, all,

I am new to CAS. Here is my question:
1. 
      We have a customized encoding java class to encode the password (and this 
      encrypted password is stored in database). Is there anybody can provide a 
      concrete example on how to make it happen in configure this 
      encoder?

2. Can CAS handle 3-strike rule? if a user logged in (with 
      good username, but wrong password) unsuccessfully for more than 3 times, 
      the user shall be displayed with a specific message saying that the 
      account is locked out. Is there any generally mechanism already built in 
      CAS to handle this scenario? What kind of code/configuration change is 
      needed? 

Any help on the above topic is greatly 
      appreciated!

LU

_______________________________________________
Yale CAS mailing list
cas at tp.its.yale.edu
http://tp.its.yale.edu/mailman/listinfo/cas



      
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://tp.its.yale.edu/pipermail/cas/attachments/20090122/0cb9c182/attachment.html

More information about the cas mailing list