can CAS handle 3-strike scenario?
Dale Ogilvie
Dale.Ogilvie at trimble.co.nz
Thu Jan 22 15:15:47 EST 2009
I haven't tried to implement displaying a message from the backend
authenticator to the user. Perhaps someone else can suggest something?
I think that password expiry is also a policy that should be handled by
your backend identity system. CAS does not manage the user's identity
today.
________________________________
From: cas-bounces at tp.its.yale.edu [mailto:cas-bounces at tp.its.yale.edu]
On Behalf Of hua lu
Sent: Friday, 23 January 2009 4:01 a.m.
To: Yale CAS mailing list
Subject: RE: can CAS handle 3-strike scenario?
Dale,
thanks for the helpful answer.
So, say we want to implement the 3-strike rule (with the DB side handling
the logic), and to display some specific message (this message is
independent from the regular "your password is incorrect" one) when the
user logs in incorrectly more than three times. Is it easy to do in
CAS? Have you or somebody else tried to look at this implementation?
Which part of the CAS code should I tackle?
Actually we have one more scenario: the password will expire every
3 months. Does CAS have any built-in mechanism to handle it? If
modification is needed, what necessary steps need to be done? Any
example?
regards,
Lu
--- On Wed, 1/21/09, Dale Ogilvie <Dale.Ogilvie at trimble.co.nz> wrote:
From: Dale Ogilvie <Dale.Ogilvie at trimble.co.nz>
Subject: RE: can CAS handle 3-strike scenario?
To: "Yale CAS mailing list" <cas at tp.its.yale.edu>
Date: Wednesday, January 21, 2009, 5:18 PM
Regarding point 2.
I believe CAS does not provide this lockout feature. It must be
implemented in the backend authentication system. This makes sense, as
any recovery from lockout would best be done at your backend credential
store. Any login attempt count and locked out flag should be stored
alongside your valid credentials.
Instead of lockout we use an increasing response delay every
time a user gets the password wrong. This makes brute force attacks
impractical, while still allowing someone who knows the password to get
in. This delay is enforced by the backend authenticator, not by CAS.
Dale
________________________________
From: cas-bounces at tp.its.yale.edu
[mailto:cas-bounces at tp.its.yale.edu] On Behalf Of hua lu
Sent: Thursday, 22 January 2009 10:22 a.m.
To: cas at tp.its.yale.edu
Subject: can CAS handle 3-strike scenario?
Hi, all,
I am new to CAS. Here is my question:
1. We have a customized encoding Java class to encode the password (and
this encrypted password is stored in a database). Can anybody
provide a concrete example of how to make this happen by configuring this
encoder?
2. Can CAS handle the 3-strike rule? If a user logs in (with a good
username but wrong password) unsuccessfully more than 3 times, the
user shall be shown a specific message saying that the account
is locked out. Is there any general mechanism already built into CAS to
handle this scenario? What kind of code/configuration change is needed?
Any help on the above topic is greatly appreciated!
LU
_______________________________________________
Yale CAS mailing list
cas at tp.its.yale.edu
http://tp.its.yale.edu/mailman/listinfo/cas
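Added example, not code from the thread or from CAS: a sketch of the backend authenticator the replies describe, where the strike counter and locked flag live next to the credential, a doubling response delay is applied on each wrong password, and lockout and password expiry are reported as outcomes distinct from a plain bad-credentials answer. The in-memory account store, the 90-day reading of "every 3 months", and the injectable sleep are assumptions; a real deployment would keep this state in the credential database.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

MAX_STRIKES = 3                        # lock the account on the third bad password
PASSWORD_MAX_AGE = 90 * 24 * 3600      # "every 3 months", taken here as 90 days (assumption)

@dataclass
class Account:
    salt: bytes
    pw_hash: bytes
    changed_at: float      # epoch seconds of the last password change
    failures: int = 0      # consecutive bad attempts, stored next to the credential
    locked: bool = False

def hash_pw(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def make_account(password: str, changed_at: float) -> Account:
    salt = os.urandom(16)
    return Account(salt, hash_pw(password, salt), changed_at)

class BackendAuthenticator:
    # The credential store's side of the check; CAS would only see the outcome.
    def __init__(self, accounts, base_delay=1.0, sleep=lambda s: None):
        self.accounts = accounts
        self.base_delay = base_delay
        self.sleep = sleep          # injected so the delay can be observed in tests
        self.last_delay = 0.0

    def authenticate(self, username: str, password: str, now: float) -> str:
        acct = self.accounts.get(username)
        if acct is None:
            return "bad_credentials"       # unknown user gets the generic answer
        if acct.locked:
            return "locked"                # the distinct message asked for in the thread
        if not hmac.compare_digest(hash_pw(password, acct.salt), acct.pw_hash):
            acct.failures += 1
            if acct.failures >= MAX_STRIKES:
                acct.locked = True
                return "locked"
            self.last_delay = self.base_delay * 2 ** (acct.failures - 1)
            self.sleep(self.last_delay)    # doubles on every consecutive failure
            return "bad_credentials"
        acct.failures = 0                  # success resets the strike counter
        if now - acct.changed_at > PASSWORD_MAX_AGE:
            return "expired"               # expiry policy also lives in the backend
        return "ok"
```

The CAS side only needs to map the returned outcome to the message shown on the login page; a locked account stays locked even when the right password is later supplied, so recovery belongs with the credential store, as the reply says.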