can CAS handle 3-strike scenario?
hua lu
sirhualu at yahoo.com
Fri Jan 23 10:23:57 EST 2009
Scott,
Thanks for the info.
When do you think CAS4 will be ready? Any possibility in the next month or two?
regards,
Lu
--- On Thu, 1/22/09, Scott Battaglia <scott.battaglia at gmail.com> wrote:
From: Scott Battaglia <scott.battaglia at gmail.com>
Subject: Re: can CAS handle 3-strike scenario?
To: "Yale CAS mailing list" <cas at tp.its.yale.edu>
Date: Thursday, January 22, 2009, 5:05 PM
We're looking at that for CAS 4 (in fact, it's actually in the CAS4 source code), though CAS4 clearly isn't ready for production :-)
-Scott
-Scott Battaglia
PGP Public Key Id: 0x383733AA
LinkedIn: http://www.linkedin.com/in/scottbattaglia
On Thu, Jan 22, 2009 at 3:15 PM, Dale Ogilvie <Dale.Ogilvie at trimble.co.nz> wrote:
I haven't tried to implement displaying a message from the backend authenticator to the user. Perhaps someone else can suggest something?
I think that password expiry is also a policy that should be handled by your backend identity system. CAS does not manage the user's identity today.
From: cas-bounces at tp.its.yale.edu [mailto:cas-bounces at tp.its.yale.edu] On Behalf Of hua lu
Sent: Friday, 23 January 2009 4:01 a.m.
To: Yale CAS mailing list
Subject: RE: can CAS handle 3-strike scenario?
Dale,
Thanks for the helpful answer.
So say if we want to implement the 3-strike rule (the DB side to handle the logic), and to display some specific message (this message is independent from the regular "your password is incorrect" one) when the user logs in incorrectly more than three times, is it easy to do in CAS? Have you or somebody else tried to look at this implementation? Which part of the CAS code should I tackle?
Actually we have one more scenario: the password will expire every 3 months. Does CAS have any built-in mechanism to handle it? If modification is needed, what necessary steps need to be done? Any example?
Regards,
Lu
--- On Wed, 1/21/09, Dale Ogilvie <Dale.Ogilvie at trimble.co.nz> wrote:
From: Dale Ogilvie <Dale.Ogilvie at trimble.co.nz>
Subject: RE: can CAS handle 3-strike scenario?
To: "Yale CAS mailing list" <cas at tp.its.yale.edu>
Date: Wednesday, January 21, 2009, 5:18 PM
Regarding point 2.
I believe CAS does not provide this lockout feature. It must be implemented in the backend authentication system. This makes sense, as any recovery from lockout would best be done at your backend credential store. Any login attempt count and locked-out flag should be stored alongside your valid credentials.
Instead of lockout we use an increasing response delay every time a user gets the password wrong. This makes brute force attacks impractical, while still allowing someone who knows the password to get in. This delay is enforced by the backend authenticator, not by CAS.
Dale
From: cas-bounces at tp.its.yale.edu [mailto:cas-bounces at tp.its.yale.edu] On Behalf Of hua lu
Sent: Thursday, 22 January 2009 10:22 a.m.
To: cas at tp.its.yale.edu
Subject: can CAS handle 3-strike scenario?
Hi, all,
I am new to CAS. Here is my question:
1. We have a customized encoding Java class to encode the password (and this encrypted password is stored in a database). Can anybody provide a concrete example of how to make it happen in configuring this encoder?
2. Can CAS handle the 3-strike rule? If a user logs in (with a good username, but wrong password) unsuccessfully more than 3 times, the user shall be displayed a specific message saying that the account is locked out. Is there any general mechanism already built into CAS to handle this scenario? What kind of code/configuration change is needed?
Any help on the above topic is greatly appreciated!
LU
_______________________________________________
Yale CAS mailing list
cas at tp.its.yale.edu
http://tp.its.yale.edu/mailman/listinfo/cas
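Added example (not CAS code and not from anyone in this thread): a backend authenticator of the kind Dale describes, where the attempt counter and locked flag live in the same table as the credentials, recovery (unlock) happens at the credential store, and the policy can be either the 3-strike lockout Lu asked about or Dale's increasing response delay. The result is returned as a distinct LOCKED outcome rather than the regular "password incorrect" one, which is what a front end such as CAS would need in order to show a different message. Everything here is an assumption for illustration: the SQLite table layout, PBKDF2-HMAC-SHA256 standing in for the site's custom encoder, locking on the third consecutive failure, and the delay schedule and cap.

```python
"""Backend authenticator with a 3-strike lockout or an escalating delay.

Illustrative code for the mailing-list discussion; not part of CAS.
"""
import hashlib
import hmac
import os
import sqlite3
import time
from enum import Enum
from typing import Callable, Optional, Tuple


class AuthResult(Enum):
    OK = "ok"
    BAD_PASSWORD = "bad_password"   # the regular "your password is incorrect" case
    LOCKED = "locked"               # distinct outcome so the UI can show a different message
    UNKNOWN_USER = "unknown_user"


MAX_FAILURES = 3          # assumption: lock on the third consecutive failure
PBKDF2_ITERATIONS = 100_000
MAX_DELAY_SECONDS = 30    # assumption: cap for the escalating delay


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted PBKDF2-HMAC-SHA256; stands in for the site's custom password encoder."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


def delay_for(failed_attempts: int) -> int:
    """Escalating delay in seconds: 0 after no failures, then 1, 2, 4, ... capped."""
    if failed_attempts <= 0:
        return 0
    return min(2 ** (failed_attempts - 1), MAX_DELAY_SECONDS)


class BackendAuthenticator:
    """Credential store that also owns the lockout/delay policy.

    mode="lockout": lock the account after MAX_FAILURES consecutive failures.
    mode="delay":   never lock; sleep delay_for(previous failures) before each check.
    """

    def __init__(self, conn: sqlite3.Connection, mode: str = "lockout",
                 sleep: Callable[[float], None] = time.sleep):
        assert mode in ("lockout", "delay")
        self.conn = conn
        self.mode = mode
        self.sleep = sleep  # injectable so tests do not have to wait
        # Counter and flag are stored alongside the credentials (assumed schema).
        conn.execute(
            "CREATE TABLE IF NOT EXISTS users ("
            " username TEXT PRIMARY KEY, salt BLOB NOT NULL, pw_hash BLOB NOT NULL,"
            " failed_attempts INTEGER NOT NULL DEFAULT 0,"
            " locked INTEGER NOT NULL DEFAULT 0)"
        )

    def add_user(self, username: str, password: str) -> None:
        salt, digest = hash_password(password)
        self.conn.execute("INSERT INTO users (username, salt, pw_hash) VALUES (?, ?, ?)",
                          (username, salt, digest))

    def unlock(self, username: str) -> None:
        """Recovery happens here, next to the credentials, not in the SSO front end."""
        self.conn.execute("UPDATE users SET failed_attempts = 0, locked = 0 WHERE username = ?",
                          (username,))

    def authenticate(self, username: str, password: str) -> Tuple[AuthResult, int]:
        """Return (outcome, delay applied in seconds)."""
        row = self.conn.execute(
            "SELECT salt, pw_hash, failed_attempts, locked FROM users WHERE username = ?",
            (username,)).fetchone()
        if row is None:
            hash_password(password)  # spend the same time so unknown users are not cheaper to probe
            return AuthResult.UNKNOWN_USER, 0
        salt, stored, failures, locked = row

        if self.mode == "lockout" and locked:
            return AuthResult.LOCKED, 0  # even the right password is refused until unlock()

        applied = 0
        if self.mode == "delay":
            applied = delay_for(failures)  # penalty grows with the previous failures
            self.sleep(applied)

        _, candidate = hash_password(password, salt)
        if hmac.compare_digest(candidate, stored):
            self.conn.execute("UPDATE users SET failed_attempts = 0 WHERE username = ?", (username,))
            return AuthResult.OK, applied

        failures += 1
        lock_now = 1 if (self.mode == "lockout" and failures >= MAX_FAILURES) else 0
        self.conn.execute("UPDATE users SET failed_attempts = ?, locked = ? WHERE username = ?",
                          (failures, lock_now, username))
        return (AuthResult.LOCKED if lock_now else AuthResult.BAD_PASSWORD), applied


def open_store(mode: str = "lockout", sleep: Callable[[float], None] = time.sleep) -> BackendAuthenticator:
    """Convenience: an in-memory store for demos and tests."""
    return BackendAuthenticator(sqlite3.connect(":memory:"), mode=mode, sleep=sleep)


if __name__ == "__main__":
    auth = open_store("lockout")
    auth.add_user("lu", "correct-horse")  # constructed sample account
    for attempt in ("wrong1", "wrong2", "wrong3", "correct-horse"):
        print(attempt, "->", auth.authenticate("lu", attempt)[0].value)
    auth.unlock("lu")
    print("after unlock ->", auth.authenticate("lu", "correct-horse")[0].value)
```

The front end only has to map the returned outcome to a message: BAD_PASSWORD gets the usual wording, LOCKED gets the "account is locked out" text, and in delay mode the caller simply observes the slower response. In the delay variant the sleep is done by the authenticator itself, as Dale's setup does, so the policy cannot be bypassed by a different front end talking to the same store.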