can CAS handle 3-strike scenario?
Scott Battaglia
scott.battaglia at gmail.com
Fri Jan 23 12:58:15 EST 2009
If I had to guess, I'd have to say closer to 3 months.
Sent from my iPod
On Jan 23, 2009, at 10:23 AM, hua lu <sirhualu at yahoo.com> wrote:
> Scott,
>
> thanks for the info.
>
> When do you think that CAS4 will be ready? Any possibility in the
> next month or two?
>
> regards,
>
> Lu
>
>
> --- On Thu, 1/22/09, Scott Battaglia <scott.battaglia at gmail.com>
> wrote:
> From: Scott Battaglia <scott.battaglia at gmail.com>
> Subject: Re: can CAS handle 3-strike scenario?
> To: "Yale CAS mailing list" <cas at tp.its.yale.edu>
> Date: Thursday, January 22, 2009, 5:05 PM
>
> We're looking at that for CAS 4 (in fact, it's actually in the CAS4
> source code) though CAS4 clearly isn't ready for production :-)
>
> -Scott
>
> -Scott Battaglia
> PGP Public Key Id: 0x383733AA
> LinkedIn: http://www.linkedin.com/in/scottbattaglia
>
>
> On Thu, Jan 22, 2009 at 3:15 PM, Dale Ogilvie <Dale.Ogilvie at trimble.co.nz> wrote:
> I haven't tried to implement displaying a message from the backend
> authenticator to the user. Perhaps someone else can suggest something?
>
> I think that password expiry is also a policy that should be handled
> by your backend identity system. CAS does not manage the users
> identity today.
>
> From: cas-bounces at tp.its.yale.edu [mailto:cas-
> bounces at tp.its.yale.edu] On Behalf Of hua lu
> Sent: Friday, 23 January 2009 4:01 a.m.
>
> To: Yale CAS mailing list
> Subject: RE: can CAS handle 3-strike scenario?
>
> Dale,
>
> thanks for the helpful answer.
>
> So say we want to implement the 3-strike rule (the DB side handles
> the logic) and display some specific message (this message is
> independent from the regular "your password is incorrect" one) when
> the user logs in incorrectly more than three times; is it easy to do
> in CAS? Have you or somebody else tried to look at this
> implementation? Which part of the CAS code should I tackle?
>
> Actually we have one more scenario: the password will expire every
> 3 months. Does CAS have any built-in mechanism to handle it? If
> modification is needed, what necessary steps need to be done? Any
> example?
>
>
> regards,
>
> Lu
>
>
> --- On Wed, 1/21/09, Dale Ogilvie <Dale.Ogilvie at trimble.co.nz> wrote:
> From: Dale Ogilvie <Dale.Ogilvie at trimble.co.nz>
> Subject: RE: can CAS handle 3-strike scenario?
> To: "Yale CAS mailing list" <cas at tp.its.yale.edu>
> Date: Wednesday, January 21, 2009, 5:18 PM
>
> Regarding point 2.
>
> I believe CAS does not provide this lockout feature. It must be
> implemented in the backend authentication system. This makes sense,
> as any recovery from lockout would best be done at your backend
> credential store. Any login attempt count and locked out flag should
> be stored alongside your valid credentials.
>
> Instead of lockout we use an increasing response delay every time a
> user gets the password wrong. This makes brute force attacks
> impractical, while still allowing someone who knows the password to
> get in. This delay is enforced by the backend authenticator, not by
> CAS.
>
> Dale
>
> From: cas-bounces at tp.its.yale.edu [mailto:cas-
> bounces at tp.its.yale.edu] On Behalf Of hua lu
> Sent: Thursday, 22 January 2009 10:22 a.m.
> To: cas at tp.its.yale.edu
> Subject: can CAS handle 3-strike scenario?
>
> Hi, all,
>
> I am new to CAS. Here is my question:
> 1. We have a customized encoding Java class to encode the password
> (and this encrypted password is stored in a database).
> Can anybody provide a concrete example of how to configure this
> encoder?
>
> 2. Can CAS handle a 3-strike rule? If a user logs in (with a good
> username, but wrong password) unsuccessfully more than 3 times, the
> user shall be shown a specific message saying that the account is
> locked out. Is there any general mechanism already built into CAS to
> handle this scenario? What kind of code/configuration change is
> needed?
>
> Any help on the above topic is greatly appreciated!
>
> LU
>
> _______________________________________________
> Yale CAS mailing list
> cas at tp.its.yale.edu
>
> http://tp.its.yale.edu/mailman/listinfo/cas
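Dale's advice in this thread is that the strike counter, the locked flag, the escalating delay and the password-expiry check all belong in the backend identity store, with CAS only relaying the outcome. The following is an added example, written in Python for this page and not code from CAS or from anyone on the list, that models such a backend authenticator. The `UserRecord` fields, the `Outcome` messages, the constants (`MAX_STRIKES`, `PASSWORD_MAX_AGE`, the delay values) and the `policy` switch are all assumptions made here to show the two approaches side by side; a real deployment would pick one.

```python
# Added example: a model of the backend authenticator described in the thread.
# Not CAS code. Assumed: the identity store keeps a failed-attempt counter and
# a locked flag next to each credential, and the caller (e.g. a CAS
# authentication handler) only relays the outcome and enforces any delay.
from __future__ import annotations

import hashlib
import hmac
import os
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from enum import Enum

MAX_STRIKES = 3                        # assumed: lock on the third consecutive failure
PASSWORD_MAX_AGE = timedelta(days=90)  # assumed reading of "expires every 3 months"
BASE_DELAY_SECONDS = 1.0               # assumed first-failure delay (delay policy)
MAX_DELAY_SECONDS = 30.0               # assumed cap so a typo is not punished forever


class Outcome(Enum):
    """Distinct results so the front end can show a message per case."""
    OK = "login successful"
    BAD_PASSWORD = "your password is incorrect"
    LOCKED = "account locked after too many failed attempts; contact support"
    EXPIRED = "your password has expired and must be changed"


@dataclass
class UserRecord:
    username: str
    salt: bytes
    pw_hash: bytes
    password_changed_at: datetime
    failed_attempts: int = 0   # stored alongside the credential, as Dale suggests
    locked: bool = False


def hash_password(password: str, salt: bytes) -> bytes:
    # Salted PBKDF2 stands in for the thread's "customized encoding class".
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def create_user(username: str, password: str, now: datetime) -> UserRecord:
    salt = os.urandom(16)
    return UserRecord(username, salt, hash_password(password, salt), now)


def authenticate(user: UserRecord, password: str, now: datetime,
                 policy: str = "lockout") -> tuple[Outcome, float]:
    """Check one login attempt. Returns (outcome, delay_seconds).

    policy="lockout": lock the account after MAX_STRIKES consecutive failures.
    policy="delay":   never lock; instead return a delay that doubles with
                      each consecutive failure. The caller must sleep that
                      long before answering, so guessing stays slow while
                      someone who knows the password still gets in.
    """
    if policy == "lockout" and user.locked:
        # A locked account is refused before the password is even checked,
        # so further attempts learn nothing about the credential.
        return Outcome.LOCKED, 0.0

    candidate = hash_password(password, user.salt)
    if hmac.compare_digest(candidate, user.pw_hash):
        user.failed_attempts = 0  # a good login clears the strike counter
        if now - user.password_changed_at > PASSWORD_MAX_AGE:
            return Outcome.EXPIRED, 0.0
        return Outcome.OK, 0.0

    user.failed_attempts += 1
    if policy == "lockout":
        if user.failed_attempts >= MAX_STRIKES:
            user.locked = True
            return Outcome.LOCKED, 0.0
        return Outcome.BAD_PASSWORD, 0.0

    delay = min(BASE_DELAY_SECONDS * 2 ** (user.failed_attempts - 1),
                MAX_DELAY_SECONDS)
    return Outcome.BAD_PASSWORD, delay


def unlock(user: UserRecord) -> None:
    """Recovery also lives in the backend: a helpdesk action, not a CAS one."""
    user.locked = False
    user.failed_attempts = 0


if __name__ == "__main__":
    now = datetime(2009, 1, 23, tzinfo=timezone.utc)  # constructed clock value
    lu = create_user("lu", "correct-horse", now)      # constructed user
    for attempt in ("wrong", "wrong", "wrong", "correct-horse"):
        print(attempt, "->", authenticate(lu, attempt, now)[0].value)
```

The front end (a CAS authentication handler, in the thread's setting) would map each `Outcome` to its own message rather than collapsing everything into "your password is incorrect"; the lockout path deliberately refuses before hashing so that a locked account gives no feedback about the password, and the delay path returns the wait time instead of sleeping so the backend, not the caller, decides the policy.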