can CAS handle 3-strike scenario?

Benn Oshrin benjamin.oshrin at rutgers.edu
Sat Jan 24 12:06:49 EST 2009


It can be a bit more complex, if different apps have different  
definitions of expired. At Columbia, we returned the password change  
URL to the app and let it redirect the user if it wanted.

-Benn-

On Jan 23, 2009, at 3:14 PM, Scott Battaglia  
<scott.battaglia at gmail.com> wrote:

> Changing one's password is something that happens independent of  
> your single sign on session.  It can happen because you've noticed  
> an expired password or it can happen because someone decided to  
> change their password.
>
> In the former case, all CAS can do is redirect you to the  
> appropriate application within your institution.
>
> -Scott
>
> -Scott Battaglia
> PGP Public Key Id: 0x383733AA
> LinkedIn: http://www.linkedin.com/in/scottbattaglia
>
>
> On Fri, Jan 23, 2009 at 3:02 PM, Chris Roffler  
> <croffler at earthlink.net> wrote:
> Scott,
>
> This issue has been on the plate for a long time ( perhaps you  
> remember me harping on this some time back :)
>
> What's it going to take to convince you ? :-)
>
> Chris
>
> ----- Original Message -----
> From: Scott Battaglia
> To: croffler at earthlink.net; Yale CAS mailing list
> Sent: 1/23/2009 8:42:29 PM
> Subject: Re: can CAS handle 3-strike scenario?
>
> At the moment all I'm saying is that we'll be supporting relaying  
> messages from backend systems (i.e. your password expired, account  
> locked, etc.).  Integration with other systems to change passwords  
> would be a complementary but probably separate system.
>
> That's just my 3 second thought on the matter.  I can probably be  
> convinced otherwise :-)
>
> -Scott
>
> -Scott Battaglia
> PGP Public Key Id: 0x383733AA
> LinkedIn: http://www.linkedin.com/in/scottbattaglia
>
>
> On Fri, Jan 23, 2009 at 1:07 PM, Chris Roffler  
> <croffler at earthlink.net> wrote:
> Sorry to jump in here ....
>
> Scott, are you saying that CAS4 will support back end change of  
> password when back end reports expiration ( like LDAP) ?
>
> Chris
>
>
> ----- Original Message -----
> From: Scott Battaglia
> To: sirhualu at yahoo.com; Yale CAS mailing list
> Sent: 1/23/2009 8:00:03 PM
> Subject: Re: can CAS handle 3-strike scenario?
>
> If I had to guess, I'd have to say closer to 3 months.
>
> Sent from my iPod
>
> On Jan 23, 2009, at 10:23 AM, hua lu <sirhualu at yahoo.com> wrote:
>
>> Scott,
>>
>> thanks for the info.
>>
>> When do you think that CAS4 will be ready? Any possibility in the  
>> next month or two?
>>
>> regards,
>>
>> Lu
>>
>>
>> --- On Thu, 1/22/09, Scott Battaglia <scott.battaglia at gmail.com>  
>> wrote:
>> From: Scott Battaglia <scott.battaglia at gmail.com>
>> Subject: Re: can CAS handle 3-strike scenario?
>> To: "Yale CAS mailing list" <cas at tp.its.yale.edu>
>> Date: Thursday, January 22, 2009, 5:05 PM
>>
>> We're looking at that for CAS 4 (in fact, it's actually in the CAS4  
>> source code) though CAS4 clearly isn't ready for production :-)
>>
>> -Scott
>>
>> -Scott Battaglia
>> PGP Public Key Id: 0x383733AA
>> LinkedIn: http://www.linkedin.com/in/scottbattaglia
>>
>>
>> On Thu, Jan 22, 2009 at 3:15 PM, Dale Ogilvie <Dale.Ogilvie at trimble.co.nz> wrote:
>> I haven't tried to implement displaying a message from the backend  
>> authenticator to the user. Perhaps someone else can suggest  
>> something?
>>
>> I think that password expiry is also a policy that should be  
>> handled by your backend identity system. CAS does not manage the  
>> user's identity today.
>>
>> From: cas-bounces at tp.its.yale.edu [mailto:cas-bounces at tp.its.yale.edu] On Behalf Of hua lu
>> Sent: Friday, 23 January 2009 4:01 a.m.
>>
>> To: Yale CAS mailing list
>> Subject: RE: can CAS handle 3-strike scenario?
>>
>> Dale,
>>
>> thanks for the helpful answer.
>>
>> So say if we want to implement the 3-strike rule (the DB side to  
>> handle the logic), and to display some specific message (this  
>> message is independent from the regular "your password is  
>> incorrect" one) when the user logs in incorrectly more than three  
>> times, is it easy to do in CAS? Have you or somebody else tried to  
>> look at this implementation? Which part of the CAS code should I  
>> tackle?
>>
>> Actually we have one more scenario: the password will expire  
>> every 3 months. Does CAS have any built-in mechanism to handle  
>> it? If modification is needed, what necessary steps need to be  
>> done? Any example?
>>
>>
>> regards,
>>
>> Lu
>>
>>
>> --- On Wed, 1/21/09, Dale Ogilvie <Dale.Ogilvie at trimble.co.nz> wrote:
>> From: Dale Ogilvie <Dale.Ogilvie at trimble.co.nz>
>> Subject: RE: can CAS handle 3-strike scenario?
>> To: "Yale CAS mailing list" <cas at tp.its.yale.edu>
>> Date: Wednesday, January 21, 2009, 5:18 PM
>>
>> Regarding point 2.
>>
>> I believe CAS does not provide this lockout feature. It must be  
>> implemented in the backend authentication system. This makes sense,  
>> as any recovery from lockout would best be done at your backend  
>> credential store. Any login attempt count and locked out flag  
>> should be stored alongside your valid credentials.
>>
>> Instead of lockout we use an increasing response delay every time a  
>> user gets the password wrong. This makes brute force attacks  
>> impractical, while still allowing someone who knows the password to  
>> get in. This delay is enforced by the backend authenticator, not by  
>> CAS.
>>
>> Dale
>>
>> From: cas-bounces at tp.its.yale.edu [mailto:cas-bounces at tp.its.yale.edu] On Behalf Of hua lu
>> Sent: Thursday, 22 January 2009 10:22 a.m.
>> To: cas at tp.its.yale.edu
>> Subject: can CAS handle 3-strike scenario?
>>
>> Hi, all,
>>
>> I am new to CAS. Here is my question:
>> 1. We have a customized encoding Java class to encode the password  
>> (and this encrypted password is stored in the database). Can  
>> anybody provide a concrete example of how to configure this  
>> encoder?
>>
>> 2. Can CAS handle a 3-strike rule? If a user logs in (with a good  
>> username, but wrong password) unsuccessfully more than 3 times,  
>> the user shall be shown a specific message saying that the  
>> account is locked out. Is there any general mechanism already  
>> built into CAS to handle this scenario? What kind of code/  
>> configuration change is needed?
>>
>> Any help on the above topic is greatly appreciated!
>>
>> LU
>>
>> _______________________________________________
>> Yale CAS mailing list
>> cas at tp.its.yale.edu
>> http://tp.its.yale.edu/mailman/listinfo/cas
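The backend-side design the thread converges on, as an added example that is not part of the thread and not CAS code: Dale's point that the attempt counter and locked-out flag belong in the same row as the credential (or, instead of a lock, an increasing response delay on each wrong password), and Scott's and Benn's point that the backend reports a distinct "locked" or "expired" status which the SSO front end relays, handing the app a password-change URL on expiry. The table layout, the three-strike limit, the 90-day reading of "every 3 months", the 1s/2s/4s delay schedule and the idm.example.edu change URL are all assumptions made for this illustration.

```python
import hashlib
import hmac
import os
import sqlite3
import time
from dataclasses import dataclass
from typing import Callable, Optional

# Assumed policy values (not from the thread): three strikes, "every 3 months"
# read as 90 days, a delay schedule of 1s, 2s, 4s, ... capped at 30s, and a
# hypothetical password-change URL handed back on expiry.
MAX_STRIKES = 3
EXPIRY_SECONDS = 90 * 24 * 3600
BASE_DELAY, MAX_DELAY = 1.0, 30.0
CHANGE_URL = "https://idm.example.edu/password/change"


@dataclass
class AuthResult:
    status: str                       # "ok", "bad_password", "locked" or "expired"
    message: str                      # text an SSO front end can relay verbatim
    change_url: Optional[str] = None  # set on "expired", for the app to redirect to
    delay: float = 0.0                # seconds this response was deliberately stalled


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


class CredentialStore:
    """Backend credential store. mode="lockout" locks after MAX_STRIKES wrong
    passwords; mode="delay" never locks but stalls each failure longer."""

    def __init__(self, conn: sqlite3.Connection, mode: str = "lockout",
                 clock: Callable[[], float] = time.time,
                 sleep: Callable[[float], None] = time.sleep):
        if mode not in ("lockout", "delay"):
            raise ValueError(mode)
        self.conn, self.mode, self.clock, self.sleep = conn, mode, clock, sleep
        # Attempt counter and lock flag live in the same row as the credential.
        conn.execute("CREATE TABLE IF NOT EXISTS users (username TEXT PRIMARY KEY,"
                     " salt BLOB, pw_hash BLOB, pw_changed_at REAL,"
                     " failed_attempts INTEGER DEFAULT 0, locked INTEGER DEFAULT 0)")

    def add_user(self, username: str, password: str, changed_at: Optional[float] = None) -> None:
        salt = os.urandom(16)
        self.conn.execute("INSERT INTO users (username, salt, pw_hash, pw_changed_at)"
                          " VALUES (?, ?, ?, ?)",
                          (username, salt, _hash(password, salt),
                           self.clock() if changed_at is None else changed_at))
        self.conn.commit()

    def authenticate(self, username: str, password: str) -> AuthResult:
        row = self.conn.execute("SELECT salt, pw_hash, pw_changed_at, failed_attempts,"
                                " locked FROM users WHERE username = ?", (username,)).fetchone()
        if row is None:  # same answer as a wrong password: do not reveal valid usernames
            return AuthResult("bad_password", "Your username or password is incorrect.")
        salt, pw_hash, changed_at, failed, locked = row
        if locked:       # a locked account stays locked even with the right password
            return AuthResult("locked", "Your account is locked; contact the help desk.")
        if not hmac.compare_digest(_hash(password, salt), pw_hash):
            failed += 1
            lock_now = self.mode == "lockout" and failed >= MAX_STRIKES
            self.conn.execute("UPDATE users SET failed_attempts = ?, locked = ?"
                              " WHERE username = ?", (failed, int(lock_now), username))
            self.conn.commit()
            if lock_now:
                return AuthResult("locked", "Your account is locked after %d failed attempts."
                                  % MAX_STRIKES)
            delay = 0.0
            if self.mode == "delay":   # Dale's alternative: doubling stall, no lockout
                delay = min(BASE_DELAY * 2 ** (failed - 1), MAX_DELAY)
                self.sleep(delay)
            return AuthResult("bad_password", "Your username or password is incorrect.",
                              delay=delay)
        # Correct password: clear the counter, then apply the expiry policy.
        self.conn.execute("UPDATE users SET failed_attempts = 0 WHERE username = ?", (username,))
        self.conn.commit()
        if self.clock() - changed_at > EXPIRY_SECONDS:
            return AuthResult("expired", "Your password has expired and must be changed.",
                              change_url=CHANGE_URL)
        return AuthResult("ok", "")


def demo() -> dict:
    """Exercise both modes against in-memory databases; returns what was observed."""
    now, slept = 1_700_000_000.0, []
    lock = CredentialStore(sqlite3.connect(":memory:"), "lockout", clock=lambda: now)
    lock.add_user("lu", "correct-horse")
    lock.add_user("stale", "old-pass", changed_at=now - EXPIRY_SECONDS - 1)
    strikes = [lock.authenticate("lu", "wrong").status for _ in range(MAX_STRIKES)]
    expired = lock.authenticate("stale", "old-pass")
    dly = CredentialStore(sqlite3.connect(":memory:"), "delay", clock=lambda: now,
                          sleep=slept.append)
    dly.add_user("lu", "correct-horse")
    for _ in range(4):
        dly.authenticate("lu", "wrong")
    return {"strikes": strikes,
            "after_lock": lock.authenticate("lu", "correct-horse").status,
            "unknown": lock.authenticate("nobody", "x").status,
            "expired": expired.status, "change_url": expired.change_url,
            "delays": slept, "recovered": dly.authenticate("lu", "correct-horse").status}


if __name__ == "__main__":
    print(demo())
```

The sleep and clock are injected so the demo runs without stalling and with a fixed "now"; a real deployment keeps the defaults. Note the trade-off between the two modes: a lockout lets anyone who knows a username lock that account out with three bad guesses, whereas the doubling delay only slows the guesser and, as Dale says, still lets the legitimate user in. In either mode the SSO server sees only the AuthResult, which is all it needs in order to show the "locked" or "expired" message rather than the generic "incorrect password" one.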