Remember Me

Starting with CAS 3.2.1, CAS has support for long term Ticket Granting Tickets, a feature referred to as "Remember Me."

Configuration

deployerConfigContext.xml

An AuthenticationMetaDataPopulator needs to be added to the AuthenticationManager. If you have no AuthenticationMetaDataPopulators configured, you would add the following property to the AuthenticationManager configured in the deployerConfigContext.xml:

<property name="authenticationMetaDataPopulators">
      <list>
         <bean class="org.jasig.cas.authentication.principal.RememberMeAuthenticationMetaDataPopulator" />
      </list>
</property>

cas-servlet.xml

Locate the bean "authenticationViaFormAction"; it should look something like this:

<bean id="authenticationViaFormAction" class="org.jasig.cas.web.flow.AuthenticationViaFormAction"
	p:centralAuthenticationService-ref="centralAuthenticationService"
	p:warnCookieGenerator-ref="warnCookieGenerator" />

Change it to something similar to this:

<bean id="authenticationViaFormAction" class="org.jasig.cas.web.flow.AuthenticationViaFormAction"
	p:centralAuthenticationService-ref="centralAuthenticationService"
	p:formObjectClass="org.jasig.cas.authentication.principal.RememberMeUsernamePasswordCredentials"
	p:formObjectName="credentials"
	p:validator-ref="UsernamePasswordCredentialsValidator"
	p:warnCookieGenerator-ref="warnCookieGenerator" />

And add the "UsernamePasswordCredentialsValidator" bean:

<bean id="UsernamePasswordCredentialsValidator" class="org.jasig.cas.validation.UsernamePasswordCredentialsValidator" />

ticketExpirationPolicies.xml

The ticket expiration policy named "grantingTicketExpirationPolicy" needs to be changed to a RememberMeDelegatingExpirationPolicy, which delegates to one policy for normal sessions and to another for Remember Me sessions.

You would have something similar to the following:

<bean id="grantingTicketExpirationPolicy" class="org.jasig.cas.ticket.support.RememberMeDelegatingExpirationPolicy">
    <property name="sessionExpirationPolicy">
        <bean class="org.jasig.cas.ticket.support.TimeoutExpirationPolicy">
            <constructor-arg index="0" value="XXXXXXXX" />
        </bean>
    </property>
    <property name="rememberMeExpirationPolicy">
        <bean class="org.jasig.cas.ticket.support.TimeoutExpirationPolicy">
            <constructor-arg index="0" value="XXXXXXXX" />
        </bean>
    </property>
</bean>

NOTE: if you use a different ticket registry that configures the ticket lifetime in its bean configuration (such as Memcache/Repcache), you will need to adjust the ticket lifetime in that bean configuration as well!

(optional) applicationContext.xml

The CentralAuthenticationServiceImpl now supports separate TicketRegistries, one for ServiceTickets and one for TicketGrantingTickets. If you want, this allows you to define a long-term ticket store for TicketGrantingTickets (e.g. BerkeleyDb) and an in-memory short-term cache for ServiceTickets.

Depending on your intended number of users and the memory available on the machine, you may or may not need two registries.

Note: Be careful when defining a long term ticket store. Certain long term stores may not properly serialize/deserialize TicketGrantingTickets such that multiple instances of the same ticket may exist in memory at the same time (this would mostly be an issue with regards to ProxyGrantingTickets and their parent TicketGrantingTicket).

(optional) ticketGrantingTicketCookieGenerator.xml

This file lets you set the "rememberMeMaxAge" property (default 3 months) as well as other properties of the cookie.

Note that this value is in seconds, unlike the values in ticketExpirationPolicies.xml above, which TimeoutExpirationPolicy takes in milliseconds (see the CookieRetrievingCookieGenerator class in the source at cas-server-core/src/main/java/org/jasig/cas/web/support/CookieRetrievingCookieGenerator.java).

So, to make the TGT cookie's rememberMeMaxAge match your "Remember Me" ticket policy, add the following attribute to your "ticketGrantingTicketCookieGenerator" bean:

     p:rememberMeMaxAge="xxxxxxx"

where xxxxxxx is in seconds, e.g. 604800 for 7 days.

Custom Implementations

For the most part, the built-in Remember Me support requires no customization. We provide one default Credentials class (RememberMeUsernamePasswordCredentials) for processing username/password and Remember Me requests.

Users who require additional fields may need to implement their own Credentials class. For Remember Me support, that class should implement the RememberMeCredentials interface, which provides the setRememberMe and isRememberMe methods.

Users may also need to add one field to the login page. Something such as the following would need to be added to casLoginView.jsp:

<input type="checkbox" name="rememberMe" id="rememberMe" value="true" /> <label for="rememberMe">Remember Me</label>
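As an added example (not code from the CAS project), here is a hypothetical Credentials class that extends the default UsernamePasswordCredentials with an extra "domain" field while implementing RememberMeCredentials; the class name, package and the domain field are assumptions. Spring's form binding maps request parameters to bean properties by name, which is why the checkbox above is named "rememberMe".

```java
package example.cas.credentials; // hypothetical package

import org.jasig.cas.authentication.principal.RememberMeCredentials;
import org.jasig.cas.authentication.principal.UsernamePasswordCredentials;

/**
 * Hypothetical credentials: username/password plus an extra "domain" field,
 * with Remember Me support through the RememberMeCredentials interface.
 * Point p:formObjectClass in cas-servlet.xml at this class; the login form
 * then needs inputs named "username", "password", "domain" and "rememberMe".
 */
public class DomainRememberMeCredentials extends UsernamePasswordCredentials
        implements RememberMeCredentials {

    private static final long serialVersionUID = 1L;

    /** Extra field not present in the default credentials (assumed). */
    private String domain;

    /** Backed by the "rememberMe" checkbox; an unchecked box leaves it false. */
    private boolean rememberMe;

    public String getDomain() {
        return this.domain;
    }

    public void setDomain(final String domain) {
        this.domain = domain;
    }

    public boolean isRememberMe() {
        return this.rememberMe;
    }

    public void setRememberMe(final boolean rememberMe) {
        this.rememberMe = rememberMe;
    }

    @Override
    public String toString() {
        // Deliberately omits the password so the object is safe to log.
        return "[username: " + getUsername() + ", domain: " + this.domain
                + ", rememberMe: " + this.rememberMe + "]";
    }
}
```

If the extra field must be checked during authentication, a custom AuthenticationHandler that understands it is needed as well.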

Security Implications

User Security Implications

As with any long-term "Remember Me" service, it is very important to educate users not to choose the option on a public computer (or a computer shared with others).

Server Security Implications

CAS uses opaque ticket identifiers in its cookies. The length of the opaque identifier is chosen so that calculating or guessing it within the time it is valid is unlikely. As the validity period of the ticket increases, so must the length of the opaque identifier.

Notifying Applications of the "Remember Me" Feature being in Use

When "Remember Me" is being used, an attribute is added to the Authentication object. This attribute is RememberMeCredentials#AUTHENTICATION_ATTRIBUTE_REMEMBER_ME with a value of Boolean.TRUE. You can use this in combination with the date the Authentication object was created to determine whether you should notify applications of the Remember Me option.
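As an added example (not code from the CAS project), the following hypothetical helper reads the attribute described above and combines it with the authentication date, as the paragraph suggests. It assumes the CAS 3.x Authentication API (getAttributes() returning a Map and getAuthenticatedDate() returning a Date); the class name and the notification rule (notify only when the authentication is older than the normal session timeout, so the session survived only because of Remember Me) are assumptions.

```java
package example.cas.validation; // hypothetical package

import java.util.Date;
import java.util.Map;

import org.jasig.cas.authentication.Authentication;
import org.jasig.cas.authentication.principal.RememberMeCredentials;

/** Hypothetical helper for deciding whether to flag a Remember Me login to an application. */
public final class RememberMeChecker {

    private RememberMeChecker() {
    }

    /** True when the Authentication carries the Remember Me attribute with value Boolean.TRUE. */
    public static boolean isRememberMe(final Authentication authentication) {
        final Map<String, Object> attributes = authentication.getAttributes();
        if (attributes == null) {
            return false;
        }
        final Object flag = attributes.get(RememberMeCredentials.AUTHENTICATION_ATTRIBUTE_REMEMBER_ME);
        // Boolean.TRUE.equals tolerates a missing attribute and non-Boolean values.
        return Boolean.TRUE.equals(flag);
    }

    /**
     * Assumed rule: notify the application only when the login was a Remember Me login
     * AND the credentials were entered longer ago than the normal session timeout.
     * A recent Remember Me login is treated like any interactive login.
     */
    public static boolean shouldNotifyApplication(final Authentication authentication,
                                                  final long sessionTimeoutMillis,
                                                  final Date now) {
        if (!isRememberMe(authentication)) {
            return false;
        }
        final Date authenticatedDate = authentication.getAuthenticatedDate();
        if (authenticatedDate == null) {
            // No creation date available: be conservative and notify.
            return true;
        }
        final long ageMillis = now.getTime() - authenticatedDate.getTime();
        return ageMillis > sessionTimeoutMillis;
    }
}
```

The sessionTimeoutMillis argument should be the same value used for the sessionExpirationPolicy in ticketExpirationPolicies.xml.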
