Skip to end of metadata
Go to start of metadata
Table of Contents

New CAS documentation site

Icon

CAS documentation has moved over to apereo.github.io/cas, starting with CAS version 4.x. The wiki will no longer be maintained. For the most recent version of the documentation, please refer to the aforementioned link.

Starting with CAS 3.2.1, CAS has support for long term Ticket Granting Tickets, a feature referred to as "Remember Me".

Here are steps required to enable this feature for CAS 3.4.2 

Configuration

deployerConfigContext.xml

An AuthenticationMetaDataPopulator needs to be added to the AuthenticationManager. If you have no AuthenticationMetaDataPopulators configured, you would add the following property to the AuthenticationManager configured in the deployerConfigContext.xml:

login-webflow.xml

Locate "credentials" var, it should look something like this:

Change it to this:

Also locate the bean "viewLoginForm", it should look something like this:

Change it to something similar to this:

ticketExpirationPolicies.xml

The ticket expiration policy entitled "grantingTicketExpirationPolicy" would need to be changed to the RememberMeDelegatingExpirationPolicy.

You would have something similar to the following:

NOTE: if you use a different ticket registry that configures the ticket lifetime in the bean configuration (such as Memcache/Repcache), you will need to adjust the ticket lifetime in the bean configuration as well !

(optional) applicationContext.xml

The CentralAuthenticationServiceImpl now supports providing separate TicketRegistries, one for ServiceTickets and one for TicketGrantingTickets. If you want this allows you to define a long term ticket store for TicketGrantingTickets (i.e. BerkeleyDb) and an in-memory short term cache for Service Tickets.

Depending on your intended number of users and/or memory on the machine you may or may not need two registries.

Note: Be careful when defining a long term ticket store. Certain long term stores may not properly serialize/deserialize TicketGrantingTickets such that multiple instances of the same ticket may exist in memory at the same time (this would mostly be an issue with regards to ProxyGrantingTickets and their parent TicketGrantingTicket).

(optional) ticketGrantingTicketCookieGenerator.xml

Allows you to specify the "rememberMeMaxAge" property (default 3 months) as well as other properties for the cookie.

Note that this time is in seconds, unlike the values in ticketExpirationPolicies.xml above (see more in  "class CookieRetrievingCookieGenerator" in the source at cas-server-core/src/main/java/org/jasig/cas/web/support/CookieRetrievingCookieGenerator.java)

So, to set the rememberMeMaxAge on the TGT the same as your" Remember Me" policy, add the following attribute to your "ticketGrantingTicketCookieGenerator" bean:

     p:rememberMeMaxAge="xxxxxxx"         where xxxx in is seconds, eg. 604800 for 7 days.

Custom Implementations

For the most part, the Remember Me support built in requires no customizations. We provide one default Credentials class (the RememberMeUsernamePasswordCredentials) for processing username/password and remember me requests.

Users who require additional fields, may need to implement their own Credentials class. To get Remember Me support, developers should implement the RememberMeCredentials interface which provides a setRememberMe and isRememberMe methods.

Users may need to add one field to the login page. Something such as the following would need to be added to the casLoginView.jsp

Security Implications

User Security Implications

As with any long term "Remember Me" services, educating users about not choosing the option on a public computer (or a computer shared with others) is very important.

Server Security Implications

CAS uses opaque ticket identifiers in its Cookies. The length of the opaque identifier is chosen such that the probability of it being calculated/guessed is unlikely given the amount of time its valid for. As the length of the validity of the ticket increases, so must the length of the opaque identifier.

Notifying Applications of the "Remember Me" Feature being in Use.

When "Remember Me" is being used, an attribute is added to the Authentication object. This attribute is RememberMeCredentials#AUTHENTICATION_ATTRIBUTE_REMEMBER_ME with a value of Boolean.TRUE. You can use this in combination with the date the Authentication object was created to determine whether you should notify applications of the Remember Me option.