diff --git a/cas/src/main/java/org/springframework/security/cas/authentication/CasAuthenticationProvider.java b/cas/src/main/java/org/springframework/security/cas/authentication/CasAuthenticationProvider.java
index b35199c5828..92f7c6e517e 100644
--- a/cas/src/main/java/org/springframework/security/cas/authentication/CasAuthenticationProvider.java
+++ b/cas/src/main/java/org/springframework/security/cas/authentication/CasAuthenticationProvider.java
@@ -56,6 +56,7 @@ public class CasAuthenticationProvider implements AuthenticationProvider, Initia
     //~ Static fields/initializers =====================================================================================
 
     private static final Log logger = LogFactory.getLog(CasAuthenticationProvider.class);
+    public static final String DEFAULT_REMEMBERME_ATTRIBUTE_NAME = "longTermAuthenticationRequestTokenUsed";
 
     //~ Instance fields ================================================================================================
 
@@ -68,6 +69,7 @@ public class CasAuthenticationProvider implements AuthenticationProvider, Initia
     private TicketValidator ticketValidator;
     private ServiceProperties serviceProperties;
     private GrantedAuthoritiesMapper authoritiesMapper = new NullAuthoritiesMapper();
+    private String rememberMeAttributeName = DEFAULT_REMEMBERME_ATTRIBUTE_NAME;
 
 
     //~ Methods ========================================================================================================
@@ -141,7 +143,7 @@ private CasAuthenticationToken authenticateNow(final Authentication authenticati
             final UserDetails userDetails = loadUserByAssertion(assertion);
             userDetailsChecker.check(userDetails);
             return new CasAuthenticationToken(this.key, userDetails, authentication.getCredentials(),
-                    authoritiesMapper.mapAuthorities(userDetails.getAuthorities()), userDetails, assertion);
+                    authoritiesMapper.mapAuthorities(userDetails.getAuthorities()), userDetails, assertion, rememberMeAttributeName);
         } catch (final TicketValidationException e) {
             throw new BadCredentialsException(e.getMessage(), e);
         }
@@ -234,6 +236,14 @@ public void setAuthoritiesMapper(GrantedAuthoritiesMapper authoritiesMapper) {
         this.authoritiesMapper = authoritiesMapper;
     }
 
+    public String getRememberMeAttributeName() {
+        return rememberMeAttributeName;
+    }
+
+    public void setRememberMeAttributeName(String rememberMeAttributeName) {
+        this.rememberMeAttributeName = rememberMeAttributeName;
+    }
+
     public boolean supports(final Class<?> authentication) {
         return (UsernamePasswordAuthenticationToken.class.isAssignableFrom(authentication)) ||
            (CasAuthenticationToken.class.isAssignableFrom(authentication)) ||
diff --git a/cas/src/main/java/org/springframework/security/cas/authentication/CasAuthenticationToken.java b/cas/src/main/java/org/springframework/security/cas/authentication/CasAuthenticationToken.java
index ffa78978096..ee0c972e90b 100644
--- a/cas/src/main/java/org/springframework/security/cas/authentication/CasAuthenticationToken.java
+++ b/cas/src/main/java/org/springframework/security/cas/authentication/CasAuthenticationToken.java
@@ -20,6 +20,7 @@
 
 import org.jasig.cas.client.validation.Assertion;
 import org.springframework.security.authentication.AbstractAuthenticationToken;
+import org.springframework.security.authentication.RememberMeAware;
 import org.springframework.security.core.GrantedAuthority;
 import org.springframework.security.core.SpringSecurityCoreVersion;
 import org.springframework.security.core.userdetails.UserDetails;
@@ -30,7 +31,7 @@
  * @author Ben Alex
  * @author Scott Battaglia
  */
-public class CasAuthenticationToken extends AbstractAuthenticationToken implements Serializable {
+public class CasAuthenticationToken extends AbstractAuthenticationToken implements Serializable, RememberMeAware {
 
     private static final long serialVersionUID = SpringSecurityCoreVersion.SERIAL_VERSION_UID;
 
@@ -40,6 +41,7 @@ public class CasAuthenticationToken extends AbstractAuthenticationToken implemen
     private final UserDetails userDetails;
     private final int keyHash;
     private final Assertion assertion;
+    private final boolean rememberMe;
 
     //~ Constructors ===================================================================================================
 
@@ -57,15 +59,18 @@ public class CasAuthenticationToken extends AbstractAuthenticationToken implemen
      *        org.springframework.security.core.userdetails.UserDetailsService}) (cannot be <code>null</code>)
      * @param assertion the assertion returned from the CAS servers.  It contains the principal and how to obtain a
      *        proxy ticket for the user.
+     * @param rememberMeAttributeName the CAS remember-me attribute name
      *
      * @throws IllegalArgumentException if a <code>null</code> was passed
      */
     public CasAuthenticationToken(final String key, final Object principal, final Object credentials,
-        final Collection<? extends GrantedAuthority> authorities, final UserDetails userDetails, final Assertion assertion) {
+        final Collection<? extends GrantedAuthority> authorities, final UserDetails userDetails, final Assertion assertion,
+        String rememberMeAttributeName) {
         super(authorities);
 
         if ((key == null) || ("".equals(key)) || (principal == null) || "".equals(principal) || (credentials == null)
-            || "".equals(credentials) || (authorities == null) || (userDetails == null) || (assertion == null)) {
+            || "".equals(credentials) || (authorities == null) || (userDetails == null) || (assertion == null) ||
+            (rememberMeAttributeName == null)) {
             throw new IllegalArgumentException("Cannot pass null or empty values to constructor");
         }
 
@@ -74,6 +79,8 @@ public CasAuthenticationToken(final String key, final Object principal, final Ob
         this.credentials = credentials;
         this.userDetails = userDetails;
         this.assertion = assertion;
+        String rememberMeStringValue = (String) assertion.getPrincipal().getAttributes().get(rememberMeAttributeName);
+        this.rememberMe = rememberMeStringValue != null && Boolean.parseBoolean(rememberMeStringValue);
         setAuthenticated(true);
     }
 
@@ -121,9 +128,14 @@ public UserDetails getUserDetails() {
         return userDetails;
     }
 
+    public boolean isRememberMe() {
+        return rememberMe;
+    }
+
     public String toString() {
         StringBuilder sb = new StringBuilder();
         sb.append(super.toString());
+        sb.append(" RememberMe: ").append(this.rememberMe);
         sb.append(" Assertion: ").append(this.assertion);
         sb.append(" Credentials (Service/Proxy Ticket): ").append(this.credentials);
 
diff --git a/cas/src/main/java/org/springframework/security/cas/web/CasAuthenticationEntryPoint.java b/cas/src/main/java/org/springframework/security/cas/web/CasAuthenticationEntryPoint.java
index a06b73dfade..bd8e9fe4e05 100644
--- a/cas/src/main/java/org/springframework/security/cas/web/CasAuthenticationEntryPoint.java
+++ b/cas/src/main/java/org/springframework/security/cas/web/CasAuthenticationEntryPoint.java
@@ -36,8 +36,9 @@
  * The user's browser will be redirected to the JA-SIG CAS enterprise-wide login page.
  * This page is specified by the <code>loginUrl</code> property. Once login is complete, the CAS login page will
  * redirect to the page indicated by the <code>service</code> property. The <code>service</code> is a HTTP URL
- * belonging to the current application. The <code>service</code> URL is monitored by the {@link CasAuthenticationFilter},
- * which will validate the CAS login was successful.
+ * belonging to the current application. The <code>renew</code> parameter can be forced to true when redirecting
+ * to the CAS server. The <code>service</code> URL is monitored by the {@link CasAuthenticationFilter}, which will
+ * validate the CAS login was successful.
  *
  * @author Ben Alex
  * @author Scott Battaglia
@@ -68,11 +69,18 @@ public void afterPropertiesSet() throws Exception {
         Assert.notNull(this.serviceProperties.getService(),"serviceProperties.getService() cannot be null.");
     }
 
+
+    public final void commence(final HttpServletRequest servletRequest, final HttpServletResponse response,
+                               final AuthenticationException authenticationException) throws IOException, ServletException {
+        // by default, don't force the renew parameter to true
+        commence(servletRequest, response, authenticationException, false);
+    }
+
     public final void commence(final HttpServletRequest servletRequest, final HttpServletResponse response,
-            final AuthenticationException authenticationException) throws IOException, ServletException {
+            final AuthenticationException authenticationException, boolean forceRenew) throws IOException, ServletException {
 
         final String urlEncodedService = createServiceUrl(servletRequest, response);
-        final String redirectUrl = createRedirectUrl(urlEncodedService);
+        final String redirectUrl = createRedirectUrl(urlEncodedService, forceRenew);
 
         preCommence(servletRequest, response);
 
@@ -91,12 +99,19 @@ protected String createServiceUrl(final HttpServletRequest request, final HttpSe
 
     /**
      * Constructs the Url for Redirection to the CAS server.  Default implementation relies on the CAS client to do the bulk of the work.
+     * The renew parameter can be forced to true if the forceRenew parameter is true.
      *
      * @param serviceUrl the service url that should be included.
+     * @param forceRenew if the renew parameter should be forced to true
      * @return the redirect url.  CANNOT be NULL.
      */
-    protected String createRedirectUrl(final String serviceUrl) {
-        return CommonUtils.constructRedirectUrl(this.loginUrl, this.serviceProperties.getServiceParameter(), serviceUrl, this.serviceProperties.isSendRenew(), false);
+    protected String createRedirectUrl(final String serviceUrl, final boolean forceRenew) {
+        boolean renew = this.serviceProperties.isSendRenew();
+        // if forceRenew is true, the renew parameter is forced to true
+        if (forceRenew) {
+            renew = true;
+        }
+        return CommonUtils.constructRedirectUrl(this.loginUrl, this.serviceProperties.getServiceParameter(), serviceUrl, renew, false);
     }
 
     /**
diff --git a/cas/src/main/java/org/springframework/security/cas/web/CasRememberMeAccessDeniedHandler.java b/cas/src/main/java/org/springframework/security/cas/web/CasRememberMeAccessDeniedHandler.java
new file mode 100644
index 00000000000..f0ce8c69483
--- /dev/null
+++ b/cas/src/main/java/org/springframework/security/cas/web/CasRememberMeAccessDeniedHandler.java
@@ -0,0 +1,86 @@
+/*
+ * Copyright 2012 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.springframework.security.cas.web;
+
+import java.io.IOException;
+
+import javax.servlet.ServletException;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+
+import org.springframework.beans.factory.InitializingBean;
+import org.springframework.security.access.AccessDeniedException;
+import org.springframework.security.authentication.InsufficientAuthenticationException;
+import org.springframework.security.cas.authentication.CasAuthenticationToken;
+import org.springframework.security.core.Authentication;
+import org.springframework.security.core.context.SecurityContextHolder;
+import org.springframework.security.web.access.AccessDeniedHandlerImpl;
+import org.springframework.security.web.savedrequest.HttpSessionRequestCache;
+import org.springframework.security.web.savedrequest.RequestCache;
+import org.springframework.util.Assert;
+
+/**
+ * This class represents the <code>AccessDeniedHandlerImpl</code> dedicated to CAS authentication with remember-me support.
+ * 
+ * @author Jerome Leleu
+ * @since 3.2.0
+ */
+public class CasRememberMeAccessDeniedHandler extends AccessDeniedHandlerImpl implements InitializingBean {
+    
+    private RequestCache requestCache = new HttpSessionRequestCache();
+    
+    private CasAuthenticationEntryPoint casAuthenticationEntryPoint;
+    
+    public void handle(HttpServletRequest request, HttpServletResponse response, AccessDeniedException accessDeniedException)
+        throws IOException, ServletException {
+        
+        Authentication authentication = SecurityContextHolder.getContext().getAuthentication();
+        // if CAS authentication token
+        if (authentication != null && authentication instanceof CasAuthenticationToken) {
+            CasAuthenticationToken casAuthenticationToken = (CasAuthenticationToken) authentication;
+            // in remember-me mode
+            if (casAuthenticationToken.isRememberMe()) {
+                requestCache.saveRequest(request, response);
+                logger.debug("Calling Authentication entry point with renew=true.");
+                casAuthenticationEntryPoint.commence(request, response,
+                    new InsufficientAuthenticationException("Full CAS authentication is required to access this resource"), true);
+                return;
+            }
+        }
+        
+        super.handle(request, response, accessDeniedException);
+    }
+    
+    public RequestCache getRequestCache() {
+        return requestCache;
+    }
+    
+    public void setRequestCache(RequestCache requestCache) {
+        this.requestCache = requestCache;
+    }
+    
+    public CasAuthenticationEntryPoint getCasAuthenticationEntryPoint() {
+        return casAuthenticationEntryPoint;
+    }
+    
+    public void setCasAuthenticationEntryPoint(CasAuthenticationEntryPoint casAuthenticationEntryPoint) {
+        this.casAuthenticationEntryPoint = casAuthenticationEntryPoint;
+    }
+    
+    public void afterPropertiesSet() throws Exception {
+        Assert.notNull(this.casAuthenticationEntryPoint, "casAuthenticationEntryPoint must be specified");
+    }
+}
diff --git a/cas/src/test/java/org/springframework/security/cas/authentication/AbstractStatelessTicketCacheTests.java b/cas/src/test/java/org/springframework/security/cas/authentication/AbstractStatelessTicketCacheTests.java
index a62d3f60494..c08bb7186dc 100644
--- a/cas/src/test/java/org/springframework/security/cas/authentication/AbstractStatelessTicketCacheTests.java
+++ b/cas/src/test/java/org/springframework/security/cas/authentication/AbstractStatelessTicketCacheTests.java
@@ -25,7 +25,7 @@ protected CasAuthenticationToken getToken() {
         final Assertion assertion = new AssertionImpl("rod");
 
         return new CasAuthenticationToken("key", user, "ST-0-ER94xMJmn6pha35CQRoZ",
-                AuthorityUtils.createAuthorityList("ROLE_ONE", "ROLE_TWO"), user, assertion);
+                AuthorityUtils.createAuthorityList("ROLE_ONE", "ROLE_TWO"), user, assertion, CasAuthenticationProviderTests.TEST_REMEMBERME_ATTRIBUTE_NAME);
     }
 
 }
diff --git a/cas/src/test/java/org/springframework/security/cas/authentication/CasAuthenticationProviderTests.java b/cas/src/test/java/org/springframework/security/cas/authentication/CasAuthenticationProviderTests.java
index 495ded74d83..5c0ab2b03a9 100644
--- a/cas/src/test/java/org/springframework/security/cas/authentication/CasAuthenticationProviderTests.java
+++ b/cas/src/test/java/org/springframework/security/cas/authentication/CasAuthenticationProviderTests.java
@@ -18,6 +18,8 @@
 import static org.mockito.Mockito.*;
 import static org.junit.Assert.*;
 
+import org.jasig.cas.client.authentication.AttributePrincipal;
+import org.jasig.cas.client.authentication.AttributePrincipalImpl;
 import org.jasig.cas.client.validation.Assertion;
 import org.jasig.cas.client.validation.AssertionImpl;
 import org.jasig.cas.client.validation.TicketValidationException;
@@ -50,6 +52,7 @@
  */
 @SuppressWarnings("unchecked")
 public class CasAuthenticationProviderTests {
+    public static final String TEST_REMEMBERME_ATTRIBUTE_NAME = "testRememberMeName";
     //~ Methods ========================================================================================================
 
     private UserDetails makeUserDetails() {
@@ -80,7 +83,7 @@ public void statefulAuthenticationIsSuccessful() throws Exception {
         cap.setStatelessTicketCache(cache);
         cap.setServiceProperties(makeServiceProperties());
 
-        cap.setTicketValidator(new MockTicketValidator(true));
+        cap.setTicketValidator(new MockTicketValidator(true, null));
         cap.afterPropertiesSet();
 
         UsernamePasswordAuthenticationToken token =
@@ -103,15 +106,61 @@ public void statefulAuthenticationIsSuccessful() throws Exception {
         assertTrue(casResult.getAuthorities().contains(new SimpleGrantedAuthority("ROLE_B")));
         assertEquals(cap.getKey().hashCode(), casResult.getKeyHash());
         assertEquals("details", casResult.getDetails());
+        assertFalse(casResult.isRememberMe());
 
         // Now confirm the CasAuthenticationToken is automatically re-accepted.
         // To ensure TicketValidator not called again, set it to deliver an exception...
-        cap.setTicketValidator(new MockTicketValidator(false));
+        cap.setTicketValidator(new MockTicketValidator(false, null));
 
         Authentication laterResult = cap.authenticate(result);
         assertEquals(result, laterResult);
     }
 
+    @Test
+    public void testRememberMeDefaultAttributeName() throws Exception {
+        CasAuthenticationProvider cap = new CasAuthenticationProvider();
+        cap.setAuthenticationUserDetailsService(new MockAuthoritiesPopulator());
+        cap.setKey("qwerty");
+
+        StatelessTicketCache cache = new MockStatelessTicketCache();
+        cap.setStatelessTicketCache(cache);
+        cap.setServiceProperties(makeServiceProperties());
+
+        cap.setTicketValidator(new MockTicketValidator(true, CasAuthenticationProvider.DEFAULT_REMEMBERME_ATTRIBUTE_NAME));
+        cap.afterPropertiesSet();
+
+        UsernamePasswordAuthenticationToken token =
+            new UsernamePasswordAuthenticationToken(CasAuthenticationFilter.CAS_STATEFUL_IDENTIFIER, "ST-124");
+
+        Authentication result = cap.authenticate(token);
+
+        CasAuthenticationToken casResult = (CasAuthenticationToken) result;
+        assertTrue(casResult.isRememberMe());
+    }
+
+    @Test
+    public void testRememberMeNewAttributeName() throws Exception {
+        CasAuthenticationProvider cap = new CasAuthenticationProvider();
+        cap.setRememberMeAttributeName(TEST_REMEMBERME_ATTRIBUTE_NAME);
+        cap.setAuthenticationUserDetailsService(new MockAuthoritiesPopulator());
+        cap.setKey("qwerty");
+
+        StatelessTicketCache cache = new MockStatelessTicketCache();
+        cap.setStatelessTicketCache(cache);
+        cap.setServiceProperties(makeServiceProperties());
+
+        cap.setTicketValidator(new MockTicketValidator(true, TEST_REMEMBERME_ATTRIBUTE_NAME));
+        cap.afterPropertiesSet();
+
+        UsernamePasswordAuthenticationToken token =
+            new UsernamePasswordAuthenticationToken(CasAuthenticationFilter.CAS_STATEFUL_IDENTIFIER, "ST-125");
+
+        Authentication result = cap.authenticate(token);
+
+        CasAuthenticationToken casResult = (CasAuthenticationToken) result;
+        assertTrue(casResult.isRememberMe());
+    }
+
     @Test
     public void statelessAuthenticationIsSuccessful() throws Exception {
         CasAuthenticationProvider cap = new CasAuthenticationProvider();
@@ -120,7 +169,7 @@ public void statelessAuthenticationIsSuccessful() throws Exception {
 
         StatelessTicketCache cache = new MockStatelessTicketCache();
         cap.setStatelessTicketCache(cache);
-        cap.setTicketValidator(new MockTicketValidator(true));
+        cap.setTicketValidator(new MockTicketValidator(true, null));
         cap.setServiceProperties(makeServiceProperties());
         cap.afterPropertiesSet();
 
@@ -143,7 +192,7 @@ public void statelessAuthenticationIsSuccessful() throws Exception {
 
         // Now try to authenticate again. To ensure TicketValidator not
         // called again, set it to deliver an exception...
-        cap.setTicketValidator(new MockTicketValidator(false));
+        cap.setTicketValidator(new MockTicketValidator(false, null));
 
         // Previously created UsernamePasswordAuthenticationToken is OK
         Authentication newResult = cap.authenticate(token);
@@ -240,7 +289,7 @@ public void missingTicketIdIsDetected() throws Exception {
 
         StatelessTicketCache cache = new MockStatelessTicketCache();
         cap.setStatelessTicketCache(cache);
-        cap.setTicketValidator(new MockTicketValidator(true));
+        cap.setTicketValidator(new MockTicketValidator(true, null));
         cap.setServiceProperties(makeServiceProperties());
         cap.afterPropertiesSet();
 
@@ -259,12 +308,12 @@ public void invalidKeyIsDetected() throws Exception {
 
         StatelessTicketCache cache = new MockStatelessTicketCache();
         cap.setStatelessTicketCache(cache);
-        cap.setTicketValidator(new MockTicketValidator(true));
+        cap.setTicketValidator(new MockTicketValidator(true, null));
         cap.setServiceProperties(makeServiceProperties());
         cap.afterPropertiesSet();
 
         CasAuthenticationToken token = new CasAuthenticationToken("WRONG_KEY", makeUserDetails(), "credentials",
-                AuthorityUtils.createAuthorityList("XX"), makeUserDetails(), assertion);
+                AuthorityUtils.createAuthorityList("XX"), makeUserDetails(), assertion, TEST_REMEMBERME_ATTRIBUTE_NAME);
 
         cap.authenticate(token);
     }
@@ -274,7 +323,7 @@ public void detectsMissingAuthoritiesPopulator() throws Exception {
         CasAuthenticationProvider cap = new CasAuthenticationProvider();
         cap.setKey("qwerty");
         cap.setStatelessTicketCache(new MockStatelessTicketCache());
-        cap.setTicketValidator(new MockTicketValidator(true));
+        cap.setTicketValidator(new MockTicketValidator(true, null));
         cap.setServiceProperties(makeServiceProperties());
         cap.afterPropertiesSet();
     }
@@ -284,7 +333,7 @@ public void detectsMissingKey() throws Exception {
         CasAuthenticationProvider cap = new CasAuthenticationProvider();
         cap.setAuthenticationUserDetailsService(new MockAuthoritiesPopulator());
         cap.setStatelessTicketCache(new MockStatelessTicketCache());
-        cap.setTicketValidator(new MockTicketValidator(true));
+        cap.setTicketValidator(new MockTicketValidator(true, null));
         cap.setServiceProperties(makeServiceProperties());
         cap.afterPropertiesSet();
     }
@@ -296,7 +345,7 @@ public void detectsMissingStatelessTicketCache() throws Exception {
         cap.setStatelessTicketCache(null);
         cap.setAuthenticationUserDetailsService(new MockAuthoritiesPopulator());
         cap.setKey("qwerty");
-        cap.setTicketValidator(new MockTicketValidator(true));
+        cap.setTicketValidator(new MockTicketValidator(true, null));
         cap.setServiceProperties(makeServiceProperties());
         cap.afterPropertiesSet();
     }
@@ -317,7 +366,7 @@ public void gettersAndSettersMatch() throws Exception {
         cap.setAuthenticationUserDetailsService(new MockAuthoritiesPopulator());
         cap.setKey("qwerty");
         cap.setStatelessTicketCache(new MockStatelessTicketCache());
-        cap.setTicketValidator(new MockTicketValidator(true));
+        cap.setTicketValidator(new MockTicketValidator(true, null));
         cap.setServiceProperties(makeServiceProperties());
         cap.afterPropertiesSet();
 
@@ -334,7 +383,7 @@ public void ignoresClassesItDoesNotSupport() throws Exception {
         cap.setAuthenticationUserDetailsService(new MockAuthoritiesPopulator());
         cap.setKey("qwerty");
         cap.setStatelessTicketCache(new MockStatelessTicketCache());
-        cap.setTicketValidator(new MockTicketValidator(true));
+        cap.setTicketValidator(new MockTicketValidator(true, null));
         cap.setServiceProperties(makeServiceProperties());
         cap.afterPropertiesSet();
 
@@ -351,7 +400,7 @@ public void ignoresUsernamePasswordAuthenticationTokensWithoutCasIdentifiersAsPr
         cap.setAuthenticationUserDetailsService(new MockAuthoritiesPopulator());
         cap.setKey("qwerty");
         cap.setStatelessTicketCache(new MockStatelessTicketCache());
-        cap.setTicketValidator(new MockTicketValidator(true));
+        cap.setTicketValidator(new MockTicketValidator(true, null));
         cap.setServiceProperties(makeServiceProperties());
         cap.afterPropertiesSet();
 
@@ -398,15 +447,27 @@ public void removeTicketFromCache(String serviceTicket) {
 
     private class MockTicketValidator implements TicketValidator {
         private boolean returnTicket;
+        private String rememberMeAttributeName;
 
-        public MockTicketValidator(boolean returnTicket) {
+        public MockTicketValidator(boolean returnTicket, String rememberMeAttributeName) {
             this.returnTicket = returnTicket;
+            this.rememberMeAttributeName = rememberMeAttributeName;
         }
 
+        @SuppressWarnings("rawtypes")
         public Assertion validate(final String ticket, final String service)
                 throws TicketValidationException {
             if (returnTicket) {
-                return new AssertionImpl("rod");
+                Assertion assertion;
+                if (rememberMeAttributeName != null) {
+                    Map attributes = new HashMap();
+                    attributes.put(rememberMeAttributeName, "true");
+                    final AttributePrincipal principal = new AttributePrincipalImpl("rod", attributes);
+                    assertion = new AssertionImpl(principal);
+                } else {
+                    assertion = new AssertionImpl("rod");
+                }
+                return assertion;
             }
             throw new BadCredentialsException("As requested from mock");
         }
diff --git a/cas/src/test/java/org/springframework/security/cas/authentication/CasAuthenticationTokenTests.java b/cas/src/test/java/org/springframework/security/cas/authentication/CasAuthenticationTokenTests.java
index 16dc11f1d67..c9ee389cffa 100644
--- a/cas/src/test/java/org/springframework/security/cas/authentication/CasAuthenticationTokenTests.java
+++ b/cas/src/test/java/org/springframework/security/cas/authentication/CasAuthenticationTokenTests.java
@@ -16,6 +16,9 @@
 package org.springframework.security.cas.authentication;
 
 import junit.framework.TestCase;
+
+import org.jasig.cas.client.authentication.AttributePrincipal;
+import org.jasig.cas.client.authentication.AttributePrincipalImpl;
 import org.jasig.cas.client.validation.Assertion;
 import org.jasig.cas.client.validation.AssertionImpl;
 import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
@@ -50,51 +53,59 @@ public final void setUp() throws Exception {
     public void testConstructorRejectsNulls() {
         final Assertion assertion = new AssertionImpl("test");
         try {
-            new CasAuthenticationToken(null, makeUserDetails(), "Password", ROLES, makeUserDetails(), assertion);
+            new CasAuthenticationToken(null, makeUserDetails(), "Password", ROLES, makeUserDetails(), assertion, CasAuthenticationProviderTests.TEST_REMEMBERME_ATTRIBUTE_NAME);
             fail("Should have thrown IllegalArgumentException");
         } catch (IllegalArgumentException expected) {
         }
 
         try {
-            new CasAuthenticationToken("key", null, "Password", ROLES, makeUserDetails(), assertion);
+            new CasAuthenticationToken("key", null, "Password", ROLES, makeUserDetails(), assertion, CasAuthenticationProviderTests.TEST_REMEMBERME_ATTRIBUTE_NAME);
             fail("Should have thrown IllegalArgumentException");
         } catch (IllegalArgumentException expected) {
         }
 
         try {
-            new CasAuthenticationToken("key", makeUserDetails(), null, ROLES, makeUserDetails(), assertion);
+            new CasAuthenticationToken("key", makeUserDetails(), null, ROLES, makeUserDetails(), assertion, CasAuthenticationProviderTests.TEST_REMEMBERME_ATTRIBUTE_NAME);
             fail("Should have thrown IllegalArgumentException");
         } catch (IllegalArgumentException expected) {
         }
 
         try {
-            new CasAuthenticationToken("key", makeUserDetails(), "Password", ROLES, makeUserDetails(), null);
+            new CasAuthenticationToken("key", makeUserDetails(), "Password", ROLES, makeUserDetails(), null, CasAuthenticationProviderTests.TEST_REMEMBERME_ATTRIBUTE_NAME);
             fail("Should have thrown IllegalArgumentException");
         } catch (IllegalArgumentException expected) {
         }
 
         try {
-            new CasAuthenticationToken("key", makeUserDetails(), "Password", ROLES, null, assertion);
+            new CasAuthenticationToken("key", makeUserDetails(), "Password", ROLES, null, assertion, CasAuthenticationProviderTests.TEST_REMEMBERME_ATTRIBUTE_NAME);
             fail("Should have thrown IllegalArgumentException");
         } catch (IllegalArgumentException expected) {
         }
 
         try {
-            new CasAuthenticationToken("key", makeUserDetails(), "Password", AuthorityUtils.createAuthorityList("ROLE_1", null), makeUserDetails(), assertion);
+            new CasAuthenticationToken("key", makeUserDetails(), "Password", AuthorityUtils.createAuthorityList("ROLE_1", null),
+                                       makeUserDetails(), assertion, CasAuthenticationProviderTests.TEST_REMEMBERME_ATTRIBUTE_NAME);
             fail("Should have thrown IllegalArgumentException");
         } catch (IllegalArgumentException expected) {
             assertTrue(true);
         }
-    }
+
+        try {
+            new CasAuthenticationToken("key", makeUserDetails(), "Password", ROLES, makeUserDetails(), assertion, null);
+            fail("Should have thrown IllegalArgumentException");
+        } catch (IllegalArgumentException expected) {
+            assertTrue(true);
+        }
+}
 
     public void testEqualsWhenEqual() {
         final Assertion assertion = new AssertionImpl("test");
 
         CasAuthenticationToken token1 = new CasAuthenticationToken("key", makeUserDetails(), "Password", ROLES,
-                makeUserDetails(), assertion);
+                makeUserDetails(), assertion, CasAuthenticationProviderTests.TEST_REMEMBERME_ATTRIBUTE_NAME);
 
         CasAuthenticationToken token2 = new CasAuthenticationToken("key", makeUserDetails(), "Password", ROLES,
-                makeUserDetails(), assertion);
+                makeUserDetails(), assertion, CasAuthenticationProviderTests.TEST_REMEMBERME_ATTRIBUTE_NAME);
 
         assertEquals(token1, token2);
     }
@@ -103,7 +114,7 @@ public void testGetters() {
         // Build the proxy list returned in the ticket from CAS
         final Assertion assertion = new AssertionImpl("test");
         CasAuthenticationToken token = new CasAuthenticationToken("key", makeUserDetails(), "Password", ROLES,
-                makeUserDetails(), assertion);
+                makeUserDetails(), assertion, CasAuthenticationProviderTests.TEST_REMEMBERME_ATTRIBUTE_NAME);
         assertEquals("key".hashCode(), token.getKeyHash());
         assertEquals(makeUserDetails(), token.getPrincipal());
         assertEquals("Password", token.getCredentials());
@@ -111,6 +122,7 @@ public void testGetters() {
         assertTrue(token.getAuthorities().contains(new SimpleGrantedAuthority("ROLE_TWO")));
         assertEquals(assertion, token.getAssertion());
         assertEquals(makeUserDetails().getUsername(), token.getUserDetails().getUsername());
+        assertFalse(token.isRememberMe());
     }
 
     public void testNoArgConstructorDoesntExist() {
@@ -126,10 +138,10 @@ public void testNotEqualsDueToAbstractParentEqualsCheck() {
         final Assertion assertion = new AssertionImpl("test");
 
         CasAuthenticationToken token1 = new CasAuthenticationToken("key", makeUserDetails(), "Password", ROLES,
-                makeUserDetails(), assertion);
+                makeUserDetails(), assertion, CasAuthenticationProviderTests.TEST_REMEMBERME_ATTRIBUTE_NAME);
 
         CasAuthenticationToken token2 = new CasAuthenticationToken("key", makeUserDetails("OTHER_NAME"), "Password",
-                ROLES, makeUserDetails(), assertion);
+                ROLES, makeUserDetails(), assertion, CasAuthenticationProviderTests.TEST_REMEMBERME_ATTRIBUTE_NAME);
 
         assertTrue(!token1.equals(token2));
     }
@@ -138,7 +150,7 @@ public void testNotEqualsDueToDifferentAuthenticationClass() {
         final Assertion assertion = new AssertionImpl("test");
 
         CasAuthenticationToken token1 = new CasAuthenticationToken("key", makeUserDetails(), "Password", ROLES,
-                makeUserDetails(), assertion);
+                makeUserDetails(), assertion, CasAuthenticationProviderTests.TEST_REMEMBERME_ATTRIBUTE_NAME);
 
         UsernamePasswordAuthenticationToken token2 = new UsernamePasswordAuthenticationToken("Test", "Password", ROLES);
         assertTrue(!token1.equals(token2));
@@ -148,10 +160,10 @@ public void testNotEqualsDueToKey() {
         final Assertion assertion = new AssertionImpl("test");
 
         CasAuthenticationToken token1 = new CasAuthenticationToken("key", makeUserDetails(), "Password", ROLES,
-                makeUserDetails(), assertion);
+                makeUserDetails(), assertion, CasAuthenticationProviderTests.TEST_REMEMBERME_ATTRIBUTE_NAME);
 
         CasAuthenticationToken token2 = new CasAuthenticationToken("DIFFERENT_KEY", makeUserDetails(), "Password",
-                ROLES, makeUserDetails(), assertion);
+                ROLES, makeUserDetails(), assertion, CasAuthenticationProviderTests.TEST_REMEMBERME_ATTRIBUTE_NAME);
 
         assertTrue(!token1.equals(token2));
     }
@@ -161,10 +173,10 @@ public void testNotEqualsDueToAssertion() {
         final Assertion assertion2 = new AssertionImpl("test");
 
         CasAuthenticationToken token1 = new CasAuthenticationToken("key", makeUserDetails(), "Password", ROLES,
-                makeUserDetails(), assertion);
+                makeUserDetails(), assertion, CasAuthenticationProviderTests.TEST_REMEMBERME_ATTRIBUTE_NAME);
 
         CasAuthenticationToken token2 = new CasAuthenticationToken("key", makeUserDetails(), "Password", ROLES,
-                makeUserDetails(), assertion2);
+                makeUserDetails(), assertion2, CasAuthenticationProviderTests.TEST_REMEMBERME_ATTRIBUTE_NAME);
 
         assertTrue(!token1.equals(token2));
     }
@@ -172,16 +184,29 @@ public void testNotEqualsDueToAssertion() {
     public void testSetAuthenticated() {
         final Assertion assertion = new AssertionImpl("test");
         CasAuthenticationToken token = new CasAuthenticationToken("key", makeUserDetails(), "Password", ROLES,
-                makeUserDetails(), assertion);
+                makeUserDetails(), assertion, CasAuthenticationProviderTests.TEST_REMEMBERME_ATTRIBUTE_NAME);
         assertTrue(token.isAuthenticated());
         token.setAuthenticated(false);
         assertTrue(!token.isAuthenticated());
     }
 
+    @SuppressWarnings({
+        "rawtypes", "unchecked"
+    })
+    public void testIsRemember() {
+        Map attributes = new HashMap();
+        attributes.put(CasAuthenticationProviderTests.TEST_REMEMBERME_ATTRIBUTE_NAME, "true");
+        final AttributePrincipal principal = new AttributePrincipalImpl("test", attributes);
+        final Assertion assertion = new AssertionImpl(principal);
+        CasAuthenticationToken token = new CasAuthenticationToken("key", makeUserDetails(), "Password", ROLES,
+                makeUserDetails(), assertion, CasAuthenticationProviderTests.TEST_REMEMBERME_ATTRIBUTE_NAME);
+        assertTrue(token.isRememberMe());
+    }
+
     public void testToString() {
         final Assertion assertion = new AssertionImpl("test");
         CasAuthenticationToken token = new CasAuthenticationToken("key", makeUserDetails(), "Password",ROLES,
-                makeUserDetails(), assertion);
+                makeUserDetails(), assertion, CasAuthenticationProviderTests.TEST_REMEMBERME_ATTRIBUTE_NAME);
         String result = token.toString();
         assertTrue(result.lastIndexOf("Credentials (Service/Proxy Ticket):") != -1);
     }
diff --git a/cas/src/test/java/org/springframework/security/cas/web/CasAuthenticationEntryPointTests.java b/cas/src/test/java/org/springframework/security/cas/web/CasAuthenticationEntryPointTests.java
index 5349fc4e944..449de1a241d 100644
--- a/cas/src/test/java/org/springframework/security/cas/web/CasAuthenticationEntryPointTests.java
+++ b/cas/src/test/java/org/springframework/security/cas/web/CasAuthenticationEntryPointTests.java
@@ -108,4 +108,25 @@ public void testNormalOperationWithRenewTrue() throws Exception {
             + URLEncoder.encode("https://mycompany.com/bigWebApp/j_spring_cas_security_check", "UTF-8") + "&renew=true",
             response.getRedirectedUrl());
     }
+
+    public void testNormalOperationWithForceRenewTrue() throws Exception {
+        ServiceProperties sp = new ServiceProperties();
+        sp.setSendRenew(false);
+        sp.setService("https://mycompany.com/bigWebApp/j_spring_cas_security_check");
+
+        CasAuthenticationEntryPoint ep = new CasAuthenticationEntryPoint();
+        ep.setLoginUrl("https://cas/login");
+        ep.setServiceProperties(sp);
+
+        MockHttpServletRequest request = new MockHttpServletRequest();
+        request.setRequestURI("/some_path");
+
+        MockHttpServletResponse response = new MockHttpServletResponse();
+
+        ep.afterPropertiesSet();
+        ep.commence(request, response, null, true);
+        assertEquals("https://cas/login?service="
+            + URLEncoder.encode("https://mycompany.com/bigWebApp/j_spring_cas_security_check", "UTF-8") + "&renew=true",
+            response.getRedirectedUrl());
+    }
 }
diff --git a/core/src/main/java/org/springframework/security/authentication/AuthenticationTrustResolverImpl.java b/core/src/main/java/org/springframework/security/authentication/AuthenticationTrustResolverImpl.java
index 8dc03cdfbfc..3f5955baa94 100644
--- a/core/src/main/java/org/springframework/security/authentication/AuthenticationTrustResolverImpl.java
+++ b/core/src/main/java/org/springframework/security/authentication/AuthenticationTrustResolverImpl.java
@@ -21,12 +21,14 @@
 /**
  * Basic implementation of {@link AuthenticationTrustResolver}.
  * <p>
- * Makes trust decisions based on whether the passed <code>Authentication</code> is an instance of a defined class.
+ * Makes trust decisions based on whether the passed <code>Authentication</code> is an instance of a defined class or
+ * implements the {@link RememberMeAware} interface and its <code>isRemember()</code> method returns <code>true</code>.
  * <p>
  * If {@link #anonymousClass} or {@link #rememberMeClass} is <code>null</code>, the corresponding method will
  * always return <code>false</code>.
  *
  * @author Ben Alex
+ * @see RememberMeAware#isRememberMe()
  */
 public class AuthenticationTrustResolverImpl implements AuthenticationTrustResolver {
     //~ Instance fields ================================================================================================
@@ -57,7 +59,15 @@ public boolean isRememberMe(Authentication authentication) {
             return false;
         }
 
-        return rememberMeClass.isAssignableFrom(authentication.getClass());
+        if (rememberMeClass.isAssignableFrom(authentication.getClass())) {
+            return true;
+        }
+        
+        if (authentication instanceof RememberMeAware) {
+            return ((RememberMeAware) authentication).isRememberMe();
+        }
+        
+        return false;
     }
 
     public void setAnonymousClass(Class<? extends Authentication> anonymousClass) {
diff --git a/core/src/main/java/org/springframework/security/authentication/RememberMeAuthenticationToken.java b/core/src/main/java/org/springframework/security/authentication/RememberMeAuthenticationToken.java
index 2315f0fab89..a54e6ad62a9 100644
--- a/core/src/main/java/org/springframework/security/authentication/RememberMeAuthenticationToken.java
+++ b/core/src/main/java/org/springframework/security/authentication/RememberMeAuthenticationToken.java
@@ -30,7 +30,7 @@
  * @author Ben Alex
  * @author Luke Taylor
  */
-public class RememberMeAuthenticationToken extends AbstractAuthenticationToken {
+public class RememberMeAuthenticationToken extends AbstractAuthenticationToken implements RememberMeAware {
 
     private static final long serialVersionUID = SpringSecurityCoreVersion.SERIAL_VERSION_UID;
 
@@ -99,4 +99,12 @@ public boolean equals(Object obj) {
         return false;
     }
 
+    /**
+     * This method always returns true as a <code>RememberMeAuthenticationToken</code> is always considered as remember-me.
+     * 
+     * @return true
+     */
+    public final boolean isRememberMe() {
+        return true;
+    }
 }
diff --git a/core/src/main/java/org/springframework/security/authentication/RememberMeAware.java b/core/src/main/java/org/springframework/security/authentication/RememberMeAware.java
new file mode 100644
index 00000000000..70baa1d5412
--- /dev/null
+++ b/core/src/main/java/org/springframework/security/authentication/RememberMeAware.java
@@ -0,0 +1,27 @@
+/*
+ * Copyright 2012 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.springframework.security.authentication;
+
+/**
+ * This interface represents the ability for an authentication token to be considered as remember-me.
+ * 
+ * @author Jerome Leleu
+ * @since 3.2.0
+ */
+public interface RememberMeAware {
+    
+    public boolean isRememberMe();
+}
diff --git a/core/src/main/java/org/springframework/security/authentication/TestingAuthenticationToken.java b/core/src/main/java/org/springframework/security/authentication/TestingAuthenticationToken.java
index fe2f0b476d0..f0bf53f5684 100644
--- a/core/src/main/java/org/springframework/security/authentication/TestingAuthenticationToken.java
+++ b/core/src/main/java/org/springframework/security/authentication/TestingAuthenticationToken.java
@@ -15,7 +15,6 @@
 
 package org.springframework.security.authentication;
 
-import java.util.Arrays;
 import java.util.List;
 
 import org.springframework.security.core.GrantedAuthority;
@@ -29,12 +28,13 @@
  *
  * @author Ben Alex
  */
-public class TestingAuthenticationToken extends AbstractAuthenticationToken {
+public class TestingAuthenticationToken extends AbstractAuthenticationToken implements RememberMeAware {
     //~ Instance fields ================================================================================================
 
     private static final long serialVersionUID = 1L;
     private final Object credentials;
     private final Object principal;
+    private final boolean isRemember;
 
     //~ Constructors ===================================================================================================
 
@@ -42,6 +42,7 @@ public TestingAuthenticationToken(Object principal, Object credentials) {
         super(null);
         this.principal = principal;
         this.credentials = credentials;
+        this.isRemember = false;
     }
 
     public TestingAuthenticationToken(Object principal, Object credentials, String... authorities) {
@@ -53,6 +54,14 @@ public TestingAuthenticationToken(Object principal, Object credentials, List<Gra
         super(authorities);
         this.principal = principal;
         this.credentials = credentials;
+        this.isRemember = false;
+    }
+
+    public TestingAuthenticationToken(Object principal, Object credentials, List<GrantedAuthority> authorities, boolean isRemember) {
+        super(authorities);
+        this.principal = principal;
+        this.credentials = credentials;
+        this.isRemember = isRemember;
     }
 
     //~ Methods ========================================================================================================
@@ -64,4 +73,8 @@ public Object getCredentials() {
     public Object getPrincipal() {
         return this.principal;
     }
+
+    public boolean isRememberMe() {
+        return isRemember;
+    }
 }
diff --git a/core/src/test/java/org/springframework/security/authentication/AuthenticationTrustResolverImplTests.java b/core/src/test/java/org/springframework/security/authentication/AuthenticationTrustResolverImplTests.java
index 9acd77f1825..b74c661f450 100644
--- a/core/src/test/java/org/springframework/security/authentication/AuthenticationTrustResolverImplTests.java
+++ b/core/src/test/java/org/springframework/security/authentication/AuthenticationTrustResolverImplTests.java
@@ -45,7 +45,9 @@ public void testCorrectOperationIsRememberMe() {
         AuthenticationTrustResolverImpl trustResolver = new AuthenticationTrustResolverImpl();
         assertTrue(trustResolver.isRememberMe(
                 new RememberMeAuthenticationToken("ignored", "ignored", AuthorityUtils.createAuthorityList("ignored"))));
-        assertFalse(trustResolver.isAnonymous(
+        assertTrue(trustResolver.isRememberMe(
+                new TestingAuthenticationToken("ignored", "ignored", AuthorityUtils.createAuthorityList("ignored"), true)));
+        assertFalse(trustResolver.isRememberMe(
                 new TestingAuthenticationToken("ignored", "ignored", AuthorityUtils.createAuthorityList("ignored"))));
     }
 
diff --git a/samples/cas/sample/src/integration-test/groovy/org/springframework/security/samples/cas/CasSampleRememberMeTests.groovy b/samples/cas/sample/src/integration-test/groovy/org/springframework/security/samples/cas/CasSampleRememberMeTests.groovy
new file mode 100644
index 00000000000..533c5e50748
--- /dev/null
+++ b/samples/cas/sample/src/integration-test/groovy/org/springframework/security/samples/cas/CasSampleRememberMeTests.groovy
@@ -0,0 +1,61 @@
+/*
+ * Copyright 2012 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.springframework.security.samples.cas
+
+import geb.spock.*
+
+import org.junit.runner.RunWith;
+import org.spockframework.runtime.Sputnik;
+import org.springframework.security.samples.cas.pages.*
+
+import spock.lang.Shared;
+import spock.lang.Stepwise;
+
+/**
+ * Tests the remember-me feature in the CAS sample application.
+ *
+ * @author Jerome Leleu
+ * @since 3.2.0
+ */
+@Stepwise
+class CasSampleRememberMeTests extends AbstractCasTests {
+
+    def 'access isFullyAuthenticated page, authenticate with rme, logout from application'() {
+        when: 'Unauthenticated user accesses the isFullyAuthenticated page'
+        to IsFullyAuthenticatedPage
+        then: 'The login page is displayed'
+        at LoginPage
+        when: 'login with ROLE_USER after requesting the isFullyAuthenticated page'
+        login 'scott', true
+        then: 'the isFullyAuthenticated page is displayed'
+        at IsFullyAuthenticatedPage
+        navModule.logout.click()
+     }
+        
+     def 'request isFullyAuthenticated page and be redirected to login page'() {    
+        when: 'Unauthenticated user accesses the isFullyAuthenticated page'
+        to IsFullyAuthenticatedPage
+        then: 'The login page is displayed'
+        at LoginPage        
+    }
+
+    def 'request isAuthenticated page and access to it'() {
+        when: 'Unauthenticated user accesses the isAuthenticated page'
+        to IsAuthenticatedPage
+        then: 'The isAuthenticated page is displayed'
+        at IsAuthenticatedPage
+    }
+}
diff --git a/samples/cas/sample/src/integration-test/groovy/org/springframework/security/samples/cas/pages/IsAuthenticatedPage.groovy b/samples/cas/sample/src/integration-test/groovy/org/springframework/security/samples/cas/pages/IsAuthenticatedPage.groovy
new file mode 100644
index 00000000000..28cc728dc80
--- /dev/null
+++ b/samples/cas/sample/src/integration-test/groovy/org/springframework/security/samples/cas/pages/IsAuthenticatedPage.groovy
@@ -0,0 +1,34 @@
+/*
+ * Copyright 2012 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.springframework.security.samples.cas.pages;
+
+import geb.*
+import org.springframework.security.samples.cas.modules.*
+
+
+/**
+ * Represents the "isAuthenticated" page within the CAS Sample application.
+ *
+ * @author Jerome Leleu
+ * @since 3.2.0
+ */
+class IsAuthenticatedPage extends Page {
+    static url = "auth/"
+    static at = { assert $('h1').text() == 'isAuthenticated() Page'; true}
+    static content = {
+        navModule { module NavModule }
+    }
+}
\ No newline at end of file
diff --git a/samples/cas/sample/src/integration-test/groovy/org/springframework/security/samples/cas/pages/IsFullyAuthenticatedPage.groovy b/samples/cas/sample/src/integration-test/groovy/org/springframework/security/samples/cas/pages/IsFullyAuthenticatedPage.groovy
new file mode 100644
index 00000000000..8ee64691e72
--- /dev/null
+++ b/samples/cas/sample/src/integration-test/groovy/org/springframework/security/samples/cas/pages/IsFullyAuthenticatedPage.groovy
@@ -0,0 +1,34 @@
+/*
+ * Copyright 2012 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.springframework.security.samples.cas.pages;
+
+import geb.*
+import org.springframework.security.samples.cas.modules.*
+
+
+/**
+ * Represents the "isFullyAuthenticated" page within the CAS Sample application.
+ *
+ * @author Jerome Leleu
+ * @since 3.2.0
+ */
+class IsFullyAuthenticatedPage extends Page {
+    static url = "fully/"
+    static at = { assert $('h1').text() == 'isFullyAuthenticated() Page'; true}
+    static content = {
+        navModule { module NavModule }
+    }
+}
\ No newline at end of file
diff --git a/samples/cas/sample/src/integration-test/groovy/org/springframework/security/samples/cas/pages/LoginPage.groovy b/samples/cas/sample/src/integration-test/groovy/org/springframework/security/samples/cas/pages/LoginPage.groovy
index 5f7793e84ed..54a61cbb63f 100644
--- a/samples/cas/sample/src/integration-test/groovy/org/springframework/security/samples/cas/pages/LoginPage.groovy
+++ b/samples/cas/sample/src/integration-test/groovy/org/springframework/security/samples/cas/pages/LoginPage.groovy
@@ -26,9 +26,10 @@ class LoginPage extends Page {
     static url = loginUrl()
     static at = { assert driver.currentUrl.startsWith(loginUrl()); true}
     static content = {
-        login(required:false) { user, password=user ->
+        login(required:false) { user, rme=false, password=user ->
             loginForm.username = user
             loginForm.password = password
+            loginForm.rememberMe = rme
             submit.click()
         }
         loginForm { $('#login') }
diff --git a/samples/cas/sample/src/main/webapp/WEB-INF/applicationContext-security.xml b/samples/cas/sample/src/main/webapp/WEB-INF/applicationContext-security.xml
index 1efc9e0f56f..f82262ca006 100644
--- a/samples/cas/sample/src/main/webapp/WEB-INF/applicationContext-security.xml
+++ b/samples/cas/sample/src/main/webapp/WEB-INF/applicationContext-security.xml
@@ -16,8 +16,13 @@
         <intercept-url pattern="/cas-logout.jsp" access="permitAll"/>
         <intercept-url pattern="/casfailed.jsp" access="permitAll"/>
 
-        <intercept-url pattern="/secure/extreme/**"
-            access="hasRole('ROLE_SUPERVISOR')" />
+        <!-- to test CAS remember-me -->
+        <access-denied-handler ref="casRememberMeAccessDeniedHandler" />
+        <intercept-url pattern="/fully/**" access="isFullyAuthenticated()" />
+        <intercept-url pattern="/auth/**" access="isAuthenticated()" />
+        <!-- to test CAS remember-me -->
+
+        <intercept-url pattern="/secure/extreme/**" access="hasRole('ROLE_SUPERVISOR')" />
         <intercept-url pattern="/secure/**" access="hasRole('ROLE_USER')" />
         <intercept-url pattern="/**" access="hasRole('ROLE_USER')" />
         <custom-filter ref="requestSingleLogoutFilter" before="LOGOUT_FILTER"/>
@@ -26,6 +31,10 @@
         <logout logout-success-url="/cas-logout.jsp"/>
     </http>
 
+    <!-- to handle CAS remember-me -->
+    <b:bean id="casRememberMeAccessDeniedHandler" class="org.springframework.security.cas.web.CasRememberMeAccessDeniedHandler"
+      p:casAuthenticationEntryPoint-ref="casEntryPoint" />
+
     <authentication-manager alias="authManager">
         <authentication-provider ref="casAuthProvider" />
     </authentication-manager>
diff --git a/samples/cas/sample/src/main/webapp/auth/index.jsp b/samples/cas/sample/src/main/webapp/auth/index.jsp
new file mode 100644
index 00000000000..326745b7448
--- /dev/null
+++ b/samples/cas/sample/src/main/webapp/auth/index.jsp
@@ -0,0 +1,6 @@
+<html>
+<body>
+<h1>isAuthenticated() Page</h1>
+<p>This is a protected page. You can get to me if you've been authenticated.</p>
+</body>
+</html>
\ No newline at end of file
diff --git a/samples/cas/sample/src/main/webapp/fully/index.jsp b/samples/cas/sample/src/main/webapp/fully/index.jsp
new file mode 100644
index 00000000000..c3018c72c81
--- /dev/null
+++ b/samples/cas/sample/src/main/webapp/fully/index.jsp
@@ -0,0 +1,7 @@
+<html>
+<body>
+<h1>isFullyAuthenticated() Page</h1>
+<p>This is a protected page. You can get to me if you've authenticated this session.</p>
+<a href="../j_spring_security_logout">Logout</a>
+</body>
+</html>
\ No newline at end of file
diff --git a/samples/cas/sample/src/main/webapp/index.jsp b/samples/cas/sample/src/main/webapp/index.jsp
index 546d5996d76..e3594578cbc 100644
--- a/samples/cas/sample/src/main/webapp/index.jsp
+++ b/samples/cas/sample/src/main/webapp/index.jsp
@@ -6,6 +6,8 @@
 <p>Your principal object is....: <%= request.getUserPrincipal() %></p>
 
 <p><a href="secure/index.jsp">Secure page</a></p>
+<p><a href="fully/index.jsp">isFullyAuthenticated() page</a></p>
+<p><a href="auth/index.jsp">isAuthenticated() page</a></p>
 <p><a href="secure/ptSample">Proxy Ticket Sample page</a></p>
 <p><a href="secure/extreme/index.jsp">Extremely secure page</a></p>
 </body>
diff --git a/samples/cas/server/casserver.gradle b/samples/cas/server/casserver.gradle
index d3d98dc825f..50d5e63f8da 100644
--- a/samples/cas/server/casserver.gradle
+++ b/samples/cas/server/casserver.gradle
@@ -9,7 +9,7 @@ configurations {
     casServer
 }
 dependencies {
-    casServer "org.jasig.cas:cas-server-webapp:3.4.3.1@war"
+    casServer "org.jasig.cas:cas-server-webapp:3.5.0@war"
 }
 
 task casServerOverlay(type: Sync) {
diff --git a/samples/cas/server/src/main/webapp/WEB-INF/deployerConfigContext.xml b/samples/cas/server/src/main/webapp/WEB-INF/deployerConfigContext.xml
new file mode 100644
index 00000000000..61d5a9753d2
--- /dev/null
+++ b/samples/cas/server/src/main/webapp/WEB-INF/deployerConfigContext.xml
@@ -0,0 +1,72 @@
+<?xml version="1.0" encoding="UTF-8"?>
+
+<beans xmlns="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:p="http://www.springframework.org/schema/p" xmlns:sec="http://www.springframework.org/schema/security"
+    xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.1.xsd
+       http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.1.xsd">
+
+    <bean id="authenticationManager" class="org.jasig.cas.authentication.AuthenticationManagerImpl">
+
+        <property name="authenticationMetaDataPopulators">
+            <list>
+                <bean class="org.jasig.cas.authentication.principal.RememberMeAuthenticationMetaDataPopulator" />
+            </list>
+        </property>
+
+        <property name="credentialsToPrincipalResolvers">
+            <list>
+                <bean class="org.jasig.cas.authentication.principal.UsernamePasswordCredentialsToPrincipalResolver" />
+                <bean class="org.jasig.cas.authentication.principal.HttpBasedServiceCredentialsToPrincipalResolver" />
+            </list>
+        </property>
+
+        <property name="authenticationHandlers">
+            <list>
+                <bean class="org.jasig.cas.authentication.handler.support.HttpBasedServiceCredentialsAuthenticationHandler" p:httpClient-ref="httpClient" />
+                <bean class="org.jasig.cas.authentication.handler.support.SimpleTestUsernamePasswordAuthenticationHandler" />
+            </list>
+        </property>
+    </bean>
+
+
+    <sec:user-service id="userDetailsService">
+        <sec:user name="@@THIS SHOULD BE REPLACED@@" password="notused" authorities="ROLE_ADMIN" />
+    </sec:user-service>
+
+    <bean id="attributeRepository" class="org.jasig.services.persondir.support.StubPersonAttributeDao">
+        <property name="backingMap">
+            <map>
+                <entry key="uid" value="uid" />
+                <entry key="eduPersonAffiliation" value="eduPersonAffiliation" />
+                <entry key="groupMembership" value="groupMembership" />
+            </map>
+        </property>
+    </bean>
+
+    <bean id="serviceRegistryDao" class="org.jasig.cas.services.InMemoryServiceRegistryDaoImpl">
+        <property name="registeredServices">
+            <list>
+                <bean class="org.jasig.cas.services.RegexRegisteredService">
+                    <property name="id" value="0" />
+                    <property name="name" value="HTTP and IMAP" />
+                    <property name="description" value="Allows HTTP(S) and IMAP(S) protocols" />
+                    <property name="serviceId" value="^(https?|imaps?)://.*" />
+                    <property name="evaluationOrder" value="10000001" />
+                </bean>
+                <!-- Use the following definition instead of the above to further restrict access to services within your domain (including subdomains). Note that example.com must be replaced with the domain you wish to permit. -->
+                <!-- <bean class="org.jasig.cas.services.RegexRegisteredService"> <property name="id" value="1" /> <property name="name" value="HTTP and IMAP on example.com" /> <property name="description" value="Allows HTTP(S) and IMAP(S) protocols on example.com" /> <property name="serviceId" 
+                    value="^(https?|imaps?)://([A-Za-z0-9_-]+\.)*example\.com/.*" /> <property name="evaluationOrder" value="0" /> </bean> -->
+            </list>
+        </property>
+    </bean>
+
+    <bean id="auditTrailManager" class="com.github.inspektr.audit.support.Slf4jLoggingAuditTrailManager" />
+
+    <bean id="healthCheckMonitor" class="org.jasig.cas.monitor.HealthCheckMonitor">
+        <property name="monitors">
+            <list>
+                <bean class="org.jasig.cas.monitor.MemoryMonitor" p:freeMemoryWarnThreshold="10" />
+                <bean class="org.jasig.cas.monitor.SessionMonitor" p:ticketRegistry-ref="ticketRegistry" p:serviceTicketCountWarnThreshold="5000" p:sessionCountWarnThreshold="100000" />
+            </list>
+        </property>
+    </bean>
+</beans>
diff --git a/samples/cas/server/src/main/webapp/WEB-INF/login-webflow.xml b/samples/cas/server/src/main/webapp/WEB-INF/login-webflow.xml
new file mode 100644
index 00000000000..c766186d6d1
--- /dev/null
+++ b/samples/cas/server/src/main/webapp/WEB-INF/login-webflow.xml
@@ -0,0 +1,217 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+  ~ Licensed to Jasig under one or more contributor license
+  ~ agreements. See the NOTICE file distributed with this work
+  ~ for additional information regarding copyright ownership.
+  ~ Jasig licenses this file to you under the Apache License,
+  ~ Version 2.0 (the "License"); you may not use this file
+  ~ except in compliance with the License.  You may obtain a
+  ~ copy of the License at the following location:
+  ~
+  ~   http://www.apache.org/licenses/LICENSE-2.0
+  ~
+  ~ Unless required by applicable law or agreed to in writing,
+  ~ software distributed under the License is distributed on an
+  ~ "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+  ~ KIND, either express or implied.  See the License for the
+  ~ specific language governing permissions and limitations
+  ~ under the License.
+  -->
+
+<flow xmlns="http://www.springframework.org/schema/webflow"
+      xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+      xsi:schemaLocation="http://www.springframework.org/schema/webflow
+                          http://www.springframework.org/schema/webflow/spring-webflow-2.0.xsd">
+
+    <var name="credentials" class="org.jasig.cas.authentication.principal.RememberMeUsernamePasswordCredentials" />
+    
+    <on-start>
+        <evaluate expression="initialFlowSetupAction" />
+    </on-start>
+
+	<decision-state id="ticketGrantingTicketExistsCheck">
+		<if test="flowScope.ticketGrantingTicketId != null" then="hasServiceCheck" else="gatewayRequestCheck" />
+	</decision-state>
+    
+	<decision-state id="gatewayRequestCheck">
+		<if test="requestParameters.gateway != '' and requestParameters.gateway != null and flowScope.service != null" then="gatewayServicesManagementCheck" else="generateLoginTicket" />
+	</decision-state>
+	
+	<decision-state id="hasServiceCheck">
+		<if test="flowScope.service != null" then="renewRequestCheck" else="viewGenericLoginSuccess" />
+	</decision-state>
+	
+	<decision-state id="renewRequestCheck">
+		<if test="requestParameters.renew != '' and requestParameters.renew != null" then="generateLoginTicket" else="generateServiceTicket" />
+	</decision-state>
+	
+	<!-- 
+		The "warn" action makes the determination of whether to redirect directly to the requested
+		service or display the "confirmation" page to go back to the server.
+	-->
+	<decision-state id="warn">
+		<if test="flowScope.warnCookieValue" then="showWarningView" else="redirect" />
+	</decision-state>
+	
+	<!-- 
+	<action-state id="startAuthenticate">
+		<action bean="x509Check" />
+		<transition on="success" to="sendTicketGrantingTicket" />
+		<transition on="warn" to="warn" />
+		<transition on="error" to="generateLoginTicket" />
+	</action-state>
+	 -->
+    
+    <!--
+   		LPPE transitions begin here: You will also need to
+   		move over the 'lppe-configuration.xml' file from the
+   		'unused-spring-configuration' folder to the 'spring-configuration' folder
+   		so CAS can pick up the definition for the bean 'passwordPolicyAction'.
+   	-->
+	<action-state id="passwordPolicyCheck">
+		<evaluate expression="passwordPolicyAction" />
+		<transition on="showWarning" to="passwordServiceCheck" />
+		<transition on="success" to="sendTicketGrantingTicket" />
+		<transition on="error" to="viewLoginForm" />
+	</action-state>
+
+	<action-state id="passwordServiceCheck">
+		<evaluate expression="sendTicketGrantingTicketAction" />
+		<transition to="passwordPostCheck" />
+	</action-state>
+
+	<decision-state id="passwordPostCheck">
+		<if test="flowScope.service != null" then="warnPassRedirect" else="pwdWarningPostView" />
+	</decision-state>
+
+	<action-state id="warnPassRedirect">
+		<evaluate expression="generateServiceTicketAction" />
+		<transition on="success" to="pwdWarningPostView" />
+		<transition on="error" to="generateLoginTicket" />
+		<transition on="gateway" to="gatewayServicesManagementCheck" />
+	</action-state>
+
+	<end-state id="pwdWarningAbstractView">
+		<on-entry>
+			<set name="flowScope.passwordPolicyUrl" value="passwordPolicyAction.getPasswordPolicyUrl()" />
+		</on-entry>
+	</end-state>
+	<end-state id="pwdWarningPostView" view="casWarnPassView" parent="#pwdWarningAbstractView" />
+	<end-state id="casExpiredPassView" view="casExpiredPassView" parent="#pwdWarningAbstractView" />
+	<end-state id="casMustChangePassView" view="casMustChangePassView" parent="#pwdWarningAbstractView" />
+	<end-state id="casAccountDisabledView" view="casAccountDisabledView" />
+	<end-state id="casAccountLockedView" view="casAccountLockedView" />
+	<end-state id="casBadHoursView" view="casBadHoursView" />
+	<end-state id="casBadWorkstationView" view="casBadWorkstationView" />
+	<!-- LPPE transitions end here... -->
+	
+	<action-state id="generateLoginTicket">
+        <evaluate expression="generateLoginTicketAction.generate(flowRequestContext)" />
+		<transition on="generated" to="viewLoginForm" />
+	</action-state>
+    
+	<view-state id="viewLoginForm" view="casLoginView" model="credentials">
+        <binder>
+            <binding property="username" />
+            <binding property="password" />
+            <binding property="rememberMe" />
+        </binder>
+        <on-entry>
+            <set name="viewScope.commandName" value="'credentials'" />
+        </on-entry>
+		<transition on="submit" bind="true" validate="true" to="realSubmit">
+            <evaluate expression="authenticationViaFormAction.doBind(flowRequestContext, flowScope.credentials)" />
+        </transition>
+	</view-state>
+
+  	<action-state id="realSubmit">
+        <evaluate expression="authenticationViaFormAction.submit(flowRequestContext, flowScope.credentials, messageContext)" />
+        <!--
+	      To enable LPPE on the 'warn' replace the below transition with:
+	      <transition on="warn" to="passwordPolicyCheck" />
+
+	      CAS will attempt to transition to the 'warn' when there's a 'renew' parameter
+	      and there exists a ticketGrantingId and a service for the incoming request.
+	    -->
+		<transition on="warn" to="warn" />
+		<!--
+	      To enable LPPE on the 'success' replace the below transition with:
+	      <transition on="success" to="passwordPolicyCheck" />
+	    -->
+		<transition on="success" to="sendTicketGrantingTicket" />
+		<transition on="error" to="generateLoginTicket" />
+		<transition on="accountDisabled" to="casAccountDisabledView" />
+	    <transition on="mustChangePassword" to="casMustChangePassView" />
+	    <transition on="accountLocked" to="casAccountLockedView" />
+	    <transition on="badHours" to="casBadHoursView" />
+	    <transition on="badWorkstation" to="casBadWorkstationView" />
+	    <transition on="passwordExpired" to="casExpiredPassView" />
+	</action-state>
+	
+	<action-state id="sendTicketGrantingTicket">
+        <evaluate expression="sendTicketGrantingTicketAction" />
+		<transition to="serviceCheck" />
+	</action-state>
+
+	<decision-state id="serviceCheck">
+		<if test="flowScope.service != null" then="generateServiceTicket" else="viewGenericLoginSuccess" />
+	</decision-state>
+	
+	<action-state id="generateServiceTicket">
+        <evaluate expression="generateServiceTicketAction" />
+		<transition on="success" to ="warn" />
+		<transition on="error" to="generateLoginTicket" />
+		<transition on="gateway" to="gatewayServicesManagementCheck" />
+	</action-state>
+
+    <action-state id="gatewayServicesManagementCheck">
+        <evaluate expression="gatewayServicesManagementCheck" />
+        <transition on="success" to="redirect" />
+    </action-state>
+
+    <action-state id="redirect">
+        <evaluate expression="flowScope.service.getResponse(requestScope.serviceTicketId)" result-type="org.jasig.cas.authentication.principal.Response" result="requestScope.response" />
+        <transition to="postRedirectDecision" />
+    </action-state>
+
+    <decision-state id="postRedirectDecision">
+        <if test="requestScope.response.responseType.name() == 'POST'" then="postView" else="redirectView" />
+    </decision-state>
+
+	<!-- 
+		the "viewGenericLogin" is the end state for when a user attempts to login without coming directly from a service.
+		They have only initialized their single-sign on session.
+	-->
+	<end-state id="viewGenericLoginSuccess" view="casLoginGenericSuccessView" />
+
+	<!-- 
+		The "showWarningView" end state is the end state for when the user has requested privacy settings (to be "warned") to be turned on.  It delegates to a 
+		view defines in default_views.properties that display the "Please click here to go to the service." message.
+	-->
+	<end-state id="showWarningView" view="casLoginConfirmView" />
+
+    <end-state id="postView" view="postResponseView">
+        <on-entry>
+            <set name="requestScope.parameters" value="requestScope.response.attributes" />
+            <set name="requestScope.originalUrl" value="flowScope.service.id" />
+        </on-entry>
+    </end-state>
+
+	<!-- 
+		The "redirect" end state allows CAS to properly end the workflow while still redirecting
+		the user back to the service required.
+	-->
+	<end-state id="redirectView" view="externalRedirect:${requestScope.response.url}" />
+	
+	<end-state id="viewServiceErrorView" view="viewServiceErrorView" />
+    
+    <end-state id="viewServiceSsoErrorView" view="viewServiceSsoErrorView" />
+
+	<global-transitions>
+        <!-- CAS-1023 This one is simple - redirects to a login page (same as renew) when 'ssoEnabled' flag is unchecked
+             instead of showing an intermediate unauthorized view with a link to login page -->
+        <transition to="viewLoginForm" on-exception="org.jasig.cas.services.UnauthorizedSsoServiceException"/>
+        <transition to="viewServiceErrorView" on-exception="org.springframework.webflow.execution.repository.NoSuchFlowExecutionException" />
+		<transition to="viewServiceErrorView" on-exception="org.jasig.cas.services.UnauthorizedServiceException" />
+	</global-transitions>
+</flow>
\ No newline at end of file
diff --git a/samples/cas/server/src/main/webapp/WEB-INF/spring-configuration/ticketExpirationPolicies.xml b/samples/cas/server/src/main/webapp/WEB-INF/spring-configuration/ticketExpirationPolicies.xml
new file mode 100644
index 00000000000..4b93d221eda
--- /dev/null
+++ b/samples/cas/server/src/main/webapp/WEB-INF/spring-configuration/ticketExpirationPolicies.xml
@@ -0,0 +1,35 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!-- ~ Licensed to Jasig under one or more contributor license ~ agreements. See the NOTICE file distributed with this work ~ for additional information regarding copyright ownership. ~ Jasig licenses this file to you under the Apache License, ~ Version 2.0 (the "License"); you may 
+    not use this file ~ except in compliance with the License. You may obtain a ~ copy of the License at the following location: ~ ~ http://www.apache.org/licenses/LICENSE-2.0 ~ ~ Unless required by applicable law or agreed to in writing, ~ software distributed under the License is distributed 
+    on an ~ "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY ~ KIND, either express or implied. See the License for the ~ specific language governing permissions and limitations ~ under the License. -->
+
+<beans xmlns="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:p="http://www.springframework.org/schema/p" xmlns:c="http://www.springframework.org/schema/c" xmlns:util="http://www.springframework.org/schema/util"
+    xsi:schemaLocation="http://www.springframework.org/schema/beans
+                           http://www.springframework.org/schema/beans/spring-beans.xsd
+                           http://www.springframework.org/schema/util
+                           http://www.springframework.org/schema/util/spring-util.xsd">
+    <description>
+        Assignment of expiration policies for the different tickets generated by CAS including ticket granting ticket
+        (TGT), service ticket (ST), proxy granting ticket (PGT), and proxy ticket (PT).
+        These expiration policies determine how long the ticket they are assigned
+        to can be used and even how often they
+        can be used before becoming expired / invalid.
+    </description>
+
+    <!-- Expiration policies -->
+    <util:constant id="SECONDS" static-field="java.util.concurrent.TimeUnit.SECONDS" />
+    <bean id="serviceTicketExpirationPolicy" class="org.jasig.cas.ticket.support.MultiTimeUseOrTimeoutExpirationPolicy" c:numberOfUses="1" c:timeToKill="${st.timeToKillInSeconds:10}" c:timeUnit-ref="SECONDS" />
+
+    <bean id="grantingTicketExpirationPolicy" class="org.jasig.cas.ticket.support.RememberMeDelegatingExpirationPolicy">
+        <property name="sessionExpirationPolicy">
+            <bean class="org.jasig.cas.ticket.support.TimeoutExpirationPolicy">
+                <constructor-arg index="0" value="7200000" />
+            </bean>
+        </property>
+        <property name="rememberMeExpirationPolicy">
+            <bean class="org.jasig.cas.ticket.support.TimeoutExpirationPolicy">
+                <constructor-arg index="0" value="3600000000" />
+            </bean>
+        </property>
+    </bean>
+</beans>
diff --git a/samples/cas/server/src/main/webapp/WEB-INF/view/jsp/default/ui/casLoginView.jsp b/samples/cas/server/src/main/webapp/WEB-INF/view/jsp/default/ui/casLoginView.jsp
new file mode 100644
index 00000000000..4d916f7117c
--- /dev/null
+++ b/samples/cas/server/src/main/webapp/WEB-INF/view/jsp/default/ui/casLoginView.jsp
@@ -0,0 +1,143 @@
+<%@ taglib prefix="fn" uri="http://java.sun.com/jsp/jstl/functions" %>
+<%@ taglib prefix="form" uri="http://www.springframework.org/tags/form" %>
+<%@ taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core" %>
+
+<%--
+  ~ Licensed to Jasig under one or more contributor license
+  ~ agreements. See the NOTICE file distributed with this work
+  ~ for additional information regarding copyright ownership.
+  ~ Jasig licenses this file to you under the Apache License,
+  ~ Version 2.0 (the "License"); you may not use this file
+  ~ except in compliance with the License.  You may obtain a
+  ~ copy of the License at the following location:
+  ~
+  ~   http://www.apache.org/licenses/LICENSE-2.0
+  ~
+  ~ Unless required by applicable law or agreed to in writing,
+  ~ software distributed under the License is distributed on an
+  ~ "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+  ~ KIND, either express or implied.  See the License for the
+  ~ specific language governing permissions and limitations
+  ~ under the License.
+  --%>
+
+<%@ page contentType="text/html; charset=UTF-8" %>
+<jsp:directive.include file="includes/top.jsp" />
+
+<c:if test="${not pageContext.request.secure}">
+<div id="msg" class="errors">
+    <h2>Non-secure Connection</h2>
+    <p>You are currently accessing CAS over a non-secure connection.  Single Sign On WILL NOT WORK.  In order to have single sign on work, you MUST log in over HTTPS.</p>
+</div>
+</c:if>
+
+  <div class="box fl-panel" id="login">
+			<form:form method="post" id="fm1" cssClass="fm-v clearfix" commandName="${commandName}" htmlEscape="true">
+                  <form:errors path="*" id="msg" cssClass="errors" element="div" />
+                <!-- <spring:message code="screen.welcome.welcome" /> -->
+                    <h2><spring:message code="screen.welcome.instructions" /></h2>
+                    <div class="row fl-controls-left">
+                        <label for="username" class="fl-label"><spring:message code="screen.welcome.label.netid" /></label>
+						<c:if test="${not empty sessionScope.openIdLocalId}">
+						<strong>${sessionScope.openIdLocalId}</strong>
+						<input type="hidden" id="username" name="username" value="${sessionScope.openIdLocalId}" />
+						</c:if>
+
+						<c:if test="${empty sessionScope.openIdLocalId}">
+						<spring:message code="screen.welcome.label.netid.accesskey" var="userNameAccessKey" />
+						<form:input cssClass="required" cssErrorClass="error" id="username" size="25" tabindex="1" accesskey="${userNameAccessKey}" path="username" autocomplete="false" htmlEscape="true" />
+						</c:if>
+                    </div>
+                    <div class="row fl-controls-left">
+                        <label for="password" class="fl-label"><spring:message code="screen.welcome.label.password" /></label>
+						<%--
+						NOTE: Certain browsers will offer the option of caching passwords for a user.  There is a non-standard attribute,
+						"autocomplete" that when set to "off" will tell certain browsers not to prompt to cache credentials.  For more
+						information, see the following web page:
+						http://www.geocities.com/technofundo/tech/web/ie_autocomplete.html
+						--%>
+						<spring:message code="screen.welcome.label.password.accesskey" var="passwordAccessKey" />
+						<form:password cssClass="required" cssErrorClass="error" id="password" size="25" tabindex="2" path="password"  accesskey="${passwordAccessKey}" htmlEscape="true" autocomplete="off" />
+                    </div>
+                    <div class="row check">
+                        <input id="warn" name="warn" value="true" tabindex="3" accesskey="<spring:message code="screen.welcome.label.warn.accesskey" />" type="checkbox" />
+                        <label for="warn"><spring:message code="screen.welcome.label.warn" /></label>
+                    </div>
+                    <div class="row check">
+                        <input id="rememberMe" name="rememberMe" value="true" tabindex="4" type="checkbox" />
+                        <label for="rememberMe">Remember-me</label>
+                    </div>
+                    <div class="row btn-row">
+						<input type="hidden" name="lt" value="${loginTicket}" />
+						<input type="hidden" name="execution" value="${flowExecutionKey}" />
+						<input type="hidden" name="_eventId" value="submit" />
+
+                        <input class="btn-submit" name="submit" accesskey="l" value="<spring:message code="screen.welcome.button.login" />" tabindex="4" type="submit" />
+                        <input class="btn-reset" name="reset" accesskey="c" value="<spring:message code="screen.welcome.button.clear" />" tabindex="5" type="reset" />
+                    </div>
+            </form:form>
+          </div>
+            <div id="sidebar">
+                <p class="fl-panel fl-note fl-bevel-white fl-font-size-80"><spring:message code="screen.welcome.security" /></p>
+                <div id="list-languages" class="fl-panel">
+                <%final String queryString = request.getQueryString() == null ? "" : request.getQueryString().replaceAll("&locale=([A-Za-z][A-Za-z]_)?[A-Za-z][A-Za-z]|^locale=([A-Za-z][A-Za-z]_)?[A-Za-z][A-Za-z]", "");%>
+					<c:set var='query' value='<%=queryString%>' />
+                    <c:set var="xquery" value="${fn:escapeXml(query)}" />
+                  <h3>Languages:</h3>
+                  <c:choose>
+                     <c:when test="${not empty requestScope['isMobile'] and not empty mobileCss}">
+                        <form method="get" action="login?${xquery}">
+                           <select name="locale">
+                               <option value="en">English</option>
+                               <option value="es">Spanish</option>
+                               <option value="fr">French</option>
+                               <option value="ru">Russian</option>
+                               <option value="nl">Nederlands</option>
+                               <option value="sv">Svenskt</option>
+                               <option value="it">Italiano</option>
+                               <option value="ur">Urdu</option>
+                               <option value="zh_CN">Chinese (Simplified)</option>
+                               <option value="zh_TW">Chinese (Traditional)</option>
+                               <option value="de">Deutsch</option>
+                               <option value="ja">Japanese</option>
+                               <option value="hr">Croatian</option>
+                               <option value="cs">Czech</option>
+                               <option value="sl">Slovenian</option>
+                               <option value="pl">Polish</option>
+                               <option value="ca">Catalan</option>
+                               <option value="mk">Macedonian</option>
+                               <option value="fa">Farsi</option>
+                               <option value="ar">Arabic</option>
+                           </select>
+                           <input type="submit" value="Switch">
+                        </form>
+                     </c:when>
+                     <c:otherwise>
+                        <c:set var="loginUrl" value="login?${xquery}${not empty xquery ? '&' : ''}locale=" />
+						<ul
+							><li class="first"><a href="${loginUrl}en">English</a></li
+							><li><a href="${loginUrl}es">Spanish</a></li
+							><li><a href="${loginUrl}fr">French</a></li
+							><li><a href="${loginUrl}ru">Russian</a></li
+							><li><a href="${loginUrl}nl">Nederlands</a></li
+							><li><a href="${loginUrl}sv">Svenskt</a></li
+							><li><a href="${loginUrl}it">Italiano</a></li
+							><li><a href="${loginUrl}ur">Urdu</a></li
+							><li><a href="${loginUrl}zh_CN">Chinese (Simplified)</a></li
+                            ><li><a href="${loginUrl}zh_TW">Chinese (Traditional)</a></li
+							><li><a href="${loginUrl}de">Deutsch</a></li
+							><li><a href="${loginUrl}ja">Japanese</a></li
+							><li><a href="${loginUrl}hr">Croatian</a></li
+							><li><a href="${loginUrl}cs">Czech</a></li
+							><li><a href="${loginUrl}sl">Slovenian</a></li
+                            ><li><a href="${loginUrl}ca">Catalan</a></li
+                            ><li><a href="${loginUrl}mk">Macedonian</a></li
+                            ><li><a href="${loginUrl}fa">Farsi</a></li
+                            ><li><a href="${loginUrl}ar">Arabic</a></li
+							><li class="last"><a href="${loginUrl}pl">Polish</a></li
+						></ul>
+                     </c:otherwise>
+                   </c:choose>
+                </div>
+            </div>
+<jsp:directive.include file="includes/bottom.jsp" />
\ No newline at end of file
diff --git a/samples/cas/server/src/main/webapp/WEB-INF/view/jsp/protocol/2.0/casServiceValidationSuccess.jsp b/samples/cas/server/src/main/webapp/WEB-INF/view/jsp/protocol/2.0/casServiceValidationSuccess.jsp
new file mode 100644
index 00000000000..18302653b56
--- /dev/null
+++ b/samples/cas/server/src/main/webapp/WEB-INF/view/jsp/protocol/2.0/casServiceValidationSuccess.jsp
@@ -0,0 +1,37 @@
+<%@ page session="false" %><%@ taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core" %><%@ taglib uri="http://java.sun.com/jsp/jstl/functions" prefix="fn" %><%--
+  ~ Licensed to Jasig under one or more contributor license
+  ~ agreements. See the NOTICE file distributed with this work
+  ~ for additional information regarding copyright ownership.
+  ~ Jasig licenses this file to you under the Apache License,
+  ~ Version 2.0 (the "License"); you may not use this file
+  ~ except in compliance with the License.  You may obtain a
+  ~ copy of the License at the following location:
+  ~
+  ~   http://www.apache.org/licenses/LICENSE-2.0
+  ~
+  ~ Unless required by applicable law or agreed to in writing,
+  ~ software distributed under the License is distributed on an
+  ~ "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+  ~ KIND, either express or implied.  See the License for the
+  ~ specific language governing permissions and limitations
+  ~ under the License.
+  --%>
+
+<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
+	<cas:authenticationSuccess>
+		<cas:user>${fn:escapeXml(assertion.chainedAuthentications[fn:length(assertion.chainedAuthentications)-1].principal.id)}</cas:user>
+		<c:if test="${assertion.chainedAuthentications[0].attributes['org.jasig.cas.authentication.principal.REMEMBER_ME'] && !assertion.fromNewLogin}">
+			<cas:attributes><cas:longTermAuthenticationRequestTokenUsed>true</cas:longTermAuthenticationRequestTokenUsed></cas:attributes>
+		</c:if>
+<c:if test="${not empty pgtIou}">
+		<cas:proxyGrantingTicket>${pgtIou}</cas:proxyGrantingTicket>
+</c:if>
+<c:if test="${fn:length(assertion.chainedAuthentications) > 1}">
+		<cas:proxies>
+<c:forEach var="proxy" items="${assertion.chainedAuthentications}" varStatus="loopStatus" begin="0" end="${fn:length(assertion.chainedAuthentications)-2}" step="1">
+			<cas:proxy>${fn:escapeXml(proxy.principal.id)}</cas:proxy>
+</c:forEach>
+		</cas:proxies>
+</c:if>
+	</cas:authenticationSuccess>
+</cas:serviceResponse>
\ No newline at end of file