My "success" is that after 3 unsuccessful auth attempts the fourth one is 
successful (forwarding me back to the resource being protected).

If the REST API has no throttling support then this may be pointless as 
protecting the REST API was the purpose of this endeavor.

Is there a recommended path to protecting the REST API beyond sensible 
firewall rules?

Thank you much,

Mike

On Tuesday, April 26, 2016 at 4:20:22 PM UTC-7, Misagh Moayyed wrote:
>
> REST API has no throttling support. So don’t test that one. Rapid clicking 
> will likely not produce anything meaningful. You likely need an automated 
> tool like JMeter and such to throw a load at the server, or turn up logs 
> and see how CAS is treating every bad authn request. 
>
> And when you say “continue to succeed”, how exactly do you define 
> “success”? Are you looking at HTTP Status codes? UI messages telling you 
> everything went through and you logged in? 
>
> *From:* [email protected] [mailto:[email protected]] *On Behalf Of *Mike Richards
> *Sent:* Tuesday, April 26, 2016 1:09 PM
> *To:* CAS Community <[email protected]>
> *Subject:* [cas-user] HOWTO: Configure throttling for 4.2?
>
> Hello,
>
> I'm attempting to configure throttling for a 4.2 installation. As the 4.2 
> documentation 
> <http://jasig.github.io/cas/4.2.x/installation/Configuring-Authentication-Throttling.html>
> appears to be incomplete I've tried to use the 4.1 documentation 
> <http://jasig.github.io/cas/4.1.x/installation/Configuring-Authentication-Throttling.html>
> as a secondary reference.
>
> I've done the following:
>
>    - Replace <alias name="neverThrottle" alias="authenticationThrottle" />
>      with <alias name="inMemoryIpAddressUsernameThrottle"
>      alias="authenticationThrottle" /> in deployerConfigContext.xml
>    - Set the following properties in cas.properties (deployed to
>      /etc/cas) based on the 4.1 docs:
>       - cas.throttle.failure.threshold=5
>       - cas.throttle.failure.range.seconds=3
>       - cas.throttle.username.parameter=username
>
> I haven't filled in anything for the following properties; they remain 
> commented
>
>    - cas.throttle.appcode
>    - cas.throttle.authn.failurecode
>    - cas.throttle.audit.query
>
> I've tried testing this two ways:
>
>    - 4 browser windows with rapid clicking (all 4 attempts in less than 3 
>    seconds)
>    - 25 login attempts via the REST API (POST against /cas/v1/tickets)
>
>
> Both continue to succeed. Can anyone point out what I'm missing?
>
> Thank you much,
>
> Mike
>
> -- 
> You received this message because you are subscribed to the Google Groups 
> "CAS Community" group.
> To unsubscribe from this group and stop receiving emails from it, send an 
> email to [email protected].
> To post to this group, send email to [email protected].
> Visit this group at https://groups.google.com/a/apereo.org/group/cas-user/.
> To view this discussion on the web visit 
> https://groups.google.com/a/apereo.org/d/msgid/cas-user/5221375c-0908-43cd-b137-be0be8031817%40apereo.org.
> For more options, visit https://groups.google.com/a/apereo.org/d/optout.
>

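The script below is an added example (mine, not CAS project code and not part of either poster's message) for testing throttling the way Misagh suggests: at a controlled pace, reading HTTP status codes rather than UI messages. It has two parts. The offline model encodes my reading of the CAS 4.x in-memory IP+username throttle: only failed authentications are recorded, one timestamp per (client IP, username) key, and a new attempt is rejected when 1/(seconds since the last recorded failure) exceeds cas.throttle.failure.threshold / cas.throttle.failure.range.seconds. That reading is an assumption to confirm against the source of the version you run; under it, threshold=5 and range.seconds=3 give a limit of 1.67 failures per second, so two failures must land less than 0.6 s apart to trip it, and a correct password submitted inside that window is still rejected. The status codes 401 (bad credentials), 201 (ticket granted) and 403 (throttled) are placeholders, as are CAS_URL, USERNAME and PASSWORD; the live probe against /v1/tickets just reports whatever raw codes your server returns, and per Misagh's reply that endpoint is unthrottled in 4.2, so the throttle model only describes the login-form interceptor.

```python
"""Probe CAS authentication throttling and model the threshold/range settings.

Added example, not CAS project code.  Assumptions (labelled):
- The offline model follows my reading of the CAS 4.x in-memory IP+username
  throttle (rate check, failures only, one timestamp per key); verify it
  against the source of your version.
- 401 / 201 / 403 are placeholder codes for failed authn / success /
  throttled; the live probe never assumes them, it reports raw codes.
- CAS_URL, USERNAME and PASSWORD are placeholders.
"""
from collections import Counter
import time
import urllib.error
import urllib.parse
import urllib.request


# --- offline model of the in-memory IP+username throttle (assumed semantics) --

def simulate(events, threshold=5, range_seconds=3):
    """Replay (t_ms, password_ok) events for one client IP + username.

    Returns one assumed status per event: 201 ticket granted, 401 bad
    credentials, 403 rejected by the throttle before the password is checked.
    """
    threshold_rate = threshold / range_seconds   # allowed failures per second
    last_failure_ms = None                        # one timestamp per key
    statuses = []
    for t_ms, password_ok in events:
        if last_failure_ms is not None:
            elapsed = t_ms - last_failure_ms
            rate = float("inf") if elapsed <= 0 else 1000.0 / elapsed
            if rate > threshold_rate:
                statuses.append(403)   # throttled; the timestamp is NOT refreshed
                continue
        if password_ok:
            statuses.append(201)       # successes are not recorded
        else:
            last_failure_ms = t_ms     # failures move the timestamp forward
            statuses.append(401)
    return statuses


# --- live probe of the REST endpoint (needs a running CAS) -------------------

def post_ticket(cas_url, username, password, timeout=5):
    """POST to /v1/tickets and return the raw HTTP status, whatever it is."""
    body = urllib.parse.urlencode({"username": username,
                                   "password": password}).encode()
    req = urllib.request.Request(cas_url.rstrip("/") + "/v1/tickets",
                                 data=body, method="POST")
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def probe_rest(cas_url, username, password, attempts=25, gap_seconds=0.1):
    """Fire bad logins at a fixed pace; return a Counter of status codes.

    A throttle shows up as a second status code appearing after the first
    few attempts; an unthrottled endpoint returns the same failure code
    `attempts` times.
    """
    codes = []
    for i in range(attempts):
        codes.append(post_ticket(cas_url, username, password))
        if i + 1 < attempts:
            time.sleep(gap_seconds)
    return Counter(codes)


if __name__ == "__main__":
    # Four failures inside three seconds, about one per second: under the
    # assumed rate model with 5/3 this never trips (each gap is > 600 ms).
    print(simulate([(0, False), (1000, False), (2000, False), (2900, False)]))
    # 25 failures 250 ms apart: throttled in a 401,403,403 pattern.
    print(Counter(simulate([(i * 250, False) for i in range(25)])))
    # Three fast failures, then the right password 100 ms later: still 403.
    print(simulate([(0, False), (100, False), (200, False), (300, True)]))
    # Same, but the right password comes 1 s after the last recorded failure.
    print(simulate([(0, False), (100, False), (200, False), (1000, True)]))
    # Live run (placeholders; expect one code repeated if REST is unthrottled):
    # print(probe_rest("https://cas.example.org/cas", "USERNAME", "wrong-password"))
```

To compare the live probe with the model, run it at two paces (say 0.1 s and 1 s gaps) against the same account and look at whether a second status code ever appears; with cas.throttle logging turned up as Misagh suggests, each 403 in the model should correspond to a throttle warning on the server for the login-form path.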