Hi, I want to prevent a CAS server from being used to guess passwords, so I'm reading the docs about Authentication Throttling. I find it somewhat confusing, because it is not clear how period and threshold work together. From the docs:

> All login throttling components that ship with CAS limit successive failed login attempts that exceed a threshold rate in failures per second. The following properties are provided to define the failure rate:
>
> failureRangeInSeconds: Period of time in seconds during which the threshold applies.
> failureThreshold: Number of failed login attempts permitted in the above period.

On the other hand, I've read in this group:

> Those throttle settings get reduced to a common denominator. When you set 3 failures within 15 seconds, it is converted to 1 in 5 seconds.

If I'm understanding it correctly, there is no point having two different properties instead of just a hypothetical "secondsBetweenConsecutiveFailures". Besides that, the logged message (e.g. "More than [3] failed login attempts within [15] seconds. Authentication attempt exceeds the failure threshold [3]") is very misleading, as it can be triggered just after two quick failed logins.

Is there no way of sending the IP/username to the waiting room when failing four times in a minute, but not when failing two times in 30 seconds?

Regards,
--
Alberto Cabello Sánchez
Servicio de Informática
Universidad de Extremadura
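A small model of the two throttling rules discussed in the thread, added here as an illustration (not CAS's own code): the per-failure-interval rule the settings are said to be reduced to, beside a sliding-window count of failures. The function names and the sample failure timestamps are constructed for this example.

```python
from collections import deque

def rate_throttle(timestamps, threshold, range_seconds):
    """Model of the 'reduced to a common denominator' rule (assumption,
    not CAS's implementation): threshold/range becomes a minimum gap
    between consecutive failures (3 in 15 s -> one failure per 5 s).
    A failure arriving sooner than that gap after the previous failure
    is throttled. Returns the timestamps that would be throttled."""
    min_gap = range_seconds / threshold
    blocked, last = [], None
    for t in timestamps:
        if last is not None and t - last < min_gap:
            blocked.append(t)
        last = t  # every failure, blocked or not, resets the clock
    return blocked

def window_throttle(timestamps, threshold, range_seconds):
    """Sliding-window count: a failure is throttled when more than
    `threshold` failures (this one included) fall within the last
    `range_seconds`. This is the reading of the two properties the
    poster expected. Returns the timestamps that would be throttled."""
    window, blocked = deque(), []
    for t in timestamps:
        while window and t - window[0] > range_seconds:
            window.popleft()  # drop failures that fell out of the window
        window.append(t)
        if len(window) > threshold:
            blocked.append(t)
    return blocked

# Constructed failure times (seconds) for one client, with the thread's
# settings: failureThreshold=3, failureRangeInSeconds=15.
TWO_QUICK = [0, 2]           # two failures 2 s apart
FOUR_STEADY = [0, 4, 8, 12]  # four failures inside 15 s, 4 s apart

if __name__ == "__main__":
    for label, times in (("two quick", TWO_QUICK), ("four steady", FOUR_STEADY)):
        print(label, "rate rule blocks:", rate_throttle(times, 3, 15),
              "window rule blocks:", window_throttle(times, 3, 15))
```

With these inputs the interval rule throttles the second of two failures 2 s apart, while the window count only acts on the fourth failure within 15 s.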
