When SPNEGO is turned on (typically for Kerberos SSO) together with CAS 
mixed authentication (i.e. showing the login form when SPNEGO fails), 
CAS login failure throttling seems to be broken.

Reproduction (tested with the 6.x CAS series, but it probably also manifests 
in other versions):

   1. User enters the CAS login page and SPNEGO fails for whatever reason 
   (e.g. when in a testing environment).
   2. User enters invalid credentials and submits the login form *for the 
   very first time (in a given period of time)*.
   3. *Expected*: CAS shows "Invalid name or password" or similar to the 
   user.
   4. *Actual*: CAS shows "You've entered the wrong password for the user 
   too many times. You've been throttled."

I couldn't find this reported anywhere, yet the issue's *reason* seems to 
be quite an evident shortcoming in the CAS login web flow definition:

   - there is this *seemingly unnecessary* transition from "failed login 
   form submission" back to the very beginning of the login flow, which 
   immediately launches the SPNEGO decision step, which in turn sends status 
   401 and the WWW-Authenticate 
   <https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/WWW-Authenticate> 
   header to the browser again
   - upon this, the browser reacts according to the specs, i.e. immediately 
   re-posts the login form with a corresponding Authorization header (caution: 
   this second request is not visible in the browser's network console)
   - as this happens within a few (tens of) milliseconds, the failure 
   throttling mechanism evaluates this as misbehavior and blocks the user as 
   described above

I wonder if anybody else has experienced this issue. And if so, what was your 
solution? Altering the web flow, altering the SPNEGO decision action class 
to remember its last decision, or something else?

-- 
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
--- 
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to [email protected].
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/53df577b-33a8-4639-acb1-266333a3581dn%40apereo.org.
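As an added illustration (not part of the original post, and not CAS code), the following Python model replays the sequence the post describes: the login-page GET that triggers the first Negotiate challenge, the wrong-password POST, the flow restart that challenges again, the browser's silent re-POST, and an interval-based throttle that then sees two failures a few milliseconds apart. It also runs the two fixes the poster asks about as variants. The throttle is a simplified model whose parameter names (failure_threshold, failure_range_seconds) mirror CAS's settings; the 15 ms browser reply delay, the session and username keys, the variant names "remember-spnego" and "no-restart", and the constructed credentials are all assumptions made for this example.

```python
"""Model of the SPNEGO challenge / flow restart / throttle interaction described above.
Added illustration for this page, not CAS code: the throttle is a simplified interval-based
policy and the webflow is reduced to the single transition the post points at."""
from __future__ import annotations
from dataclasses import dataclass, field, replace

VALID_PASSWORD = "correct-horse"     # constructed test credential
SPNEGO_TOKEN_VALID = False           # assumption: no usable Kerberos ticket in this environment
INVALID_MESSAGE = "Invalid credentials"
THROTTLED_MESSAGE = ("You've entered the wrong password for the user too many times. "
                     "You've been throttled.")


@dataclass
class Request:
    t_ms: int                          # time the request reaches CAS, in milliseconds
    method: str                        # "GET" (open login page) or "POST" (submit the form)
    session: str
    username: str
    password: str | None = None
    authorization: str | None = None   # "Negotiate <token>" on the browser's automatic reply


@dataclass
class Response:
    status: int
    message: str
    headers: dict[str, str] = field(default_factory=dict)


class IntervalThrottle:
    """Reject a failed submission when failures for one key arrive faster than
    failure_threshold / failure_range_seconds failures per second (simplified model)."""

    def __init__(self, failure_threshold: int = 100, failure_range_seconds: int = 60) -> None:
        self.threshold_rate = failure_threshold / failure_range_seconds   # failures per second
        self.last_failure_ms: dict[str, int] = {}

    def exceeds(self, key: str, now_ms: int) -> bool:
        last = self.last_failure_ms.get(key)
        if last is None:
            return False
        elapsed_s = max(now_ms - last, 1) / 1000.0
        return 1.0 / elapsed_s > self.threshold_rate

    def record_failure(self, key: str, now_ms: int) -> None:
        self.last_failure_ms[key] = now_ms


class CasLoginFlow:
    """Reduced login webflow. fix selects the variant (names are this example's, not CAS's):
    "none"             failed submission -> flow start -> SPNEGO decision challenges again
    "remember-spnego"  the SPNEGO decision challenges a given session only once
    "no-restart"       failed submission transitions back to the form view, not the flow start"""

    def __init__(self, fix: str = "none") -> None:
        self.fix = fix
        self.throttle = IntervalThrottle()
        self.challenged: set[str] = set()

    def spnego_challenge_wanted(self, req: Request) -> bool:
        if req.authorization is not None:
            return False               # client already answered; the token never validates here
        if self.fix == "remember-spnego" and req.session in self.challenged:
            return False
        return True

    def handle(self, req: Request) -> Response:
        if req.method == "GET":
            if self.spnego_challenge_wanted(req):
                self.challenged.add(req.session)
                return Response(401, "login form", {"WWW-Authenticate": "Negotiate"})
            return Response(200, "login form")       # mixed mode: SPNEGO failed, show the form
        if self.throttle.exceeds(req.username, req.t_ms):
            return Response(423, THROTTLED_MESSAGE)
        if req.authorization is not None and SPNEGO_TOKEN_VALID:
            return Response(200, "Logged in via SPNEGO")
        if req.password == VALID_PASSWORD:
            return Response(200, "Logged in")
        self.throttle.record_failure(req.username, req.t_ms)
        # The transition the post points at: a failed submission goes back to the flow start,
        # where the SPNEGO decision may issue a fresh 401 instead of rendering the error page.
        if self.fix != "no-restart" and self.spnego_challenge_wanted(req):
            self.challenged.add(req.session)
            return Response(401, INVALID_MESSAGE, {"WWW-Authenticate": "Negotiate"})
        return Response(200, INVALID_MESSAGE)


class Browser:
    """A 401 carrying WWW-Authenticate: Negotiate is answered by repeating the same request with an
    Authorization header a few milliseconds later, without user interaction (and without showing
    up in the network console)."""
    REPLY_DELAY_MS = 15                # assumption

    def send(self, server: CasLoginFlow, req: Request) -> Response:
        resp = server.handle(req)
        if resp.status == 401 and resp.headers.get("WWW-Authenticate", "").startswith("Negotiate"):
            reply = replace(req, t_ms=req.t_ms + self.REPLY_DELAY_MS, authorization="Negotiate <token>")
            resp = server.handle(reply)
        return resp


def run_user_scenario(fix: str) -> str:
    """Steps 1-2 of the reproduction: open the login page, then submit wrong credentials once."""
    server, browser = CasLoginFlow(fix), Browser()
    browser.send(server, Request(0, "GET", "sess-1", "alice"))
    return browser.send(server, Request(30_000, "POST", "sess-1", "alice", "wrong")).message


def run_scripted_attack(fix: str) -> str:
    """Control: a script that ignores the 401 and re-posts 10 ms later must still be throttled."""
    server = CasLoginFlow(fix)
    server.handle(Request(30_000, "POST", "sess-2", "alice", "guess1"))
    return server.handle(Request(30_010, "POST", "sess-2", "alice", "guess2")).message


if __name__ == "__main__":
    for variant in ("none", "remember-spnego", "no-restart"):
        print(f"[{variant}] user sees: {run_user_scenario(variant)}")
        print(f"[{variant}] scripted client sees: {run_scripted_attack(variant)}")
```

Run as a script, the "none" variant reproduces the post's "Actual" outcome (one wrong submission, throttled), while both fix variants show the plain invalid-credentials message; the scripted-client control shows that neither fix weakens the throttle against a client that really does fire two failures 10 ms apart.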