Hi all,

we have dug deeper into this throttling stuff and it looks like when *blocking* is set to *true*, it currently effectively blocks *all* requests while blocking one request. This is given by how the DefaultBucketConsumer.consume(final String key) <https://github.com/apereo/cas/blob/v7.3.1/support/cas-server-support-bucket4j-core/src/main/java/org/apereo/cas/bucket4j/consumer/DefaultBucketConsumer.java#L33> method is currently implemented: it first waits to acquire a lock (if not obtained within 3 seconds, null is returned and a NullPointerException is thrown in the calling code). Then it executes all the Bucket4j processing, including pausing (parking) the thread if blocking is enabled, *within that lock*. So we are not really sure about this mechanism and we always rather set blocking to *false* where it makes sense.

Another slightly confusing point is the part of the documentation which Community shared here. Why? Because the Bucket instance for capacity throttling *per "client IP address"* seems to be actually created just for Throttling Authentication Attempts - Capacity <https://apereo.github.io/cas/7.3.x/authentication/Configuring-Authentication-Throttling-Capacity.html>. For Simple Multifactor Authentication - Rate Limiting <https://apereo.github.io/cas/7.3.x/mfa/Simple-Multifactor-Authentication-RateLimiting.html> ("rate-limiting for token requests"), the Bucket's key seems to be *username* (principal.id) - see CasSimpleMultifactorSendTokenAction#89 <https://github.com/apereo/cas/blob/v7.3.1/support/cas-server-support-simple-mfa-core/src/main/java/org/apereo/cas/mfa/simple/web/flow/CasSimpleMultifactorSendTokenAction.java#L89>.

Throttling is generally quite a tricky area, so further clarifications are surely welcome.

Best regards
Petr

On Tuesday, 2 December 2025 at 06:34:31 UTC+1 CAS Community wrote:

> Docs: "Please note that the bucket allocation strategy is specific to the
> client IP address."
>
> On Tuesday, August 19, 2025 at 7:32:14 AM UTC-7 [email protected] wrote:
>
>> Hi,
>>
>> I have been trying to implement the rate limiting feature of Simple MFA.
>> (with version 7.2.x)
>> I set the blocking to true:
>> cas.authn.mfa.simple.bucket4j.blocking=true
>>
>> Tested with 1 client, it behaves as expected, it is blocked until token
>> is available.
>> The outcome of testing with 2 clients is interesting. I used different
>> browser with different principals. When it is blocking for one user,
>> surprisingly it is also blocking the other user.
>>
>> I am not sure if this is the expected behavior or is there something else
>> I missed in the config.
>>
>> Thanks
>>
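
The lock behaviour described in the message above can be reproduced with a small stand-alone model. This is an added example, not CAS or Bucket4j code: the class `BucketLockDemo`, the one-token-per-second bucket, the `boolean` return on lock timeout and the "wait after release" variant are all assumptions made for illustration.

```java
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.TimeUnit;
import java.util.concurrent.locks.ReentrantLock;
// Simplified model of a keyed rate limiter guarded by one shared lock (hypothetical, not CAS code).
public class BucketLockDemo {
    static final long REFILL_MS = 1000;                      // constructed: one token per key per second
    static final Map<String, Long> nextFree = new ConcurrentHashMap<>();
    static final ReentrantLock lock = new ReentrantLock();   // one lock for every key

    // Reserve the next token for this key and return how many ms until it is available.
    static long reserve(String key) {
        long now = System.currentTimeMillis();
        long free = Math.max(now, nextFree.getOrDefault(key, now));
        nextFree.put(key, free + REFILL_MS);
        return free - now;
    }

    // waitInsideLock=true models the pattern from the message: the thread is parked while holding the lock.
    static boolean consume(String key, boolean waitInsideLock) throws InterruptedException {
        if (!lock.tryLock(3, TimeUnit.SECONDS)) return false; // 3 s lock timeout, as in the message
        long wait;
        try {
            wait = reserve(key);
            if (waitInsideLock) Thread.sleep(wait);           // every other key queues behind this sleep
        } finally { lock.unlock(); }
        if (!waitInsideLock) Thread.sleep(wait);              // contrast: only this caller waits
        return true;
    }

    // How long "bob" (full bucket) waits while "alice" is being throttled on another thread.
    static long bobLatency(boolean waitInsideLock) throws Exception {
        nextFree.clear();
        consume("alice", waitInsideLock);                     // uses alice's only token
        Thread t = new Thread(() -> {
            try { consume("alice", waitInsideLock); } catch (InterruptedException e) { }
        });
        t.start();
        Thread.sleep(100);                                    // let alice's second request start blocking
        long start = System.nanoTime();
        consume("bob", waitInsideLock);
        long ms = (System.nanoTime() - start) / 1_000_000;
        t.join();
        return ms;
    }

    public static void main(String[] args) throws Exception {
        System.out.println("wait inside lock:  bob delayed " + bobLatency(true) + " ms");
        System.out.println("wait outside lock: bob delayed " + bobLatency(false) + " ms");
    }
}
```

In the first run bob's request is held for most of alice's refill interval even though his own bucket is full; if the refill interval exceeded the 3-second lock timeout, his `tryLock` would fail instead.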
