I confess I don't fully understand your current solution; I had a brief look
at your posted code but not enough for understanding.
Anyway, I think the best solution to this problem would be a "threshold" on
the number of service tickets in play for a given TGT and service.
Validation or expiry of a service ticket removes it from consideration.
Perhaps this is your solution?
Danny B. wrote:
>
> Actually just the request; the reason for this is a previous bug.
>
> While we were testing the simple F5 (refresh) test, we seemed to be getting a
> database error after 150 tickets. The blob for the registered service in the
> TGT was too big to be saved to the database. This again gave some errors
> with single log out...
> So we switched the key from ticket to service (map<ticket,service> to
> map<service,ticket>); we always keep our newest ticket and delete the
> old one. This solved our problem, and none of the systems had any problems
> with this new solution.
>
> Kind regards,
>
> Danny
>
>
> dale77 wrote:
>>
>>
>> Does your solution use the number of unvalidated tickets over a
>> timeframe or just the number of tickets requested over a timeframe for
>> abuse detection?
>>
>> As long as the ticket is validated by the client, it should not count for
>> abuse. Applications which choose to not maintain their own session, and
>> rely on a ticket for every request, will become "abusers" unless ticket
>> validation decrements the use count.
>>
>>
>> Danny B. wrote:
>>>
>>> Solution:
>>> New table with following values:
>>> Ticket Granting Ticket id, RegisteredService, TimeStamp,
>>> #timesUsedSinceTimeStamp,
>>>
>>> TimeStamp: This is set every x amount of seconds/minutes
>>>
>>> pseudo code
>>> <code>
>>> // one row per (TGT id, RegisteredService): uses counted inside a measurement window
>>> if (timeStamp > (currentTime - measurementTime)) {
>>>     // still inside the current window: count this use
>>>     registeredService.timesUsedSinceTimeStamp += 1;
>>> } else {
>>>     // window has passed: start a new one and restart the count
>>>     timeStamp = currentTime;
>>>     registeredService.timesUsedSinceTimeStamp = 1;
>>> }
>>> if (registeredService.timesUsedSinceTimeStamp > X) {
>>>     redirect to ErrorPage;
>>>     REPORT TO ADMIN;
>>> }
>>>
>>> X (being the maximum of uses within a certain time frame)
>>> </code>
>>>
>>> I am planning to implement this solution this week.
>>> The source code will be posted.
>>>
>>> I would just like to hear your advice on how to implement this
>>> solution, so you don't have to change much if you want to import it
>>> into CAS. <== goal
>>>
>>> Kind regards,
>>>
>>> Danny
>>>
>>
>>
>
>
--
View this message in context:
http://www.nabble.com/possible-solution-preventing-abuse-cas-infinite-loop-redirect-service-tp23389145p23549412.html
Sent from the CAS Users mailing list archive at Nabble.com.
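Added example, not code from the thread or from CAS: a stand-alone model of the proposal above that keeps the counter per (TGT id, registered service) but, as dale77 suggests, counts only service tickets still "in play", so validation or expiry removes a ticket from consideration. The class and function names, the 150/60 s threshold values and the replayed F5 scenario are assumptions for illustration.

```python
from collections import defaultdict

class ServiceTicketGuard:
    # One counter per (TGT id, registered service). Only *unvalidated* service
    # tickets count, so a client that validates every ticket is never flagged.
    def __init__(self, max_outstanding, window_seconds):
        self.max_outstanding = max_outstanding   # "X" in the thread
        self.window = window_seconds             # "measurementTime" in the thread
        self._open = defaultdict(dict)           # (tgt, service) -> {ticket: issued_at}

    def _expire(self, key, now):
        # A ticket older than the window is treated as expired and stops counting.
        bucket = self._open[key]
        for ticket_id, issued in list(bucket.items()):
            if now - issued > self.window:
                del bucket[ticket_id]

    def on_grant(self, tgt_id, service, ticket_id, now):
        """Record a newly granted ST; return False if the threshold is reached."""
        key = (tgt_id, service)
        self._expire(key, now)
        if len(self._open[key]) >= self.max_outstanding:
            return False   # caller redirects to the error page and reports to admin
        self._open[key][ticket_id] = now
        return True

    def on_validate(self, tgt_id, service, ticket_id):
        # Successful validation consumed the ticket: remove it from consideration.
        self._open[(tgt_id, service)].pop(ticket_id, None)

    def outstanding(self, tgt_id, service, now):
        key = (tgt_id, service)
        self._expire(key, now)
        return len(self._open[key])


def simulate_refresh_loop(validates, requests=200):
    """Replay the thread's F5 test (constructed): one TGT, one service, a request
    every 0.1 s; returns (granted, blocked)."""
    guard = ServiceTicketGuard(max_outstanding=150, window_seconds=60.0)
    granted = blocked = 0
    for i in range(requests):
        ticket = f"ST-{i}"   # placeholder ids, not real CAS tickets
        if guard.on_grant("TGT-1", "https://app.example/", ticket, now=i * 0.1):
            granted += 1
            if validates:    # a well-behaved client validates each ticket it gets
                guard.on_validate("TGT-1", "https://app.example/", ticket)
        else:
            blocked += 1
    return granted, blocked
```

A client that never validates trips the threshold at the 151st ticket, while one that validates every ticket is never blocked, which is the distinction dale77 asks about.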