Hi Ole, I need to implement something exactly like what you described below. Have you created such a filter already?

Thanks,
Xuejin

ole ersoy wrote:
> I've been toying with the idea of making a filter as well. I think it could be done by creating a CAS ServletContextListener that creates a data structure for storing:
>
> - user
> - number of attempts
> - time of last attempt
>
> The filter then grabs this data structure from the CAS ServletContext and uses it like this:
>
> If a user has made an attempt to login within say the last 15 minutes, the number of attempts is incremented, given that it's not already at the max. If it's at the max then the user gets a message saying that they have to wait X minutes before trying to login again. If the user has made a login attempt before, but the attempt was made more than 15 minutes ago, then the filter resets the number of attempts to 1, and the cycle starts over again.
>
> If this were made as a component to CAS it should probably be an Action that is invoked before the initialFlowSetup. So if the user is allowed to attempt to login, then the next step is the initialFlowSetup, otherwise it's the too many attempts view-state.
>
> Cheers,
> - Ole
>
> Li Wei Nan wrote:
>> Thanks for your advice Ole, I've done some research on Geronimo and it seems overkill to me.
>> It seems best for me to write a simple filter using the session to control the attempts.
>>
>> Thanks,
>> Li Wei Nan
>>
>> ----- Original Message -----
>> From: "Ole Ersoy" <[email protected]>
>> To: "Yale CAS mailing list" <[email protected]>
>> Sent: Friday, February 08, 2008 4:26 AM
>> Subject: Re: Is there a way to protect login page against a frequent submit?
>>
>>> Hi Li,
>>>
>>> You can do this with a servlet filter that intercepts CAS login requests. You would have to get the principal user, see if they have attempted to login within a specified time period, and redirect them to another page explaining that they have made too many login attempts and that they must wait X minutes before attempting again. I think Geronimo has something like this built in, but I'm still looking around for a standalone implementation.
>>>
>>> Cheers,
>>> - Ole
>>>
>>> Li Wei Nan wrote:
>>>> Hi Everyone,
>>>>
>>>> Is there a plug-in or something like a custom view that could be used in cas-webapps to protect CAS from a malicious credential/principal sniffer?
>>>>
>>>> Or maybe there's some configuration I can do in Tomcat to achieve this goal which I don't know yet?
>>>>
>>>> Thank you for your help,
>>>>
>>>> Li Wei Nan
>>>> _______________________________________________
>>>> Yale CAS mailing list
>>>> [email protected]
>>>> http://tp.its.yale.edu/mailman/listinfo/cas
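One way to code the filter Ole sketches (count attempts per user inside a 15-minute window, refuse at the max with a "wait X minutes" answer, reset to 1 once the window has passed), written as an added example for this thread and not code from the thread or from CAS; the limit of 5 attempts, the HTTP 429 answer, the `username` form field and the in-memory map are assumptions:

```java
import java.io.IOException;
import java.util.concurrent.ConcurrentHashMap;
import javax.servlet.*;
import javax.servlet.http.*;

public class LoginThrottleFilter implements Filter {
    static final int MAX_ATTEMPTS = 5;                  // assumed limit, not given in the thread
    static final long WINDOW_MILLIS = 15 * 60 * 1000L;  // 15 minutes, as in the thread

    /** Per-user record: number of attempts and time of last attempt. */
    static final class Attempts { int count; long lastAttempt; }

    // The thread keeps this map in the ServletContext via a ServletContextListener; a field on
    // the single filter instance is equivalent here and keeps the example self-contained.
    private final ConcurrentHashMap<String, Attempts> attempts = new ConcurrentHashMap<>();

    /** Returns 0 if the attempt may proceed, else the whole minutes the user must wait. */
    static long minutesToWait(Attempts a, long now) {
        synchronized (a) {
            if (now - a.lastAttempt > WINDOW_MILLIS) a.count = 0;  // window expired: start over
            if (a.count >= MAX_ATTEMPTS) {                       // at the max: refuse, don't count
                long remaining = a.lastAttempt + WINDOW_MILLIS - now;
                return Math.max(1, (remaining + 59_999) / 60_000);  // round up to whole minutes
            }
            a.count++;
            a.lastAttempt = now;
            return 0;
        }
    }

    @Override public void init(FilterConfig config) {}

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest http = (HttpServletRequest) req;
        String user = http.getParameter("username");  // CAS 3 login form field
        if ("POST".equals(http.getMethod()) && user != null) {
            Attempts a = attempts.computeIfAbsent(user, k -> new Attempts());
            long wait = minutesToWait(a, System.currentTimeMillis());
            if (wait > 0) {  // too many attempts: answer with the "wait X minutes" message
                ((HttpServletResponse) res).sendError(429, "Too many login attempts; try again in " + wait + " minute(s)");
                return;
            }
        }
        chain.doFilter(req, res);
    }

    @Override public void destroy() {}
}
```

Keying the counter on the username alone means repeated bad passwords for an account lock out its legitimate owner too, so in practice the key should also include the client address or the check should fall back to a CAPTCHA rather than a hard refusal. The map lives in one JVM, so a CAS deployment on several nodes needs the counters in shared storage.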
