Xuejin, You should look into the ThrottledSubmissionByIpAddressHandlerInterceptorAdapter as a potential solution if not a basis for a customized solution to your problems.
HTH,
A-

REFERENCES:
https://www.ja-sig.org/svn/cas3/tags/cas-3-3-3-final/cas-server-core/src/main/java/org/jasig/cas/web/support/ThrottledSubmissionByIpAddressHandlerInterceptorAdapter.java

On 7/29/09 1:20 PM, "Xuejin Ruan" <[email protected]> wrote:

> Hi Ole,
>
> I need to implement something exactly like what you described below. Have you created such a filter already?
>
> Thanks,
>
> Xuejin
>
>
> ole ersoy wrote:
>>
>> I've been toying with the idea of making a filter as well. I think it could be done by creating a CAS ServletContextListener that creates a data structure for storing:
>>
>> - user
>> - number of attempts
>> - time of last attempt
>>
>> The filter then grabs this data structure from the CAS ServletContext and uses it like this:
>>
>> If a user has made an attempt to login within say the last 15 minutes, the number of attempts is incremented, given that it's not already at the max. If it's at the max then the user gets a message saying that they have to wait X minutes before trying to login again. If the user has made a login attempt before, but the attempt was made more than 15 minutes ago, then the filter resets the number of attempts to 1, and the cycle starts over again.
>>
>> If this were made as a component to CAS it should probably be an Action that is invoked before the initialFlowSetup. So if user is allowed to attempt to login, then the next step is the initialFlowSetup, otherwise it's the too many attempts view-state.
>>
>> Cheers,
>> - Ole
>>
>>
>> ??? wrote:
>>> Thanks for your advice Ole, I've done some research on Geronimo and it seems overkill to me.
>>> It seems best for me to write a simple filter using session to control the attempting.
>>>
>>> Thanks,
>>> Li Wei Nan
>>>
>>> ----- Original Message -----
>>> From: "Ole Ersoy" <[email protected]>
>>> To: "Yale CAS mailing list" <[email protected]>
>>> Sent: Friday, February 08, 2008 4:26 AM
>>> Subject: Re: Is there a way to protect login page against a frequent submit?
>>>
>>>
>>>> Hi Li,
>>>>
>>>> You can do this with a servlet filter that intercepts cas login requests. You would have to get the principal user, see if they have attempted to login with a specified time period, and redirect them to another page explaining that they have made too many login attempts and that they must wait X minutes before attempting again. I think Geronimo has something like this built in, but I'm still looking around for a standalone implementation.
>>>>
>>>> Cheers,
>>>> - Ole
>>>>
>>>>
>>>> Li Wei Nan wrote:
>>>>> Hi Everyone,
>>>>>
>>>>> Is there a plug-in or something like custom view could be used in cas-webapps to protect cas from malicious credential/principal sniffer?
>>>>>
>>>>> Or maybe there's some configuration I can do in tomcat to achieve this goal which I don't know yet?
>>>>>
>>>>> Thank you for your help,
>>>>>
>>>>> Li Wei Nan
>>>>> _______________________________________________
>>>>> Yale CAS mailing list
>>>>> [email protected]
>>>>> http://tp.its.yale.edu/mailman/listinfo/cas
>>>>>

-- 
Andrew Feller, Business System Programmer
LSU University Information Services
200 Frey Computing Services Center
Baton Rouge, LA 70803
Office: 225.578.3737
Fax: 225.578.6400

-- 
You are currently subscribed to [email protected] as: [email protected]
To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user
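The attempt-tracking structure Ole sketches in the thread (key, number of attempts, time of last attempt, a 15-minute window, reset to 1 once the window has passed), written out as an added example in Python rather than as a servlet filter; it is not code from the thread or from CAS. It generalizes the key so the same logic can be kept per username, as Ole describes, or per client IP address, as the referenced CAS interceptor does; the maximum of 5 attempts, the injectable clock and the `reset` method are assumptions, since the thread leaves those unstated.

```python
import math
import time
from dataclasses import dataclass

WINDOW_SECONDS = 15 * 60  # "within say the last 15 minutes" from the thread
MAX_ATTEMPTS = 5          # the thread never states the max; 5 is an assumed value


@dataclass
class AttemptRecord:
    attempts: int        # attempts counted inside the current window
    last_attempt: float  # clock value of the last counted attempt


class LoginThrottle:
    """Key -> (attempts, time of last attempt), as the thread describes.
    The key may be the username (per Ole) or the client IP (per the CAS
    interceptor). `clock` is injectable so the window logic is testable."""

    def __init__(self, max_attempts=MAX_ATTEMPTS, window=WINDOW_SECONDS, clock=time.time):
        self.max_attempts = max_attempts
        self.window = window
        self.clock = clock
        self._records = {}  # stands in for the structure kept in the ServletContext

    def check(self, key):
        """Record one login attempt for `key` and return (allowed, wait_seconds).
        allowed=True: continue to initialFlowSetup; False: show the
        'too many attempts' view with the remaining wait."""
        now = self.clock()
        rec = self._records.get(key)
        if rec is None or now - rec.last_attempt > self.window:
            # No attempt inside the window: the cycle starts over at 1.
            self._records[key] = AttemptRecord(1, now)
            return True, 0
        if rec.attempts >= self.max_attempts:
            # At the max: the blocked attempt is not counted; report how long
            # until the window measured from the last counted attempt expires.
            remaining = self.window - (now - rec.last_attempt)
            return False, int(math.ceil(remaining))
        rec.attempts += 1
        rec.last_attempt = now
        return True, 0

    def reset(self, key):
        """Forget a key, e.g. after a successful login (assumed; not in the thread)."""
        self._records.pop(key, None)
```

The view that shows the "wait X minutes" message would divide `wait_seconds` by 60; keying by username alone means a stranger can exhaust another user's attempts, which is one reason the CAS interceptor keys by IP address instead.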
