Hi Andrew, Thanks so much for the reply. Yes, I did look at ThrottledSubmissionByUpAddressHandlerInterceptorAdapter, however, this approach has a potential problem that it will shut out an entire IP address with potentially many users behind it. And I saw a proporal for an enhancement to this approach, something like "ThrottledSubmissionByIpAddressAndNetidHandlerInterceptorAdaptor". The proposal was brougth up in March 2009. Anybody has any ideas whether it is implemented already?
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ This Jira issue documents a proposed enhancement for CAS3. CAS has existing support for failed login attempt throttling via the ThrottledSubmissionByIpAddressHandlerInterceptorAdapter.java Sometimes it is desirable to throttle not only by IP address but by the (IP Address, NetId) tuple. This avoids shutting out an entire NATed IP address with potentially many users behind it (e.g., some campus wireless networks are NATed) on the basis of one user behind that NAT triggering the throttling behavior. At the cost of not throttling a few failed login attempts per user across many users, throttling based on the tuple (IP Address, NetID) will still throttle dictionary attacks against a particular user. The enhancement here proposed is to add a ThrottledSubmissionByIpAddressAndNetidHandlerInterceptorAdaptor The interceptor login preemptive failure behavior should be activated by a sufficient number of failed login attempts by a (NetId, IP Address) tuple during sufficiently short interval of time, with the threshold quantity and duration (or rate of "forgetting" failed attempts) configurable. When the preemptive login blocking behavior is activated, it should block attempts by the triggering tuple for a configurable duration of time. It should The interceptor should store its log of failed login attempts into an RDBMS (presumably via JPA, support for MySQL is desired) so that failed login attempts can be tracked and responded to across clustered CAS instances. The interceptor should log the IP address, timestamp, and NetId for both the triggering of the preemptive failure and for all login attempts during preemptive failure state. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Xuejin, You should look into the ThrottledSubmissionByUpAddressHandlerInterceptorAdapter as a potential solution if not a basis for a customized solution to your problems. HTH, A- REFERENCES: https://www.ja-sig.org/svn/cas3/tags/cas-3-3-3-final/cas-server-core/src/mai n/java/org/jasig/cas/web/support/ThrottledSubmissionByIpAddressHandlerInterc eptorAdapter.java On 7/29/09 1:20 PM, "Xuejin Ruan" <[email protected]> wrote: > > Hi Ole, > > I need to implement something exactly like what you described below. Have > you created such a filter already? > > Thanks, > > Xuejin > > > ole ersoy wrote: >> >> I've been toying with the idea of making a filter as well. I think it >> could be done by creating a CAS ServletContextLister that creates a data >> structure for storing: >> >> - user >> - number of attempts >> - time of last attempt >> >> The filter then grabs this data structure from the CAS ServletContext and >> uses it like this: >> >> If a user has made an attempt to login within say the last 15 minutes, >> the >> number of attempts is incremented, given that it's not already at the >> max. >> If it's at the max then the user gets a message saying that they have to >> wait X minutes before trying to login again. If the user has made a >> login >> attempt before, but the attempt was made more than 15 minutes ago, then >> the filter resets the number of attempts to 1, and the cycle starts over >> again. >> >> If this were made as a component to CAS it should probably be an Action >> that is invoked before the initialFlowSetup. So if user is allowed to >> attempt to login, then the next step is the initialFlowSetup, otherwise >> it's the too many attempts view-state. >> >> Cheers, >> - Ole >> -- View this message in context: http://www.nabble.com/ThrottledSubmissionByIpAddressAndNetidHandlerInterceptorAdaptor----tp24725254p24725254.html Sent from the CAS Users mailing list archive at Nabble.com. -- You are currently subscribed to [email protected] as: [email protected] To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user
