Nathan,

You are right in that there is a ThrottledSubmissionByIpAddressHandlerInterceptorAdapter
feature within CAS 3.X; however, this is not configured by default, so it should
not be a factor. It works by the deployer specifying a number of attempts before
the user is locked out. The threshold for # of attempts is set to 100, where the
amount of time for a single failed attempt to be cleared is 60 seconds by default.

If anyone is interested in the source code behind this, you can view it here:
https://www.ja-sig.org/svn/cas3/tags/cas-3-3-3-final/cas-server-core/src/main/java/org/jasig/cas/web/support/ThrottledSubmissionByIpAddressHandlerInterceptorAdapter.java

Thanks for the additional thought,
A-

On 8/17/09 2:34 PM, "Nathan Kopp" <[email protected]> wrote:

> You might be running into a lockout security feature that blocks your IP
> address because of too many failed login attempts. I know such a feature
> existed in CAS 2.x; maybe it still exists in 3.3.
>
> -Nathan
>
> From: Andrew Feller [mailto:[email protected]]
> Sent: Monday, August 17, 2009 3:25 PM
> To: [email protected]
> Subject: Re: [cas-user] CAS login Page refreshes after 5th failed login try.
>
> Israel,
>
> Hrmmm, this is going to be a reaching thought, but what is the session
> timeout for JBoss / Tomcat set to? By default, CAS stores some information
> within the user's session for login purposes. I am not sure what happens
> whenever you exceed the session timeout yet submit the form successfully. If
> you have the Web Developer plugin for Firefox, you will see there are hidden
> fields for "lt" and "eventId". The "lt" value is used by Spring Web Flow to
> associate you with an existing "conversation".
>
> Anyhow, other than that, I cannot think of why this is going on. I have
> received the default view in CAS 3.3.1 and do not see any Javascript to
> cause a redirect like you mentioned. Aside from the timeout issue I
> mentioned above, the only other thoughts I have are 1) hitting the reset
> button or 2) custom code mucking things up.
>
> HTH,
> A-
>
> On 8/17/09 1:43 PM, "Israel Ben Guilherme Fonseca" <[email protected]>
> wrote:
>
> CAS version 3.3.1
> Java version 1.6.10
> Container: JBoss 4.2.3 GA
>
> After the 5th try, the page just gets cleaned. Example:
> 1. Set up demo cas.war in servlet container with NO CHANGES
> 2. Request /login servlet
> 3. Input invalid credentials #1 => Warning message about invalid credentials
> 4. Input invalid credentials #2 => Warning message about invalid credentials
> 5. Input invalid credentials #3 => Warning message about invalid credentials
> 6. Input invalid credentials #4 => Warning message about invalid credentials
> 7. Input valid credentials #5 => Some type of Javascript redirect occurs
> where you are sent back to the /login but the message is gone. (Even with
> valid credentials, nothing happens)
>
> 2009/8/17 Andrew Feller <[email protected]>
>
> Israel,
>
> So let me see if I understand this correctly:
>
> CAS version: 3.1.0
> Java version: 1.X.X
> Servlet container: XXXXXXX
> Servlet container version: X.X.X
>
> STEPS TO REPRODUCE BEHAVIOR
> 1. Set up demo cas.war in servlet container with NO CHANGES
> 2. Request /login servlet
> 3. Input invalid credentials #1 => Warning message about invalid credentials
> 4. Input invalid credentials #2 => Warning message about invalid credentials
> 5. Input invalid credentials #3 => Warning message about invalid credentials
> 6. Input invalid credentials #4 => Warning message about invalid credentials
> 7. Input invalid credentials #5 => Warning message about invalid credentials
> 8. Some type of Javascript redirect occurs where you are sent back to the
> /login but the message is gone
>
> Is this correct?
>
> On 8/17/09 12:30 PM, "Israel Ben Guilherme Fonseca" <[email protected]>
> wrote:
>
> Andrew, I did test it with a plain "cas.war" and got the same behavior. I
> think it's happening with all fresh CAS installations.
>
> 2009/8/17 Andrew Feller <[email protected]>
>
> Zeeshan,
>
> The default view doesn't have any special logic like this as far as I know.
> However, as we don't know the extent of your changes, it is difficult to
> troubleshoot this blindly.
>
> My knee-jerk thoughts:
>
> 1. Have you modified the Spring Web Flow process to include any additional
> actions?
> 2. Have you rewired existing Spring Web Flow actions?
> 3. What type of Javascript changes have you made to the CAS login page?
> 4. Have you tried installing the Live HTTP Headers plugin for Firefox to
> record HTTP traffic to investigate whether this is due to the server or
> Javascript?
>
> HTH,
> A-
>
> On 8/17/09 9:45 AM, "israel.bgf" <[email protected]> wrote:
>
>> I'm having exactly the same problem, and I'm looking for a solution too.
>> Did you find something, Zeeshan?
>>
>> zeeshanilyas wrote:
>>>
>>> Hi,
>>>
>>> I am using CAS 3.1 to implement Single Sign On functionality. I have
>>> modified CAS according to our requirements, which include adding password
>>> reset functionality and password expiry mechanisms. All is working fine,
>>> but during testing I noticed that if you repeatedly try to login with
>>> wrong credentials then on the 5th try the login screen refreshes. I am
>>> using the default screen with some changes.
>>>
>>> Is there any way to stop this behaviour? Is it a default Spring MVC
>>> behaviour or is this part of the CAS specification (there is no mention
>>> of this behaviour in the documentation)?
>>>
>>> I will appreciate it if someone can point me in the right direction
>>> regarding this.
>>>
>>> Kind Regards,
>>>
>>> Zeeshan
>
> --
> Andrew Feller, Business System Programmer
> LSU University Information Services
> 200 Frey Computing Services Center
> Baton Rouge, LA 70803
> Office: 225.578.3737
> Fax: 225.578.6400
>
> --
> You are currently subscribed to [email protected] as: [email protected]
> To unsubscribe, change settings or access archives, see
> http://www.ja-sig.org/wiki/display/JSG/cas-user
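The throttle Andrew describes (a per-IP counter of failed logins, a failure threshold of 100, and one failure forgiven per 60-second window) is easy to model, and doing so shows why it cannot produce the "5th try" behaviour in this thread. The block below is an added Python model written for this page; it is not the CAS Java class. The defaults (100 and 60 seconds) come from Andrew's message. That the counter is decremented by one per elapsed window, that a blocked client is refused before authentication runs, and the client address 10.0.0.5 with its five attempts are assumptions and constructed sample data, not anything the thread states.

```python
"""Model of a per-IP failed-login throttle with a failure threshold and a
time-based decay.  Added example for this page; it is NOT the CAS
ThrottledSubmissionByIpAddressHandlerInterceptorAdapter code.  Defaults of
100 failures and a 60-second window are from the mailing-list post; the
decrement-one-per-window decay and the refuse-before-authenticating check
are assumptions about the original behaviour."""

from collections import defaultdict
from typing import Dict, List, Tuple


class IpFailureThrottle:
    """Counts failed logins per client IP and blocks an IP once its count
    reaches the threshold.  Every full window that elapses forgives one
    failure per IP.  Times are seconds since the throttle was created."""

    def __init__(self, failure_threshold: int = 100,
                 failure_timeout_seconds: int = 60) -> None:
        self.failure_threshold = failure_threshold
        self.failure_timeout = failure_timeout_seconds
        self._failures: Dict[str, int] = defaultdict(int)
        self._last_decay = 0.0  # time of the last decay pass (assumed: epoch 0)

    def _decay(self, now: float) -> None:
        """Forgive one failure per IP for each full window since the last pass."""
        windows = int((now - self._last_decay) // self.failure_timeout)
        if windows <= 0:
            return
        self._last_decay += windows * self.failure_timeout
        for ip in list(self._failures):
            remaining = self._failures[ip] - windows
            if remaining > 0:
                self._failures[ip] = remaining
            else:
                del self._failures[ip]  # fully forgiven, drop the entry

    def failures_for(self, ip: str, now: float) -> int:
        self._decay(now)
        return self._failures.get(ip, 0)

    def is_blocked(self, ip: str, now: float) -> bool:
        """True once the IP has accumulated failure_threshold failures."""
        return self.failures_for(ip, now) >= self.failure_threshold

    def record_failure(self, ip: str, now: float) -> int:
        self._decay(now)
        self._failures[ip] += 1
        return self._failures[ip]


def replay_login_attempts(throttle: IpFailureThrottle,
                          attempts: List[Tuple[float, str, bool]]) -> List[str]:
    """Run (time, ip, credentials_ok) tuples through the throttle.  A blocked
    IP is refused before its credentials are looked at (assumption); otherwise
    a bad password is counted and a good one succeeds."""
    outcomes = []
    for now, ip, credentials_ok in attempts:
        if throttle.is_blocked(ip, now):
            outcomes.append("blocked")
        elif credentials_ok:
            outcomes.append("ok")
        else:
            throttle.record_failure(ip, now)
            outcomes.append("failed")
    return outcomes


# Constructed sample: the thread's sequence (four bad passwords, then a good
# one) from a single hypothetical client, one second apart.
THREAD_ATTEMPTS = [(1.0, "10.0.0.5", False), (2.0, "10.0.0.5", False),
                   (3.0, "10.0.0.5", False), (4.0, "10.0.0.5", False),
                   (5.0, "10.0.0.5", True)]


def default_config_outcomes() -> List[str]:
    """CAS-style defaults: four failures never approach 100, so the throttle
    cannot explain the refresh on the fifth try."""
    return replay_login_attempts(IpFailureThrottle(), THREAD_ATTEMPTS)


def strict_config_outcomes() -> List[str]:
    """Same traffic against a deployer-tuned threshold of 4: the fifth attempt
    is refused even though its credentials are valid."""
    return replay_login_attempts(IpFailureThrottle(failure_threshold=4), THREAD_ATTEMPTS)


def decay_outcomes() -> List[str]:
    """Strict threshold again, but the valid attempt arrives after one full
    60-second window, so one failure has been cleared and it succeeds."""
    late = THREAD_ATTEMPTS[:4] + [(65.0, "10.0.0.5", True)]
    return replay_login_attempts(IpFailureThrottle(failure_threshold=4), late)


if __name__ == "__main__":
    print("defaults:", default_config_outcomes())
    print("threshold 4:", strict_config_outcomes())
    print("threshold 4, after decay:", decay_outcomes())
```

With the stated defaults the five attempts produce four "failed" outcomes and then "ok": a client would need 100 consecutive failures inside the decay window before the throttle engaged, so a refresh on the fifth try has to come from somewhere else (session/flow state, as Andrew suspects, or custom code). The strict configuration shows what an engaged throttle actually looks like (a valid login refused), and the decay scenario shows the lockout lifting one failure per window rather than all at once.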
