Andrew, well, it looks like JavaScript, but it could be just some server stuff (I'm using Firebug and it shows a request even when the page gets cleared). I don't think it would have JavaScript saying: "After the 5th try, just ignore it"; it would be very strange. I really think that's server-side stuff.

When I put in invalid credentials I got this in the console:

17:33:55,903 INFO [STDOUT] List was empty.
17:33:55,903 INFO [STDOUT] 2009-08-17 17:33:55,903 INFO [org.jasig.cas.authentication.AuthenticationManagerImpl] - <AuthenticationHandler: org.jasig.cas.adaptors.ldap.BindLdapAuthenticationHandler failed to authenticate the user which provided the following credentials: [username: 432423]>

That's ok, just telling me that the user wasn't found. I got this output for every try, but in the 5th try I don't get an output. Looks like the ldap-access just got ignored (again, it sounds like a server-side "problem").

About the session timeout, it's 30 min for JBoss. And I'm not trying 4 attempts and waiting 31 minutes to do another one, it's 5 sequential attempts (less than 1 minute interval).

What version of CAS / Servlet Container and Browser are you using, Andrew? Did you test with a fresh default CAS login view to see if this issue happens only with JBoss?

Thanks for the patience,
Israel

2009/8/17 Andrew Feller <[email protected]>

> Nathan,
>
> You are right in that there is a
> ThrottledSubmissionByIpAddressHandlerInterceptorAdapter feature within CAS
> 3.X, however this is not configured by default, so it should not be a
> factor. It works by the deployer specifying a number of attempts before the
> user is locked out. The threshold for # of attempts is set to 100 where the
> amount of time for a single failed attempt to be cleared is 60 seconds by
> default.
>
> If anyone is interested in the source code behind this, you can view it
> here:
> https://www.ja-sig.org/svn/cas3/tags/cas-3-3-3-final/cas-server-core/src/main/java/org/jasig/cas/web/support/ThrottledSubmissionByIpAddressHandlerInterceptorAdapter.java
>
> Thanks for the additional thought,
> A-
>
> On 8/17/09 2:34 PM, "Nathan Kopp" <[email protected]> wrote:
>
> You might be running into a lockout security feature that blocks your IP
> address because of too many failed login attempts. I know such a feature
> existed in CAS 2.x… maybe it still exists in 3.3.
>
> -Nathan
>
> *From:* Andrew Feller [mailto:[email protected]]
> *Sent:* Monday, August 17, 2009 3:25 PM
> *To:* [email protected]
> *Subject:* Re: [cas-user] CAS login Page refreshes after 5th failed login
> try.
>
> Israel,
>
> Hrmmm this is going to be a reaching thought, but what is the session
> timeout for JBoss / Tomcat set to? By default, CAS stores some information
> within the user’s session for login purposes. I am not sure what happens
> whenever you exceed the session timeout yet submit the form successfully.
> If you have the Web Developer plugin for Firefox, you will see there are
> hidden fields for “lt” and “eventId”. The “lt” value is used by Spring Web
> Flow to associate you with an existing “conversation”.
>
> Anyhow, other than that, I cannot think of why this is going on. I have
> received the default view in CAS 3.3.1 and do not see any Javascript to
> cause a redirect like you mentioned. Aside from the timeout issue I
> mentioned above, the only other thoughts I have are 1) Hitting the reset
> button or 2) custom code mucking things up.
>
> HTH,
> A-
>
> On 8/17/09 1:43 PM, "Israel Ben Guilherme Fonseca" <[email protected]>
> wrote:
>
> CAS version 3.3.1
> Java version 1.6.10
> Container: JBoss 4.2.3 GA
>
> After the 5th try, the page just gets cleaned. Example:
>
> 1. Setup demo cas.war in servlet container with NO CHANGES
> 2. Request /login servlet
> 3. Input invalid credentials #1 => Warning message about invalid
> credentials
> 4. Input invalid credentials #2 => Warning message about invalid
> credentials
> 5. Input invalid credentials #3 => Warning message about invalid
> credentials
> 6. Input invalid credentials #4 => Warning message about invalid
> credentials
> 7. Input *valid* credentials #5 => Some type of Javascript redirect
> occurs where you are sent back to the /login but the message is gone. (Even
> with valid credentials, nothing happens)
>
> 2009/8/17 Andrew Feller <[email protected]>
>
> Israel,
>
> So let me see if I understand this correctly:
>
> CAS version: 3.1.0
> Java version: 1.X.X
> Servlet container: XXXXXXX
> Servlet container version: X.X.X
>
> STEPS TO REPRODUCE BEHAVIOR
>
> 1. Setup demo cas.war in servlet container with NO CHANGES
> 2. Request /login servlet
> 3. Input invalid credentials #1 => Warning message about invalid
> credentials
> 4. Input invalid credentials #2 => Warning message about invalid
> credentials
> 5. Input invalid credentials #3 => Warning message about invalid
> credentials
> 6. Input invalid credentials #4 => Warning message about invalid
> credentials
> 7. Input invalid credentials #5 => Warning message about invalid
> credentials
> 8. Some type of Javascript redirect occurs where you are sent back to
> the /login but the message is gone
>
> Is this correct?
>
> On 8/17/09 12:30 PM, "Israel Ben Guilherme Fonseca" <[email protected]>
> wrote:
>
> Andrew, I did test it with a plain "cas.war" and got the same behavior. I
> think it's happening with all fresh CAS installations.
>
> 2009/8/17 Andrew Feller <[email protected]>
>
> Zeeshan,
>
> The default view doesn't have any special logic like this as far as I know.
> However as we don't know the extent of your changes, it is difficult to
> troubleshoot this blindly.
>
> My knee jerk thoughts:
>
> 1. Have you modified the Spring Web Flow process to include any additional
> actions?
> 2. Have you rewired existing Spring Web Flow actions?
> 3. What type of Javascript changes have you made to the CAS login page?
> 4. Have you tried installing the Live HTTP Headers plugin for Firefox to
> record HTTP traffic to investigate whether this is due to the server or
> Javascript?
>
> HTH,
> A-
>
> On 8/17/09 9:45 AM, "israel.bgf" <[email protected]> wrote:
>
> > I'm having exactly the same problem, and I'm looking for a solution too.
> > Did you find something, Zeeshan?
> >
> > zeeshanilyas wrote:
> >>
> >> Hi,
> >>
> >> I am using CAS 3.1 to implement Single Sign On functionality. I have
> >> modified CAS according to our requirements which include adding password
> >> Reset functionality and password expiry mechanisms. All is working fine
> >> but during testing I noticed that if you repeatedly try to login with
> >> wrong credentials then on the 5th try the login screen refreshes. I am
> >> using the default screen with some changes.
> >>
> >> Is there any way to stop this behaviour? Is it a default spring mvc
> >> behaviour or is this part of the CAS specification (there is no mention of
> >> this behaviour in the documentation).
> >>
> >> I will appreciate it if someone can point to the right direction regarding
> >> this.
> >>
> >> Kind Regards,
> >>
> >> Zeeshan
> >>
>
> --
> Andrew Feller, Business System Programmer
> LSU University Information Services
> 200 Frey Computing Services Center
> Baton Rouge, LA 70803
> Office: 225.578.3737
> Fax: 225.578.6400

--
You are currently subscribed to [email protected] as: [email protected]
To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user
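
The per-IP throttle described in the thread (a failure count per address, a threshold of 100, and 60 seconds for a single failure to clear), as an added sketch that is not part of the original messages and not the CAS source. The class and method names are hypothetical, and forgiving one failure per elapsed period is an assumption drawn from that description; the run shows that five failures in under a minute stay far below such a threshold.

```java
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.ConcurrentMap;

/** Hypothetical sketch of per-IP login throttling (not CAS code). */
public class IpThrottleSketch {
    private final int failureThreshold;   // attempts before lockout (thread: 100)
    private final long failureTimeoutMs;  // time for one failure to clear (thread: 60 s)
    // Per-IP state: [0] = outstanding failures, [1] = time of the last decay step.
    private final ConcurrentMap<String, long[]> failures = new ConcurrentHashMap<>();

    public IpThrottleSketch(int failureThreshold, long failureTimeoutSeconds) {
        this.failureThreshold = failureThreshold;
        this.failureTimeoutMs = failureTimeoutSeconds * 1000L;
    }

    /** Forgive one failure per elapsed timeout period, then return the count. */
    private long decay(long[] s, long nowMs) {
        long periods = (nowMs - s[1]) / failureTimeoutMs;
        if (periods > 0) {
            s[0] = Math.max(0, s[0] - periods);
            s[1] += periods * failureTimeoutMs;
        }
        return s[0];
    }

    /** Checked before the login is processed. */
    public boolean isBlocked(String ip, long nowMs) {
        long[] s = failures.get(ip);
        if (s == null) return false;
        synchronized (s) { return decay(s, nowMs) >= failureThreshold; }
    }

    /** Called after a login attempt ends in an authentication failure. */
    public void recordFailure(String ip, long nowMs) {
        long[] s = failures.computeIfAbsent(ip, k -> new long[] {0, nowMs});
        synchronized (s) { decay(s, nowMs); s[0]++; }
    }

    public static void main(String[] args) {
        IpThrottleSketch t = new IpThrottleSketch(100, 60);
        String ip = "192.0.2.10";  // constructed documentation address
        long now = 0;              // simulated clock in milliseconds
        // Five failures, 10 s apart: the pattern reported in the thread.
        for (int i = 1; i <= 5; i++) { t.recordFailure(ip, now); now += 10_000; }
        System.out.println("blocked after 5 failures: " + t.isBlocked(ip, now));
        // A rapid burst that brings the count up to the threshold.
        for (int i = 6; i <= 100; i++) { t.recordFailure(ip, now); now += 100; }
        System.out.println("blocked after 100 failures: " + t.isBlocked(ip, now));
        now += 60_000;             // one timeout period later, one failure clears
        System.out.println("blocked 60 s later: " + t.isBlocked(ip, now));
    }
}
```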
