On Thu, Sep 15, 2011 at 12:28 PM, Ourada, John <[email protected]> wrote:
> Was reading through the Invalid Login Attempt Throttling and had a couple > of thoughts.**** > > ** ** > > Refer to page: > https://wiki.jasig.org/display/CASUM/Throttling+Login+Attempts**** > > ** ** > > First, it took me a little to realize that with the InMemory setup that the > failureRangeInSeconds is meaningless except when logging the warning. Some > mail archive searching confirmed that. > Added a note for you to this effect in wiki page. > **** > > ** ** > > Second, I need to do throttling in an HA environment:**** > > ** ** > > Here is a snippet from the documentation:**** > > For multi-node CAS instances there is one option that combines the auditing > capabilities of the Inspektr package with the throttling package (and relies > on a database).**** > > We don’t use a DB for our audit logs since our Support teams use Splunkr > for their log search and reporting needs. I also can’t get an HA db and > don’t want to support it myself.**** > > ** ** > > Since we are using Terracotta, I thought I would give it a try and it seems > to be working well. I see the ConcurrentHashMap in Terracotta and I see > objects going into it when I have a failed login attempt. I have tried > going to each tomcat instance individually and everything works as expected. > **** > > ** ** > > For the auto decrement, I set it to 2*I (I is the expected interval). If I > want the decrement to be 120s, I set each server (I have 2) to decrement > every 240s so in effect I get something close to every 120s.**** > > ** ** > > Does this seem like a good idea to continue or does anybody see an issue > that I haven’t considered.**** > > ** ** > > Thanks!**** > > -John**** > > ** ** > > Tc-config-tomcat.xml (snippet)**** > > <roots>**** > > <!-- Defined Shared Roots -->**** > > <root>**** > > <!--The In-Memory Ticket Registry-->**** > > > <field-name>org.jasig.cas.ticket.registry.DefaultTicketRegistry.cache</field-name> > **** > > </root>**** > > <root>**** > > <!-- The in-Memory throttle cache -->**** > > > <field-name>org.jasig.cas.web.support.AbstractInMemoryThrottledSubmissionHandlerInterceptorAdapter.ipMap</field-name> > **** > > </root>**** > > </roots>**** > > ** ** > > throttleInterceptorTrigger.xml**** > > <?xml version="1.0" encoding="UTF-8"?>**** > > <beans xmlns="http://www.springframework.org/schema/beans"**** > > xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"**** > > xmlns:p="http://www.springframework.org/schema/p"**** > > xsi:schemaLocation="http://www.springframework.org/schema/beans > http://www.springframework.org/schema/beans/spring-beans-2.0.xsd";>**** > > ** ** > > <bean id="throttleInterceptor" > class="org.jasig.cas.web.support.InMemoryThrottledSubmissionByIpAddressAndUsernameHandlerInterceptorAdapter" > **** > > p:failureRangeInSeconds="120"**** > > p:failureThreshold="3" />**** > > ** ** > > <bean id="throttleInterceptorJobDetail" > class="org.springframework.scheduling.quartz.MethodInvokingJobDetailFactoryBean" > **** > > p:targetObject-ref="throttleInterceptor"**** > > p:targetMethod="decrementCounts" />**** > > ** ** > > <bean id="periodicThrottleCleanerTrigger" > class="org.springframework.scheduling.quartz.SimpleTriggerBean"**** > > p:jobDetail-ref="throttleInterceptorJobDetail"**** > > p:startDelay="0"**** > > p:repeatInterval="40000" />**** > > </beans>**** > > ** ** > > Picture of Terracotta Console**** > > **** > > ** ** > > ** ** > > ** ** > > ** ** > > -- > You are currently subscribed to [email protected] as: > [email protected] > To unsubscribe, change settings or access archives, see > http://www.ja-sig.org/wiki/display/JSG/cas-user > > -- You are currently subscribed to [email protected] as: [email protected] To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user
<<image001.png>>
