----- Original Message -----
> From: "Jon Detert" <[email protected]>
> To: [email protected]
> Sent: Thursday, May 17, 2012 9:31:53 AM
> Subject: [cas-user] trying to throttle failed login attempts
>
> Hello,
>
> In order to help thwart brute-force password cracking, I'd like my
> cas v3.4.11 login page to throttle failed login attempts.
>
> I followed the directions here:
> https://wiki.jasig.org/display/CASUM/Throttling+Login+Attempts
> using the 'In-Memory Approach', but as far as I can tell, no
> throttling is being done:
Still not working. How is it supposed to work?

The wiki doc says you should see an entry in the cas.log that starts with: "WARN [org.jasig.cas.web.support.InMemoryThrottledSubmissionByIpAddressHandlerInterceptorAdapter]". There are no such entries in my cas.log.

The wiki doc implies that the 'throttle' is in the form of denying service once more than yy failed attempts are made within zz seconds, and that this 'count' is decremented in some unspecified way. However, it's not clear where yy and zz are defined.

In the example spring-configuration/throttleInterceptorTrigger.xml for cas 3.4.x, it looks like yy and zz are defined in the "throttleInterceptor" bean, in the form of a 'p:failureRangeInSecond=120' and a 'p:failureThreshold=3', yet there's a comment that "Note this parameter has no effect on in-memory throttling; value is used in logging however".

So, how does the cas server determine when throttling should occur?

Thanks,
Jon
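To make the semantics the wiki describes concrete (refuse an address once more than failureThreshold failures fall within failureRangeInSeconds, with old failures aging out), here is an added illustrative per-IP throttle. It is not CAS's own interceptor code; the class name, the sliding-window approach and the sample events are assumptions for the demonstration, with the threshold and range set to the values from the bean above.

```python
import logging
from collections import defaultdict, deque

log = logging.getLogger("throttle")


class InMemoryIpThrottle:
    """Illustrative per-source-IP failed-login throttle (not CAS's class).

    An address is throttled while more than `failure_threshold` failures
    from it lie inside the last `failure_range_in_seconds`. Failures that
    age out of that window are dropped, which is the 'decrement'.
    """

    def __init__(self, failure_threshold=3, failure_range_in_seconds=120):
        self.threshold = failure_threshold
        self.range_s = failure_range_in_seconds
        self._failures = defaultdict(deque)  # ip -> timestamps of failures

    def _prune(self, ip, now):
        q = self._failures[ip]
        while q and now - q[0] > self.range_s:
            q.popleft()  # failure older than the range: forget it

    def is_throttled(self, ip, now):
        """Check before authenticating; True means refuse the attempt."""
        self._prune(ip, now)
        return len(self._failures[ip]) > self.threshold

    def record_failure(self, ip, now):
        """Record a failed login; returns True if the IP is now throttled."""
        self._prune(ip, now)
        self._failures[ip].append(now)
        if len(self._failures[ip]) > self.threshold:
            log.warning("Possible hacking attempt from %s: %d failures in %ds",
                        ip, len(self._failures[ip]), self.range_s)
            return True
        return False

    def record_success(self, ip):
        self._failures.pop(ip, None)  # a good login clears the counter


def run_scenario():
    """Constructed sample: four quick failures from one IP, one from another."""
    t = InMemoryIpThrottle(failure_threshold=3, failure_range_in_seconds=120)
    events = [("10.0.0.1", 0), ("10.0.0.1", 10), ("10.0.0.1", 20),
              ("10.0.0.1", 30), ("10.0.0.2", 30)]
    decisions = [t.record_failure(ip, ts) for ip, ts in events]
    # 4th failure from 10.0.0.1 exceeds the threshold; at t=121 the first expires
    return decisions, t.is_throttled("10.0.0.1", 100), t.is_throttled("10.0.0.1", 121)
```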
