Hi Jon,

The in-memory throttling approach in 3.4+ versions remains an unresolved issue reported on fairly recently: https://issues.jasig.org/browse/CAS-1107

Therefore, the directions you followed need remediation in the interim - the outstanding issue is now referenced in context and configurations for 3.4 were removed. I believe the alternate Inspektr approach should still be viable across versions.

Regards,
Brian

On Tue, May 22, 2012 at 2:57 PM, Jon Detert <[email protected]> wrote:
> ----- Original Message -----
> > From: "Jon Detert" <[email protected]>
> > To: [email protected]
> > Sent: Thursday, May 17, 2012 9:31:53 AM
> > Subject: [cas-user] trying to throttle failed login attempts
> >
> > Hello,
> >
> > In order to help thwart brute-force password cracking, I'd like my
> > cas v3.4.11 login page to throttle failed login attempts.
> >
> > I followed the directions here:
> > https://wiki.jasig.org/display/CASUM/Throttling+Login+Attempts
> > using the 'In-Memory Approach', but as far as I can tell, no
> > throttling is being done:
>
> Still not working. How is it supposed to work? The wiki doc says
> you should see an entry in the cas.log that starts with:
> "WARN [org.jasig.cas.web.support.InMemoryThrottledSubmissionByIpAddressHandlerInterceptorAdapter]".
> There are no such entries in my cas.log.
>
> The wiki doc implies that the 'throttle' is in the form of denying service
> once more than yy failed attempts are made within zz seconds, and that this
> 'count' is decremented in some unspecified way. However, it's not clear
> where yy and zz are defined. In the example
> spring-configuration/throttleInterceptorTrigger.xml for cas 3.4.x, it looks
> like yy and zz are defined in the "throttleInterceptor" bean, in the form
> of a 'p:failureRangeInSecond=120' and a 'p:failureThreshold=3', yet there's
> a comment that "Note this parameter has no effect on in-memory throttling;
> value is used in logging however". So, how does the cas server determine
> when throttling should occur?
>
> > Thanks,
> > Jon
> >
> --
> You are currently subscribed to [email protected] as: [email protected]
> To unsubscribe, change settings or access archives, see
> http://www.ja-sig.org/wiki/display/JSG/cas-user
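The "deny once more than yy failures occur within zz seconds, with the count decaying afterwards" behaviour Jon asks about, modelled as an added example. This is not CAS's own interceptor code and does not reproduce its actual decrement strategy; `failure_threshold` and `failure_range_in_seconds` mirror the bean property names from the thread, and the timestamps and IPs are constructed.

```python
from collections import defaultdict, deque
from dataclasses import dataclass, field


@dataclass
class FailedLoginThrottle:
    """Sliding-window throttle of failed logins keyed by client IP.

    Assumed semantics (simplified, not CAS's algorithm): an IP is throttled
    when more than failure_threshold failures fall inside the last
    failure_range_in_seconds; older failures expire, which plays the role
    of the unspecified "decrement" from the wiki page.
    """
    failure_threshold: int = 3
    failure_range_in_seconds: int = 120
    _failures: dict = field(default_factory=lambda: defaultdict(deque))

    def _prune(self, ip: str, now: float) -> deque:
        # Drop failures that have aged out of the window.
        window = self._failures[ip]
        cutoff = now - self.failure_range_in_seconds
        while window and window[0] <= cutoff:
            window.popleft()
        return window

    def is_throttled(self, ip: str, now: float) -> bool:
        """True if this IP's in-window failure count exceeds the threshold."""
        return len(self._prune(ip, now)) > self.failure_threshold

    def record_failure(self, ip: str, now: float) -> bool:
        """Record a failed attempt; return whether the IP is now throttled."""
        window = self._prune(ip, now)
        window.append(now)
        return len(window) > self.failure_threshold

    def record_success(self, ip: str) -> None:
        """A successful login clears the failure history for that IP."""
        self._failures.pop(ip, None)


def simulate(throttle: FailedLoginThrottle, events):
    """Replay time-ordered (seconds, ip, succeeded) events.

    Returns, per event, whether the client was throttled after it.
    """
    out = []
    for t, ip, ok in events:
        if ok:
            throttle.record_success(ip)
            out.append(False)
        else:
            out.append(throttle.record_failure(ip, t))
    return out
```

Keying on client IP alone throttles every user behind a shared NAT and does nothing against attempts spread across many addresses, so a username-keyed (or combined) key is usually worth pairing with it.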
