Hi,
I'm successfully throttling login attempts with
"InspektrThrottledSubmissionByIpAddressAndUsernameHandlerInterceptorAdapter"
in CAS 3.5.
I have seen it only checks GET requests:
public abstract class AbstractThrottledSubmissionHandlerInterceptorAdapter
        ... {
    ...
    public final boolean preHandle(final HttpServletRequest request,
            final HttpServletResponse response, final Object o) throws Exception {
        // we only care about post because that's the only instance where
        // we can get anything useful besides IP address.
        if (!"POST".equals(request.getMethod())) {
            return true;
        }
        ...
    }
Why doesn't it check GET requests? It allows brute force attacks using URLs
like this:
http://www.casserver.com/cas/login?username=MYUSER&password=MYPASSWORD&lt=LT-8-ccvtXiggP3G3NifIJcZDaXec2kNCQq&execution=e3s1&_eventId=submit&submit=Entrar
Solutions? Change the preHandle method? Change something to only allow POST
requests to CAS? How?
Thanks in advance.
--
You are currently subscribed to [email protected] as:
[email protected]
To unsubscribe, change settings or access archives, see
http://www.ja-sig.org/wiki/display/JSG/cas-user
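The "only allow POST requests to CAS" option the post asks about can be done outside the throttling interceptor, with a servlet filter placed in front of the login URL. The following is an added example and is not code from CAS or from the poster; it assumes a standard javax.servlet container, that the login form is served at /login, and that the credential parameters are named "username" and "password" as in the URL quoted above. The filter name and the 405 response are this example's own choices.

```java
// Added example (not CAS code): reject login credentials that arrive on any
// HTTP method other than POST, so a credential-bearing GET is refused before
// the login webflow (and the throttling interceptor, which skips non-POST
// requests) ever sees it. Assumes the javax.servlet API and a login URL of
// /login with parameters "username" and "password".
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class PostOnlyCredentialFilter implements Filter {

    @Override
    public void init(FilterConfig filterConfig) {
        // no configuration needed for this example
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        if (carriesCredentials(request) && !"POST".equals(request.getMethod())) {
            // A plain GET of /login (no credential parameters) still passes
            // through so the form can be rendered; only credential-bearing
            // non-POST requests are refused.
            response.setHeader("Allow", "POST");
            response.sendError(HttpServletResponse.SC_METHOD_NOT_ALLOWED,
                    "Credentials must be submitted with POST");
            return;
        }
        chain.doFilter(req, res);
    }

    /**
     * True when the request carries either credential parameter, whatever
     * the method. For a GET this means the query string; for a POST it also
     * covers the form body.
     */
    static boolean carriesCredentials(HttpServletRequest request) {
        return request.getParameter("username") != null
                || request.getParameter("password") != null;
    }

    @Override
    public void destroy() {
        // nothing to release
    }
}
```

Map the filter to the login URL in web.xml with a `<filter>`/`<filter-mapping>` pair for `/login`, ahead of the CAS filters, so the rejection happens before Spring Web Flow processes `_eventId=submit`. Because rejected GETs never reach the flow, they also never consume a login ticket, and the existing POST-only throttling keeps working unchanged for the form submissions that do get through.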