> As you can see from my configuration, I want to allow up to 10 failed login
> attempts in one minute. I tried it out, but was blocked after only 3
> attempts.

I am responsible for this behavior:

https://issues.jasig.org/browse/CAS-1107

I hope I can convince you that it is indeed an improvement. The
throttles enforce a _rate_ defined in failed attempts per minute. You
configured 10/minute, which is one authentication every six seconds.
Thus if you attempted even two successively in less than six seconds,
the throttle flag would be set, and the third attempt would fail.
Waiting more than six seconds for a subsequent authentication would
allow the flag to be cleared and the authentication to proceed.

The discussion on the issue goes into further detail and analysis of
the behavior; review the unit tests for the gory details.

M

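The difference between the rate semantics described in the reply and the count-per-window reading in the quoted question can be modelled as below. This is an added illustration, not part of the message and not CAS source code; the class and function names are hypothetical, and it assumes that a blocked attempt does not reset the timer.

```python
from collections import deque

class RateThrottle:
    """Rate semantics as the reply describes them (a model, not CAS source)."""
    def __init__(self, threshold, range_seconds):
        self.min_interval = range_seconds / threshold  # 60 / 10 = 6 s between failures
        self.last_failure = None
        self.flagged = False

    def failed_attempt(self, t):
        """Submit a bad credential at time t (seconds); return 'blocked' or 'failed'."""
        if self.flagged and t - self.last_failure > self.min_interval:
            self.flagged = False              # waited long enough: flag cleared
        if self.flagged:
            return "blocked"                  # assumption: blocked tries are not recorded
        if self.last_failure is not None and t - self.last_failure < self.min_interval:
            self.flagged = True               # two failures closer than 6 s apart
        self.last_failure = t
        return "failed"

class WindowThrottle:
    """The reading in the quoted question: count failures in a sliding window."""
    def __init__(self, threshold, range_seconds):
        self.threshold, self.range_seconds = threshold, range_seconds
        self.failures = deque()

    def failed_attempt(self, t):
        while self.failures and t - self.failures[0] >= self.range_seconds:
            self.failures.popleft()           # forget failures older than the window
        if len(self.failures) >= self.threshold:
            return "blocked"
        self.failures.append(t)
        return "failed"

def first_blocked(throttle, times):
    """1-based index of the first blocked attempt, or None if none is blocked."""
    for n, t in enumerate(times, start=1):
        if throttle.failed_attempt(t) == "blocked":
            return n
    return None

# Constructed timelines of bad-password submissions, in seconds.
BURST = [0, 2, 4, 6, 8, 10, 12, 14, 16, 18, 20, 22]   # one every 2 s
PACED = [0, 7, 14, 21, 28, 35]                        # one every 7 s

if __name__ == "__main__":
    for name, cls in (("rate", RateThrottle), ("window", WindowThrottle)):
        print(name, "burst:", first_blocked(cls(10, 60), BURST),
              "paced:", first_blocked(cls(10, 60), PACED))
```

With the same 10-per-60-seconds setting, the rate model stops a burst at the third submission while the window model lets ten guesses through before blocking the eleventh.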