Hmm, it doesn't seem reasonable for an authentication system to not be
throttled. Any ideas on why it's not on by default?

I attempted to provide an explanation here:
http://jasig.github.io/cas/planning/Security-Guide.html#login_throttling
Short answer: in terms of security, throttling is best applied to
back-end authentication stores directly. Use the CAS feature as a
second-best approach. Keeping it off by default seems consistent with
that advice.
M