This is timely. I had started composing a message about occasional looping on our 3.5.2 servers.
In one scenario, the /login path is hit repeatedly by a user, sometimes many times per second, with STs being generated and sent back to the CAS client. For some reason, the CAS client seems unable to recognize/process the ST on the redirect, as evidenced by the lack of a call back to the CAS servers to validate the ST and sometimes the ST showing up in 'Referer' in server logs. This initially looks like a CAS client bug or maybe a strange browser config.

In another scenario, I can see a user clearly has an active CAS session (TGT) and successfully authenticated to the CAS client (ST generation/validation), but clicks on something that starts looping to /login. In this case, it looks like _no_ ST is being generated and sent back to the CAS client. If no ST is generated, even in light of a valid session, this could be evidence of a CAS server or maybe Spring Web Flow bug. That said, this CAS client is using 'gateway', so a browser restart and the CAS client not recognizing that could explain that, as well.

The first scenario can lead (and has) to memory exhaustion. We are using Ehcache with a spill-to-disk safety valve, and it tries like a champ to keep up. However, the sheer number of requests with replication puts peer nodes at risk. The second scenario simply ties up resources (load).

Anyhow, these scenarios didn't seem to be completely covered by the existing CAS login rate filter (maybe I should review). Since I have little control over the CAS clients, I've started working on understanding the mechanics of one of the example rate-limit (anti-DoS) filters in Apache httpd mod_security (applied only to the /login path). This rule set operates by detecting (configurable) burst and long-term rate activity and denying (429 Too Many Requests) or delaying access for a configurable period of time, or redirecting to e.g. an error page. The trick here is to profile normal from abnormal activity; I'm trying to find a clean 'break' in /login request rate by IP between normal and aberrant use.
Tom.

-- You are currently subscribed to [email protected] as: [email protected] To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user
