Scott, I did some research a while back, and one of the concerns regarding restrictions by IP is that a large number of users may sit behind a common IP / gateway / proxy, and that that IP will come through as the IP doing something funky. So if that IP is blocked, then there's a possibility that other users will be automatically blocked as well. Do you know if the interceptor mentioned below solves this concern by chance?
Thanks, - Ole Scott Battaglia wrote: > You may be able to use something like this: > > http://developer.jasig.org/source/browse/jasigsvn/cas3/trunk/cas-server-core/src/main/java/org/jasig/cas/web/support/ThrottledSubmissionByIpAddressHandlerInterceptorAdapter.java?r=42053 > > It hasn't been heavily tested but its supposed to restrict number of > requests by IP Address. If you do try and use it, please feel free to > provide us with any feedback or improvements :-) > > -Scott > > On Feb 8, 2008 12:03 AM, ??? <[EMAIL PROTECTED] > <mailto:[EMAIL PROTECTED]>> wrote: > > Thanks for your advice Ole, I've done some researches on Geronimo and it > seems overkill to me. > It seems best for me to write a simple filter using session to > control the > attempting. > > Thanks, > Li Wei Nan > > ----- Original Message ----- > From: "Ole Ersoy" <[EMAIL PROTECTED] <mailto:[EMAIL PROTECTED]>> > To: "Yale CAS mailing list" <[email protected] > <mailto:[email protected]>> > Sent: Friday, February 08, 2008 4:26 AM > Subject: Re: Is there a way to protect login page against a frequent > submit? > > > > Hi Li, > > > > You can do this with a servlet filter that intercepts cas login > requests. > > You would have to get the principal user, see if they have > attempted to > > login with a specified time period, and redirect them to another page > > explaining that they have made too many login attempts and that > they must > > wait X minutes before attempting again. I think Geronimo has > something > > like this built in, but I'm still looking around for a standalone > > implementation. > > > > Cheers, > > - Ole > > > > > > > > Li Wei Nan wrote: > >> Hi Everyone, > >> > >> Is there a plug-in or something like custom view could be used in > >> cas-webapps to protect cas from malicious credential/principal > sniffer? > >> > >> Or maybe there's some configuration I can do in tomcat to achieve > >> this goal which I don't know yet? > >> > >> Thank you for your helps, > >> > >> Li Wei Nan > >> _______________________________________________ > >> Yale CAS mailing list > >> [email protected] <mailto:[email protected]> > >> http://tp.its.yale.edu/mailman/listinfo/cas > >> > > _______________________________________________ > > Yale CAS mailing list > > [email protected] <mailto:[email protected]> > > http://tp.its.yale.edu/mailman/listinfo/cas > > > > > _______________________________________________ > Yale CAS mailing list > [email protected] <mailto:[email protected]> > http://tp.its.yale.edu/mailman/listinfo/cas > > > > > -- > -Scott Battaglia > PGP Public Key Id: 0x383733AA > LinkedIn: http://www.linkedin.com/in/scottbattaglia > > > ------------------------------------------------------------------------ > > _______________________________________________ > Yale CAS mailing list > [email protected] > http://tp.its.yale.edu/mailman/listinfo/cas _______________________________________________ Yale CAS mailing list [email protected] http://tp.its.yale.edu/mailman/listinfo/cas
