Scott,

I did some research a while back, and one of the concerns regarding 
restrictions by IP is that a large number of users may sit behind a common IP / 
gateway / proxy, and that that IP will come through as the IP doing something 
funky.  So if that IP is blocked, then there's a possibility that other users 
will be automatically blocked as well.  Do you know if the interceptor 
mentioned below solves this concern by chance?

Thanks,
- Ole




Scott Battaglia wrote:
> You may be able to use something like this:
> 
> http://developer.jasig.org/source/browse/jasigsvn/cas3/trunk/cas-server-core/src/main/java/org/jasig/cas/web/support/ThrottledSubmissionByIpAddressHandlerInterceptorAdapter.java?r=42053
> 
> It hasn't been heavily tested but its supposed to restrict number of 
> requests by IP Address.  If you do try and use it, please feel free to 
> provide us with any feedback or improvements :-)
> 
> -Scott
> 
> On Feb 8, 2008 12:03 AM, ??? <[EMAIL PROTECTED] 
> <mailto:[EMAIL PROTECTED]>> wrote:
> 
>     Thanks for your advice Ole, I've done some researches on Geronimo and it
>     seems overkill to me.
>     It seems best for me to write a simple filter using session to
>     control the
>     attempting.
> 
>     Thanks,
>     Li Wei Nan
> 
>     ----- Original Message -----
>     From: "Ole Ersoy" <[EMAIL PROTECTED] <mailto:[EMAIL PROTECTED]>>
>     To: "Yale CAS mailing list" <[email protected]
>     <mailto:[email protected]>>
>     Sent: Friday, February 08, 2008 4:26 AM
>     Subject: Re: Is there a way to protect login page against a frequent
>     submit?
> 
> 
>      > Hi Li,
>      >
>      > You can do this with a servlet filter that intercepts cas login
>     requests.
>      > You would have to get the principal user, see if they have
>     attempted to
>      > login with a specified time period, and redirect them to another page
>      > explaining that they have made too many login attempts and that
>     they must
>      > wait X minutes before attempting again.  I think Geronimo has
>     something
>      > like this built in, but I'm still looking around for a standalone
>      > implementation.
>      >
>      > Cheers,
>      > - Ole
>      >
>      >
>      >
>      > Li Wei Nan wrote:
>      >> Hi Everyone,
>      >>
>      >> Is there a plug-in or something like custom view could be used in
>      >> cas-webapps to protect cas from malicious credential/principal
>     sniffer?
>      >>
>      >> Or maybe there's some configuration I can do in tomcat to achieve
>      >> this goal which I don't know yet?
>      >>
>      >> Thank you for your helps,
>      >>
>      >> Li Wei Nan
>      >> _______________________________________________
>      >> Yale CAS mailing list
>      >> [email protected] <mailto:[email protected]>
>      >> http://tp.its.yale.edu/mailman/listinfo/cas
>      >>
>      > _______________________________________________
>      > Yale CAS mailing list
>      > [email protected] <mailto:[email protected]>
>      > http://tp.its.yale.edu/mailman/listinfo/cas
>      >
> 
> 
>     _______________________________________________
>     Yale CAS mailing list
>     [email protected] <mailto:[email protected]>
>     http://tp.its.yale.edu/mailman/listinfo/cas
> 
> 
> 
> 
> -- 
> -Scott Battaglia
> PGP Public Key Id: 0x383733AA
> LinkedIn: http://www.linkedin.com/in/scottbattaglia
> 
> 
> ------------------------------------------------------------------------
> 
> _______________________________________________
> Yale CAS mailing list
> [email protected]
> http://tp.its.yale.edu/mailman/listinfo/cas
_______________________________________________
Yale CAS mailing list
[email protected]
http://tp.its.yale.edu/mailman/listinfo/cas

Reply via email to