Thank you all for your advices, it's really give me a lot of
inspirations :-)
Considering that most of our clients are in-home guys using ADSL
instead of sitting behind a firewall of a big company, the chance
they share same IP address are rather small. So it may suitable for
me to use "ThrottledSubmissionByIpAddressHandlerInterceptorAdapter"
for now.
I think both 'IP' and 'User' way have their pros and cons.
Ole's concept for banning the submission by user is an alternative
way to achieve the similar goal. And it may give user a better
experience.
From Ole's reply I didn't find the impl method to identify each
'user', I guess it's using the session or the 'username' the user
entered in the login form.
No matter how it's implemented, banned the request by 'user' has
another problem: it cannot protect the CAS server from DDOS attack,
if an attacker write a tcp program and sending a large amount of
random generated username/password(and surely he/she can re-establish
session each time), the server cannot recognize it as the same user
and it will have to deal with those garbage infos, and make server
stop responding to normal users - actually that's what really
happened in our company recently.
The IP way is obviously safer under this circumstance. Certainly if
the attcker is really working hard, the IP address can also be faked,
but our firewall can
detect most of those forged tcp packages.
So, In my opinion, the IP way is safer and the 'User' way is better
in user experience. For OUR COMPANY, since the CAS server now bearing
a dozen of universites login request, and considering the DDOS attack
happened before, I think
ThrottledSubmissionByIpAddressHandlerInterceptorAdapter is enough for
OUR COMPANY's PURPOSE.
BTW, The following default value in
ThrottledSubmissionByIpAddressHandlerInterceptorAdapter seems
resonable to make it function properly. 100 thresshold will be enough
for us even if behind one IP there's hundreds of users.
/** Default value for the failure threshhold before you're locked
out. */
36
private static final BigInteger DEFAULT_FAILURE_THRESHHOLD =
BigInteger
37
.valueOf(100);
38
39
/** The default timeout (in seconds) to clear one failure
attempt. */
40
private static final int DEFAULT_FAILURE_TIMEOUT = 60
I'll try to use
ThrottledSubmissionByIpAddressHandlerInterceptorAdapter soon and if
there's any problem I'll report it here :-)
Thank you all for your helps~~
Best Regards,
Li Wei Nan
Le 2008-2-9 à 上午12:15, Ole Ersoy a écrit :
I've been toying with the idea of making a filter as well. I think
it could be done by creating a CAS ServletContextLister that
creates a data structure for storing:
- user
- number of attempts
- time of last attempt
The filter then grabs this data structure from the CAS
ServletContext and uses it like this:
If a user has made an attempt to login within say the last 15
minutes, the number of attempts is incremented, given that it's not
already at the max. If it's at the max then the user gets a
message saying that they have to wait X minutes before trying to
login again. If the user has made a login attempt before, but the
attempt was made more than 15 minutes ago, then the filter resets
the number of attempts to 1, and the cycle starts over again.
If this were made as a component to CAS it should probably be an
Action that is invoked before the initialFlowSetup. So if user is
allowed to attempt to login, then the next step is the
initialFlowSetup, otherwise it's the too many attempts view-state.
Cheers,
- Ole
Le 2008-2-8 à 下午11:48, Ole Ersoy a écrit :
Scott,
I did some research a while back, and one of the concerns regarding
restrictions by IP is that a large number of users may sit behind a
common IP / gateway / proxy, and that that IP will come through as
the IP doing something funky. So if that IP is blocked, then
there's a possibility that other users will be automatically
blocked as well. Do you know if the interceptor mentioned below
solves this concern by chance?
Thanks,
- Ole
Scott Battaglia wrote:
You may be able to use something like this:
http://developer.jasig.org/source/browse/jasigsvn/cas3/trunk/cas-
server-core/src/main/java/org/jasig/cas/web/support/
ThrottledSubmissionByIpAddressHandlerInterceptorAdapter.java?r=42053
It hasn't been heavily tested but its supposed to restrict number of
requests by IP Address. If you do try and use it, please feel
free to
provide us with any feedback or improvements :-)
-Scott
On Feb 8, 2008 12:03 AM, ??? <[EMAIL PROTECTED]
<mailto:[EMAIL PROTECTED]>> wrote:
Thanks for your advice Ole, I've done some researches on
Geronimo and it
seems overkill to me.
It seems best for me to write a simple filter using session to
control the
attempting.
Thanks,
Li Wei Nan
----- Original Message -----
From: "Ole Ersoy" <[EMAIL PROTECTED]
<mailto:[EMAIL PROTECTED]>>
To: "Yale CAS mailing list" <[email protected]
<mailto:[email protected]>>
Sent: Friday, February 08, 2008 4:26 AM
Subject: Re: Is there a way to protect login page against a
frequent
submit?
Hi Li,
You can do this with a servlet filter that intercepts cas login
requests.
You would have to get the principal user, see if they have
attempted to
login with a specified time period, and redirect them to another
page
explaining that they have made too many login attempts and that
they must
wait X minutes before attempting again. I think Geronimo has
something
like this built in, but I'm still looking around for a standalone
implementation.
Cheers,
- Ole
Li Wei Nan wrote:
Hi Everyone,
Is there a plug-in or something like custom view could be used in
cas-webapps to protect cas from malicious credential/principal
sniffer?
Or maybe there's some configuration I can do in tomcat to achieve
this goal which I don't know yet?
Thank you for your helps,
Li Wei Nan
_______________________________________________
Yale CAS mailing list
[email protected] <mailto:[email protected]>
http://tp.its.yale.edu/mailman/listinfo/cas
_______________________________________________
Yale CAS mailing list
[email protected] <mailto:[email protected]>
http://tp.its.yale.edu/mailman/listinfo/cas
_______________________________________________
Yale CAS mailing list
[email protected] <mailto:[email protected]>
http://tp.its.yale.edu/mailman/listinfo/cas
--
-Scott Battaglia
PGP Public Key Id: 0x383733AA
LinkedIn: http://www.linkedin.com/in/scottbattaglia
---------------------------------------------------------------------
---
_______________________________________________
Yale CAS mailing list
[email protected]
http://tp.its.yale.edu/mailman/listinfo/cas
_______________________________________________
Yale CAS mailing list
[email protected]
http://tp.its.yale.edu/mailman/listinfo/cas
_______________________________________________
Yale CAS mailing list
[email protected]
http://tp.its.yale.edu/mailman/listinfo/cas