Scott,
Thank you for all.
We develop a temporary blockage of authentication. If a user attempts a
bad authentication, it cannot authenticate for X seconds, even with a
correct password.
We use an aop:aspectj (pointcut
org.jasig.cas.authentication.AuthenticationManager.authenticate).
Thanks,
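A sketch of the aspect Julien describes, added here as an illustrative example and not code from the thread or from the CAS project: a Spring AOP @Around advice on AuthenticationManager.authenticate that, after one failed attempt, rejects the same username for a fixed window even if the next password is correct. The CAS types used (AuthenticationManager, Credentials, UsernamePasswordCredentials, AuthenticationException, BadCredentialsAuthenticationException) are assumed to be those of the CAS 3.x server; the 30-second window, the in-memory map and the class name FailedLoginBlockAspect are assumptions.

```java
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.ConcurrentMap;

import org.aspectj.lang.ProceedingJoinPoint;
import org.aspectj.lang.annotation.Around;
import org.aspectj.lang.annotation.Aspect;
import org.jasig.cas.authentication.handler.AuthenticationException;
import org.jasig.cas.authentication.handler.BadCredentialsAuthenticationException;
import org.jasig.cas.authentication.principal.Credentials;
import org.jasig.cas.authentication.principal.UsernamePasswordCredentials;

/** Rejects every authentication for a username during BLOCK_MILLIS after one failure. */
@Aspect
public class FailedLoginBlockAspect {

    private static final long BLOCK_MILLIS = 30000L; // assumed "X seconds": 30 s

    /** username -> epoch millis until which that username is blocked (assumed in-memory store). */
    private final ConcurrentMap<String, Long> blockedUntil = new ConcurrentHashMap<String, Long>();

    @Around("execution(* org.jasig.cas.authentication.AuthenticationManager.authenticate(..)) && args(credentials)")
    public Object throttle(ProceedingJoinPoint pjp, Credentials credentials) throws Throwable {
        String key = keyFor(credentials);
        long now = System.currentTimeMillis();
        if (isBlocked(key, now)) {
            // Still inside the window: refuse before any handler sees the password,
            // so a correct password also fails until the window expires.
            throw new BadCredentialsAuthenticationException();
        }
        try {
            Object result = pjp.proceed();
            blockedUntil.remove(key);                   // success clears a stale entry
            return result;
        } catch (AuthenticationException e) {
            blockedUntil.put(key, now + BLOCK_MILLIS);  // failure opens the window
            throw e;
        }
    }

    boolean isBlocked(String key, long now) {
        Long until = blockedUntil.get(key);
        if (until == null) return false;
        if (until <= now) { blockedUntil.remove(key, until); return false; } // expired
        return true;
    }

    private static String keyFor(Credentials credentials) {
        if (credentials instanceof UsernamePasswordCredentials) {
            return ((UsernamePasswordCredentials) credentials).getUsername();
        }
        return credentials.getClass().getName(); // assumption: other credential types share one bucket
    }
}
```

The aspect takes effect once it is declared as a bean alongside `<aop:aspectj-autoproxy/>` in the CAS Spring context. Keying on the username means repeated failures also deny the legitimate user for the window; keying on the client address instead trades that for weaker protection behind shared proxies.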
Scott Battaglia wrote:
Julien,
Obtaining an LT is only one additional step and not especially hard to
retrieve. People concerned about brute-force should either use
something in CAS to throttle IP requests (i.e. the sample code we have)
or something at their authentication source level (i.e. password
locking after too many failed attempts).
-Scott
-Scott Battaglia
PGP Public Key Id: 0x383733AA
LinkedIn: http://www.linkedin.com/in/scottbattaglia
On Fri, Nov 28, 2008 at 3:28 AM, Julien Marchal <[EMAIL PROTECTED]> wrote:
Scott,
But in the web interface you have the ticket 'LT', which complicates
things for an attack; in the REST interface we can make a brute-force
attack more simply.
Thanks,
Scott Battaglia wrote:
Pascal,
You should take the same concern with the RESTful API that you would
with the web UI as they can both be used to attempt to determine
passwords.
-Scott
-Scott Battaglia
PGP Public Key Id: 0x383733AA
LinkedIn: http://www.linkedin.com/in/scottbattaglia
_______________________________________________
Yale CAS mailing list
[email protected]
http://tp.its.yale.edu/mailman/listinfo/cas