Hi folks - trying again here... There seems to be the 'right kind' of 
settings needed to get authentication throttling to work. I have currently 
defined it as 3 failures within 15 seconds.

cas.authn.throttle.usernameParameter=
cas.authn.throttle.schedule.startDelay=10000
cas.authn.throttle.schedule.repeatInterval=20000
cas.authn.throttle.appcode=CAS
cas.authn.throttle.failure.threshold=3
cas.authn.throttle.failure.code=AUTHENTICATION_FAILED
cas.authn.throttle.failure.rangeSeconds=15



The problem is, after the second failed attempt within 6 seconds I get the 
'access denied' message even though I hadn't even tried 3 times. In the 
logs it will report back that 3 failures had occurred. But that is not 
true. Now, CAS is behind a load balancer, but the IP address of the client 
is being preserved.

If I change the values to be 5 failures within 5 seconds, the second 
attempt issue doesn't exist, and basically I can't trigger the throttling 
message to appear.

If I add more time to the setting and make it 3 failures within 60 seconds, 
it's the same issue: the second failure will trigger 'access denied'. This is a 
test CAS server with nobody else using it, so even if it were a load balancer 
issue, only I am using/testing it at present. It's just strange to me.

I was able to stop the second attempt issue by setting it to 10 failures 
within 60 seconds, but those settings are pointless for us. However, when 
tested after 10 equally spaced failure attempts within 60 seconds - it did 
successfully trigger the message.


2018-01-24 12:38:06,193 WARN [org.apereo.cas.web.support.AbstractThrottledSubmissionHandlerInterceptorAdapter] - <Throttling submission from [client-ip-here]. More than [3] failed login attempts within [15] seconds. Authentication attempt exceeds the failure threshold [3]>


To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/cb0ffa0f-1fe5-4205-b141-167eeff7dfd0%40apereo.org.
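The behaviour described above (a denial on the second failure under 3/15, no denial under 5/5, a denial on the second failure under 3/60, and a denial only with closely spaced attempts under 10/60) is consistent with a throttle that compares the rate between the two most recent failures against threshold/rangeSeconds rather than counting failures in a window. The following Python model is an added example, not CAS code and not from the original post; the rate formula is my reading of how CAS's in-memory throttle handler of that generation worked and should be treated as an assumption. It replays constructed failure timestamps through both a rate-based model and the count-in-window model the post expects, so the two can be compared against the settings in the post.

```python
"""Two models of a per-client login throttle, for comparing what a
'3 failures within 15 seconds' setting means under each.

Constructed example; not CAS code. The RateThrottle formula is an assumption
(my reading of CAS's in-memory throttle handler: the rate implied by the gap
between the last two failures is compared against threshold / rangeSeconds).
"""
from typing import Callable, Dict, List, Optional, Union


class RateThrottle:
    """Deny when the rate implied by the gap between this failure and the
    previous failure from the same key exceeds threshold / range_seconds."""

    def __init__(self, failure_threshold: int, range_seconds: int) -> None:
        self.threshold_rate = failure_threshold / range_seconds  # failures per second
        self.last_failure: Dict[str, int] = {}  # key -> epoch millis of last failure

    def exceeds_threshold(self, key: str, now_ms: int) -> bool:
        last = self.last_failure.get(key)
        if last is None:
            return False
        gap_ms = now_ms - last
        if gap_ms <= 0:
            return True
        return (1000.0 / gap_ms) > self.threshold_rate

    def record_failure(self, key: str, now_ms: int) -> None:
        self.last_failure[key] = now_ms


class WindowThrottle:
    """Deny once `failure_threshold` failures already sit inside the trailing
    `range_seconds` window: the count-based behaviour the post expects."""

    def __init__(self, failure_threshold: int, range_seconds: int) -> None:
        self.failure_threshold = failure_threshold
        self.window_ms = range_seconds * 1000
        self.failures: Dict[str, List[int]] = {}  # key -> epoch millis of failures

    def exceeds_threshold(self, key: str, now_ms: int) -> bool:
        recent = [t for t in self.failures.get(key, []) if t > now_ms - self.window_ms]
        self.failures[key] = recent  # drop entries that aged out of the window
        return len(recent) >= self.failure_threshold

    def record_failure(self, key: str, now_ms: int) -> None:
        self.failures.setdefault(key, []).append(now_ms)


Throttle = Union[RateThrottle, WindowThrottle]


def first_denied_attempt(make_throttle: Callable[[], Throttle],
                         failure_times_s: List[float],
                         key: str = "client-ip-here") -> Optional[int]:
    """Replay failed logins at the given timestamps (seconds, constructed input)
    and return the 1-based index of the first attempt the throttle would deny,
    or None if every attempt gets through to the authentication handler."""
    throttle = make_throttle()
    for i, ts in enumerate(failure_times_s, start=1):
        now_ms = int(round(ts * 1000))
        if throttle.exceeds_threshold(key, now_ms):
            return i
        throttle.record_failure(key, now_ms)
    return None


def min_gap_seconds(failure_threshold: int, range_seconds: int) -> float:
    """Under the rate model, two consecutive failures closer together than
    this many seconds trigger a denial on the second one."""
    return range_seconds / failure_threshold


if __name__ == "__main__":
    for threshold, rng in [(3, 15), (5, 5), (3, 60), (10, 60)]:
        print(f"{threshold} failures / {rng}s: rate model denies any two failures "
              f"less than {min_gap_seconds(threshold, rng):g}s apart")
    # Two failures 4.5 s apart under the post's 3/15 settings:
    print(first_denied_attempt(lambda: RateThrottle(3, 15), [0, 4.5]))    # 2
    print(first_denied_attempt(lambda: WindowThrottle(3, 15), [0, 4.5]))  # None
```

Under the rate model, 3/15 denies any second failure less than 5 s after the first, 5/5 needs two failures within 1 s (hard to produce by hand), 3/60 denies a second failure within 20 s, and 10/60 only denies failures spaced under 6 s apart, which is why ten roughly evenly spaced attempts over a minute were the first configuration to look like a count. Whether the deployed CAS version uses this formula is something to confirm against its source; the model only shows that the observations fit it.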