Ahh, thank you. That helps a lot. I wish this were more explicit in the
documentation.
On Thu, Sep 17, 2020 at 03:32:40PM +0000, Ray Bon wrote:
Baron,
That throttle is a ratio. So you have 1 in 24s. It is triggered on every log
in attempt (in your case by same username - but test this), not after 4.
Ray
On Wed, 2020-09-16 at 16:36 -1000, Baron Fujimoto wrote:
I confirmed the overlay for the 403.html file.
Still don't understand *cas.authn.throttle.usernameParameter* though.
But worse, the observed behavior doesn't seem to match up with the properties
set though. Using:
cas.authn.throttle.usernameParameter=username
cas.authn.throttle.failure.threshold=5
cas.authn.throttle.failure.code=AUTHENTICATION_FAILED
cas.authn.throttle.failure.rangeSeconds=120
However, when I test, on just the second failed authentication attempt with a
deliberately bad password, throttling is triggered and the following is logged:
WARN
[org.apereo.cas.web.support.InMemoryThrottledSubmissionByIpAddressAndUsernameHandlerInterceptorAdapter]
- <Throttling submission from 192.10.10.10. More than 5 failed login attempts
within 120 seconds. Authentication attempt exceeds the failure threshold 5>
But there have definitely been fewer than 5 attempts for this IP address and
username key pair.
If I add trace logging for
InMemoryThrottledSubmissionByIpAddressAndUsernameHandlerInterceptorAdapter, I
can also see entries for keys:
TRACE
[org.apereo.cas.web.support.InMemoryThrottledSubmissionByIpAddressAndUsernameHandlerInterceptorAdapter]
- <Removing entry for key 192.10.10.10;baron>
But nothing more specifically for how they are triggering the throttling policy.
Any suggestions?
On Thu, Sep 10, 2020 at 11:04:51AM -1000, Baron Fujimoto wrote:
Sorry, more questions:
I also tried setting the property *cas.authn.throttle.failure.code* to
"AUTHENTICATION_FAILED_THROTTLED" in an attempt to make the cause for this
failure mode more apparent.
However, the string never shows up in the logs. I don't see any differences if I leave it
at the default(?) "AUTHENTICATION_FAILED" value.
Upon invoking throttling the UI presents the following in a somewhat funky font:
=====
YOU ARE NOT AUTHORIZED TO BE AUTHORIZED!
We are sorry. You do not have permission to view this page.
You thought you could just get to file you wanted, right?
Wrong.
In closing, go away.
=====
Since this is... not ideal... for our environment, we'll need to edit this. I
assume this should be done via an overlay? It looks like this content is found
in .../templates/error/403.html file. I believe long ago we previously modified
404.html, and I find it in our
cas-overlay/target/classes/templates/error/404.html dir. Should the overlay
version of 403.html also be placed in the same dir?
Since it's invoking a general 403.html, I don't suppose there is a way to get
it to display a more specific page for the Throttling condition rather than a
generic 403?
On Thu, Sep 10, 2020 at 07:56:54AM +0200, Jérôme LELEU wrote:
Hi,
The value of the *cas.authn.throttle.usernameParameter* property must be
the name of the request parameter holding the username (from the login
form), which is "username".
Thanks.
Best regards,
Jérôme
Mahalo for the clarification! I'm assuming that the "username" value for
the cas.authn.throttle.usernameParameter is a general value for all users
and not a specific user, e.g. "alice" or "bob" (because that would be...
non-optimal)? Does it matter what the value for the
cas.authn.throttle.usernameParameter property is, or just that it has some
value? I.e., could it be set to a pseudo-boolean value, like "true" and
have the same effect?
It would be helpful if the documentation included this information.
On Wed, Sep 09, 2020 at 12:57:32PM +0200, Jérôme LELEU wrote:
Hi,
If you define something for the username, you'll use the throttling by IP
and username.
Thanks.
Best regards,
Jérôme
I'm seeking some clarification on Authentication Throttling. We're using
5.0.x, but the documentation doesn't seem to differ much in subsequent
versions for this question.
<https://apereo.github.io/cas/5.0.x/installation/Configuring-Authentication-Throttling.html>
The docs describe both throttling by IP address, and IP address and
username. How do we ensure the latter so the throttling is also per
username? The cas.properties documentation includes a
"cas.authn.throttle.usernameParameter=username" property, but doesn't
explain its purpose. I don't see anything else that looks like it may be
relevant?
--
UH Information Technology Services : Identity & Access Mgmt, Middleware
minutas cantorum, minutas balorum, minutas carboratum desendus pantorum
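The behaviour Ray describes (threshold and rangeSeconds form a ratio, checked on every login attempt rather than after a count of failures) can be replayed with a small model. The code below is an added illustration, not CAS's own interceptor, and it makes one assumption beyond the thread: a throttled attempt is rejected before authentication runs and so does not refresh the key's last-failure timestamp. The key format "ip;username" follows the TRACE entry quoted above.

```python
"""Model of a ratio-style login throttle keyed by "ip;username".

Added example, not CAS project code. Rule modelled from the thread:
  threshold_rate = failure.threshold / failure.rangeSeconds
  a new attempt is throttled when 1 / (seconds since the last recorded
  failure for that key) exceeds threshold_rate.
With threshold=5 and rangeSeconds=120 that is 1 failure per 24 s, so the
second attempt 10 s after a bad password is already throttled.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class RatioThrottle:
    failure_threshold: int = 5      # cas.authn.throttle.failure.threshold
    range_seconds: int = 120        # cas.authn.throttle.failure.rangeSeconds
    # key -> timestamp (seconds) of the last recorded failed submission
    last_failure: Dict[str, float] = field(default_factory=dict)

    @property
    def threshold_rate(self) -> float:
        """Allowed failure rate in failures per second (5/120 here)."""
        return self.failure_threshold / self.range_seconds

    @property
    def min_interval_seconds(self) -> float:
        """Shortest gap between a failure and the next accepted attempt."""
        return 1.0 / self.threshold_rate

    def is_throttled(self, key: str, now: float) -> bool:
        """Decide before authentication whether this submission is blocked."""
        last: Optional[float] = self.last_failure.get(key)
        if last is None:
            return False                      # no failure on record for key
        elapsed = now - last
        if elapsed <= 0:
            return True                       # same instant: infinite rate
        return (1.0 / elapsed) > self.threshold_rate

    def record_failure(self, key: str, now: float) -> None:
        self.last_failure[key] = now

    def clear(self, key: str) -> None:
        """A successful login drops the key (assumption of this model)."""
        self.last_failure.pop(key, None)


def replay(throttle: RatioThrottle, key: str,
           attempts: List[Tuple[float, bool]]) -> List[str]:
    """Replay (time, password_correct) attempts for one ip;username key.

    Returns one outcome per attempt: "throttled" (403 before auth),
    "failed" (bad password, failure recorded) or "ok" (login succeeded).
    Throttled attempts are assumed not to update the failure timestamp.
    """
    outcomes = []
    for now, password_ok in attempts:
        if throttle.is_throttled(key, now):
            outcomes.append("throttled")
        elif password_ok:
            throttle.clear(key)
            outcomes.append("ok")
        else:
            throttle.record_failure(key, now)
            outcomes.append("failed")
    return outcomes


# Constructed scenario matching the thread's configuration and key.
SCENARIO_KEY = "192.10.10.10;baron"
SCENARIO = [
    (0.0, False),    # bad password, failure recorded at t=0
    (10.0, False),   # only 10 s later: 1/10 > 5/120, throttled already
    (40.0, False),   # 40 s after the recorded failure: allowed, fails again
    (60.0, True),    # correct password but only 20 s after a failure: blocked
    (70.0, True),    # 30 s gap: allowed, succeeds, key cleared
]

if __name__ == "__main__":
    t = RatioThrottle(failure_threshold=5, range_seconds=120)
    print(f"threshold rate {t.threshold_rate:.4f}/s, "
          f"one failure per {t.min_interval_seconds:.0f} s")
    for (when, _), result in zip(SCENARIO, replay(t, SCENARIO_KEY, SCENARIO)):
        print(f"t={when:5.1f}s  {result}")
```

Running it shows why the log line quoted above ("More than 5 failed login attempts within 120 seconds") appears after a single failure: the check is on the rate implied by the gap to the last failure, and the message text simply echoes the configured threshold and range.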