Massimiliano Perrone created SYNCOPE-1971:
---------------------------------------------

             Summary: Add throttling for repeated failed username/password authentication attempts
                 Key: SYNCOPE-1971
                 URL: https://issues.apache.org/jira/browse/SYNCOPE-1971
             Project: Syncope
          Issue Type: Improvement
          Components: core
            Reporter: Massimiliano Perrone
            Assignee: Massimiliano Perrone
             Fix For: 4.0.7, 4.1.2, 5.0.0


The proposed change adds configurable throttling for repeated failed 
username/password authentication attempts. Failed attempts are tracked per 
domain and login within a configurable time window to help prevent brute-force 
attacks against user passwords (e.g. the admin account).

Once the configured threshold is reached, further attempts are temporarily 
rejected with HTTP 429 and a Retry-After header, including attempts with valid 
credentials during the lock window.

This provides a generic rate-limiting layer independent of user suspension 
policies.
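To illustrate the mechanism described above (this is an added example, not the Syncope patch itself): a sliding-window throttle keyed by (domain, login) that counts only failures, rejects every attempt with 429 and a Retry-After header once the threshold is hit, and lets the lock expire as the oldest failure ages out of the window. The `verify` callback and the clearing of history on a successful login are assumptions of the example, not part of the issue text.

```python
import math
import time
from collections import defaultdict, deque

class FailedLoginThrottle:
    """Sliding-window throttle keyed by (domain, login). Only failures are
    recorded; once max_failures fall inside window_seconds, check() rejects
    every attempt for that key, valid credentials included, until the oldest
    failure ages out of the window."""

    def __init__(self, max_failures=5, window_seconds=60, clock=time.monotonic):
        self.max_failures = max_failures
        self.window = window_seconds
        self.clock = clock  # injectable so tests can drive time deterministically
        self._failures = defaultdict(deque)  # (domain, login) -> failure timestamps

    def _prune(self, key, now):
        q = self._failures[key]
        while q and now - q[0] >= self.window:
            q.popleft()  # a failure older than the window no longer counts
        return q

    def check(self, domain, login):
        """Return (allowed, retry_after_seconds); call before verifying the password."""
        now = self.clock()
        q = self._prune((domain, login), now)
        if len(q) >= self.max_failures:
            # The lock lasts until the oldest counted failure leaves the window.
            return False, max(1, math.ceil(self.window - (now - q[0])))
        return True, 0

    def record_failure(self, domain, login):
        now = self.clock()
        self._prune((domain, login), now).append(now)

    def record_success(self, domain, login):
        self._failures.pop((domain, login), None)  # assumption: success clears history

def authenticate(throttle, domain, login, password, verify):
    """Return (HTTP status, headers). `verify` stands in for the real credential check."""
    allowed, retry_after = throttle.check(domain, login)
    if not allowed:
        return 429, {"Retry-After": str(retry_after)}  # rejected before any password check
    if verify(domain, login, password):
        throttle.record_success(domain, login)
        return 200, {}
    throttle.record_failure(domain, login)
    return 401, {}
```

Note that a rejected (429) attempt is not itself recorded as a failure, so the lock window is not extended by the requests it blocks.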



--
This message was sent by Atlassian Jira
(v8.20.10#820010)