[
https://issues.apache.org/jira/browse/SYNCOPE-1971?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=18087886#comment-18087886
]
ASF subversion and git services commented on SYNCOPE-1971:
----------------------------------------------------------
Commit 2b897c3328d40d00ab359c6704b9fb82ad88da2e in syncope's branch
refs/heads/master from Massimiliano Perrone
[ https://gitbox.apache.org/repos/asf?p=syncope.git;h=2b897c3328 ]
[SYNCOPE-1971] Add authentication failure throttling to avoid brute-force
attack (#1413)
> Add throttling for repeated failed username/password authentication attempts
> -----------------------------------------------------------------------------
>
> Key: SYNCOPE-1971
> URL: https://issues.apache.org/jira/browse/SYNCOPE-1971
> Project: Syncope
> Issue Type: Improvement
> Components: core
> Reporter: Massimiliano Perrone
> Assignee: Massimiliano Perrone
> Priority: Major
> Fix For: 4.0.7, 4.1.2, 5.0.0
>
> Time Spent: 1h 10m
> Remaining Estimate: 0h
>
> The proposed change adds configurable throttling for repeated failed
> username/password authentication attempts. Failed attempts are tracked per
> domain and login within a configurable time window to help prevent
> brute-force attacks against user passwords (e.g. the admin account).
> Once the configured threshold is reached, further attempts are temporarily
> rejected with HTTP 429 and a Retry- After header, including attempts with
> valid credentials during
> the lock window.
> This provides a generic rate-limiting layer independent of user suspension
> policies.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
