Hi,

I want to prevent a CAS server from being used to guess passwords, so
I'm reading the docs about Authentication Throttling. I find it somewhat
confusing, because it is not clear how period and threshold work together.
From the docs:

> All login throttling components that ship with CAS limit successive
> failed login attempts that exceed a threshold rate in failures per
> second. The following properties are provided to define the failure
> rate:
> 
> failureRangeInSeconds:
>     Period of time in seconds during which the threshold applies.
> failureThreshold:
>     Number of failed login attempts permitted in the above period.

On the other hand, I've read in this group

> Those throttle settings get reduced to a common denominator. When you
> set 3 failures within 15 seconds, it is converted to 1 in 5 seconds.

If I'm understanding it correctly, there is no point having two different
properties instead of just a hypothetical "secondsBetweenConsecutiveFailures".

Besides that, the logged message (e. g. "More than [3] failed login
attempts within [15] seconds. Authentication attempt exceeds the failure
threshold [3]") is very misleading, as it can be triggered just after two
quick failed logins.

Is there no way to send the IP/username to the waiting room when failing
four times in a minute but not when failing two times in 30 seconds?

Regards,

-- 
Alberto Cabello Sánchez
Servicio de Informática
Universidad de Extremadura
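As an added illustration (it is not part of the original message and not CAS code), here is a small Python model of the two readings of the settings discussed above: the "reduced to a rate" behaviour the quoted reply describes, where a failure is throttled whenever it arrives faster than threshold/period after the previous failure, and a count-in-window reading of the docs, where a failure is throttled only once more than the threshold number of failures fall inside the period. The class names, the `record_failure` method and the timestamps are my own assumptions, not CAS APIs, and the sample failure times are constructed to match the two cases in the question (two failures a few seconds apart, four failures within a minute).

```python
from collections import deque
from dataclasses import dataclass, field


@dataclass
class RateThrottle:
    """Model (assumption, not CAS code) of the behaviour the quoted reply
    describes: threshold/period is reduced to a rate in failures per second,
    and a new failure is throttled when the time since the previous failure
    for the same key is shorter than one failure at that rate allows."""
    failure_threshold: int
    failure_range_in_seconds: float
    last_failure: dict = field(default_factory=dict)

    @property
    def threshold_rate(self) -> float:
        # e.g. 3 failures / 15 s -> 0.2 failures per second (1 per 5 s)
        return self.failure_threshold / self.failure_range_in_seconds

    def record_failure(self, key: str, now: float) -> bool:
        """Record a failed login for key at time now; return True if throttled."""
        last = self.last_failure.get(key)
        self.last_failure[key] = now
        if last is None:
            return False
        elapsed = now - last
        if elapsed <= 0:
            return True
        # instantaneous rate of this pair of failures vs. the configured rate
        return (1.0 / elapsed) > self.threshold_rate


@dataclass
class SlidingWindowThrottle:
    """Model (assumption) of the literal reading of the docs: up to
    failure_threshold failures are permitted inside any period of
    failure_range_in_seconds; the next one is throttled."""
    failure_threshold: int
    failure_range_in_seconds: float
    failures: dict = field(default_factory=dict)

    def record_failure(self, key: str, now: float) -> bool:
        """Record a failed login for key at time now; return True if throttled."""
        window = self.failures.setdefault(key, deque())
        window.append(now)
        cutoff = now - self.failure_range_in_seconds
        # drop failures that have aged out of the period
        while window and window[0] < cutoff:
            window.popleft()
        return len(window) > self.failure_threshold


def simulate(throttle, failure_times, key="client-A"):
    """Feed constructed failure timestamps (seconds) for one key and return
    the per-attempt throttle decisions."""
    return [throttle.record_failure(key, t) for t in failure_times]


# Constructed sample input: the two cases from the question.
TWO_QUICK_FAILURES = [0.0, 2.0]            # two failures 2 s apart
FOUR_IN_A_MINUTE = [0.0, 15.0, 30.0, 45.0]  # four failures within 60 s


def compare():
    """Run both models over both cases and return the decisions."""
    return {
        # settings from the question: 3 failures within 15 seconds
        "rate_3_in_15_two_quick": simulate(RateThrottle(3, 15), TWO_QUICK_FAILURES),
        "rate_3_in_15_four_in_minute": simulate(RateThrottle(3, 15), FOUR_IN_A_MINUTE),
        # the policy the question asks for: 3 permitted per 60 seconds
        "window_3_in_60_two_quick": simulate(SlidingWindowThrottle(3, 60), TWO_QUICK_FAILURES),
        "window_3_in_60_four_in_minute": simulate(SlidingWindowThrottle(3, 60), FOUR_IN_A_MINUTE),
    }


if __name__ == "__main__":
    for name, decisions in compare().items():
        print(f"{name}: {decisions}")
```

Under the rate model, the second of two failures 2 seconds apart is already throttled (1 failure per 2 s exceeds 1 per 5 s), while four failures spaced 15 seconds apart are never throttled, which is exactly the mismatch the question points out; the count-in-window model throttles the fourth failure inside the minute and leaves the two quick failures alone.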

You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/20190530122543.2bf99b71381af36ccfc48061%40unex.es.