Is there a way to protect login page against a frequent submit?

Scott Battaglia scott.battaglia at gmail.com
Fri Feb 8 10:05:26 EST 2008


You may be able to use something like this:

http://developer.jasig.org/source/browse/jasigsvn/cas3/trunk/cas-server-core/src/main/java/org/jasig/cas/web/support/ThrottledSubmissionByIpAddressHandlerInterceptorAdapter.java?r=42053

It hasn't been heavily tested, but it's supposed to restrict the number of
requests by IP address.  If you do try to use it, please feel free to
provide us with any feedback or improvements :-)

-Scott

On Feb 8, 2008 12:03 AM, ??? <liweinan at chinaedu.net> wrote:

> Thanks for your advice Ole, I've done some research on Geronimo and it
> seems overkill to me.
> It seems best for me to write a simple filter using the session to control
> the attempts.
>
> Thanks,
> Li Wei Nan
>
> ----- Original Message -----
> From: "Ole Ersoy" <ole.ersoy at gmail.com>
> To: "Yale CAS mailing list" <cas at tp.its.yale.edu>
> Sent: Friday, February 08, 2008 4:26 AM
> Subject: Re: Is there a way to protect login page against a frequent
> submit?
>
>
> > Hi Li,
> >
> > You can do this with a servlet filter that intercepts CAS login requests.
> > You would have to get the principal user, see if they have attempted to
> > log in within a specified time period, and redirect them to another page
> > explaining that they have made too many login attempts and that they must
> > wait X minutes before attempting again.  I think Geronimo has something
> > like this built in, but I'm still looking around for a standalone
> > implementation.
> >
> > Cheers,
> > - Ole
> >
> >
> >
> > Li Wei Nan wrote:
> >> Hi Everyone,
> >>
> >> Is there a plug-in or something like a custom view that could be used in
> >> cas-webapps to protect CAS from a malicious credential/principal sniffer?
> >>
> >> Or maybe there's some configuration I can do in tomcat to achieve
> >> this goal which I don't know yet?
> >>
> >> Thank you for your help,
> >>
> >> Li Wei Nan
> >> _______________________________________________
> >> Yale CAS mailing list
> >> cas at tp.its.yale.edu
> >> http://tp.its.yale.edu/mailman/listinfo/cas
> >>



-- 
-Scott Battaglia
PGP Public Key Id: 0x383733AA
LinkedIn: http://www.linkedin.com/in/scottbattaglia
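
The two approaches discussed in this thread (limiting requests by IP address, and checking whether a user has attempted to log in within a specified time period), combined in one sliding-window throttle as an added example; it is not part of the original messages and is not the code of the linked CAS interceptor. The class `LoginThrottle`, its method names, the 3-failures-per-minute policy and the sample addresses are assumptions, and the caller is assumed to pass the current time in milliseconds and to call `recordFailure` only after a failed authentication.

```java
import java.util.ArrayDeque;
import java.util.Deque;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

// Sliding-window login throttle. Class and method names are hypothetical, not CAS code.
public class LoginThrottle {
    private final int maxFailures;    // failures tolerated inside the window
    private final long windowMillis;  // window length
    private final Map<String, Deque<Long>> failures = new ConcurrentHashMap<>();

    public LoginThrottle(int maxFailures, long windowMillis) {
        this.maxFailures = maxFailures;
        this.windowMillis = windowMillis;
    }

    // Record a failed login against the client IP and the (already normalised) username.
    public void recordFailure(String ip, String username, long now) {
        for (String key : new String[] {"ip:" + ip, "user:" + username}) {
            Deque<Long> q = failures.computeIfAbsent(key, k -> new ArrayDeque<>());
            synchronized (q) { q.addLast(now); }
        }
    }

    // Seconds to wait before the next attempt is accepted; 0 means proceed.
    public long retryAfterSeconds(String ip, String username, long now) {
        return Math.max(waitFor("ip:" + ip, now), waitFor("user:" + username, now));
    }

    private long waitFor(String key, long now) {
        Deque<Long> q = failures.get(key);
        if (q == null) return 0;
        synchronized (q) {
            while (!q.isEmpty() && now - q.peekFirst() >= windowMillis) q.pollFirst(); // expire
            if (q.size() < maxFailures) return 0;
            // Blocked until the oldest failure still in the window ages out.
            return (q.peekFirst() + windowMillis - now + 999) / 1000;
        }
    }

    public static void main(String[] args) {
        LoginThrottle t = new LoginThrottle(3, 60_000); // constructed policy: 3 failures per minute
        // Constructed input: one client failing three times for "alice".
        for (int i = 0; i < 3; i++) t.recordFailure("192.0.2.10", "alice", i * 1000L);
        System.out.println(t.retryAfterSeconds("192.0.2.10", "alice", 3000));    // same IP, same user
        System.out.println(t.retryAfterSeconds("198.51.100.7", "alice", 3000));  // new IP, same user
        System.out.println(t.retryAfterSeconds("192.0.2.10", "bob", 3000));      // same IP, new user
        System.out.println(t.retryAfterSeconds("198.51.100.7", "bob", 3000));    // unrelated client
    }
}
```

Keying on the username as well as the IP means anyone who knows an account name can hold that account in the throttled state for the window, and clients behind one NAT address share a counter. Entries are never evicted here, so a deployment would bound the map and serve the wait time on a separate page, as Ole describes.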