Is there a way to protect login page against a frequent submit?
Ole Ersoy
ole.ersoy at gmail.com
Fri Feb 8 10:48:28 EST 2008
Scott,
I did some research a while back, and one of the concerns regarding restrictions by IP is that a large number of users may sit behind a common IP / gateway / proxy, and that that IP will come through as the IP doing something funky. So if that IP is blocked, then there's a possibility that other users will be automatically blocked as well. Do you know if the interceptor mentioned below solves this concern by chance?
Thanks,
- Ole
Scott Battaglia wrote:
> You may be able to use something like this:
>
> http://developer.jasig.org/source/browse/jasigsvn/cas3/trunk/cas-server-core/src/main/java/org/jasig/cas/web/support/ThrottledSubmissionByIpAddressHandlerInterceptorAdapter.java?r=42053
>
> It hasn't been heavily tested, but it's supposed to restrict the number of
> requests by IP address. If you do try to use it, please feel free to
> provide us with any feedback or improvements :-)
>
> -Scott
>
> On Feb 8, 2008 12:03 AM, Li Wei Nan <liweinan at chinaedu.net
> <mailto:liweinan at chinaedu.net>> wrote:
>
> Thanks for your advice Ole, I've done some research on Geronimo and it
> seems overkill to me.
> It seems best for me to write a simple filter using the session to
> control the attempts.
>
> Thanks,
> Li Wei Nan
>
> ----- Original Message -----
> From: "Ole Ersoy" <ole.ersoy at gmail.com <mailto:ole.ersoy at gmail.com>>
> To: "Yale CAS mailing list" <cas at tp.its.yale.edu
> <mailto:cas at tp.its.yale.edu>>
> Sent: Friday, February 08, 2008 4:26 AM
> Subject: Re: Is there a way to protect login page against a frequent
> submit?
>
>
> > Hi Li,
> >
> > You can do this with a servlet filter that intercepts CAS login
> > requests. You would have to get the principal user, see if they have
> > attempted to log in within a specified time period, and redirect them
> > to another page explaining that they have made too many login attempts
> > and that they must wait X minutes before attempting again. I think
> > Geronimo has something like this built in, but I'm still looking
> > around for a standalone implementation.
> >
> > Cheers,
> > - Ole
> >
> >
> >
> > Li Wei Nan wrote:
> >> Hi Everyone,
> >>
> >> Is there a plug-in or something like a custom view that could be used in
> >> cas-webapps to protect CAS from a malicious credential/principal
> >> sniffer?
> >>
> >> Or maybe there's some configuration I can do in tomcat to achieve
> >> this goal which I don't know yet?
> >>
> >> Thank you for your help,
> >>
> >> Li Wei Nan
> >> _______________________________________________
> >> Yale CAS mailing list
> >> cas at tp.its.yale.edu <mailto:cas at tp.its.yale.edu>
> >> http://tp.its.yale.edu/mailman/listinfo/cas
> >>
> >
>
>
>
>
>
>
> --
> -Scott Battaglia
> PGP Public Key Id: 0x383733AA
> LinkedIn: http://www.linkedin.com/in/scottbattaglia
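The shared-gateway concern Ole raises above, and his earlier suggestion of a filter that throttles per principal rather than per address, can be shown in a few lines. The class below is an added example written for this page; it is not code from the thread, from the interceptor Scott links, or from CAS itself. The class name, the composite key (client IP plus lowercased username), the 5-failures-in-5-minutes limits, the gateway address 203.0.113.7 and the user names are all constructed for the demonstration.

```java
import java.time.Duration;
import java.time.Instant;
import java.util.ArrayDeque;
import java.util.Deque;
import java.util.HashMap;
import java.util.Locale;
import java.util.Map;
import java.util.function.Supplier;

/**
 * Sliding-window throttle for failed login attempts (hypothetical helper, not CAS code).
 * Keying on client IP plus username means one campus gateway or proxy address is not a
 * single bucket that an attacker can fill on behalf of everyone sitting behind it.
 */
public class LoginThrottle {
    private final int maxFailures;
    private final Duration window;
    private final Supplier<Instant> clock;   // injected so the demo can move time forward
    private final Map<String, Deque<Instant>> failures = new HashMap<>();

    public LoginThrottle(int maxFailures, Duration window, Supplier<Instant> clock) {
        this.maxFailures = maxFailures;
        this.window = window;
        this.clock = clock;
    }

    /** Throttle key: client address plus normalised username. */
    public static String key(String clientIp, String username) {
        return clientIp + "|" + username.trim().toLowerCase(Locale.ROOT);
    }

    /** True when this key has reached maxFailures inside the window; call before authenticating. */
    public synchronized boolean isBlocked(String key) {
        Deque<Instant> q = failures.get(key);
        if (q == null) {
            return false;
        }
        prune(q);
        return q.size() >= maxFailures;
    }

    /** Record one failed attempt; only failures count, so a legitimate user's successes never accumulate. */
    public synchronized void recordFailure(String key) {
        Deque<Instant> q = failures.computeIfAbsent(key, k -> new ArrayDeque<>());
        prune(q);
        q.addLast(clock.get());
    }

    /** A successful login clears the counter for that key. */
    public synchronized void recordSuccess(String key) {
        failures.remove(key);
    }

    /** Drop timestamps that have slid out of the window. */
    private void prune(Deque<Instant> q) {
        Instant cutoff = clock.get().minus(window);
        while (!q.isEmpty() && q.peekFirst().isBefore(cutoff)) {
            q.pollFirst();
        }
    }

    /** Constructed scenario: one shared gateway address, one attacker, one legitimate user. */
    public static void main(String[] args) {
        Instant[] now = { Instant.parse("2008-02-08T15:48:28Z") };
        Supplier<Instant> clock = () -> now[0];
        LoginThrottle byIpOnly = new LoginThrottle(5, Duration.ofMinutes(5), clock);
        LoginThrottle byIpAndUser = new LoginThrottle(5, Duration.ofMinutes(5), clock);

        String gateway = "203.0.113.7";   // RFC 5737 documentation address standing in for a campus NAT
        for (int i = 0; i < 5; i++) {     // attacker behind the gateway hammers one account
            byIpOnly.recordFailure(gateway);
            byIpAndUser.recordFailure(key(gateway, "Mallory"));
        }

        // With an IP-only key, alice (same gateway, no failures of her own) is caught by the block.
        System.out.println("IP-only key,   alice blocked: " + byIpOnly.isBlocked(gateway));
        // With IP+username, only the account actually under attack is throttled.
        System.out.println("IP+user key,   alice blocked: " + byIpAndUser.isBlocked(key(gateway, "alice")));
        System.out.println("IP+user key, mallory blocked: " + byIpAndUser.isBlocked(key(gateway, "mallory")));

        now[0] = now[0].plus(Duration.ofMinutes(6));   // the window slides past the failures
        System.out.println("6 min later, mallory blocked: " + byIpAndUser.isBlocked(key(gateway, "mallory")));
    }
}
```

In a servlet filter or Spring HandlerInterceptor in front of the login flow you would call isBlocked before handing the request on, redirect to the "too many attempts, wait X minutes" page when it returns true, call recordFailure when authentication fails and recordSuccess when it succeeds. Two caveats a deployer should keep in mind: the composite key does nothing against one host spraying a single password across many usernames, so keep a looser per-IP ceiling alongside it; and if CAS sits behind a reverse proxy, take the client address from X-Forwarded-For only when the immediate peer is a proxy you control, otherwise the attacker chooses their own bucket. The in-memory map is also per JVM and never evicts idle keys, so a clustered deployment needs a shared store and some expiry.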