Is there a way to protect login page against a frequent submit?

Ole Ersoy ole.ersoy at gmail.com
Fri Feb 8 11:15:25 EST 2008


I've been toying with the idea of making a filter as well.  I think it could be done by creating a CAS ServletContextListener that creates a data structure for storing:

- user
- number of attempts
- time of last attempt

The filter then grabs this data structure from the CAS ServletContext and uses it like this:

If a user has made an attempt to log in within, say, the last 15 minutes, the number of attempts is incremented, given that it's not already at the max.  If it's at the max then the user gets a message saying that they have to wait X minutes before trying to log in again.  If the user has made a login attempt before, but the attempt was made more than 15 minutes ago, then the filter resets the number of attempts to 1, and the cycle starts over again.

If this were made as a component to CAS it should probably be an Action that is invoked before the initialFlowSetup.  So if the user is allowed to attempt to log in, then the next step is the initialFlowSetup; otherwise it's the too-many-attempts view-state.

Cheers,
- Ole
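The attempt-tracking logic sketched above, as an added example that is not code from the thread or from CAS. It is framework-agnostic (the same check can sit behind a servlet filter or a CAS Action); the max of 5 attempts, the 15-minute window and the `reset` on successful login are assumptions, since the sketch leaves them open.

```python
import math
import time


class LoginAttemptTracker:
    """Per-user record of (number of attempts, time of last attempt)."""

    def __init__(self, max_attempts=5, window_seconds=15 * 60, clock=time.time):
        self.max_attempts = max_attempts      # assumed: the sketch leaves the max open
        self.window = window_seconds          # 15 minutes, as in the sketch
        self.clock = clock                    # injectable so the logic can be tested
        self._attempts = {}                   # user -> (count, last_attempt_time)

    def check(self, user):
        """Record an attempt; return (allowed, minutes_to_wait)."""
        now = self.clock()
        count, last = self._attempts.get(user, (0, None))
        if last is None or now - last > self.window:
            # No attempt within the window: the cycle starts over at 1.
            self._attempts[user] = (1, now)
            return True, 0
        if count >= self.max_attempts:
            # Already at the max: refuse and say how long until the window lapses.
            # The timestamp is deliberately not refreshed here, so a steady stream
            # of refused submits cannot extend the lockout indefinitely.
            remaining = self.window - (now - last)
            return False, max(1, math.ceil(remaining / 60))
        # Within the window and below the max: count this attempt.
        self._attempts[user] = (count + 1, now)
        return True, 0

    def reset(self, user):
        """Call on successful login so a legitimate user starts from a clean slate."""
        self._attempts.pop(user, None)


def run_demo():
    """Three allowed attempts, a refusal, then the window lapses (constructed clock)."""
    fake_now = [1000.0]
    tracker = LoginAttemptTracker(max_attempts=3, window_seconds=900,
                                  clock=lambda: fake_now[0])
    results = [tracker.check("alice") for _ in range(4)]
    fake_now[0] += 901                      # just past the 15-minute window
    results.append(tracker.check("alice"))
    return results


if __name__ == "__main__":
    for allowed, wait in run_demo():
        print("allowed" if allowed else "locked out, wait %d min" % wait)
```

Keyed on the username alone, the table also lets anyone lock a legitimate user out by submitting wrong passwords for that name, so a deployment would normally combine the user key with the client address and keep the per-user limit generous.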

Li Wei Nan wrote:
> Thanks for your advice Ole, I've done some research on Geronimo and it 
> seems overkill to me.
> It seems best for me to write a simple filter using the session to control the 
> attempts.
> 
> Thanks,
> Li Wei Nan
> 
> ----- Original Message ----- 
> From: "Ole Ersoy" <ole.ersoy at gmail.com>
> To: "Yale CAS mailing list" <cas at tp.its.yale.edu>
> Sent: Friday, February 08, 2008 4:26 AM
> Subject: Re: Is there a way to protect login page against a frequent submit?
> 
> 
>> Hi Li,
>>
>> You can do this with a servlet filter that intercepts CAS login requests. 
>> You would have to get the principal user, see if they have attempted to 
>> log in within a specified time period, and redirect them to another page 
>> explaining that they have made too many login attempts and that they must 
>> wait X minutes before attempting again.  I think Geronimo has something 
>> like this built in, but I'm still looking around for a standalone 
>> implementation.
>>
>> Cheers,
>> - Ole
>>
>>
>>
>> Li Wei Nan wrote:
>>> Hi Everyone,
>>>
>>> Is there a plug-in, or something like a custom view, that could be used in
>>> cas-webapps to protect CAS from a malicious credential/principal sniffer?
>>>
>>> Or maybe there's some configuration I can do in tomcat to achieve
>>> this goal which I don't know yet?
>>>
>>> Thank you for your help,
>>>
>>> Li Wei Nan
>>> _______________________________________________
>>> Yale CAS mailing list
>>> cas at tp.its.yale.edu
>>> http://tp.its.yale.edu/mailman/listinfo/cas
>>>
>>
> 
> 
> 

