Re: Is there a way to protect login page against a frequent submit?
Li Wei Nan
liweinan at chinaedu.net
Thu Mar 27 11:07:48 EDT 2008
Hi Ana, it seems Scott has answered this question before:
"You'll need to add it to the cas-servlet.xml as an optional handler
to the UrlHandlerMappings. Check the Spring documentation for
explicit instructions.
-Scott"
If you dig into the source, you can see "public final class
ThrottledSubmissionByIpAddressHandlerInterceptorAdapter
extends HandlerInterceptorAdapter implements InitializingBean",
which means it's a HandlerInterceptorAdapter. After doing some
research on Google, you will find how to use it.
Here's a sample config of cas-servlet.xml:
...
<!-- Throttles submissions per client IP address -->
<bean id="throttledSubmissionByIpAddressHandlerInterceptorAdapter"
      class="org.jasig.cas.web.support.ThrottledSubmissionByIpAddressHandlerInterceptorAdapter" />
<bean id="handlerMappingB"
      class="org.springframework.web.servlet.handler.SimpleUrlHandlerMapping">
    <property name="mappings">
        <props>
            <prop key="/login">loginController</prop>
        </props>
    </property>
    <!-- Interceptors applied to requests for the URLs mapped above -->
    <property name="interceptors">
        <list>
            <ref bean="localeChangeInterceptor" />
            <ref bean="throttledSubmissionByIpAddressHandlerInterceptorAdapter" />
        </list>
    </property>
</bean>
...
You can set the failureThreshhold and failureTimeout for this adapter.
Since your request is "to lock the user after 3 attempts to login",
I don't think this adapter is what you want. Maybe a better way is to
write a controller yourself to count the number of requests, with the
user identified by session, and then put this controller into
login-webflow.xml. It needs a basic knowledge of Spring Framework to
do the job.
Thanks,
- Li Wei Nan
On 2008-3-27, at 7:41 PM, ana castro lamas wrote:
>
>
> ---------- Forwarded message ----------
> From: ana castro lamas <ana.castro.lamas at gmail.com>
> Date: 27-mar-2008 12:37
> Subject: RE: Is there a way to protect login page against a
> frequent submit?
> To: cas-dev at tp.its.yale.edu
>
>
> Hello,
>
> I'd like to lock a user after 3 attempts to login. I don't know how
> to do that.
> I suppose that it would be necessary to override the preAuthenticate
> and postAuthenticate methods of
> AbstractPreAndPostProcessingAuthenticationHandler.
> I've also had a look at
> ThrottledSubmissionByIpAddressHandlerInterceptorAdapter, which
> restricts by IP.
> If I want to use (or modify) this adapter, how would I have to do
> this?
> Is there any example using
> ThrottledSubmissionByIpAddressHandlerInterceptorAdapter? What files
> must be modified?
> Thanks
>
>
>
> _______________________________________________
> Yale CAS mailing list
> cas at tp.its.yale.edu
> http://tp.its.yale.edu/mailman/listinfo/cas
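An added example, not part of the original message and not CAS code: a minimal failure counter of the kind the reply suggests writing, keyed here on the submitted username instead of the session, because a client can discard its session cookie and reset a session-based count. The class and method names and the 15-minute window are assumptions, and the class is meant to be called from whichever component sees the authentication result.

```java
import java.util.Locale;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

// Added example, not CAS code; all names are hypothetical. Requires Java 16+ (record).
public final class LoginAttemptLimiter {
    private record Entry(int failures, long last) {}

    private final int maxFailures;     // 3 in the question above
    private final long lockoutMillis;  // assumed window; older failures are forgotten
    private final Map<String, Entry> entries = new ConcurrentHashMap<>();

    public LoginAttemptLimiter(int maxFailures, long lockoutMillis) {
        this.maxFailures = maxFailures;
        this.lockoutMillis = lockoutMillis;
    }

    // Call before checking the password; refuse the attempt when this returns true.
    public boolean isLocked(String username, long nowMillis) {
        Entry e = entries.get(key(username));
        if (e == null) return false;
        if (nowMillis - e.last() >= lockoutMillis) {
            entries.remove(key(username), e); // window expired, forget the failures
            return false;
        }
        return e.failures() >= maxFailures;
    }

    // Call after a failed authentication; merge() keeps the update atomic per key.
    public void recordFailure(String username, long nowMillis) {
        entries.merge(key(username), new Entry(1, nowMillis), (old, fresh) ->
            nowMillis - old.last() >= lockoutMillis
                ? fresh : new Entry(old.failures() + 1, nowMillis));
    }

    // Call after a successful authentication.
    public void recordSuccess(String username) { entries.remove(key(username)); }

    // Normalise so "Ana" and "ana " share one counter.
    private static String key(String username) {
        return username.trim().toLowerCase(Locale.ROOT);
    }

    public static void main(String[] args) { // constructed sample run
        LoginAttemptLimiter limiter = new LoginAttemptLimiter(3, 15 * 60_000L);
        for (int i = 0; i < 3; i++) limiter.recordFailure("ana", i * 1_000L);
        System.out.println("4th attempt locked: " + limiter.isLocked("Ana ", 3_000L));
        System.out.println("after window locked: " + limiter.isLocked("ana", 2_000L + 15 * 60_000L));
    }
}
```

A per-username lock lets anyone lock out a known account, and the map grows with every distinct username submitted, so bound or purge it and keep the per-IP throttle in front of it.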