Re: [cas-user] Throttling Authentication Attempts doesn't work

2024-04-09 Thread Ray Bon
Baba, The threshold and and range-seconds is a ratio; 5:50 == 1:10 (one attempt every 10s) This is used to limit [mostly] automated login attempts. You should set this to a rate that a human would not normally exceed (i.e. how long does it take a human to enter a password and press enter / clic

Re: [cas-user] Throttling Authentication Attempts doesn't work

2024-04-09 Thread Baba Ndiaye
Hi Wiliam Vincent I'm trying to configure Throttling Authentication Attempts for a ban this 5 attempts failed login. But it's dont work for me cas.authn.throttle.core.username-parameter=username cas.authn.throttle.failure.threshold=5 cas.authn.throttle.failure.range-seconds=50 cas.authn.throttle

Re: [cas-user] Throttling Authentication Attempts doesn't work

2023-04-06 Thread William Vincent
Hi It works, user can login if using wrong password William Le mer. 5 avr. 2023 à 23:56, Ray Bon a écrit : > William, > > If the throttled user tries to log in after the page refresh, what happens? > > Ray > > On Wed, 2023-04-05 at 07:14 -0700, William Vincent (Wix31) wrote: > > Notice: This mes

Re: [cas-user] Throttling Authentication Attempts doesn't work

2023-04-06 Thread William Vincent
ah ok thank's i understand now, I confused, I thought it was like a fail2ban, but it's a rate limiting system! but it's badly done, because if I set cas.authn.throttle.failure.range-seconds=3600 cas.authn.throttle.failure.threshold=5 it does not block for 1 hour if I have 5 bad logins So I have

Re: [cas-user] Throttling Authentication Attempts doesn't work

2023-04-06 Thread Pascal Rigaux
Hi, Throttling protects against brute force, so the time you refresh the page *manually* the throttling has been removed. We have the exact same throttle conf. This conf allows 1 error per 2.5 seconds: you must wait 2.5 after a failure otherwise it will be rejected. Our integration tests this:

Re: [cas-user] Throttling Authentication Attempts doesn't work

2023-04-05 Thread Ray Bon
William, If the throttled user tries to log in after the page refresh, what happens? Ray On Wed, 2023-04-05 at 07:14 -0700, William Vincent (Wix31) wrote: Notice: This message was sent from outside the University of Victoria email system. Please be cautious with links and sensitive information.

[cas-user] Throttling Authentication Attempts doesn't work

2023-04-05 Thread William Vincent (Wix31)
Hello I have a problem with throttling When I do a lot of unsuccessful tries I get the message "Unauthorized access You have entered the wrong password too many times in a row. You have been rejected.". But if I refresh the page, the form is displayed and in "cas/actuator/throttles" the line wi