Erik,

>Disadvantage is that the server will keep the request processing thread 
>occupied during the waiting period. A brute force attack that fires 
>multiple requests simultaneously will not be stopped by this and will 
>bring the server to its knees even more quickly. So Johan was right, you 
>should not do this in the web application.
>  
>
That is true. But how can I let the server software handle this if I 
want specific behavior only with a certain page of the web application?
Or are you suggesting to let the server software handle all the flooding 
for all the pages of the web application (i.e. restricting how many 
requests are processed/handled per second) and to let the web application 
handle the specific case of false logins, not caring about how many 
REQUESTS came in, just how many false ATTEMPTS came in?

That sounds like it would make a lot of sense....

>Now if you start using AsyncWeb it would be quite another story of course...
>  
>
Hmmm, that does look very promising!

- Johannes

>Regards,
>     Erik.
>
>
>Johannes Fahrenkrug wrote:
>  
>
>>That's not a bad idea... that would mean delaying a response for a 
>>second or two _every time_ a false login happens... That would be a 
>>rather simple but yet effective solution, too: It would render brute 
>>force useless and behave quite similar to the Linux shell login you 
>>mentioned....
>>  
>>    
>>
>
>  
>
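
The split discussed in this message (the server limits requests, the application counts failed attempts) can be done without holding a request thread: record when the next attempt is allowed and reject earlier ones immediately instead of sleeping. This is an added example, not code from the thread or from Wicket; the class name `FailedLoginThrottle`, its methods, the doubling delay and the per-username key are assumptions.

```java
import java.util.concurrent.ConcurrentHashMap;

/** Hypothetical helper: throttles failed logins per key without blocking a thread. */
public class FailedLoginThrottle {
    private static final class State {
        final int failures;
        final long blockedUntil; // epoch millis after which an attempt is checked again
        State(int f, long until) { failures = f; blockedUntil = until; }
    }

    private final ConcurrentHashMap<String, State> states = new ConcurrentHashMap<>();
    private final long baseDelayMs;
    private final long maxDelayMs;

    public FailedLoginThrottle(long baseDelayMs, long maxDelayMs) {
        this.baseDelayMs = baseDelayMs;
        this.maxDelayMs = maxDelayMs;
    }

    /** Millis the caller must still wait; 0 means the password may be checked now. */
    public long retryAfterMs(String key, long now) {
        State s = states.get(key);
        return s == null ? 0 : Math.max(0, s.blockedUntil - now);
    }

    /** Record a wrong password: the delay doubles per consecutive failure, up to the cap. */
    public void recordFailure(String key, long now) {
        states.merge(key, new State(1, now + baseDelayMs), (old, ignored) -> {
            int n = old.failures + 1;
            long delay = Math.min(maxDelayMs, baseDelayMs << Math.min(n - 1, 20));
            return new State(n, now + delay);
        });
    }

    /** A successful login clears the counter for that key. */
    public void recordSuccess(String key) {
        states.remove(key);
    }

    public static void main(String[] args) {
        FailedLoginThrottle t = new FailedLoginThrottle(2000, 60000);
        long now = 0; // constructed clock values, not real time
        t.recordFailure("alice", now);
        System.out.println(t.retryAfterMs("alice", now + 500));  // inside the window: reject at once
        System.out.println(t.retryAfterMs("alice", now + 2000)); // window over: attempt is checked
        t.recordFailure("alice", now + 2000);
        System.out.println(t.retryAfterMs("alice", now + 2000)); // second failure: longer window
    }
}
```

The login handler calls `retryAfterMs` before checking the password and returns an error straight away when it is non-zero, so simultaneous guesses cost no waiting threads. The map here grows with every distinct key, so a deployment needs expiry or a size bound on it.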

