HOWTO: Configure throttling for 4.2?


Mike Richards

Apr 26, 2016, 4:08:50 PM
to CAS Community
Hello,

I'm attempting to configure throttling for a 4.2 installation. As the 4.2 documentation appears to be incomplete, I've tried to use the 4.1 documentation as a secondary reference.

I've done the following:
  • Replace <alias name="neverThrottle" alias="authenticationThrottle" /> with <alias name="inMemoryIpAddressUsernameThrottle" alias="authenticationThrottle" /> in deployerConfigContext.xml
  • Set the following properties in cas.properties (deployed to /etc/cas) based on the 4.1 docs
    • cas.throttle.failure.threshold=5
    • cas.throttle.failure.range.seconds=3
    • cas.throttle.username.parameter=username

I haven't filled in anything for the following properties; they remain commented out:

  • cas.throttle.appcode
  • cas.throttle.authn.failurecode
  • cas.throttle.audit.query
I've tried testing this two ways:
  • 4 browser windows with rapid clicking (all 4 attempts in less than 3 seconds)
  • 25 login attempts via the REST API (POST against /cas/v1/tickets)

Both continue to succeed. Can anyone point out what I'm missing?

Thank you much,

Mike
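As an added illustration (not CAS code and not from anyone in this thread): a Python model of a sliding-window failure throttle keyed by client IP and username, driven by the same two numbers as cas.throttle.failure.threshold and cas.throttle.failure.range.seconds. It replays the browser test above (three bad passwords then a good one inside 3 seconds) and a 25-attempt burst, which makes it visible why the first cannot trip a threshold of 5 while the second should. The 403 status for a throttled submission and the rule that throttled requests are not counted as new failures are assumptions of this model, not verified CAS internals; the USERS map, username and IP address are constructed for the simulation.

```python
from collections import defaultdict, deque

# Constructed test credentials for the simulation (not real accounts).
USERS = {"alice": "correct-horse"}


class FailureThrottle:
    """Sliding-window count of failed logins per (client IP, username).

    threshold failures inside range_seconds blocks further attempts for that
    key until enough old failures age out of the window.
    """

    def __init__(self, failure_threshold=5, failure_range_seconds=3):
        self.threshold = failure_threshold
        self.range_seconds = failure_range_seconds
        # (ip, username) -> deque of failure timestamps, oldest first
        self._failures = defaultdict(deque)

    def _prune(self, key, now):
        window = self._failures[key]
        while window and now - window[0] > self.range_seconds:
            window.popleft()

    def failure_count(self, ip, username, now):
        key = (ip, username)
        self._prune(key, now)
        return len(self._failures[key])

    def is_throttled(self, ip, username, now):
        return self.failure_count(ip, username, now) >= self.threshold

    def record_failure(self, ip, username, now):
        self._failures[(ip, username)].append(now)


def login(throttle, ip, username, password, now):
    """Return (outcome, http_status) for one submission.

    403 is an assumption about what a throttled submission receives; confirm
    against your own server's DEBUG logs rather than trusting this model.
    Throttled submissions are rejected before the backend sees them and are
    not recorded as new failures (a policy choice of this model).
    """
    if throttle.is_throttled(ip, username, now):
        return ("throttled", 403)
    if USERS.get(username) == password:
        return ("success", 200)
    throttle.record_failure(ip, username, now)
    return ("failed", 401)


def browser_scenario():
    """Three wrong passwords, then the right one, 0.5 s apart (threshold 5).

    Only three failures are ever in the window, so the fourth attempt is
    allowed through and succeeds: this is the expected outcome, not a bug.
    """
    throttle = FailureThrottle(failure_threshold=5, failure_range_seconds=3)
    outcomes = []
    for i, pw in enumerate(["x", "y", "z", "correct-horse"]):
        outcome, _ = login(throttle, "198.51.100.7", "alice", pw, now=0.5 * i)
        outcomes.append(outcome)
    return outcomes  # ['failed', 'failed', 'failed', 'success']


def burst_scenario(attempts=25):
    """25 wrong passwords 0.1 s apart: the first 5 reach the backend, the
    remaining 20 are answered by the throttle.  Returns (failed, throttled)."""
    throttle = FailureThrottle(failure_threshold=5, failure_range_seconds=3)
    outcomes = [
        login(throttle, "198.51.100.7", "alice", "wrong", now=0.1 * i)[0]
        for i in range(attempts)
    ]
    return outcomes.count("failed"), outcomes.count("throttled")  # (5, 20)


if __name__ == "__main__":
    print("browser test:", browser_scenario())
    print("burst test (failed, throttled):", burst_scenario())
```

The point for testing a real deployment is the same as in the model: a throttle keyed on threshold and range only reacts once the failure count inside the window reaches the threshold, so a hand test with three failures proves nothing either way, and the burst needs to be faster than the window allows for failures to age out.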

Misagh Moayyed

Apr 26, 2016, 7:20:22 PM
to CAS Community

REST API has no throttling support. So don’t test that one. Rapid clicking will likely not produce anything meaningful. You likely need an automated tool like JMeter and such to throw a load at the server, or turn up logs and see how CAS is treating every bad authn request.


And when you say “continue to succeed”, how exactly do you define “success”? Are you looking at HTTP Status codes? UI messages telling you everything went through and you logged in?


--
You received this message because you are subscribed to the Google Groups "CAS Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email to cas-user+u...@apereo.org.
To post to this group, send email to cas-...@apereo.org.
Visit this group at https://groups.google.com/a/apereo.org/group/cas-user/.
To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/5221375c-0908-43cd-b137-be0be8031817%40apereo.org.
For more options, visit https://groups.google.com/a/apereo.org/d/optout.

Mike Richards

Apr 26, 2016, 7:50:24 PM
to CAS Community, mmoa...@unicon.net
My "success" is that after 3 unsuccessful auth attempts the fourth one is successful (forwarding me back to the resource being protected).

If the REST API has no throttling support then this may be pointless as protecting the REST API was the purpose of this endeavor.

Is there a recommended path to protecting the REST API beyond sensible firewall rules?

Thank you much,

Mike

Misagh Moayyed

Apr 26, 2016, 8:25:40 PM
to CAS Community

Turn up logs for DEBUG. That should explain the throttling config a bit more clearly.


There exists this:

https://github.com/Jasig/cas/issues/1694


It can likely be ported over to 4.x once it’s completed, but until then, I suppose firewall rules and such are your best bet.


Ioan Katalin

Feb 8, 2017, 1:28:22 PM
to CAS Community
Hi Mike,

Have you found the answer? I am experiencing the same issue. :/

Mike

Feb 8, 2017, 1:53:11 PM
to CAS Community
Negative. Inability to throttle the REST API obviated throttling in the general sense.

I haven't revisited the issue since May 2016, so it is very possible things have changed. However, I wouldn't know.

Mike

--
- CAS gitter chatroom: https://gitter.im/apereo/cas
- CAS mailing list guidelines: https://apereo.github.io/cas/Mailing-Lists.html
- CAS documentation website: https://apereo.github.io/cas
- CAS project website: https://github.com/apereo/cas