Inspektr audit - Failed authentication treated like throttling?

Jaroslav Kačer

May 23, 2017, 4:52:07 AM
to CAS Community
Dear CAS user/developers,

We are using CAS 5.0.4 with the Inspektr library for storing audit logs into a database. We are using it together with login throttling, which depends on the data in the audit table.

Everything works just fine, I just spotted a little surprising thing: It seems that authentication failures (i.e. input data for the throttling mechanism) are reported as actual throttling. CAS works fine, no actual throttling occurs (yet), just the audit log contains slightly misleading information.

In a text log file, it looks like this:

2017-05-23T10:05:02,992 [http-nio-8443-exec-7] DEBUG org.apereo.cas.web.support.InspektrThrottledSubmissionByIpAddressAndUsernameHandlerInterceptorAdapter - Recording submission failure for /cas/login
2017-05-23T10:05:02,992 [http-nio-8443-exec-7] WARN org.apereo.cas.web.support.InspektrThrottledSubmissionByIpAddressAndUsernameHandlerInterceptorAdapter - Throttling submission from 0:0:0:0:0:0:0:1. More than 5 failed login attempts within 60 seconds. Authentication attempt exceeds the failure threshold 5


The first line looks OK to me, while the second one does not; no actual throttling occurred and this was the 1st failed login attempt.

In the database, it looks like this:
xxxxx@xxx.com 0:0:0:0:0:0:0:1 0:0:0:0:0:0:0:1 Supplied credentials: [xxxxx@xxx.com] AUTHENTICATION_FAILED CAS 22-MAY-17 05.15.13.086000000 PM
xxxxx@xxx.com 0:0:0:0:0:0:0:1 0:0:0:0:0:0:0:1 xxxxx@xxx.com THROTTLED_LOGIN_ATTEMPT CAS 22-MAY-17 05.15.35.079000000 PM


(The time difference results from debugging, please ignore it.) Again, the first row looks OK, the 2nd one is misleading.

When I look into the source code, class InspektrThrottledSubmissionByIpAddressAndUsernameHandlerInterceptorAdapter, I can see this method:
@Override
public void recordSubmissionFailure(final HttpServletRequest request) {
    recordThrottle(request);
}



Calling recordThrottle(record) here is probably the source of the behavior I've just described. I think something else should be called instead. Do you agree? Or do I understand it wrong and this behavior is OK?

Thank you!

Best Regards,
    Jarda
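
Added example, not part of the original thread and not CAS or Inspektr code: a way to find THROTTLED_LOGIN_ATTEMPT audit rows that were not preceded by enough AUTHENTICATION_FAILED rows to justify them. It reads the warning text above literally (more than 5 failures within 60 seconds, per user and client IP), which is an assumption about the intended rule; the tuple layout, function names and sample rows are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

FAILED = "AUTHENTICATION_FAILED"
THROTTLED = "THROTTLED_LOGIN_ATTEMPT"

def parse_ts(text):
    """Parse the timestamp layout shown in the post's database rows."""
    date, clock, ampm = text.split()
    # strptime's %f accepts at most 6 fractional digits; drop the last 3 of 9.
    return datetime.strptime(f"{date} {clock[:-3]} {ampm}", "%d-%b-%y %I.%M.%S.%f %p")

def unjustified_throttles(rows, threshold=5, window_seconds=60):
    """Return THROTTLED rows with no more than `threshold` failures from the
    same (user, client IP) in the preceding `window_seconds`."""
    window = timedelta(seconds=window_seconds)
    failures = defaultdict(list)  # (user, ip) -> timestamps of failed logins
    suspect = []
    for user, ip, action, ts_text in sorted(rows, key=lambda r: parse_ts(r[3])):
        ts = parse_ts(ts_text)
        key = (user, ip)
        if action == FAILED:
            failures[key].append(ts)
        elif action == THROTTLED:
            recent = [t for t in failures[key] if ts - window <= t <= ts]
            if len(recent) <= threshold:
                # Audit row claims throttling, but the failure count does not support it.
                suspect.append((user, ip, ts_text, len(recent)))
    return suspect

# Constructed sample rows (user, client IP, action, timestamp); not real audit data.
SAMPLE = [
    # One failure followed by a "throttled" row, as in the post.
    ("alice@example.org", "0:0:0:0:0:0:0:1", FAILED, "22-MAY-17 05.15.13.086000000 PM"),
    ("alice@example.org", "0:0:0:0:0:0:0:1", THROTTLED, "22-MAY-17 05.15.35.079000000 PM"),
] + [
    # Six failures in under a minute, then a throttle row that is justified.
    ("bob@example.org", "192.0.2.10", FAILED, f"22-MAY-17 05.20.{s:02d}.000000000 PM")
    for s in range(0, 60, 10)
] + [
    ("bob@example.org", "192.0.2.10", THROTTLED, "22-MAY-17 05.20.55.000000000 PM"),
]

if __name__ == "__main__":
    for row in unjustified_throttles(SAMPLE):
        print(row)
```

On the sample, only the row for alice@example.org is returned, with a supporting failure count of 1.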


Jaroslav Kačer

Jun 9, 2017, 11:28:11 AM
to CAS Community
Hello everybody,

I submitted a pull request for that, here it is: https://github.com/apereo/cas/pull/2667

Could someone from the developers have a look, please?

Thank you in advance,
    Jarda


On Tuesday, May 23, 2017 at 10:52:07 UTC+2, Jaroslav Kačer wrote: