Simple MFA Rate Limiting

Agus Santosa

Aug 19, 2025, 10:32:14 AM
to CAS Community
Hi,

I have been trying to implement the rate limiting feature of Simple MFA (with version 7.2.x).
I set blocking to true:
cas.authn.mfa.simple.bucket4j.blocking=true

Tested with one client, it behaves as expected: it is blocked until a token is available.
The outcome of testing with two clients is interesting. I used different browsers with different principals. When it is blocking for one user, surprisingly it is also blocking the other user.

I am not sure if this is the expected behavior or whether there is something else I missed in the config.

Thanks

CAS Community

Dec 2, 2025, 12:34:31 AM
to CAS Community
Docs: "Please note that the bucket allocation strategy is specific to the client IP address."

Petr Bodnár

Dec 4, 2025, 4:01:17 PM
to CAS Community
Hi all,

we have dug deeper into this throttling stuff, and it looks like when blocking is set to true, it currently effectively blocks all requests while blocking one request. This is due to how the DefaultBucketConsumer.consume(final String key) method is currently implemented: it first waits to acquire a lock (if the lock is not obtained within 3 seconds, null is returned and a NullPointerException is thrown in the calling code). Then it executes all the Bucket4j processing, including pausing (parking) the thread if blocking is enabled, within that lock. So we are not really sure about this mechanism, and we prefer to always set blocking to false where it makes sense.

Another slightly confusing point is the documentation passage that Community shared here. Why? Because the Bucket instance for capacity throttling per "client IP address" seems to actually be created only for Throttling Authentication Attempts - Capacity. For Simple Multifactor Authentication - Rate Limiting ("rate-limiting for token requests"), the Bucket's key seems to be the username (principal.id); see CasSimpleMultifactorSendTokenAction#89.

Throttling is generally quite a tricky area, so further clarifications are surely welcome.

Best regards
Petr
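The behaviour Agus observed (one principal's block stalls another principal) and the mechanism Petr describes (a shared lock with a 3 s acquisition timeout, with the blocking wait executed while that lock is held) can be reproduced in isolation. The following is an added example, not code from CAS or from Bucket4j: TokenBucket is a hand-rolled stand-in for a Bucket4j Bucket, and the class names BlockingUnderLockDemo, BlockingInsideLock, BlockingOutsideLock and KeyedConsumer are hypothetical. Shape A follows the thread's description of DefaultBucketConsumer; Shape B is the same limiter with the lock narrowed to the bucket lookup so that only requests for the same key wait on each other.

```java
import java.util.HashMap;
import java.util.Map;
import java.util.concurrent.TimeUnit;
import java.util.concurrent.locks.ReentrantLock;

// Added illustration, not CAS or Bucket4j code. TokenBucket is a hand-rolled stand-in for a
// Bucket4j Bucket; the consume(key) shape (3 s lock wait, null on failure, blocking wait for a
// token) follows the thread's description of DefaultBucketConsumer, not its actual source.
public class BlockingUnderLockDemo {

    /** Minimal token bucket: `capacity` tokens, one token refilled every refillMillis. */
    static final class TokenBucket {
        private final long capacity, refillMillis;
        private long tokens;
        private long lastRefill = System.currentTimeMillis();

        TokenBucket(long capacity, long refillMillis) {
            this.capacity = capacity;
            this.refillMillis = refillMillis;
            this.tokens = capacity;
        }

        /** Non-blocking attempt: credit the refill time allows, then take one token if any is left. */
        synchronized boolean tryConsume() {
            long gained = (System.currentTimeMillis() - lastRefill) / refillMillis;
            if (gained > 0) {
                tokens = Math.min(capacity, tokens + gained);
                lastRefill += gained * refillMillis;
            }
            if (tokens == 0) return false;
            tokens--;
            return true;
        }

        /** Blocking attempt: parks the calling thread until a token is available. */
        void consumeBlocking() throws InterruptedException {
            while (!tryConsume()) Thread.sleep(refillMillis / 4 + 1);
        }
    }

    /** TRUE once a token was consumed, or null if the shared lock was not obtained within 3 s. */
    interface KeyedConsumer {
        Boolean consume(String key) throws InterruptedException;
    }

    /** Shape A: the blocking wait runs while the shared lock is held, so every key waits. */
    static final class BlockingInsideLock implements KeyedConsumer {
        private final ReentrantLock lock = new ReentrantLock();
        private final Map<String, TokenBucket> buckets = new HashMap<>();

        public Boolean consume(String key) throws InterruptedException {
            if (!lock.tryLock(3, TimeUnit.SECONDS)) return null; // callers that dereference this get an NPE
            try {
                TokenBucket bucket = buckets.computeIfAbsent(key, k -> new TokenBucket(1, 4000));
                bucket.consumeBlocking(); // parked with the lock held
                return Boolean.TRUE;
            } finally {
                lock.unlock();
            }
        }
    }

    /** Shape B: the lock only guards the bucket lookup; the blocking wait runs outside it. */
    static final class BlockingOutsideLock implements KeyedConsumer {
        private final ReentrantLock lock = new ReentrantLock();
        private final Map<String, TokenBucket> buckets = new HashMap<>();

        public Boolean consume(String key) throws InterruptedException {
            if (!lock.tryLock(3, TimeUnit.SECONDS)) return null;
            TokenBucket bucket;
            try {
                bucket = buckets.computeIfAbsent(key, k -> new TokenBucket(1, 4000));
            } finally {
                lock.unlock();
            }
            bucket.consumeBlocking(); // only requests for this key wait here
            return Boolean.TRUE;
        }
    }

    /** Exhausts alice's one-token bucket, parks a second alice request, then times a request for bob. */
    static void run(String label, KeyedConsumer limiter) throws InterruptedException {
        limiter.consume("alice"); // takes alice's only token
        Thread alice = new Thread(() -> {
            try { limiter.consume("alice"); } // must wait ~4 s for a refill
            catch (InterruptedException e) { Thread.currentThread().interrupt(); }
        });
        alice.start();
        Thread.sleep(200); // let the second alice request get inside consume() before bob arrives
        long start = System.nanoTime();
        Boolean bob = limiter.consume("bob"); // bob has his own, still full bucket
        System.out.printf("%s: bob -> %s after %d ms%n", label, bob, (System.nanoTime() - start) / 1_000_000);
        alice.join();
    }

    public static void main(String[] args) throws InterruptedException {
        run("blocking inside lock ", new BlockingInsideLock());
        run("blocking outside lock", new BlockingOutsideLock());
    }
}
```

Run it with `java BlockingUnderLockDemo.java` on JDK 11 or newer. In Shape A, bob's request cannot obtain the lock because alice's parked request still holds it, so consume("bob") returns null after the 3 s timeout even though bob's own bucket is full; in Shape B, bob's request takes a token and returns immediately while alice keeps waiting. Whether your CAS version's DefaultBucketConsumer really has Shape A is Petr's reading of the source; check the class in the CAS release you run before relying on blocking=true, and note that with the key being the principal id rather than the client IP, a correctly scoped blocking wait would still stall only further token requests for the same user.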