A bug with throttling in cas 6.5.1 ?

52 views
Skip to first unread message

qla3fa

unread,
Mar 25, 2022, 5:24:12 AMMar 25
to CAS Community

Hi,

I try to upgrade my CAS from v6.4.6.1 to 6.5.1. The configuration who was ok with v6.4 don't work in 6.5.1...

I load these modules :

implementation "org.apereo.cas:cas-server-support-throttle-bucket4j:${project.'cas.version'}"
implementation "org.apereo.cas:cas-server-support-throttle:${project.'cas.version'}"
implementation "org.apereo.cas:cas-server-support-throttle-jdbc:${project.'cas.version'}"

I load et configure the audit log in jdbc too.

In my cas.properties my conf is:

cas.authn.throttle.jdbc.user=xxxxxxx
cas.authn.throttle.jdbc.password=xxxxxxxx
cas.authn.throttle.jdbc.driver-class=com.mysql.cj.jdbc.Driver
cas.authn.throttle.jdbc.url=xxxxxxxx
cas.authn.throttle.jdbc.dialect=org.hibernate.dialect.MySQL8Dialect
cas.authn.throttle.core.username-parameter=username
cas.authn.throttle.core.app-code=CAS
cas.authn.throttle.failure.threshold=1
cas.authn.throttle.failure.code=AUTHENTICATION_FAILED
cas.authn.throttle.failure.range-seconds=3
cas.authn.throttle.bucket4j.blocking=true
cas.authn.throttle.bucket4j.enabled=true
cas.authn.throttle.bucket4j.bandwidth[0].duration=PT60S
cas.authn.throttle.bucket4j.bandwidth[0].capacity=50

Authentication always fail with message :

More than [0.3333333333333333] failed login attempts within [3] seconds. Authentication attempt exceeds the failure threshold [1]

I Try with different values in treshold and range-seconds but the issue is same...

In database for an authentication I had only two rows :

MariaDB [DEVCAS]> select * from COM_AUDIT_TRAIL\G; *************************** 1. row *************************** id: 1 AUD_ACTION: AUTHENTICATION_EVENT_TRIGGERED APPLIC_CD: CAS AUD_CLIENT_IP: xxxxxxxxxxxx AUD_DATE: 2022-03-24 16:03:34.000000 AUD_RESOURCE: {source=RankedMultifactorAuthenticationProviderWebflowEventResolver, event=success, timestamp=Thu Ma AUD_SERVER_IP: xxxxxxxxxxxxxxxxxxx AUD_USER: audit:unknown AUD_USERAGENT: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:98.0) Gecko/20100101 Firefox/98.0 *************************** 2. row *************************** id: 2 AUD_ACTION: THROTTLED_LOGIN_ATTEMPT APPLIC_CD: CAS AUD_CLIENT_IP: xxxxxxxxxxx AUD_DATE: 2022-03-24 16:03:44.000000 AUD_RESOURCE: N/A AUD_SERVER_IP: xxxxxxxxxxxx AUD_USER: xxxxxxx AUD_USERAGENT: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:98.0) Gecko/20100101 Firefox/98.0 2 rows in set (0.001 sec)

If I unload modules "org.apereo.cas:cas-server-support-throttle:${project.'cas.version'}" and "org.apereo.cas:cas-server-support-throttle-jdbc:${project.'cas.version'}" the authnetication work properly.

Is there un bug with throttling and v6.5.1 ? Or I miss something ?

Best regards.

Quentin.

Frédéric Lohier

unread,
Apr 5, 2022, 12:47:52 PMApr 5
to CAS Community
Hello,

I am experiencing the same issue in CAS 6.5.2. , the throttle failure module triggers at the first login attempt even if I submit a good user login/password. It was working fine in CAS 6.4.6.1.
I am only using the cas-server-support-throttle, and if I comment the following failure-throttle configuration, authentication works again

#cas.authn.throttle.failure.threshold=1
#cas.authn.throttle.failure.code=AUTHENTICATION_FAILED
#cas.authn.throttle.failure.range-seconds=3

Did you manage to make it work in 6.5.x?

-Frederic

--
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google Groups "CAS Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email to cas-user+u...@apereo.org.
To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/8119db25-4120-5fd3-dceb-4286306826a8%40gmail.com.

qla3fa

unread,
May 6, 2022, 9:55:11 AMMay 6
to cas-...@apereo.org

Hi,

    No it still doesn't work in my 6.5.2 install.

    Like you, with 6.4.6.1 it work correctly. And in my 6.5.2 install, I comment these 3 cas.authn.throttle.xxx directive too...

Quentin.

Jérôme LELEU

unread,
May 6, 2022, 10:03:25 AMMay 6
to CAS Community
Hi,

There is a bug with the bucket4j throttling.
I will be available in the next release 6.5.4 (and 6.6.0).
Thanks.
Best regards,
Jérôme


qla3fa

unread,
May 6, 2022, 10:33:49 AMMay 6
to cas-...@apereo.org

Hi,

    Good news ! :-)

Thanks a lot. We will wait this fix.

Best regards.

Quentin.

Reply all
Reply to author
Forward
0 new messages