A bug with throttling in CAS 6.5.1?

qla3fa

Mar 25, 2022, 5:24:12 AM
to CAS Community

Hi,

I am trying to upgrade my CAS from v6.4.6.1 to 6.5.1. The configuration that was OK with v6.4 doesn't work in 6.5.1...

I load these modules:

implementation "org.apereo.cas:cas-server-support-throttle-bucket4j:${project.'cas.version'}"
implementation "org.apereo.cas:cas-server-support-throttle:${project.'cas.version'}"
implementation "org.apereo.cas:cas-server-support-throttle-jdbc:${project.'cas.version'}"

I load and configure the audit log in JDBC too.

In my cas.properties my conf is:

cas.authn.throttle.jdbc.user=xxxxxxx
cas.authn.throttle.jdbc.password=xxxxxxxx
cas.authn.throttle.jdbc.driver-class=com.mysql.cj.jdbc.Driver
cas.authn.throttle.jdbc.url=xxxxxxxx
cas.authn.throttle.jdbc.dialect=org.hibernate.dialect.MySQL8Dialect
cas.authn.throttle.core.username-parameter=username
cas.authn.throttle.core.app-code=CAS
cas.authn.throttle.failure.threshold=1
cas.authn.throttle.failure.code=AUTHENTICATION_FAILED
cas.authn.throttle.failure.range-seconds=3
cas.authn.throttle.bucket4j.blocking=true
cas.authn.throttle.bucket4j.enabled=true
cas.authn.throttle.bucket4j.bandwidth[0].duration=PT60S
cas.authn.throttle.bucket4j.bandwidth[0].capacity=50

Authentication always fails with the message:

More than [0.3333333333333333] failed login attempts within [3] seconds. Authentication attempt exceeds the failure threshold [1]

I tried with different values for threshold and range-seconds but the issue is the same...

In the database, for an authentication, I had only two rows:

MariaDB [DEVCAS]> select * from COM_AUDIT_TRAIL\G;
*************************** 1. row ***************************
id: 1
AUD_ACTION: AUTHENTICATION_EVENT_TRIGGERED
APPLIC_CD: CAS
AUD_CLIENT_IP: xxxxxxxxxxxx
AUD_DATE: 2022-03-24 16:03:34.000000
AUD_RESOURCE: {source=RankedMultifactorAuthenticationProviderWebflowEventResolver, event=success, timestamp=Thu Ma
AUD_SERVER_IP: xxxxxxxxxxxxxxxxxxx
AUD_USER: audit:unknown
AUD_USERAGENT: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:98.0) Gecko/20100101 Firefox/98.0
*************************** 2. row ***************************
id: 2
AUD_ACTION: THROTTLED_LOGIN_ATTEMPT
APPLIC_CD: CAS
AUD_CLIENT_IP: xxxxxxxxxxx
AUD_DATE: 2022-03-24 16:03:44.000000
AUD_RESOURCE: N/A
AUD_SERVER_IP: xxxxxxxxxxxx
AUD_USER: xxxxxxx
AUD_USERAGENT: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:98.0) Gecko/20100101 Firefox/98.0
2 rows in set (0.001 sec)

If I unload the modules "org.apereo.cas:cas-server-support-throttle:${project.'cas.version'}" and "org.apereo.cas:cas-server-support-throttle-jdbc:${project.'cas.version'}", authentication works properly.

Is there a bug with throttling and v6.5.1? Or am I missing something?

Best regards.

Quentin.

Frédéric Lohier

Apr 5, 2022, 12:47:52 PM
to CAS Community
Hello,

I am experiencing the same issue in CAS 6.5.2: the throttle failure module triggers at the first login attempt even if I submit a good user login/password. It was working fine in CAS 6.4.6.1.
I am only using the cas-server-support-throttle, and if I comment out the following failure-throttle configuration, authentication works again:

#cas.authn.throttle.failure.threshold=1
#cas.authn.throttle.failure.code=AUTHENTICATION_FAILED
#cas.authn.throttle.failure.range-seconds=3

Did you manage to make it work in 6.5.x?

-Frederic


qla3fa

May 6, 2022, 9:55:11 AM
to cas-...@apereo.org

Hi,

No, it still doesn't work in my 6.5.2 install.

Like you, with 6.4.6.1 it works correctly. And in my 6.5.2 install, I commented out these 3 cas.authn.throttle.xxx directives too...

Quentin.

Jérôme LELEU

May 6, 2022, 10:03:25 AM
to CAS Community
Hi,

There is a bug with the bucket4j throttling.
It will be available in the next release 6.5.4 (and 6.6.0).
Thanks.
Best regards,
Jérôme


qla3fa

May 6, 2022, 10:33:49 AM
to cas-...@apereo.org

Hi,

Good news! :-)

Thanks a lot. We will wait for this fix.

Best regards.

Quentin.
