Authentication throttling, per IP and username?
115 views
Skip to first unread message
Baron Fujimoto
Sep 8, 2020, 6:10:53 PM9/8/20
to CAS Users
I'm seeking some clarification on Authentication Throttling. We're using 5.0.x, but the documentation doesn't seem to differ much in subsequent versions for this question.
<https://apereo.github.io/cas/5.0.x/installation/Configuring-Authentication-Throttling.html>
The docs describe both throttling by IP address, and IP address and username. How do we ensure the latter so the throttling is also per username? The cas.properties documentation includes a "cas.authn.throttle.usernameParameter=username" property, but doesn't explain its purpose. I don't see anything else that looks like it may be relevant?
--
UH Information Technology Services : Identity & Access Mgmt, Middleware
minutas cantorum, minutas balorum, minutas carboratum desendus pantorum
<https://apereo.github.io/cas/5.0.x/installation/Configuring-Authentication-Throttling.html>
The docs describe both throttling by IP address, and IP address and username. How do we ensure the latter so the throttling is also per username? The cas.properties documentation includes a "cas.authn.throttle.usernameParameter=username" property, but doesn't explain its purpose. I don't see anything else that looks like it may be relevant?
--
UH Information Technology Services : Identity & Access Mgmt, Middleware
minutas cantorum, minutas balorum, minutas carboratum desendus pantorum
Jérôme LELEU
Sep 9, 2020, 6:57:47 AM9/9/20
to CAS Community
Hi,
If you define something for the username, you'll use the throttling by IP and username.
Thanks.
Best regards,
Jérôme
--
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google Groups "CAS Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email to cas-user+u...@apereo.org.
To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/20200908221042.immqr5tibuzxq44v%40MacBook-Pro.local.
Baron Fujimoto
Sep 9, 2020, 1:37:09 PM9/9/20
to cas-...@apereo.org
Mahalo for the clarification! I'm assuming that the "username" value for the cas.authn.throttle.usernameParameter is a general value for all users and not a specific user, e.g. "alice" or "bob" (because that would be... non-optimal)? Does it matter what the value for the cas.authn.throttle.usernameParameter property is, or just that it has some value? I.e., could it be set to a pseudo-boolean value, like "true" and have the same effect?
It would be helpful if the documentation included this information.
>To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/CAP279Lwg_D%2BKQSN4%3DTGSQFRDnvNdouSZ5S441aawXkdb7wQk7g%40mail.gmail.com.
It would be helpful if the documentation included this information.
Jérôme LELEU
Sep 10, 2020, 1:57:09 AM9/10/20
to CAS Community
Hi,
The value of the cas.authn.throttle.usernameParameter property must be the name of the request parameter holding the username (from the login form), which is "username".
Thanks.
Best regards,
Jérôme
To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/20200909173651.2pqnbpxmkvcq6gej%40MacBook-Pro.local.
Baron Fujimoto
Sep 10, 2020, 1:29:10 PM9/10/20
to CAS Users
Mahalo, Jérôme!
On Thu, Sep 10, 2020 at 07:56:54AM +0200, Jérôme LELEU wrote:
>Hi,
>
>The value of the *cas.authn.throttle.usernameParameter* property must be
>> https://groups.google.com/a/apereo.org/d/msgid/cas-user/20200909173651.2pqnbpxmkvcq6gej%40MacBook-Pro.local
On Thu, Sep 10, 2020 at 07:56:54AM +0200, Jérôme LELEU wrote:
>Hi,
>
>> .
>>
>
>--
>- Website: https://apereo.github.io/cas
>- Gitter Chatroom: https://gitter.im/apereo/cas
>- List Guidelines: https://goo.gl/1VRrw7
>- Contributions: https://goo.gl/mh7qDG
>---
>You received this message because you are subscribed to the Google Groups "CAS Community" group.
>To unsubscribe from this group and stop receiving emails from it, send an email to cas-user+u...@apereo.org.
>To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/CAP279Lw8Vh%3DzrnO07vDPd-NWVZiKp3mnzwNUD9mxgQ9bgzmOTQ%40mail.gmail.com.
>>
>
>--
>- Website: https://apereo.github.io/cas
>- Gitter Chatroom: https://gitter.im/apereo/cas
>- List Guidelines: https://goo.gl/1VRrw7
>- Contributions: https://goo.gl/mh7qDG
>---
>You received this message because you are subscribed to the Google Groups "CAS Community" group.
>To unsubscribe from this group and stop receiving emails from it, send an email to cas-user+u...@apereo.org.
Baron Fujimoto
Sep 10, 2020, 5:05:05 PM9/10/20
to cas-...@apereo.org
Sorry, more questions:
I also tried setting the property *cas.authnofor throttle.failure.code* to "AUTHENTICATION_FAILED_THROTTLED" in an attempt to make the cause for this failure mode more apparent.
However, the string never shows up in the logs. I don't see any differences if I leave it at the default(?) "AUTHENTICATION_FAILED" value.
Upon invoking throttling the UI presents the following in a somewhat funky font:
=====
YOU ARE NOT AUTHORIZED TO BE AUTHORIZED!
We are sorry. You do not have permission to view this page.
You thought you could just get to file you wanted, right?
Wrong.
In closing, go away.
=====
Since this is... not ideal... for our environment, we'll need to edit this. I assume this should be done via an overlay? It looks like this content is found in .../templates/error/403.html file. I believe long ago we previously modified 404.html, and I find it in our cas-overlay/target/classes/templates/error/404.html dir. Should the overlay version of 403.html also be placed in the same dir?
Since it's invoking a general 403.html, I don't suppose there is a way to get it to display a more specific page for the Throttling condition rather than a generic 403?
On Thu, Sep 10, 2020 at 07:56:54AM +0200, Jérôme LELEU wrote:
>Hi,
>
>The value of the *cas.authn.throttle.usernameParameter* property must be
>> https://groups.google.com/a/apereo.org/d/msgid/cas-user/20200909173651.2pqnbpxmkvcq6gej%40MacBook-Pro.local
I also tried setting the property *cas.authnofor throttle.failure.code* to "AUTHENTICATION_FAILED_THROTTLED" in an attempt to make the cause for this failure mode more apparent.
However, the string never shows up in the logs. I don't see any differences if I leave it at the default(?) "AUTHENTICATION_FAILED" value.
Upon invoking throttling the UI presents the following in a somewhat funky font:
=====
YOU ARE NOT AUTHORIZED TO BE AUTHORIZED!
We are sorry. You do not have permission to view this page.
You thought you could just get to file you wanted, right?
Wrong.
In closing, go away.
=====
Since this is... not ideal... for our environment, we'll need to edit this. I assume this should be done via an overlay? It looks like this content is found in .../templates/error/403.html file. I believe long ago we previously modified 404.html, and I find it in our cas-overlay/target/classes/templates/error/404.html dir. Should the overlay version of 403.html also be placed in the same dir?
Since it's invoking a general 403.html, I don't suppose there is a way to get it to display a more specific page for the Throttling condition rather than a generic 403?
On Thu, Sep 10, 2020 at 07:56:54AM +0200, Jérôme LELEU wrote:
>Hi,
>
>> .
>>
>
>--
>- Website: https://apereo.github.io/cas
>- Gitter Chatroom: https://gitter.im/apereo/cas
>- List Guidelines: https://goo.gl/1VRrw7
>- Contributions: https://goo.gl/mh7qDG
>---
>You received this message because you are subscribed to the Google Groups "CAS Community" group.
>To unsubscribe from this group and stop receiving emails from it, send an email to cas-user+u...@apereo.org.
>To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/CAP279Lw8Vh%3DzrnO07vDPd-NWVZiKp3mnzwNUD9mxgQ9bgzmOTQ%40mail.gmail.com.
>>
>
>--
>- Website: https://apereo.github.io/cas
>- Gitter Chatroom: https://gitter.im/apereo/cas
>- List Guidelines: https://goo.gl/1VRrw7
>- Contributions: https://goo.gl/mh7qDG
>---
>You received this message because you are subscribed to the Google Groups "CAS Community" group.
>To unsubscribe from this group and stop receiving emails from it, send an email to cas-user+u...@apereo.org.
Baron Fujimoto
Sep 16, 2020, 10:36:40 PM9/16/20
to cas-...@apereo.org
I confirmed the overlay for the 403.html file.
Still don't understand *cas.authn.throttle.usernameParameter* though.
But worse, the observed behavior doesn't seem to match up with the properties set though. Using:
cas.authn.throttle.usernameParameter=username
cas.authn.throttle.failure.threshold=5
cas.authn.throttle.failure.code=AUTHENTICATION_FAILED
cas.authn.throttle.failure.rangeSeconds=120
However, when I test, on just the second failed authention attempt with a deliberately bad password, throttling is triggered and the following is logged:
WARN [org.apereo.cas.web.support.InMemoryThrottledSubmissionByIpAddressAndUsernameHandlerInterceptorAdapter] - <Throttling submission from 192.10.10.10. More than 5 failed login attempts within 120 seconds. Authentication attempt exceeds the failure threshold 5>
But there have definitely been fewer than 5 attempts for this IP address and username key pair.
If I add trace logging for InMemoryThrottledSubmissionByIpAddressAndUsernameHandlerInterceptorAdapter, I can also see entries for keys:
TRACE [org.apereo.cas.web.support.InMemoryThrottledSubmissionByIpAddressAndUsernameHandlerInterceptorAdapter] - <Removing entry for key 192.10.10.10;baron>
But nothing more specifically for how they are triggering the throttling policy.
Any suggestions?
Still don't understand *cas.authn.throttle.usernameParameter* though.
But worse, the observed behavior doesn't seem to match up with the properties set though. Using:
cas.authn.throttle.usernameParameter=username
cas.authn.throttle.failure.threshold=5
cas.authn.throttle.failure.code=AUTHENTICATION_FAILED
cas.authn.throttle.failure.rangeSeconds=120
However, when I test, on just the second failed authention attempt with a deliberately bad password, throttling is triggered and the following is logged:
WARN [org.apereo.cas.web.support.InMemoryThrottledSubmissionByIpAddressAndUsernameHandlerInterceptorAdapter] - <Throttling submission from 192.10.10.10. More than 5 failed login attempts within 120 seconds. Authentication attempt exceeds the failure threshold 5>
But there have definitely been fewer than 5 attempts for this IP address and username key pair.
If I add trace logging for InMemoryThrottledSubmissionByIpAddressAndUsernameHandlerInterceptorAdapter, I can also see entries for keys:
TRACE [org.apereo.cas.web.support.InMemoryThrottledSubmissionByIpAddressAndUsernameHandlerInterceptorAdapter] - <Removing entry for key 192.10.10.10;baron>
But nothing more specifically for how they are triggering the throttling policy.
Any suggestions?
Ray Bon
Sep 17, 2020, 11:32:50 AM9/17/20
to cas-...@apereo.org
Baron,
That throttle is a ratio. So you have 1 in 24s. It is triggered on every log in attempt (in your case by same username - but test this), not after 4.
Ray
On Wed, 2020-09-16 at 16:36 -1000, Baron Fujimoto wrote:
Notice: This message was sent from outside the University of Victoria email system. Please be cautious with links and sensitive information.
--- Website:https://apereo.github.io/cas- Gitter Chatroom:https://gitter.im/apereo/cas- List Guidelines:https://goo.gl/1VRrw7- Contributions:https://goo.gl/mh7qDG---You received this message because you are subscribed to the Google Groups "CAS Community" group.To unsubscribe from this group and stop receiving emails from it, send an email tocas-user+u...@apereo.org.To view this discussion on the web visit
https://groups.google.com/a/apereo.org/d/msgid/cas-user/20200917023629.lqxnrvkya23uwee4%40MacBook-Pro.local.
--
Ray Bon
Programmer Analyst
Development Services, University Systems
2507218831 | CLE 019 | rb...@uvic.ca
I respectfully acknowledge that my place of work is located within the ancestral, traditional and unceded territory of the Songhees, Esquimalt and WSÁNEĆ Nations.
Baron Fujimoto
Sep 17, 2020, 1:04:41 PM9/17/20
to cas-...@apereo.org
Ahh, thank you. That helps a lot. I wish this were more explicit in the documentation.
>Mahalo for the clarification! I'm assuming that the "username" value for
>the cas.authn.throttle.usernameParameter is a general value for all users
>and not a specific user, e.g. "alice" or "bob" (because that would be...
>non-optimal)? Does it matter what the value for the
>cas.authn.throttle.usernameParameter property is, or just that it has some
>value? I.e., could it be set to a pseudo-boolean value, like "true" and
>have the same effect?
>
>It would be helpful if the documentation included this information.
>
>On Wed, Sep 09, 2020 at 12:57:32PM +0200, Jérôme LELEU wrote:
>
>Hi,
>
>If you define something for the username, you'll use the throttling by IP
>and username.
>
>Thanks.
>Best regards,
>Jérôme
>
>
>the cas.authn.throttle.usernameParameter is a general value for all users
>and not a specific user, e.g. "alice" or "bob" (because that would be...
>non-optimal)? Does it matter what the value for the
>cas.authn.throttle.usernameParameter property is, or just that it has some
>value? I.e., could it be set to a pseudo-boolean value, like "true" and
>have the same effect?
>
>It would be helpful if the documentation included this information.
>
>On Wed, Sep 09, 2020 at 12:57:32PM +0200, Jérôme LELEU wrote:
>
>Hi,
>
>If you define something for the username, you'll use the throttling by IP
>and username.
>
>Thanks.
>Best regards,
>Jérôme
>
>
Reply all
Reply to author
Forward
0 new messages