Using JCaptcha in CAS4

CAS 4, which isn’t out yet, or in any condition to be used in production, now supports using JCaptcha in order to throttle password-guessing attempts.

Complete details on enabling it are in the JASIG Wiki. We’ve enabled it by default in the demonstration WAR file.

Essentially, we use a rather simple algorithm (feel free to enhance it and contribute it back) to determine whether there have been too many failed attempts from your IP address within a certain period of time. We don’t use sessions because obviously you could just get a new session ;-)

This is just one of the many enhancements based on community feedback that we’re looking to include in CAS 4.
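As an added example (not CAS or JCaptcha code), here is the per-IP sliding-window throttle the post describes, extended with the per-user-id threshold that Matt Smith suggests in comment #1; the window length, the thresholds and the `FailureThrottle` name are assumptions.

```python
import time
from collections import defaultdict, deque


class FailureThrottle:
    """Sliding-window count of failed logins, keyed both by client IP and by user id.

    A CAPTCHA becomes mandatory once either key reaches its threshold inside the
    window. The per-id key keeps one guessed account detectable even when many
    users share an IP (NAT, Citrix, proxies); the per-IP key still catches one
    source spraying many accounts. The thresholds below (9 per IP, 4 per id)
    are the constructed values from the comment thread, not CAS defaults.
    """

    def __init__(self, window_seconds=60, ip_threshold=9, id_threshold=4,
                 clock=time.monotonic):
        self.window = window_seconds
        self.ip_threshold = ip_threshold
        self.id_threshold = id_threshold
        self.clock = clock  # injectable so tests can control time
        self._by_ip = defaultdict(deque)   # ip -> timestamps of failures
        self._by_id = defaultdict(deque)   # user id -> timestamps of failures

    def _prune(self, q, now):
        # Drop failures older than the window from the front of the queue.
        while q and now - q[0] > self.window:
            q.popleft()

    def record_failure(self, ip, user_id):
        now = self.clock()
        self._by_ip[ip].append(now)
        self._by_id[user_id].append(now)

    def record_success(self, ip, user_id):
        # A successful login clears the account's counter but not the IP's:
        # one valid login from a spraying source should not unlock the rest.
        self._by_id.pop(user_id, None)

    def failures(self, ip, user_id):
        """Return (failures from ip, failures for user_id) inside the window."""
        now = self.clock()
        ip_q, id_q = self._by_ip[ip], self._by_id[user_id]
        self._prune(ip_q, now)
        self._prune(id_q, now)
        return len(ip_q), len(id_q)

    def captcha_required(self, ip, user_id):
        ip_n, id_n = self.failures(ip, user_id)
        return ip_n >= self.ip_threshold or id_n >= self.id_threshold
```

Key on the address of the real client: behind a reverse proxy the socket peer is the proxy itself, so use a forwarded-for header only when a proxy you control sets it.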

6 comments ↓

#1 Matt Smith on 01.15.09 at 6:05 am

We have all sorts of cases (Citrix, NAT’d environments, proxies) where the source IP for many IDs will be the same. How about additionally (or optionally) a per-ID threshold?

For example, 9 previous failed attempts from this IP or 4 previous failed attempts for this ID cause CAPTCHA to be activated?

#2 Scott on 01.15.09 at 12:10 pm

It’s certainly possible to do it by User Id. The only difficult thing would be to do it by two items (i.e. UserId and IP Address) as JCaptcha requires a unique identifier.

I’ll add this to my TODO list as another option. Should be trivial to implement.

#3 Scott on 01.15.09 at 12:13 pm

Actually, I lied, you could do it based on IP Address and Username.

Bit of a hack, but it’s possible. I’ll add that also.

#4 Scott on 01.15.09 at 12:17 pm

Hmm, this is actually going to be more difficult than I expected.

On the one side it’s absurdly easy. When generating the image though, we don’t have access to the username and we can’t pass it in as a parameter to the thing that constructs the username.

We need to be able to give the Id to the CAPTCHA image generator without exposing it.

Any thoughts?

#5 Matt Smith on 01.15.09 at 1:36 pm

I have *no* knowledge of JCaptcha, nor have I looked at the CAS4 implementations, but … couldn’t tuples of relevant info (say, [IP,ID,Failures]) be stored in the application state on each authentication, an AuthenticationFailureCounter bean be created to count failures, and trigger JCAPTCHA with captchaId=tuple.hashCode() when a defined threshold is reached?

#6 Shivani on 01.16.09 at 9:39 pm

The usage of user ID instead of IP Add is also a feature that is requested to be implemented in our organization.

If we can modify Jcaptcha to be used in the extension of HandlerInterceptorAdapter – would the UserId be accessible in that scenario?
