Versions prior to CAS 3.3.5 had a simplistic approach to throttling attempts based on IP addresses. Since CAS 3.3.5, those options have been expanded.
For single-node CAS instances, there are two in-memory approaches: one by IP address, and one by IP address + username combination.
Throttle Intercept Activation and Release
The throttle feature intercepts attempted logins for an IP or IP+username once the configured threshold of failed logins per unit of time has been reached. At that point, further logins from that source are intercepted before reaching the CAS service. Once throttle intercept has been activated for an IP or IP+username, it stays active until the count of failed logins decays to less than the threshold. Each further login attempt from a throttled source, valid or invalid, increases the count. Decay is performed by repeatedly decrementing the counter of failed logins and further attempts by 1. The rate of decrements is controlled by the repeatInterval parameter specified in the periodicThrottleCleanerTrigger bean (see below; note that this parameter is set in milliseconds). Once the failed login count drops below the failureThreshold value, the throttle is released.
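The following Python model is an added example, not CAS source code. It reproduces the counter behaviour described above so you can work out how long a source stays throttled for a given failureThreshold and repeatInterval. The class and method names are hypothetical, and two points the text does not state are assumptions: counters stop at zero, and a successful login below the threshold leaves the count unchanged.

```python
from dataclasses import dataclass, field


@dataclass
class ThrottleModel:
    """Model of the counter described above; not CAS source code."""
    failure_threshold: int    # stands in for failureThreshold
    repeat_interval_ms: int   # stands in for repeatInterval (milliseconds)
    counts: dict = field(default_factory=dict)  # key -> failed/extra attempts
    last_tick_ms: int = 0

    def _decay(self, now_ms):
        # One decrement of every counter per elapsed repeat interval.
        ticks = (now_ms - self.last_tick_ms) // self.repeat_interval_ms
        if ticks <= 0:
            return
        self.last_tick_ms += ticks * self.repeat_interval_ms
        for key in list(self.counts):
            self.counts[key] -= ticks
            if self.counts[key] <= 0:  # assumption: floor at zero, then forget
                del self.counts[key]

    def is_throttled(self, key, now_ms):
        self._decay(now_ms)
        return self.counts.get(key, 0) >= self.failure_threshold

    def attempt(self, key, now_ms, password_ok):
        """Return 'intercepted', 'failed' or 'ok' for one login attempt."""
        if self.is_throttled(key, now_ms):
            self.counts[key] += 1  # valid or invalid, it still counts
            return "intercepted"
        if not password_ok:
            self.counts[key] = self.counts.get(key, 0) + 1
            return "failed"
        return "ok"  # assumption: a success below the threshold changes nothing

    def release_delay_ms(self, key, now_ms):
        """Milliseconds until release if no further attempts arrive."""
        if not self.is_throttled(key, now_ms):
            return 0
        decrements = self.counts[key] - self.failure_threshold + 1
        next_tick = self.last_tick_ms + self.repeat_interval_ms
        return (next_tick - now_ms) + (decrements - 1) * self.repeat_interval_ms


if __name__ == "__main__":
    m = ThrottleModel(failure_threshold=3, repeat_interval_ms=1000)
    src = ("203.0.113.7", "alice")  # constructed IP+username key
    print([m.attempt(src, t, False) for t in (0, 100, 200)], m.attempt(src, 300, True))
    print(m.release_delay_ms(src, 300))
```

The model shows why a user who keeps retrying while throttled stays locked out: every intercepted attempt adds one more repeatInterval to the time needed for the count to fall back under the threshold.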
Notes on Logging of Throttled Logins
Failed logins are logged in your Inspektr audit table, if Inspektr is configured, and/or in your cas.log file. Once failed logins reach the threshold you configure, throttling is logged in your cas.log file as:
Once throttling has started for an IP, further attempts to log in are intercepted before they get to the CAS application and logged as 403 errors in your webserver access logs. If you're not fronting your CAS Tomcat server with Apache httpd, you may need to configure the access log "Valve" to get standard access logs in Tomcat (see http://tomcat.apache.org/tomcat-6.0-doc/config/valve.html).
Configuration of the In-Memory Approaches
Configuration of the Inspektr Approach
As you've already done the work for configuring Inspektr, this method merely requires you to configure the new interceptor and give it a DataSource and an AuditTrailManager instance.
Example of In-Memory
Example of Inspektr
Note, you should configure Inspektr per the instructions. You may wish to expand the default client IP and server IP table space to account for IPv6.
Recording client IP address
Allow Inspektr to record the real client IP address in the web.xml file: