[SYNCOPE-1971] Add authentication failure throttling to avoid brute-force attack#1413
Merged
ilgrosso merged 9 commits intoJun 10, 2026
Merged
Conversation
Member
|
@massx1 please open an issue on JIRA for this proposed change |
ilgrosso
changed the title
massx1
force-pushed
the
security-auth-rate-limit-assessment
branch
from
c6b1e7f to
a5a82cc
Compare
ilgrosso
requested changes
Jun 8, 2026
massx1
force-pushed
the
security-auth-rate-limit-assessment
branch
2 times, most recently
from
8167078 to
b8f219d
Compare
ilgrosso
requested changes
Jun 9, 2026
ilgrosso
left a comment
ilgrosso
left a comment
Member
There was a problem hiding this comment.
Besides the changes requested, you will also need to describe the new feature in the docs; I believe you could add a subsection under https://syncope.apache.org/docs/4.1/reference-guide.html#rest-authentication-and-authorization
| final KeymasterProperties keymasterProperties) { | ||
|
|
||
| super(domainOps, dataAccessor, provisioningManager, securityProperties, encryptorManager); | ||
| super( |
Member
There was a problem hiding this comment.
why this formatting change? please revert
massx1
force-pushed
the
security-auth-rate-limit-assessment
branch
from
b8f219d to
56cbebd
Compare
massx1
force-pushed
the
security-auth-rate-limit-assessment
branch
from
56cbebd to
6aaa718
Compare
….23.0 (apache#1417) Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [org.opensearch.client:opensearch-java](https://github.com/opensearch-project/opensearch-java) from 3.8.0 to 3.9.0. - [Release notes](https://github.com/opensearch-project/opensearch-java/releases) - [Changelog](https://github.com/opensearch-project/opensearch-java/blob/v3.9.0/CHANGELOG.md) - [Commits](opensearch-project/opensearch-java@v3.8.0...v3.9.0) --- updated-dependencies: - dependency-name: org.opensearch.client:opensearch-java dependency-version: 3.9.0 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com>
Bumps `hibernate.version` from 7.4.0.Final to 7.4.1.Final. Updates `org.hibernate.orm:hibernate-core` from 7.4.0.Final to 7.4.1.Final - [Release notes](https://github.com/hibernate/hibernate-orm/releases) - [Changelog](https://github.com/hibernate/hibernate-orm/blob/7.4.1/changelog.txt) - [Commits](hibernate/hibernate-orm@7.4.0...7.4.1) Updates `org.hibernate.orm:hibernate-jcache` from 7.4.0.Final to 7.4.1.Final - [Release notes](https://github.com/hibernate/hibernate-orm/releases) - [Changelog](https://github.com/hibernate/hibernate-orm/blob/7.4.1/changelog.txt) - [Commits](hibernate/hibernate-orm@7.4.0...7.4.1) Updates `org.hibernate.orm:hibernate-maven-plugin` from 7.4.0.Final to 7.4.1.Final - [Release notes](https://github.com/hibernate/hibernate-orm/releases) - [Changelog](https://github.com/hibernate/hibernate-orm/blob/7.4.1/changelog.txt) - [Commits](hibernate/hibernate-orm@7.4.0...7.4.1) --- updated-dependencies: - dependency-name: org.hibernate.orm:hibernate-core dependency-version: 7.4.1.Final dependency-type: direct:production update-type: version-update:semver-patch - dependency-name: org.hibernate.orm:hibernate-jcache dependency-version: 7.4.1.Final dependency-type: direct:production update-type: version-update:semver-patch - dependency-name: org.hibernate.orm:hibernate-maven-plugin dependency-version: 7.4.1.Final dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com>
ilgrosso
approved these changes
Jun 10, 2026
ilgrosso
pushed a commit
that referenced
this pull request
Jun 10, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
3 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
This change adds configurable throttling for repeated failed username/password authentication attempts to help prevent brute-force attacks against user passwords (e.g. the admin account).
When enabled, failed attempts are tracked per domain and login within a configurable time window. Once the configured threshold is reached, further attempts are temporarily rejected with HTTP 429 and a Retry-After header, including attempts with valid credentials during the lock window.