Continuum

Disable account on login failures

Details

  • Type: Sub-task Sub-task
  • Status: Closed Closed
  • Priority: Major Major
  • Resolution: Fixed
  • Affects Version/s: None
  • Fix Version/s: 1.1-alpha-1
  • Component/s: None
  • Labels:
    None
  • Complexity:
    Intermediate
  • Number of attachments :
    0

Description

We can hook into acegi authz event system to get unsuccessful logins and add the counter.

After a definer number (eg. 3) of unsucessful consecutive logins the account must be disabled.

Issue Links

This issue is duplicated by:
CONTINUUM-861 Last login or failed login attempts don't seem to be updated in the database Major Closed
This issue is related to:
CONTINUUM-867 User edit page is missing fields Critical Closed

Activity

Ascending order - Click to sort in descending order
Hide
Permalink
Carlos Sanchez added a comment -

From http://acegisecurity.org/faq.html

Common Problem #3: How do I disable a user after a number of failed logins?

A common user requirement is to disable / lock an account after a number of failed login attempts. Acegi itself does not provide anything "out of the box", however in your application you can implement and register an org.springframework.context.ApplicationListener. Inside your application event listener you can then check for an instanceof the particular AuthenticationFailureEvent and then call your application user management interface to update the user details.

For example:

public void onApplicationEvent(ApplicationEvent event) {

// check failed event
if(event instanceof AuthenticationFailurePasswordEvent){ // call user management interface to increment failed login attempts, etc. . . . }
}

Show
Carlos Sanchez added a comment - From http://acegisecurity.org/faq.html Common Problem #3: How do I disable a user after a number of failed logins? A common user requirement is to disable / lock an account after a number of failed login attempts. Acegi itself does not provide anything "out of the box", however in your application you can implement and register an org.springframework.context.ApplicationListener. Inside your application event listener you can then check for an instanceof the particular AuthenticationFailureEvent and then call your application user management interface to update the user details. For example: public void onApplicationEvent(ApplicationEvent event) { // check failed event if(event instanceof AuthenticationFailurePasswordEvent){ // call user management interface to increment failed login attempts, etc. . . . } }
Hide
Permalink
Carlos Sanchez added a comment -

We need to inject an ApplicationEventPublisher into ProviderManager that will process the AuthenticationFailurePasswordEvent as said before.

Actually seems that it's not AuthenticationFailurePasswordEvent but AuthenticationFailureBadCredentialsEvent. There's a long list of possible events that inherit from AbstractAuthenticationFailureEvent, http://acegisecurity.org/multiproject/acegi-security/apidocs/org/acegisecurity/event/authentication/AbstractAuthenticationFailureEvent.html

Show
Carlos Sanchez added a comment - We need to inject an ApplicationEventPublisher into ProviderManager that will process the AuthenticationFailurePasswordEvent as said before. Actually seems that it's not AuthenticationFailurePasswordEvent but AuthenticationFailureBadCredentialsEvent. There's a long list of possible events that inherit from AbstractAuthenticationFailureEvent, http://acegisecurity.org/multiproject/acegi-security/apidocs/org/acegisecurity/event/authentication/AbstractAuthenticationFailureEvent.html
Hide
Permalink
Joakim Erdfelt added a comment -

Work has been completed on this.
Uber-patch has been submitted to Carlos Sanchez.

Show
Joakim Erdfelt added a comment - Work has been completed on this. Uber-patch has been submitted to Carlos Sanchez.
Hide
Permalink
Carlos Sanchez added a comment -

Applied patch from Joakim

Show
Carlos Sanchez added a comment - Applied patch from Joakim

People

Vote (0)
Watch (0)

Dates

  • Created:
    Updated:
    Resolved:
Atlassian JIRA (v4.4.3#663-r165197) | Report a problem
Powered by a free Atlassian JIRA open source license for Codehaus. Try JIRA - bug tracking software for your team.