Lock out accounts after too many failed login attempts

Details

Type: New Feature
Status: Open
Priority: Minor
Resolution: Unresolved
Affects Version/s: 1.8.2
Fix Version/s: None
Component/s: Security
Labels:
None

Description

Implement full support for Acegi's "account locked" exception condition. Lock out user accounts after a configurable number of failed login attempts. (Parameter value of 0 disables this feature.)

Requires implementation of custom version of Acegi's DaoAuthenticationProvider.

I have this code completed & tested under Struts. I will upload a patch once I test on SpringMVC also.

Activity

Ascending order - Click to sort in descending order

Hide

Permalink

Matt Raible added a comment - 19/Sep/05 10:54 PM

If we do choose to implement this, we should do so with this feature turned off by default IMO. Even better, I think we should try to convince Acegi Security to implement this in its framework (rather than us writing custom code for it). It seems like the type of feature that Acegi users might like.

Show

Matt Raible added a comment - 19/Sep/05 10:54 PM If we do choose to implement this, we should do so with this feature turned off by default IMO. Even better, I think we should try to convince Acegi Security to implement this in its framework (rather than us writing custom code for it). It seems like the type of feature that Acegi users might like.

Hide

Permalink

David Carter added a comment - 20/Sep/05 6:25 AM

I agree on both points. Default value of 0 for the parameter is already in the code. I will be submitting the implementation to Acegi also, since this is generic functionality. There will be a new ExtendedAuthenticationDao interface (methods clearFailedLoginCount, incrementFailedLoginCount, and lockAccount) that we will need to implement in userManager, but the ExtenededDaoAuthentictionProvider that calls these methods should be part of Acegi's core code. s

Show

David Carter added a comment - 20/Sep/05 6:25 AM I agree on both points. Default value of 0 for the parameter is already in the code. I will be submitting the implementation to Acegi also, since this is generic functionality. There will be a new ExtendedAuthenticationDao interface (methods clearFailedLoginCount, incrementFailedLoginCount, and lockAccount) that we will need to implement in userManager, but the ExtenededDaoAuthentictionProvider that calls these methods should be part of Acegi's core code. s

Matt Raible made changes - 03/Jan/06 4:12 PM

Field	Original Value	New Value
Priority	Critical [ 2 ]	Minor [ 4 ]

Hide

Permalink

Matt Raible added a comment - 09/Jan/06 7:10 AM

Is your change compatible with ~~APF-118~~?

Show

Matt Raible added a comment - 09/Jan/06 7:10 AM Is your change compatible with APF-118 ?

Hide

Permalink

Troy J. Kelley added a comment - 19/Jun/06 12:33 PM

I've just started looking at implementing this within an AppFuse-based app that I'm putting together.

I checked the latest Acegi Javadocs and there doesn't seem to be support for this there yet. Any idea on where this is at?

Show

Troy J. Kelley added a comment - 19/Jun/06 12:33 PM I've just started looking at implementing this within an AppFuse-based app that I'm putting together. I checked the latest Acegi Javadocs and there doesn't seem to be support for this there yet. Any idea on where this is at?

Hide

Permalink

Matt Raible added a comment - 08/Oct/07 1:45 PM

If there's no new interest in this feature, I'll likely close this issue.

Show

Matt Raible added a comment - 08/Oct/07 1:45 PM If there's no new interest in this feature, I'll likely close this issue.

People

Assignee:

Matt Raible

Reporter:

David Carter

Vote (1)

Watch (1)

Dates

Created:

19/Sep/05 10:38 PM

Updated:

08/Oct/07 1:45 PM