Hi Mark,

thanks a lot for your advice. I decided to use a HashMap set by my authentication provider instead of a column in my DB. This implementation is enough for my application because, when a login fails, the username and the failed password attempts are set in the hash table. After the limit max_passwd_mistake, I call my BO to set the related field enabled in my schema. If the user is able to log in (capture AuthenticationSuccessEvent) at the first attempt, nothing happens in my map; if the user, for example, can log in after 3 attempts (capture AuthenticationSuccessEvent), his/her record in my HashMap is deleted. This is maybe not really scalable, but it is useful to use the DB only in the case where I have to lock the user. What do you think about it? Can it be a good solution?

Kind regards,
Emmanuele
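
The in-memory counter described in the message above, sketched as an added example that is not part of the original post or of Acegi Security. `FailedLoginTracker` and `AccountLocker` are hypothetical names (the latter stands in for the BO call that updates the schema), the two `on...` methods are meant to be called from the application's own failure and `AuthenticationSuccessEvent` listeners, and Java 8 or later is assumed.

```java
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.ConcurrentMap;

/** Added example: failed logins are counted in memory; the DB is touched only to lock. */
public class FailedLoginTracker {

    /** Hypothetical stand-in for the BO call that changes the account's enabled field. */
    public interface AccountLocker {
        void lock(String username);
    }

    private final ConcurrentMap<String, Integer> failures = new ConcurrentHashMap<>();
    private final int maxPasswdMistake;
    private final AccountLocker locker;

    public FailedLoginTracker(int maxPasswdMistake, AccountLocker locker) {
        this.maxPasswdMistake = maxPasswdMistake;
        this.locker = locker;
    }

    /** Call on every failed login. Returns true when this failure locked the account. */
    public boolean onFailure(String username) {
        // merge() is atomic per key, so concurrent failed logins are all counted
        int count = failures.merge(username, 1, Integer::sum);
        if (count < maxPasswdMistake) {
            return false;
        }
        locker.lock(username);     // assumed idempotent: two racing threads may both call it
        failures.remove(username); // the DB now holds the locked state
        return true;
    }

    /** Call when a login succeeds: the user's record is dropped from the map. */
    public void onSuccess(String username) {
        failures.remove(username);
    }

    public int failureCount(String username) {
        return failures.getOrDefault(username, 0);
    }

    public static void main(String[] args) {
        // Constructed sample run with a limit of 3; the lock action only prints.
        FailedLoginTracker t = new FailedLoginTracker(3, u -> System.out.println("lock " + u));
        t.onFailure("alice");
        t.onFailure("alice");
        t.onSuccess("alice"); // success after 2 failures clears alice's record
        System.out.println("alice failures: " + t.failureCount("alice"));
        for (int i = 0; i < 3; i++) {
            System.out.println("bob locked: " + t.onFailure("bob"));
        }
    }
}
```

The counts live in one JVM, so they reset on restart and are not shared between cluster nodes. Entries for usernames that never log in successfully stay in the map, so a deployment would also want an expiry or a size bound.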