Hi Gurus! How can I prevent a brute force attack on my password change jsp page?
Background: I've successfully secured a jsp/perl web application. Thanks to all acegi developers for this fine piece of software! The login jsp page is protected against brute force by leveraging the application event publishing features so the account is locked for 30 minutes after three failed logins. BTW, I can't find any documentation for application event publishing in the 1.0.0 manual.

My question is how I can do something similar to prevent the password change page? The password change page is open to role anonymous because when a new user is entered in the system, password expired is set to a past date to force the user to change the password the first time.

Are there any best practices to handle changes of passwords?

Regards
Gunnar
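
An added example, not part of the original post and not Acegi code: a minimal per-account limiter that applies the same three-failures, 30-minute rule to the password change page. The class and method names are hypothetical, and it assumes the page asks for the current password and that the caller supplies the current time in milliseconds.

```java
import java.util.HashMap;
import java.util.Locale;
import java.util.Map;

// Hypothetical helper (not an Acegi class): throttles old-password checks per account.
public class ChangeAttemptLimiter {
    private static final int MAX_FAILURES = 3;                // same threshold as the login page
    private static final long LOCK_MILLIS = 30L * 60 * 1000;  // same 30-minute lock

    private static final class State { int failures; long lockedUntil; }

    // Unbounded here; a real deployment should track only existing accounts.
    private final Map<String, State> states = new HashMap<>();

    // Normalise so "Alice" and "alice " share one counter.
    private static String key(String username) {
        return username.trim().toLowerCase(Locale.ROOT);
    }

    /** Call before checking the old password; refuse the request if this is true. */
    public synchronized boolean isLocked(String username, long now) {
        State s = states.get(key(username));
        return s != null && now < s.lockedUntil;
    }

    /** Call when the old password is wrong; returns true if this failure locks the account. */
    public synchronized boolean recordFailure(String username, long now) {
        State s = states.computeIfAbsent(key(username), k -> new State());
        if (++s.failures >= MAX_FAILURES) {
            s.lockedUntil = now + LOCK_MILLIS;
            s.failures = 0; // counting starts again once the lock expires
            return true;
        }
        return false;
    }

    /** Call after a successful change so earlier failures are forgotten. */
    public synchronized void recordSuccess(String username) {
        states.remove(key(username));
    }

    public static void main(String[] args) {
        ChangeAttemptLimiter limiter = new ChangeAttemptLimiter();
        long t = 0; // constructed timestamps, in milliseconds
        for (int i = 1; i <= 3; i++) {
            System.out.println("failure " + i + " locks: " + limiter.recordFailure("newuser", t += 1000));
        }
        System.out.println("locked 1 min later: " + limiter.isLocked("newuser", t + 60_000));
        System.out.println("locked 31 min later: " + limiter.isLocked("newuser", t + 31 * 60_000));
    }
}
```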