Dear Wiki user, You have subscribed to a wiki page or wiki category on "Tapestry Wiki" for change notification.
The following page has been changed by Peter Stavrinides: http://wiki.apache.org/tapestry/Tapestry5HowToMitigatingLoginAttacks ------------------------------------------------------------------------------ - = Tapestry5HowToMitigatingLoginAttacks = + = How To Mitigate Login Attacks = + Brute force and dictionary attacks use recursing login attempts to guess passwords. One of the most effective approaches to mitigate this is to implement a delay between logins, which effectively slows down these scripts just enough to render them useless. The problem with implementing an 'account lockout' as an alternative is that its open for abuse, and creates an administrative overhead. This is a simplified example to illustrate this principle. + + - 1. The first step is to create a simple pojo that represents a failed login, we also give it the ability to count failed attempts. + 1. The first step is to create a simple Pojo that represents a failed login, we also give it the ability to count failed attempts. {{{ /** @@ -57, +60 @@ }}} - 2. A Tapestry Singleton service to store failed login attempts + 2. A Tapestry Singleton service to store failed login attempts, we use the callers IP address as an identifier {{{ @@ -81, +84 @@ }}} - 3. lastly add a simple binding in AppModule, a Singleton is the default scope so we only require this: + 3. Lastly we add a simple binding in AppModule... a Singleton is the default scope so we only require the following: {{{ --------------------------------------------------------------------- To unsubscribe, e-mail: dev-unsubscr...@tapestry.apache.org For additional commands, e-mail: dev-h...@tapestry.apache.org
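Review bot: The new intro paragraph in the first hunk overstates what a login delay buys. "slows down these scripts just enough to render them useless" only holds for a single-source attacker hammering one account; a delay keyed on the caller does nothing against an attacker who spreads guesses across many source addresses, or who runs a slow, low-rate credential-stuffing pass. Say it raises the cost per guess rather than renders the attack useless, and consider noting that the delay can be applied per target account as well as per caller while keeping the argument against hard lockouts (a per-account delay of a few seconds is not the denial-of-service lever that a lockout is). Wording: "recursing login attempts" should read "repeated login attempts", and "its open for abuse" should be "it's open for abuse".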
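Review bot: The step 2 text in the second hunk ("we use the callers IP address as an identifier") needs two caveats before it is safe advice. First, behind a reverse proxy or load balancer the servlet remote address is the proxy, so every user collapses onto one key and a single attacker delays everyone; if a forwarded-for header is used instead, it is client-controlled unless the proxy strips and rewrites it. Second, many legitimate users share one address behind NAT, so the per-key delay must stay small. Separately, a store keyed by arbitrary client addresses grows without bound, so the text should state an expiry or eviction policy for stale entries, otherwise cycling source addresses becomes a way to exhaust memory. Grammar: "callers" should be "caller's".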
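Review bot: Because step 3 in the third hunk binds the service in the default singleton scope, one instance is shared by every request thread, and the text should say that the failed-attempt store must be thread-safe and the attempt counter incremented atomically; otherwise concurrent failures from the same key can lose counts and the delay never kicks in. The sentence "Lastly we add a simple binding in AppModule... a Singleton is the default scope so we only require the following:" reads better as "Lastly, add a binding in AppModule; since singleton is the default scope, the following is all that is required:".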