Thanks for the feedback, everyone!
I will add the extension to contrib this evening when I am back home
(unless someone who has not posted yet disagrees).
Best
Clemens
Hi Clemens,
Cool. +1 to publish it on contrib + exo (either xwiki-contrib or
xwiki-attric if you don’t plan to maintain it).
Thanks
-Vincent
On 17 Aug 2019, at 21:40, Clemens Klein-Robbenhaar
<[email protected]> wrote:
Hi devs.
I noticed that the recent 11.6.x series have introduced a way to deal
with attempts to guess a users password by introducing a strategy to
handle repeated login failures. I should have payed attention before
this was published because I have been implementing something similar
because of several user requests.
Anyway, my alternative solution has been finished in parallel, and I
wonder if there is any interest of hosting this as a contrib project.
The implementation differs in the following details:
- it does not use the new AuthenticationFailureEvents and the
introduced component API, instead it implements its own
XWikiAuthService
- this means it works for 10.x, too (which my users are mostly
running)
- otoh it does not work with e.g. the LDAPAuthenticator
- it also allows to block IPs (not that I care much about, but some
people want this)
- it unblocks the user after a given time frame without having an
Admin to intervene
I guess I can migrate at least most of it into the new
AuthenticationFailureStrategy to have a showcase for a different
implementation, but for now it is a separate and already slightly
outdated implementation.
I think I will upload the results to e.x.o anyway (with a big note
that this is superseded since XWiki 11.6), but is there any interest
of hosting this as an xwiki-contrib project, maybe with the name
'authenticator-blocking', package 'org.xwiki.contrib.blockingauth' and
maybe even a Jira project like 'BLOCKINGAUTH' ?
Best,
Clemens
