Re: Custom user account locking and password expiration in syncope

2017-09-15 Thread Adrian Gonzalez
Thanks for your answer Francesco

I finished implementing that feature yesterday but on the layer on top of 
syncope (based on Spring Sec too with some UserDetailsChecker).
I need to look further at what I could do in the syncope securitycontext.xml 
(didn't have time for the moment alas, we're approaching a delivery date).

Cheers,
Adrian
On Thursday, 14 September 2017 at 09:59:15 UTC+2, Francesco Chicchiriccò 
 wrote:
 
  Hi Adrian,
 the authentication and authorization process in Syncope (which already 
includes some account lockout mechanism, defined via password policies) is 
implemented via Spring Security.
 
 The definitions are in
 
https://github.com/apache/syncope/blob/2_0_X/core/spring/src/main/resources/securityContext.xml
 
 You might want to take a look there for your investigations.
 
 Regards.
 
 On 11/09/2017 17:26, Adrian Gonzalez wrote:
  
  Hello,

  I'd need to implement:
   - user account lockout
   - password expiration

  User account lockout needs to work like this:
  - when user has made more than  in the last , then the 
  user-account will be temporarily locked.
    the account is automatically unlocked after this  (if no failed 
  authentication attempt has been made in between, otherwise, it's prolonged).

  Password expiration needs to work like this:
  - when the lastPwdChange is more than  then the user needs to change 
  his password before being able to login.

  Both user account (enabled, lockoutPeriod, failedAttempts) and password 
  expiration settings are specific for each tenant (1 user belonging to each 
  tenant)

  As tenants are dynamic, we're not using Syncope domains for that.

  I can implement both of those features in my own authentication layer (a 
  wrapper around syncope REST API).

  But I'd like to know if it's possible to implement that inside syncope 
  (perhaps it would be cleaner).

  I looked at LogicActions, AccountRuleConf and creating a PasswordPolicy for 
  each of my tenants, but I don't think it will work.
   - I cannot compute the lastFailedLoginDate (i.e. to check if the account 
  must still be locked).
   - once a user is suspended, I cannot automatically reactivate it once 
  lockoutPeriod has passed (perhaps adding a quartz job, but seems overweight).
   - I don't know if the current authentication is a success or a failure (to 
  update the lastFailedLoginDate)

  Perhaps I'm missing something like pre/post authentication hooks that are 
  able to update the current user and know the status of the current 
  authentication?

  Thanks,
  Adrian
 -- 
Francesco Chicchiriccò

Tirasa - Open Source Excellence
http://www.tirasa.net/

Member at The Apache Software Foundation
Syncope, Cocoon, Olingo, CXF, OpenJPA, PonyMail
http://home.apache.org/~ilgrosso/
   

Re: Custom user account locking and password expiration in syncope

2017-09-14 Thread Francesco Chicchiriccò

Hi Adrian,
the authentication and authorization process in Syncope (which already 
includes some account lockout mechanism, defined via password policies) 
is implemented via Spring Security.


The definitions are in

https://github.com/apache/syncope/blob/2_0_X/core/spring/src/main/resources/securityContext.xml

You might want to take a look there for your investigations.

Regards.

On 11/09/2017 17:26, Adrian Gonzalez wrote:

Hello,

I'd need to implement:
 - user account lockout
 - password expiration

User account lockout needs to work like this:
- when user has made more than  in 
the last , then the user-account will be temporarily 
locked.
  the account is automatically unlocked after this  (if 
no failed authentication attempt has been made in between, otherwise, 
it's prolonged).


Password expiration needs to work like this:
- when the lastPwdChange is more than  then the 
user needs to change his password before being able to login.


Both user account (enabled, lockoutPeriod, failedAttempts) and 
password expiration settings are specific for each tenant (1 user 
belonging to each tenant)

As tenants are dynamic, we're not using Syncope domains for that.

I can implement both of those features in my own authentication layer 
(a wrapper around syncope REST API).


But I'd like to know if it's possible to implement that inside syncope 
(perhaps it would be cleaner).


I looked at LogicActions, AccountRuleConf and creating a 
PasswordPolicy for each of my tenants, but I don't think it will work.
 - I cannot compute the lastFailedLoginDate (i.e. 
to check if the account must still be locked).
 - once a user is suspended, I cannot automatically reactivate it once 
lockoutPeriod has passed (perhaps adding a quartz job, but seems 
overweight).
 - I don't know if the current authentication is a success or a failure 
(to update the lastFailedLoginDate)


Perhaps I'm missing something like pre/post authentication hooks that 
are able to update the current user and know the status of the current 
authentication?


Thanks,
Adrian


--
Francesco Chicchiriccò

Tirasa - Open Source Excellence
http://www.tirasa.net/

Member at The Apache Software Foundation
Syncope, Cocoon, Olingo, CXF, OpenJPA, PonyMail
http://home.apache.org/~ilgrosso/



Custom user account locking and password expiration in syncope

2017-09-11 Thread Adrian Gonzalez
Hello,

I'd need to implement:
 - user account lockout
 - password expiration

User account lockout needs to work like this:
- when user has made more than  in the last , then the user-account 
will be temporarily locked.
  the account is automatically unlocked after this  (if no failed 
authentication attempt has been made in between, otherwise, it's prolonged).

Password expiration needs to work like this:
- when the lastPwdChange is more than  then the user needs to change his 
password before being able to login.

Both user account (enabled, lockoutPeriod, failedAttempts) and password 
expiration settings are specific for each tenant (1 user belonging to each 
tenant)

As tenants are dynamic, we're not using Syncope domains for that.

I can implement both of those features in my own authentication layer (a 
wrapper around syncope REST API).

But I'd like to know if it's possible to implement that inside syncope (perhaps 
it would be cleaner).

I looked at LogicActions, AccountRuleConf and creating a PasswordPolicy for 
each of my tenants, but I don't think it will work.
 - I cannot compute the lastFailedLoginDate (i.e. to check if the account must 
still be locked).
 - once a user is suspended, I cannot automatically reactivate it once 
lockoutPeriod has passed (perhaps adding a quartz job, but seems overweight).
 - I don't know if the current authentication is a success or a failure (to 
update the lastFailedLoginDate)

Perhaps I'm missing something like pre/post authentication hooks that are able 
to update the current user and know the status of the current authentication?

Thanks,
Adrian
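What the lockout and password-expiration rules described in this thread look like when done the way Adrian ended up doing it, in a Spring Security wrapper layer with a UserDetailsChecker; this is an added illustration, not code from the thread, from Syncope or from Adrian's project. TenantPolicy, LockState, policyOf and stateOf are hypothetical lookups for the per-tenant settings and the per-user counters, and the class is assumed to be a Spring bean registered through DaoAuthenticationProvider.setPreAuthenticationChecks / setPostAuthenticationChecks, with an AuthenticationEventPublisher configured on the ProviderManager so that the failure events it relies on are actually published.

```java
import java.time.Duration;
import java.time.Instant;
import java.util.function.Function;
import org.springframework.context.event.EventListener;
import org.springframework.security.authentication.CredentialsExpiredException;
import org.springframework.security.authentication.LockedException;
import org.springframework.security.authentication.event.*;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsChecker;

// Hypothetical types: per-tenant limits (tenants are dynamic, so looked up by name) and per-user state kept by the wrapper layer, outside Syncope.
record TenantPolicy(int maxFailedAttempts, Duration window, Duration lockoutPeriod, Duration pwdMaxAge) {}
class LockState { String tenant; int failedAttempts; Instant lastFailedLogin; Instant lastPwdChange; }

public class TenantLockoutChecker implements UserDetailsChecker {
    private final Function<String, TenantPolicy> policyOf;  // tenant name -> policy
    private final Function<String, LockState> stateOf;      // username -> state, null if unknown
    public TenantLockoutChecker(Function<String, TenantPolicy> policyOf, Function<String, LockState> stateOf) { this.policyOf = policyOf; this.stateOf = stateOf; }

    // Register as preAuthenticationChecks: a locked user is refused before the password is compared.
    @Override
    public void check(UserDetails user) {
        LockState s = stateOf.apply(user.getUsername());
        TenantPolicy p = policyOf.apply(s.tenant);
        if (locked(s, p, Instant.now())) throw new LockedException("locked until " + s.lastFailedLogin.plus(p.lockoutPeriod()));
    }

    // Register as postAuthenticationChecks: only a user whose password was correct learns that it has expired.
    public UserDetailsChecker passwordAgeCheck() {
        return user -> {
            LockState s = stateOf.apply(user.getUsername());
            if (s.lastPwdChange.plus(policyOf.apply(s.tenant).pwdMaxAge()).isBefore(Instant.now()))
                throw new CredentialsExpiredException("password change required");
        };
    }

    // Locked while over the limit and lockoutPeriod has not elapsed since the latest failure.
    private static boolean locked(LockState s, TenantPolicy p, Instant now) {
        return s.lastFailedLogin != null && s.failedAttempts > p.maxFailedAttempts() && s.lastFailedLogin.plus(p.lockoutPeriod()).isAfter(now);
    }

    // ProviderManager publishes these when an AuthenticationEventPublisher is configured; that is how the layer learns the current authentication failed (bad password, or an attempt while locked).
    @EventListener
    public void onFailure(AbstractAuthenticationFailureEvent e) {
        if (!(e instanceof AuthenticationFailureBadCredentialsEvent || e instanceof AuthenticationFailureLockedEvent)) return;
        LockState s = stateOf.apply(e.getAuthentication().getName());
        if (s == null) return;  // unknown username (hidden behind BadCredentials): nothing to count
        TenantPolicy p = policyOf.apply(s.tenant);
        Instant now = Instant.now();
        // Outside a lock, failures older than the window no longer count and the counter restarts; inside a lock every attempt keeps counting and moves lastFailedLogin forward, which prolongs it.
        if (!locked(s, p, now) && (s.lastFailedLogin == null || s.lastFailedLogin.plus(p.window()).isBefore(now))) s.failedAttempts = 0;
        s.failedAttempts++;
        s.lastFailedLogin = now;
    }
}
```

Because the lock is computed from lastFailedLogin and the counter each time check() runs, no scheduled job is needed to unlock the account: it simply stops being locked once lockoutPeriod has elapsed without a further failure.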