Hi Mat, Nice to hear you're using Shiro with Vaadin - I too have a project where I'm using both of these frameworks together, and I'm really enjoying this combination :)
Anyway, that exception exists, but it is not thrown/managed at any point by Shiro. It is there for your use as a convenience so you don't have to create your own Exception class if you don't want to. You would need to instantiate and throw it in your Realm's doGetAuthenticationInfo method when appropriate. The reason Shiro can't do this automatically is that this type of logic (lock account after a certain number of times in a certain number of minutes) is usually entirely dependent upon your application's User data model.

There are a few ways to do this, but here are the two most common that I've seen:

1) Store 3 additional columns in your User table: loginPeriodStartTimestamp, lastLoginAttemptTimestamp and loginAttemptCount. Based on what you configure the login period to be before accounts are locked (5 minutes?), you can increment the login attempt count. If that number ever becomes greater than what your system deems is allowed (3 tries?), then you would manually throw the ExcessiveAttemptsException. Then your login controller can react to that and show an appropriate GUI message.

2) An even easier approach than #1, but which requires more disk storage, is to keep an event log of every login attempt. This is very simple - you enter an event into the event log for each login attempt with the timestamp the event occurred and the status of whether or not the login failed for that user. Then, determining if the account should be locked upon login is a very simple exercise - you query your event log to count all failed attempts for that user where the event timestamp is newer than (now - login period). If you receive any count greater than your configured number (say, 3), then you throw the exception.

Again, this is very application data-model specific, but that should give you some ideas.
HTH,

Les

On Mon, Feb 8, 2010 at 10:17 AM, UncleTupelo <[email protected]> wrote:
> Good Afternoon, I am up and running with Shiro (Spring Web App using the
> Vaadin framework), so all is good. Thank you all for the effort. So on to my
> question! Basically I want to lock a User in my Application if they have
> tried to sign on a number of times and keep getting the password wrong. I
> notice there is an ExcessiveAttemptsException class and the javadoc says:
>
> Thrown when a system is configured to only allow a certain number of
> authentication attempts over a period of time and the current session has
> failed to authenticate successfully within that number.
>
> So that sounds like what I want to catch and handle (in my case the handling
> would update a field on a User database row to indicate the User's login was
> now disabled). But where is this Excessive Attempts configured - or is this
> an exception I would have to build and throw? If so how would I know how
> many times the Subject\User tried to logon? Anyway - hopefully this question
> isn't too stupid!
>
> Cheers
> Mat
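The following is an added example, not code from the thread or from Shiro itself, showing approach #2 from Les's reply as a concrete Realm. It assumes Java 16+ (for the record type), Shiro 1.x's AuthenticatingRealm, and a hypothetical policy of 3 failures within 5 minutes; the attempt log and user table are in-memory stand-ins for the database tables, and the sample account "mat" is constructed for the example. The realm counts recent failures before matching credentials and throws ExcessiveAttemptsException when the threshold is reached; the override of assertCredentialsMatch is what writes each attempt's outcome to the log.

```java
import java.time.Duration;
import java.time.Instant;
import java.util.List;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.CopyOnWriteArrayList;

import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.AuthenticationInfo;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.authc.ExcessiveAttemptsException;
import org.apache.shiro.authc.SimpleAuthenticationInfo;
import org.apache.shiro.authc.UnknownAccountException;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.realm.AuthenticatingRealm;
import org.apache.shiro.subject.Subject;

/** Added example (not Shiro's code): event-log based lockout, approach #2 above. */
public class LockoutRealm extends AuthenticatingRealm {

    // Hypothetical policy: the attempt after MAX_FAILURES failures in WINDOW is refused.
    private static final int MAX_FAILURES = 3;
    private static final Duration WINDOW = Duration.ofMinutes(5);

    // One row of the hypothetical login_attempt event-log table.
    private record Attempt(String username, Instant at, boolean failed) {}

    // In-memory stand-ins for the event log and User table; use your DB in a real app.
    private final List<Attempt> attemptLog = new CopyOnWriteArrayList<>();
    private final Map<String, String> users = new ConcurrentHashMap<>();

    public LockoutRealm() {
        // Constructed sample account. Plaintext only to keep the example short;
        // pair a HashedCredentialsMatcher with hashed passwords in production.
        users.put("mat", "correct horse battery staple");
    }

    @Override
    protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token)
            throws AuthenticationException {
        String username = ((UsernamePasswordToken) token).getUsername();

        // The "count failed attempts newer than (now - login period)" query.
        if (recentFailures(username, Instant.now()) >= MAX_FAILURES) {
            throw new ExcessiveAttemptsException(
                    "Account locked after " + MAX_FAILURES + " failed logins");
        }

        String storedPassword = users.get(username);
        if (storedPassword == null) {
            throw new UnknownAccountException("No account for " + username);
        }
        // Shiro's default SimpleCredentialsMatcher compares the token's
        // char[] password against this stored credential after we return.
        return new SimpleAuthenticationInfo(username, storedPassword, getName());
    }

    /** Append one event per attempt, recording whether the credential check failed. */
    @Override
    protected void assertCredentialsMatch(AuthenticationToken token, AuthenticationInfo info)
            throws AuthenticationException {
        String username = ((UsernamePasswordToken) token).getUsername();
        try {
            super.assertCredentialsMatch(token, info);
            attemptLog.add(new Attempt(username, Instant.now(), false));
        } catch (AuthenticationException e) {
            attemptLog.add(new Attempt(username, Instant.now(), true));
            throw e;
        }
    }

    /** Equivalent of: SELECT COUNT(*) ... WHERE username=? AND failed AND at > now - window */
    long recentFailures(String username, Instant now) {
        Instant cutoff = now.minus(WINDOW);
        return attemptLog.stream()
                .filter(a -> a.username().equals(username) && a.failed() && a.at().isAfter(cutoff))
                .count();
    }

    /** Login-controller side (e.g. a Vaadin login form handler): map the exception to a message. */
    public static String attemptLogin(String username, char[] password) {
        Subject subject = SecurityUtils.getSubject();
        try {
            subject.login(new UsernamePasswordToken(username, password));
            return "ok";
        } catch (ExcessiveAttemptsException e) {
            return "Too many failed logins; try again later.";
        } catch (AuthenticationException e) {
            return "Invalid username or password.";
        }
    }
}
```

Because the lockout check reads the log before credentials are matched, attempts against a locked account are refused without being recorded, so the account unlocks by itself once the failures age out of the window, which is the behaviour Les describes. With a single realm configured, Shiro's ModularRealmAuthenticator lets the realm's exception propagate unchanged, so the controller can catch ExcessiveAttemptsException directly; with several realms and the default AtLeastOneSuccessfulStrategy the per-realm exception is swallowed and only a generic AuthenticationException reaches the caller. The in-memory list is per JVM; a clustered deployment needs the log in the shared database for the count to be meaningful.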
