I am trying to make the case for Shiro over Tomcat container managed security, but one feature I can't find in Shiro out of the box is the ability to set up failed attempt lockouts.
In Tomcat it is done by simply wrapping the main security realm in a LockOutRealm:

<Realm className="org.apache.catalina.realm.LockOutRealm" lockOutTime="1800" failureCount="6">
  <Realm className="org.apache.catalina.realm.JDBCRealm"... />
</Realm>

I have not seen a way to implement equivalent functionality via Shiro.ini. This statement from the docs: "Shiro's out-of-the-box SessionManager implementations are highly customizable and configurable and will suit most needs." makes me believe this sort of thing is possible; I just have not found where to do this type of customization.

--
View this message in context: http://shiro-user.582556.n2.nabble.com/Failed-attempt-lockouts-tp7577882.html
Sent from the Shiro User mailing list archive at Nabble.com.
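
Added example, not part of the original post and not code shipped with Shiro: one way to get LockOutRealm-style behaviour is to wrap the realm's CredentialsMatcher, reusing the failureCount and lockOutTime values from the Tomcat snippet above. The package, class name, `delegate` property and the ini bean/realm names are assumptions, and because Shiro only calls the matcher when the realm finds the account, attempts against unknown usernames are not counted.

```java
package com.example; // hypothetical package

import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.ConcurrentMap;
import org.apache.shiro.authc.AuthenticationInfo;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.authc.ExcessiveAttemptsException;
import org.apache.shiro.authc.credential.CredentialsMatcher;
import org.apache.shiro.authc.credential.SimpleCredentialsMatcher;

// shiro.ini wiring (bean name "lockout" and realm name "myRealm" are assumptions):
//   lockout = com.example.LockoutCredentialsMatcher
//   lockout.failureCount = 6
//   lockout.lockOutTime = 1800
//   myRealm.credentialsMatcher = $lockout
// Hypothetical class: counts consecutive failed matches per principal.
public class LockoutCredentialsMatcher implements CredentialsMatcher {
    private static final class Record { int failures; long lastFailureMs; }
    // In-memory and unbounded: bound or evict this map before production use.
    private final ConcurrentMap<String, Record> records = new ConcurrentHashMap<>();
    private CredentialsMatcher delegate = new SimpleCredentialsMatcher();
    private int failureCount = 6;   // consecutive failures before lockout
    private int lockOutTime = 1800; // lockout duration in seconds

    // Setters so the values can be injected from shiro.ini.
    public void setDelegate(CredentialsMatcher delegate) { this.delegate = delegate; }
    public void setFailureCount(int failureCount) { this.failureCount = failureCount; }
    public void setLockOutTime(int lockOutTime) { this.lockOutTime = lockOutTime; }

    @Override
    public boolean doCredentialsMatch(AuthenticationToken token, AuthenticationInfo info) {
        String user = String.valueOf(token.getPrincipal());
        Record rec = records.computeIfAbsent(user, k -> new Record());
        synchronized (rec) {
            long now = System.currentTimeMillis();
            boolean expired = now - rec.lastFailureMs > lockOutTime * 1000L;
            if (rec.failures >= failureCount && !expired) {
                // Refuse before checking the password, so a locked account
                // gives no signal about whether the guess was correct.
                throw new ExcessiveAttemptsException("Account temporarily locked");
            }
            if (expired) rec.failures = 0; // lockout window has passed
            if (delegate.doCredentialsMatch(token, info)) {
                rec.failures = 0;          // success clears the counter
                return true;
            }
            rec.failures++;
            rec.lastFailureMs = now;
            return false;
        }
    }
}
```

The counter lives in one JVM's memory, so a clustered deployment would need shared storage for it to enforce the limit across nodes.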
