This is not something built into Shiro directly at the moment - most people do this logic in their Realm's getAuthenticationInfo (and perhaps use an AuthenticationListener to update the failed attempt count).
Part of the reason this isn't in Shiro is that this implies state management that typically needs to update a data store (i.e. attempt 1 failed -> update the data store to record this). Other than maybe utilizing a Cache, Shiro doesn't have many data store write capabilities. If Shiro did use a Cache, and the lock record gets expunged (as caches are prone to do), then the lock status wouldn't be valid and security conditions might not be met.

That being said, I'm personally very open to suggestions on how this might be accomplished if people want this feature - maybe create a LoginAttemptStore that Shiro could use and you could plug in implementations based on the store you wish to use?

If you have any ideas, please open a Jira issue and/or discuss on the dev list!

Best,

--
Les Hazlewood | @lhazlewood
CTO, Stormpath | http://stormpath.com | @goStormpath | 888.391.5282
Stormpath wins GigaOM Structure Launchpad Award! http://bit.ly/MvZkMk

On Wed, Oct 17, 2012 at 7:35 AM, Bron <[email protected]> wrote:
> I am trying to make the case for Shiro over Tomcat container managed
> security, but one feature I can't find in Shiro out of the box is the
> ability to set up failed attempt lockouts.
>
> In Tomcat it is done by simply wrapping the main security realm in a
> LockOutRealm:
>
> <Realm className="org.apache.catalina.realm.LockOutRealm" lockOutTime="1800"
> failureCount="6">
>   <Realm className="org.apache.catalina.realm.JDBCRealm"... />
> </Realm>
>
> I have not seen a way to implement equivalent functionality via Shiro.ini.
> This statement from the docs: "Shiro's out-of-the-box SessionManager
> implementations are highly customizable and configurable and will suit most
> needs." makes me believe this sort of thing is possible, I just have not
> found where to do this type of customization.
>
> --
> View this message in context:
> http://shiro-user.582556.n2.nabble.com/Failed-attempt-lockouts-tp7577882.html
> Sent from the Shiro User mailing list archive at Nabble.com.
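Added illustration of the pattern Les describes (not Shiro's own code, nor anything from the thread): a Realm that checks a lock record in its authentication lookup, plus an AuthenticationListener that updates the failure count. The LoginAttemptStore, LockOutRealm and LockOutListener classes are hypothetical names; the threshold and lock time are taken from Bron's Tomcat configuration, and the in-memory store stands in for the durable store Les says a real deployment would need.

```java
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import org.apache.shiro.authc.*;
import org.apache.shiro.realm.AuthenticatingRealm;
import org.apache.shiro.subject.PrincipalCollection;

// Hypothetical LoginAttemptStore (the plug-in point Les floats). In-memory for
// illustration only: a cache that evicts entries would silently unlock accounts.
class LoginAttemptStore {
    static final int FAILURE_COUNT = 6;           // failureCount="6" in the Tomcat example
    static final long LOCK_OUT_MS = 1800L * 1000; // lockOutTime="1800" seconds
    private static final class Entry { int failures; long lockedUntil; }
    private final Map<String, Entry> entries = new ConcurrentHashMap<>();

    boolean isLocked(String user) {
        Entry e = entries.get(user);
        return e != null && e.lockedUntil > System.currentTimeMillis();
    }
    void recordFailure(String user) {
        Entry e = entries.computeIfAbsent(user, k -> new Entry());
        synchronized (e) {
            if (e.lockedUntil > System.currentTimeMillis()) return; // locked: don't extend
            if (++e.failures >= FAILURE_COUNT) {
                e.lockedUntil = System.currentTimeMillis() + LOCK_OUT_MS;
                e.failures = 0;
            }
        }
    }
    void clear(String user) { entries.remove(user); }
}

// Realm that refuses to look up credentials at all while the account is locked.
class LockOutRealm extends AuthenticatingRealm {
    private final LoginAttemptStore store;
    LockOutRealm(LoginAttemptStore store) { this.store = store; }
    @Override
    protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token) {
        String user = String.valueOf(token.getPrincipal());
        if (store.isLocked(user)) {
            throw new LockedAccountException("account temporarily locked: " + user);
        }
        // Placeholder credential; a real realm reads the stored credential from JDBC, LDAP, etc.
        return new SimpleAuthenticationInfo(user, "placeholder-password".toCharArray(), getName());
    }
}

// Listener registered on the Authenticator so every outcome updates the store.
class LockOutListener implements AuthenticationListener {
    private final LoginAttemptStore store;
    LockOutListener(LoginAttemptStore store) { this.store = store; }
    public void onSuccess(AuthenticationToken t, AuthenticationInfo i) { store.clear(String.valueOf(t.getPrincipal())); }
    public void onFailure(AuthenticationToken t, AuthenticationException e) { store.recordFailure(String.valueOf(t.getPrincipal())); }
    public void onLogout(PrincipalCollection p) { }
}
```

The listener is attached through the authenticator's `authenticationListeners` property (in shiro.ini, `authenticator.authenticationListeners = $lockOutListener`); note that a LockedAccountException thrown by the realm also reaches onFailure, which is why recordFailure ignores attempts made while the lock is already active.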
