I want to set up a web application so that the number of login attempts is limited. It would be something like this: After ten successive failures from the same user name (or IP address, either one would do), further login attempts are locked out for two hours. The error message when the user is locked out should be distinct from the normal login failure message. We're also considering emailing the user (if it's a real user) when this situation arises, so they'd know why they were locked out if someone else is trying to impersonate them.

We've set up a custom realm which is based on JdbcRealm, with just enough customization to find the appropriate database fields. We have an AuthenticationListener set up to handle login success and failure.

One approach would be to count up failures in the AuthenticationListener, and if the threshold is reached, set a locked_out_until field for the user's database entry, defining the query so it will fail until the time specified in the field.

I think I can come up with something along these lines, but I'm afraid I'm missing some feature in Shiro that would make the job much easier. Any suggestions, or reports from past experience?

--
Gary McGath, Principal Software Engineer, Outcome Referrals
[email protected]

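For readers following this thread, here is an added example of the approach sketched in the post (a lockout flag set by the AuthenticationListener and checked by a JdbcRealm subclass). It is illustrative code written for this page, not code from the original poster or from Shiro itself. The class names `LockoutRealm` and `LockoutRealm.Listener`, the helper `attemptLogin`, and the table `login_lockout(username VARCHAR PRIMARY KEY, failures INT NOT NULL, locked_until TIMESTAMP NULL)` are assumptions; the Shiro types used (`JdbcRealm`, `AuthenticationListener`, `LockedAccountException`, `UsernamePasswordToken`) are real Shiro APIs.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Timestamp;
import java.time.Duration;
import java.time.Instant;
import javax.sql.DataSource;

import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.AuthenticationInfo;
import org.apache.shiro.authc.AuthenticationListener;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.authc.LockedAccountException;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.realm.jdbc.JdbcRealm;
import org.apache.shiro.subject.PrincipalCollection;
import org.apache.shiro.subject.Subject;

/**
 * Illustrative lockout on top of JdbcRealm (example code, not Shiro's own).
 * Assumes a hypothetical table in the realm's DataSource:
 *   login_lockout(username VARCHAR PRIMARY KEY, failures INT NOT NULL, locked_until TIMESTAMP NULL)
 */
public class LockoutRealm extends JdbcRealm {
    static final int MAX_FAILURES = 10;
    static final Duration LOCKOUT = Duration.ofHours(2);

    /** Refuse a locked account before the password is even compared. */
    @Override
    protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token)
            throws AuthenticationException {
        String username = ((UsernamePasswordToken) token).getUsername();
        Instant until = lockedUntil(dataSource, username);   // dataSource is JdbcRealm's protected field
        if (until != null && until.isAfter(Instant.now())) {
            // A distinct exception type lets the login page show a distinct message.
            throw new LockedAccountException("Account locked until " + until);
        }
        return super.doGetAuthenticationInfo(token);
    }

    /** Register with the Authenticator (securityManager.authenticator.authenticationListeners in shiro.ini). */
    public static class Listener implements AuthenticationListener {
        private final DataSource ds;
        public Listener(DataSource ds) { this.ds = ds; }

        @Override public void onSuccess(AuthenticationToken token, AuthenticationInfo info) {
            String u = ((UsernamePasswordToken) token).getUsername();
            update(ds, "UPDATE login_lockout SET failures = 0, locked_until = NULL WHERE username = ?", u);
        }

        @Override public void onFailure(AuthenticationToken token, AuthenticationException ae) {
            // Attempts rejected *because* the account is locked must not inflate the counter or
            // extend the lock; otherwise anyone on the network can keep a victim locked out forever.
            if (ae instanceof LockedAccountException || !(token instanceof UsernamePasswordToken)) return;
            String u = ((UsernamePasswordToken) token).getUsername();
            if (u == null) return;
            if (update(ds, "UPDATE login_lockout SET failures = failures + 1 WHERE username = ?", u) == 0) {
                update(ds, "INSERT INTO login_lockout (username, failures) VALUES (?, 1)", u);
            }
            // One atomic statement: lock and reset the counter only once the threshold is reached.
            int locked = update(ds,
                "UPDATE login_lockout SET locked_until = ?, failures = 0 WHERE username = ? AND failures >= ?",
                Timestamp.from(Instant.now().plus(LOCKOUT)), u, MAX_FAILURES);
            if (locked == 1) {
                // Hook for the "email the user" idea: the lock was set in this exact call.
            }
        }

        @Override public void onLogout(PrincipalCollection principals) { /* nothing to do */ }
    }

    /** Login-page helper: two distinct messages, as the post asks for. Catch order matters. */
    public static String attemptLogin(Subject subject, UsernamePasswordToken token) {
        try {
            subject.login(token);
            return null;                                            // success
        } catch (LockedAccountException e) {
            return "Too many failed attempts; this account is temporarily locked.";
        } catch (AuthenticationException e) {
            return "Invalid username or password.";
        }
    }

    static Instant lockedUntil(DataSource ds, String username) {
        try (Connection c = ds.getConnection();
             PreparedStatement ps = c.prepareStatement("SELECT locked_until FROM login_lockout WHERE username = ?")) {
            ps.setString(1, username);
            try (ResultSet rs = ps.executeQuery()) {
                Timestamp t = rs.next() ? rs.getTimestamp(1) : null;
                return t == null ? null : t.toInstant();
            }
        } catch (SQLException e) {
            throw new AuthenticationException("lockout lookup failed", e);   // fail closed, not open
        }
    }

    static int update(DataSource ds, String sql, Object... params) {
        try (Connection c = ds.getConnection(); PreparedStatement ps = c.prepareStatement(sql)) {
            for (int i = 0; i < params.length; i++) ps.setObject(i + 1, params[i]);
            return ps.executeUpdate();
        } catch (SQLException e) {
            throw new IllegalStateException("lockout update failed", e);
        }
    }
}
```

Two caveats a reviewer would raise against this design (and against the per-user-name variant in the post generally): a lockout keyed only on user name is an account-denial-of-service primitive, since anyone who knows a login can submit ten bad passwords and lock the real owner out, so pair it with per-IP throttling or a CAPTCHA rather than relying on it alone; and the failure counter above never decays except on a successful login, so ten failures spread over a year still trigger a lock; a `first_failure` timestamp or a sliding window fixes that. The UPDATE-then-INSERT pair also races under concurrent first failures; use your database's native upsert in production.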