Hi Gary, I think your approach is fine. I think most people implement this logic in their Realm, as you have done. If you believe there is a generic solution to this (that would work regardless of the realm implementation), please do open a Jira issue feature request.
Thanks!

--
Les Hazlewood | @lhazlewood
CTO, Stormpath | http://stormpath.com | @goStormpath | 888.391.5282

On Fri, Jan 31, 2014 at 4:37 AM, Gary McGath <[email protected]> wrote:

> I want to set up a web application so that the number of login attempts is limited. It would be something like this: After ten successive failures from the same user name (or IP address, either one would do), further login attempts are locked out for two hours. The error message when the user is locked out should be distinct from the normal login failure message. We're also considering emailing the user (if it's a real user) when this situation arises, so they'd know why they were locked out if someone else is trying to impersonate them.
>
> We've set up a custom realm which is based on JdbcRealm, with just enough customization to find the appropriate database fields. We have an AuthenticationListener set up to handle login success and failure.
>
> One approach would be to count up failures in the AuthenticationListener, and if the threshold is reached, set a locked_out_until field for the user's database entry, defining the query so it will fail until the time specified in the field.
>
> I think I can come up with something along these lines, but I'm afraid I'm missing some feature in Shiro that would make the job much easier. Any suggestions, or reports from past experience?
>
> --
> Gary McGath, Principal Software Engineer, Outcome Referrals
> [email protected]
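One way to wire up the approach Gary describes, as an added example that is not part of this thread and not Shiro's own code. It keeps the counting in an AuthenticationListener and the refusal in the JdbcRealm subclass, as Les suggests. The LockoutStore class is a hypothetical in-memory stand-in for the locked_out_until column (all of its names are assumptions), and notifyLocked is a placeholder for the email Gary mentions; the Shiro types used (AuthenticationListener, JdbcRealm, LockedAccountException, AbstractAuthenticator, DefaultSecurityManager) are real.

```java
import java.util.Collections;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.ConcurrentMap;
import java.util.concurrent.atomic.AtomicInteger;

import org.apache.shiro.authc.AbstractAuthenticator;
import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.AuthenticationInfo;
import org.apache.shiro.authc.AuthenticationListener;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.authc.LockedAccountException;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.mgt.DefaultSecurityManager;
import org.apache.shiro.realm.jdbc.JdbcRealm;
import org.apache.shiro.subject.PrincipalCollection;

public final class LoginLockout {

    /** Hypothetical in-memory store; in Gary's design this is the locked_out_until column. */
    static final class LockoutStore {
        static final int MAX_FAILURES = 10;
        static final long LOCKOUT_MILLIS = 2L * 60 * 60 * 1000;   // two hours

        private final ConcurrentMap<String, AtomicInteger> failures = new ConcurrentHashMap<>();
        private final ConcurrentMap<String, Long> lockedOutUntil = new ConcurrentHashMap<>();

        /** True while a lockout is in force; an expired lockout is cleared on the way out. */
        boolean isLockedOut(String username, long now) {
            Long until = lockedOutUntil.get(username);
            if (until == null) return false;
            if (now < until) return true;
            lockedOutUntil.remove(username, until);
            failures.remove(username);
            return false;
        }

        /** Counts one failure; returns true only for the failure that triggers the lockout. */
        boolean recordFailure(String username, long now) {
            int n = failures.computeIfAbsent(username, k -> new AtomicInteger()).incrementAndGet();
            if (n < MAX_FAILURES) return false;
            lockedOutUntil.put(username, now + LOCKOUT_MILLIS);
            failures.remove(username);
            return true;
        }

        void recordSuccess(String username) { failures.remove(username); }
    }

    /** Counts failures, the job Gary's AuthenticationListener already has. */
    static final class LockoutListener implements AuthenticationListener {
        private final LockoutStore store;
        LockoutListener(LockoutStore store) { this.store = store; }

        @Override public void onSuccess(AuthenticationToken token, AuthenticationInfo info) {
            String user = usernameOf(token);
            if (user != null) store.recordSuccess(user);
        }

        @Override public void onFailure(AuthenticationToken token, AuthenticationException ae) {
            // Attempts refused because the account is already locked must not count,
            // or every retry during the lockout window would extend the window.
            if (ae instanceof LockedAccountException) return;
            String user = usernameOf(token);
            if (user != null && store.recordFailure(user, System.currentTimeMillis())) {
                notifyLocked(user);
            }
        }

        @Override public void onLogout(PrincipalCollection principals) { }

        /** Placeholder for the notification email; fires once, on the lockout transition. */
        private void notifyLocked(String user) {
            System.err.println("account locked for two hours: " + user);
        }
    }

    /** Realm that refuses a locked account before the password is ever compared. */
    static class LockoutAwareJdbcRealm extends JdbcRealm {
        private final LockoutStore store;
        LockoutAwareJdbcRealm(LockoutStore store) { this.store = store; }

        @Override
        protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token)
                throws AuthenticationException {
            String user = usernameOf(token);
            if (user != null && store.isLockedOut(user, System.currentTimeMillis())) {
                // A distinct exception type lets the login page show a distinct message.
                throw new LockedAccountException("Account is temporarily locked: " + user);
            }
            return super.doGetAuthenticationInfo(token);   // the normal JdbcRealm lookup
        }
    }

    static String usernameOf(AuthenticationToken token) {
        return token instanceof UsernamePasswordToken
                ? ((UsernamePasswordToken) token).getUsername() : null;
    }

    /** Registers the listener; dataSource and queries are set on the realm as in the existing one. */
    static DefaultSecurityManager build(LockoutAwareJdbcRealm realm, LockoutStore store) {
        DefaultSecurityManager sm = new DefaultSecurityManager(realm);
        ((AbstractAuthenticator) sm.getAuthenticator())
                .setAuthenticationListeners(
                        Collections.<AuthenticationListener>singleton(new LockoutListener(store)));
        return sm;
    }
}
```

Three things worth checking before adopting this shape. The in-memory store is per JVM and vanishes on restart, which is exactly why the locked_out_until column is the better home in production. Keying the lockout on the username means anyone who knows a username can lock its owner out for two hours, so pairing it with a per-IP limit or a progressive delay is worth weighing; likewise a lockout message that differs from the generic failure message confirms to an attacker that the username exists. Finally, the LockedAccountException only reaches the caller intact on Shiro's single-realm path; with several realms the default ModularRealmAuthenticator strategy folds realm exceptions into a generic AuthenticationException, and the listener would then no longer be able to tell a lockout refusal from a wrong password.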
