Hi Adrian,
the authentication and authorization process in Syncope (which already
includes some account lockout mechanism, defined via password policies)
is implemented via Spring Security.
The definitions are in
https://github.com/apache/syncope/blob/2_0_X/core/spring/src/main/resources/securityContext.xml
You might want to take a look there for your investigations.
Regards.
On 11/09/2017 17:26, Adrian Gonzalez wrote:
Hello,
I'd need to implement :
- user account lockout
- password expiration
User account lockout needs to work like this :
- when user has made more than <nbOfFailedAuthenticationAttempts> in
the last <lockoutPeriod>, then the user-account will be temporarily
locked.
the account is automatically unlocked after this <lockoutPeriod> (if
no failed authentication attempt has been made in between, otherwise,
it's prolongated).
Password expiration needs to work like this:
- when the lastPwdChange is more than <passwordExpiration> then the
user needs to change his password before being able to login.
Both user account (enabled, lockoutPeriod, failedAttempts) and
password expiration settings are specific for each tenant (1 user
belonging to each tenant)
As tenants are dynamic, we're not using Syncope domains for that.
I can implement both of those feature in my own authentication layer
(a wrapper around syncope REST API).
But I'd like to know if it's possible to implement that inside syncope
(perhaps it would be cleaner).
I looked at LogicActions, AccountRuleConf and creating a
PasswordPolicy for each of my tenants, but I don't think it will work.
- I cannot compute the lastFailedLoginDatelastFailedLogin date (i.e.
to check if the account must still be locked).
- once a user is suspended, I cannot automatically reactivate it once
lockoutPeriod has passed (perhaps adding a quartz job, but seems
overweight).
- I don't know if the current authentication is a success or a failure
(to update the lastFailedLoginDate)
Perhaps I'm missing something like pre/post authentication hooks that
are able to update the current user and know the status of the current
authentication ?
Thanks,
Adrian
--
Francesco Chicchiriccò
Tirasa - Open Source Excellence
http://www.tirasa.net/
Member at The Apache Software Foundation
Syncope, Cocoon, Olingo, CXF, OpenJPA, PonyMail
http://home.apache.org/~ilgrosso/
