Thanks for you answer Francesco
I finished implementing that feature yesterday but on the layer on top of
syncope (based on Spring Sec too with some UserDetailsChecker).
I need to look further at what I could to in the syncope securitycontext.xml
(didn't have time for the moment alas, we're approaching a delivery date).
Cheers,Adrian
Le jeudi 14 septembre 2017 à 09:59:15 UTC+2, Francesco Chicchiriccò
<ilgro...@apache.org> a écrit :
Hi Adrian,
the authentication and authorization process in Syncope (which already
includes some account lockout mechanism, defined via password policies) is
implemented via Spring Security.
The definitions are in
https://github.com/apache/syncope/blob/2_0_X/core/spring/src/main/resources/securityContext.xml
You might want to take a look there for your investigations.
Regards.
On 11/09/2017 17:26, Adrian Gonzalez wrote:
Hello,
I'd need to implement : - user account lockout - password expiration
User account lockout needs to work like this : - when user has made more than
<nbOfFailedAuthenticationAttempts> in the last <lockoutPeriod>, then the
user-account will be temporarily locked. the account is automatically
unlocked after this <lockoutPeriod> (if no failed authentication attempt has
been made in between, otherwise, it's prolongated).
Password expiration needs to work like this: - when the lastPwdChange is more
than <passwordExpiration> then the user needs to change his password before
being able to login.
Both user account (enabled, lockoutPeriod, failedAttempts) and password
expiration settings are specific for each tenant (1 user belonging to each
tenant)
As tenants are dynamic, we're not using Syncope domains for that.
I can implement both of those feature in my own authentication layer (a
wrapper around syncope REST API).
But I'd like to know if it's possible to implement that inside syncope
(perhaps it would be cleaner).
I looked at LogicActions, AccountRuleConf and creating a PasswordPolicy for
each of my tenants, but I don't think it will work. - I cannot compute the
lastFailedLoginDatelastFailedLogin date (i.e. to check if the account must
still be locked).
- once a user is suspended, I cannot automatically reactivate it once
lockoutPeriod has passed (perhaps adding a quartz job, but seems overweight). -
I don't know if the current authentication is a success or a failure (to update
the lastFailedLoginDate)
Perhaps I'm missing something like pre/post authentication hooks that are
able to update the current user and know the status of the current
authentication ?
Thanks, Adrian
--
Francesco Chicchiriccò
Tirasa - Open Source Excellence
http://www.tirasa.net/
Member at The Apache Software Foundation
Syncope, Cocoon, Olingo, CXF, OpenJPA, PonyMail
http://home.apache.org/~ilgrosso/
