3 Replies Latest reply on May 25, 2012 3:02 AM by jaikiran

    User lock out if there was too many failed attempts

    lszymik

      I am implementing a Java EE application on JBoss 7.1.1 and I am using two security domains: DatabaseServerLoginModule and LdapLoginModule.

      Is there any way to apply a lockout policy to lock out my account after too many failed attempts?

      I found something like LockOutRealm for the web server, but I need something that will work with DatabaseServerLoginModule as well. Generally, I need to configure how many bad logins (wrong password) will lock the user account, and I need unlock functionality: after a timeout (5 minutes) or manually by an administrator.

       

      Thanks in advance for any suggestion or hint.

       

      Best regards

      Łukasz

        • 1. Re: User lock out if there was too many failed attempts
          jaikiran

          I think you'll have to implement a custom login module in your application to do that. You can just extend it from the DatabaseServerLoginModule if you want the existing functionality from that login module.

          • 2. Re: User lock out if there was too many failed attempts
            lszymik

            Thank you for providing info how to do it. I will extend DatabaseServerLoginModule and probably LdapLoginModule as well. Should I put my classes in JBoss modules, application lib or somewhere else?

             

            Thanks
            Lukasz

            • 3. Re: User lock out if there was too many failed attempts
              jaikiran

              Lukasz Szymik wrote:

               

              Thank you for providing info how to do it. I will extend DatabaseServerLoginModule and probably LdapLoginModule as well. Should I put my classes in JBoss modules, application lib or somewhere else?

               

              Thanks
              Lukasz

              Starting with 7.1.1.Final, you are allowed to package them in a module of your own and then use the "module" attribute of the login-module element in the security subsystem of the standalone/domain.xml file.

               

              P.S: A user has recently reported that there might be a potential bug in this area where the correct module isn't being used for loading the loginmodule. We are investigating it, but if you too run into that issue, feel free to report it in the forums.
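
The approach suggested in the thread (a custom login module extending DatabaseServerLoginModule), sketched as an added example that is not part of the original posts or of JBoss itself. The class name, the `maxFailures` and `lockoutMillis` option names, and the in-memory store are assumptions made for illustration; it compiles against the PicketBox classes shipped with the server.

```java
import java.util.HashMap;
import java.util.Map;
import javax.security.auth.login.FailedLoginException;
import javax.security.auth.login.LoginException;
import org.jboss.security.auth.spi.DatabaseServerLoginModule;

// Added example, not code from the thread; "maxFailures" and "lockoutMillis" are hypothetical options.
public class LockoutDatabaseLoginModule extends DatabaseServerLoginModule {
    // JAAS creates a new module instance per login, so the state is static.
    // Assumption: single JVM; a cluster or restart-safe setup needs a shared store.
    private static final Map<String, long[]> STATE = new HashMap<String, long[]>(); // user -> {failures, lockedUntil}

    @Override
    public boolean login() throws LoginException {
        try {
            if (!super.login()) return false; // regular database password check
        } catch (FailedLoginException e) {
            // Assumes getUsername() already holds the attempted name at this point.
            recordFailure(getUsername(), intOption("maxFailures", 5), intOption("lockoutMillis", 300000));
            throw e;
        }
        String user = getUsername();
        if (user != null && isLocked(user)) { // correct password, but the lock has not expired
            loginOk = false;
            throw new FailedLoginException("Login failed");
        }
        unlock(user); // success clears the failure counter
        return true;
    }
    private int intOption(String name, int dflt) {
        Object v = options.get(name);
        return v == null ? dflt : Integer.parseInt(v.toString().trim());
    }
    private static synchronized void recordFailure(String user, int max, long lockMs) {
        if (user == null) return;
        long now = System.currentTimeMillis();
        long[] s = STATE.get(user);
        if (s == null || (s[1] != 0 && now >= s[1])) STATE.put(user, s = new long[2]); // new or expired
        if (s[1] == 0 && ++s[0] >= max) s[1] = now + lockMs; // lock once; later failures do not extend it
    }
    private static synchronized boolean isLocked(String user) {
        long[] s = STATE.get(user);
        if (s == null || s[1] == 0) return false;
        if (System.currentTimeMillis() >= s[1]) STATE.remove(user); // timeout elapsed: automatic unlock
        return STATE.containsKey(user);
    }
    /** Manual unlock for an administrator, e.g. called from an admin page. */
    public static synchronized void unlock(String user) { STATE.remove(user); }
}
```

The class name goes in the `code` attribute of the `login-module` element, with the two options passed as `module-option` entries. The default of 300000 ms matches the 5-minute timeout asked for in the question.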