3 Replies Latest reply: May 25, 2012 3:02 AM by jaikiran pai RSS

User lock out if there was too many failed attempts

Lukasz Szymik Newbie
Lukasz Szymik May 23, 2012 7:50 AM

I am implementing Java EE application on JBoss 7.1.1 and I am using two security domains: DatabaseServerLoginModule and LdapLoginModule.

Is there any way to apply lock out policy to lock out my accont after too many failed attempts.

 

I found something like LockOutRealm for Web server but I need something which will be working with DatabaseServerLoginModule as well. Generally I will need to configure how many bad login (wrong password) will lock user accont and I need to have unlock functionality: after timeout (5 minues) or manualy by administrator.

 

Thanks in advance for any suggestion or hint.

 

Best regerds

Ɓukasz

  • 1048 Views
  • Tags:
  • 1. Re: User lock out if there was too many failed attempts
    jaikiran pai Master
    jaikiran pai May 25, 2012 2:27 AM (in response to Lukasz Szymik)

    I think you'll have to implement a custom login module in your application to do that. You can just extend it from the DatabaseServerLoginModule if you want the existing functionality from that login module.

  • 2. Re: User lock out if there was too many failed attempts
    Lukasz Szymik Newbie
    Lukasz Szymik May 25, 2012 2:58 AM (in response to jaikiran pai)

    Thank you for providing info how to do it. I will extend DatabaseServerLoginModule and probably LdapLoginModule as well. Should I put my classes in JBoss modules, application lib or somewhere else?

     

    Thanks
    Lukasz

  • 3. Re: User lock out if there was too many failed attempts
    jaikiran pai Master
    jaikiran pai May 25, 2012 3:02 AM (in response to Lukasz Szymik)

    Lukasz Szymik wrote:

     

    Thank you for providing info how to do it. I will extend DatabaseServerLoginModule and probably LdapLoginModule as well. Should I put my classes in JBoss modules, application lib or somewhere else?

     

    Thanks
    Lukasz

    Starting 7.1.1.Final, you are allowed to package them in a module of your own and then use the "module" attribute of the login-module element in the security subsystem of standalone/domain.xml file.

     

    P.S: A user has recently reported that there might be a potential bug in this area where the correct module isn't being used for loading the loginmodule. We are investigating it, but if you too run into that issue, feel free to report it in the forums.