Implemented in 4.4


Official Documentation Available

This topic is now covered in Automatic lockout.

Goal

  • Make an account inaccessible after a given number of failed login attempts
  • Let the admin configure the maximum number of attempts (default 5?)

Solutions

a) Modify the User interface and JCRAuthenticationModule

  • after each failed attempt, increment an integer counter
  • store this counter as node data on the user node
  • when the counter reaches the configured maximum, lock the account
  • after a successful login, null (reset) the counter

b) Implement in the login filter

  • read the user name from the HTTP request together with the login result status
  • check for repeated failed attempts against the same user

Actual lockout

Hard lock - use the existing method to disable the account until it is enabled again by an admin.

Time lock - implement a lock based on a time period after which the account is enabled again, with the possibility to null the lock and make the account accessible immediately (probably in the edit user dialog)
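The counter and both lockout variants described above (solutions a/b and the hard/time lock), as an added, language-neutral model that is not Magnolia's own code: the state lives in an in-memory dictionary standing in for the user node data (which also covers users that come from LDAP, where the counter cannot be written back), the current time is passed in explicitly so the behaviour is deterministic, and `max_attempts`, `lock_seconds` and the `"ok"/"failed"/"locked"` result codes are assumed names for this example only.

```python
"""Failed-login lockout model: per-user failure counter, hard or time lock,
reset on successful login. Added example, not Magnolia's implementation."""
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class LockState:
    failures: int = 0                    # consecutive failed attempts
    locked_until: Optional[float] = None  # time lock expiry (None = no time lock)
    hard_locked: bool = False            # stays set until an admin re-enables


class LockoutPolicy:
    """lock_seconds=None -> hard lock (admin must re-enable);
    lock_seconds=N    -> time lock that expires N seconds after it was set."""

    def __init__(self, max_attempts: int = 5, lock_seconds: Optional[float] = None):
        self.max_attempts = max_attempts
        self.lock_seconds = lock_seconds
        # In-memory store (assumption for this example); in a JCR-backed setup
        # this would be node data on the user node, but an in-memory map is the
        # only option when the user is defined in LDAP and cannot be written to.
        self._state: Dict[str, LockState] = {}

    def is_locked(self, user: str, now: float) -> bool:
        st = self._state.get(user)
        if st is None:
            return False
        if st.hard_locked:
            return True
        if st.locked_until is not None:
            if now < st.locked_until:
                return True
            # Time lock has expired: clear it together with the counter so the
            # user gets a fresh budget of attempts (design choice of this example).
            del self._state[user]
        return False

    def record_attempt(self, user: str, success: bool, now: float) -> str:
        """Call from the login filter after the authentication result is known.
        Returns "locked", "ok" or "failed"."""
        # Check the lock first: a locked account answers "locked" whether or
        # not the password was right, so attempts cannot be confirmed meanwhile.
        if self.is_locked(user, now):
            return "locked"
        if success:
            self._state.pop(user, None)  # successful login nulls the counter
            return "ok"
        st = self._state.setdefault(user, LockState())
        st.failures += 1
        if st.failures >= self.max_attempts:
            if self.lock_seconds is None:
                st.hard_locked = True
            else:
                st.locked_until = now + self.lock_seconds
            return "locked"
        return "failed"

    def failures(self, user: str) -> int:
        st = self._state.get(user)
        return st.failures if st else 0

    def unlock(self, user: str) -> None:
        """Admin action (e.g. from the edit user dialog): clear lock and counter."""
        self._state.pop(user, None)


if __name__ == "__main__":
    hard = LockoutPolicy(max_attempts=3)
    for _ in range(3):
        hard.record_attempt("alice", False, now=0)
    print("alice locked:", hard.is_locked("alice", now=0))
    hard.unlock("alice")
    print("alice after admin unlock:", hard.record_attempt("alice", True, now=1))
```

The two policies differ only in what `record_attempt` does when the counter hits the maximum; a time lock also bounds the damage when someone deliberately fails logins against another user's name, since the account recovers on its own rather than waiting for an admin.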


1 Comment

  1. A few notes:

    • What do we do if users are configured in LDAP (we cannot write the counter)?
      • should we use an in-memory counter?
    • reset the counter after a certain time or a successful login