Posted to user@shiro.apache.org by Bron <br...@lucidbay.com> on 2012/10/17 16:35:27 UTC

Failed attempt lockouts

I am trying to make the case for Shiro over Tomcat container managed
security, but one feature I can't find in Shiro out of the box is the
ability to set up failed attempt lockouts.

In Tomcat it is done by simply wrapping the main security realm in a
LockOutRealm:

<Realm className="org.apache.catalina.realm.LockOutRealm" lockOutTime="1800"
failureCount="6">
   <Realm  className="org.apache.catalina.realm.JDBCRealm"... />
</Realm>

I have not seen a way to implement equivalent functionality via Shiro.ini.
This statement from the docs: "Shiro's out-of-the-box SessionManager
implementations are highly customizable and configurable and will suit most
needs." makes me believe this sort of thing is possible; I just have not
found where to do this type of customization.



--
View this message in context: http://shiro-user.582556.n2.nabble.com/Failed-attempt-lockouts-tp7577882.html
Sent from the Shiro User mailing list archive at Nabble.com.

Re: Failed attempt lockouts

Posted by Les Hazlewood <lh...@apache.org>.
This is not something built into Shiro directly at the moment - most
people do this logic in their Realm's getAuthenticationInfo (and
perhaps use an AuthenticationListener to update the failed attempt
count).

Part of the reason this isn't in Shiro is that this implies state
management that typically needs to update a data store (i.e. attempt 1
failed -> update the data store to record this).

Other than maybe utilizing a Cache, Shiro doesn't have many data store
write capabilities.  If Shiro did use a Cache, and the lock record
gets expunged (as caches are prone to do), then the lock status
wouldn't be valid and security conditions might not be met.

That being said, I'm personally very open to suggestions on how this
might be accomplished if people want this feature - maybe create a
LoginAttemptStore that Shiro could use and you could plug in
implementations based on the store you wish to use?  If you have any
ideas, please open a Jira issue and/or discuss on the dev list!

Best,

--
Les Hazlewood | @lhazlewood
CTO, Stormpath | http://stormpath.com | @goStormpath | 888.391.5282
Stormpath wins GigaOM Structure Launchpad Award! http://bit.ly/MvZkMk


On Wed, Oct 17, 2012 at 7:35 AM, Bron <br...@lucidbay.com> wrote:
> I am trying to make the case for Shiro over Tomcat container managed
> security, but one feature I can't find in Shiro out of the box is the
> ability to set up failed attempt lockouts.
>
> In Tomcat it is done by simply wrapping the main security realm in a
> LockOutRealm:
>
> <Realm className="org.apache.catalina.realm.LockOutRealm" lockOutTime="1800"
> failureCount="6">
>    <Realm  className="org.apache.catalina.realm.JDBCRealm"... />
> </Realm>
>
> I have not seen a way to implement equivalent functionality via Shiro.ini.
> This statement from the docs: "Shiro's out-of-the-box SessionManager
> implementations are highly customizable and configurable and will suit most
> needs." makes me believe this sort of thing is possible; I just have not
> found where to do this type of customization.
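One way to build the Realm-plus-AuthenticationListener approach described in the reply above, with a pluggable attempt store along the lines of the suggested LoginAttemptStore. This is an added example written for this thread against Shiro's authc API, not code from Shiro or from either poster; the store interface, the in-memory store, the class names and the sample account are assumptions.

```java
import java.util.concurrent.ConcurrentHashMap;
import org.apache.shiro.authc.*;
import org.apache.shiro.realm.AuthenticatingRealm;
import org.apache.shiro.subject.PrincipalCollection;
// Hypothetical store interface (not a Shiro type): a JDBC-backed implementation would
// keep the lock across restarts instead of losing it to cache eviction.
interface LoginAttemptStore {
    int failuresSince(String user, long cutoffMillis);
    void recordFailure(String user, long atMillis);
    void clear(String user);
}
// Constructed in-memory store: one {count, lastFailureMillis} pair per user.
class InMemoryAttemptStore implements LoginAttemptStore {
    private final ConcurrentHashMap<String, long[]> state = new ConcurrentHashMap<>();
    public int failuresSince(String u, long cutoff) {
        long[] s = state.get(u);
        return (s == null || s[1] < cutoff) ? 0 : (int) s[0]; // stale counters read as zero
    }
    public void recordFailure(String u, long at) {
        state.merge(u, new long[]{1, at}, (old, fresh) -> new long[]{old[0] + 1, at});
    }
    public void clear(String u) { state.remove(u); }
}
// Realm using the Tomcat parameters from the question (failureCount=6, lockOutTime=1800s);
// the lock check runs before the lookup, credential comparison is left to the default matcher.
class LockOutRealm extends AuthenticatingRealm {
    static final int FAILURE_COUNT = 6;
    static final long LOCK_OUT_MILLIS = 1800L * 1000;
    private LoginAttemptStore store;
    public void setStore(LoginAttemptStore s) { store = s; } // setter so shiro.ini can wire it
    @Override
    protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token) {
        String user = (String) token.getPrincipal();
        if (store.failuresSince(user, System.currentTimeMillis() - LOCK_OUT_MILLIS) >= FAILURE_COUNT) {
            throw new ExcessiveAttemptsException("account temporarily locked: " + user);
        }
        String password = java.util.Map.of("alice", "s3cret").get(user); // constructed sample account
        if (password == null) throw new UnknownAccountException(user);
        return new SimpleAuthenticationInfo(user, password, getName());
    }
}
// Listener registered on the authenticator; it owns every write, so the realm stays read-only.
// A rejection of an already-locked account must not extend the lock, hence the instanceof test.
class LockOutListener implements AuthenticationListener {
    private LoginAttemptStore store;
    public void setStore(LoginAttemptStore s) { store = s; }
    public void onFailure(AuthenticationToken t, AuthenticationException e) {
        if (!(e instanceof ExcessiveAttemptsException))
            store.recordFailure((String) t.getPrincipal(), System.currentTimeMillis());
    }
    public void onSuccess(AuthenticationToken t, AuthenticationInfo i) { store.clear((String) t.getPrincipal()); }
    public void onLogout(PrincipalCollection p) { }
}
```

Because both classes expose a `store` setter, the wiring can live in shiro.ini's [main] section, along the lines of `attemptStore = com.example.InMemoryAttemptStore`, `lockRealm.store = $attemptStore`, `lockListener.store = $attemptStore` and `securityManager.authenticator.authenticationListeners = $lockListener` (my reading of the ini reference syntax, stated as an assumption rather than verified against a particular Shiro version).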