You should still be required to authenticate first to change your
password (or at the same time as the change request is submitted), so
you should be able to lock the account after 3 failures here too.

How is the data stored for password expiry times etc?

[EMAIL PROTECTED] wrote:
> Hi Gurus!
> 
> How can I prevent a brute force attack on my password change jsp page?
> 
> Background:
> I've successfully secured a jsp/perl web application.
> Thanks to all acegi developers for this fine piece of software!
> 
> The login jsp page is protected against brute force by leveraging the
> application event publishing features so the account is locked for 30
> minutes after three failed logins.
> BTW I can't find any documentation for application event publishing in
> the 1.0.0 manual.
> 
> My question is how I can do something similar to prevent the password
> change page?
> 
> The password change page is open to role anonymous because when a new
> user is entered in the system, password expiry is set to a past date to
> force the user to change the password the first time.
> 
> Are there any best practices to handle changes of passwords?
> 
> Regards
> Gunnar
> 


-- 
 Luke Taylor.                      Monkey Machine Ltd.
 PGP Key ID: 0x57E9523C            http://www.monkeymachine.ltd.uk


_______________________________________________
Home: http://acegisecurity.org
Acegisecurity-developer mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/acegisecurity-developer
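The approach Luke describes (re-authenticate with the current password on the change page, so the same failure counting and 30-minute lock apply there as on the login page, with the lock state stored alongside the password), written out as an added Java example. This is not code from the thread, from Acegi, or from Gunnar's application. The Acegi and Spring names used (ProviderManager's failure/success events, UsernamePasswordAuthenticationToken, CredentialsExpiredException, ApplicationListener) are as they appear in Acegi 1.0; the assumption that DaoAuthenticationProvider checks the lock before comparing passwords and reports credential expiry only after the password matched should be confirmed against the version in use. LockoutRecord, LockoutStore and PasswordStore are hypothetical names for the application's own persistence.

```java
import java.util.Date;

import org.acegisecurity.Authentication;
import org.acegisecurity.AuthenticationManager;
import org.acegisecurity.CredentialsExpiredException;
import org.acegisecurity.event.authentication.AuthenticationFailureBadCredentialsEvent;
import org.acegisecurity.event.authentication.AuthenticationSuccessEvent;
import org.acegisecurity.providers.UsernamePasswordAuthenticationToken;
import org.springframework.context.ApplicationEvent;
import org.springframework.context.ApplicationListener;

/**
 * Per-account lockout state. Keeping it beside the password row (a
 * FAILED_COUNT column and a LOCKED_UNTIL timestamp) lets the
 * UserDetailsService return isAccountNonLocked() == false while the lock
 * is in force, and DaoAuthenticationProvider then rejects the attempt
 * before it compares passwords at all.
 */
class LockoutRecord {
    int failedCount;
    Date lockedUntil;   // null when the account is not locked
}

/** Hypothetical persistence interfaces; a real app backs them with its user table. */
interface LockoutStore {
    LockoutRecord load(String username);   // returns a fresh record for unknown names
    void save(String username, LockoutRecord record);
}

interface PasswordStore {
    void store(String username, String newPassword);   // hashes and writes the new credential
}

/**
 * One listener covers both pages: ProviderManager publishes the same
 * events whoever called authenticate(), so a wrong "current password" on
 * the change page is counted exactly like a failed login. Only
 * bad-credentials events are counted: a credentials-expired failure means
 * the password was right but stale, which is the normal state of a new
 * user being forced through a first change, not an attack.
 */
class LockoutListener implements ApplicationListener {
    static final int MAX_FAILURES = 3;
    static final long LOCK_MILLIS = 30L * 60 * 1000;   // 30 minutes, as on the login page

    private final LockoutStore store;

    LockoutListener(LockoutStore store) {
        this.store = store;
    }

    public void onApplicationEvent(ApplicationEvent event) {
        if (event instanceof AuthenticationFailureBadCredentialsEvent) {
            Authentication attempt = ((AuthenticationFailureBadCredentialsEvent) event).getAuthentication();
            LockoutRecord rec = store.load(attempt.getName());
            rec.failedCount++;
            if (rec.failedCount >= MAX_FAILURES) {
                rec.lockedUntil = new Date(System.currentTimeMillis() + LOCK_MILLIS);
                rec.failedCount = 0;   // counter restarts once the lock expires
            }
            store.save(attempt.getName(), rec);
        } else if (event instanceof AuthenticationSuccessEvent) {
            Authentication auth = ((AuthenticationSuccessEvent) event).getAuthentication();
            LockoutRecord rec = store.load(auth.getName());
            rec.failedCount = 0;
            rec.lockedUntil = null;
            store.save(auth.getName(), rec);
        }
    }

    /** For the UserDetailsService: isAccountNonLocked() returns !isLocked(rec, new Date()). */
    static boolean isLocked(LockoutRecord rec, Date now) {
        return rec.lockedUntil != null && rec.lockedUntil.after(now);
    }
}

/**
 * Backing service for the password-change JSP. Re-authenticating with the
 * current password routes the request through the same
 * AuthenticationManager as the login form, so the lock applies here too.
 */
class PasswordChangeService {
    private final AuthenticationManager authenticationManager;
    private final PasswordStore passwords;

    PasswordChangeService(AuthenticationManager authenticationManager, PasswordStore passwords) {
        this.authenticationManager = authenticationManager;
        this.passwords = passwords;
    }

    public void changePassword(String username, String currentPassword, String newPassword) {
        try {
            authenticationManager.authenticate(
                    new UsernamePasswordAuthenticationToken(username, currentPassword));
        } catch (CredentialsExpiredException expiredButCorrect) {
            // Assumed order of checks in Acegi 1.0: expiry is reported only after
            // the password matched, so this is the forced first-time change.
        }
        // BadCredentialsException and LockedException propagate to the page,
        // which should show one generic error for both so that the lock does
        // not reveal which usernames exist.
        passwords.store(username, newPassword);
    }
}
```

With this in place the password-change page no longer needs to be open to role anonymous in any special way: an attacker guessing the current password on that page trips the same counter as one guessing at the login form, and the lock is enforced by the UserDetailsService rather than by the page, so it cannot be bypassed by calling a different URL.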
