Hi Luke!
Answers inline.

Regards
Gunnar

> -----Original message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On behalf of Luke Taylor
> Sent: 4 October 2006 13:42
> To: [email protected]
> Subject: Re: [Acegisecurity-developer] How to prevent brute force attack
>
> You should still be required to authenticate first to change
> your password (or at the same time as the change request is
> submitted), so you should be able to lock the account after 3
> failures here too.

Can you explain more how I should do that?

> How is the data stored for password expiry times etc?

The expiry time is stored in a Sybase database. I've created a new JdbcDaoImpl to add some more data to the UserDetails object.

>
> [EMAIL PROTECTED] wrote:
> > Hi Gurus!
> >
> > How can I prevent a brute force attack on my password change jsp page?
> >
> > Background:
> > I've successfully secured a jsp/perl web application.
> > Thanks to all acegi developers for this fine piece of software!
> >
> > The login jsp page is protected against brute force by leveraging the
> > application event publishing features so the account is locked for 30
> > minutes after three failed logins.
> > BTW I can't find any documentation for application event publishing in
> > the 1.0.0 manual.
> >
> > My question is how I can do something similar to prevent the password
> > change page?
> >
> > The password change page is open to role anonymous because when a new
> > user is entered in the system; password expired is set to a past date
> > to force the user to change the password the first time.
> >
> > Are there any best practices to handle changes of passwords?
> >
> > Regards
> > Gunnar
> >
>
> --
> Luke Taylor. Monkey Machine Ltd.
> PGP Key ID: 0x57E9523C http://www.monkeymachine.ltd.uk
>
> _______________________________________________
> Home: http://acegisecurity.org
> Acegisecurity-developer mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/acegisecurity-developer
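The approach discussed in this thread (verify the current password on the change request itself, and count failures there toward the same 3-failure, 30-minute lock as the login page), as an added example that is not code from the thread or from Acegi. `FailedAttemptTracker` and its method names are hypothetical, and the password check and the store operation are assumed to be supplied by the application.

```java
import java.time.Clock;
import java.time.Duration;
import java.time.Instant;
import java.util.Locale;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.ConcurrentMap;
import java.util.function.BooleanSupplier;

/** Hypothetical helper: one failure counter shared by the login and password-change paths. */
public class FailedAttemptTracker {
    private static final int MAX_FAILURES = 3;                        // limit named in the thread
    private static final Duration LOCK_TIME = Duration.ofMinutes(30); // lock time named in the thread

    private static final class State {
        final int failures; final Instant lockedUntil;
        State(int failures, Instant lockedUntil) { this.failures = failures; this.lockedUntil = lockedUntil; }
    }

    private final ConcurrentMap<String, State> states = new ConcurrentHashMap<>();
    private final Clock clock;

    public FailedAttemptTracker(Clock clock) { this.clock = clock; }

    /** True while the account is inside its lock window. */
    public boolean isLocked(String username) {
        State s = states.get(key(username));
        return s != null && s.lockedUntil != null && clock.instant().isBefore(s.lockedUntil);
    }

    /** Record a wrong password from either page; the third failure starts the lock. */
    public void recordFailure(String username) {
        Instant now = clock.instant();
        states.compute(key(username), (k, s) -> {
            // A lock that has already expired starts a fresh count.
            boolean expired = s != null && s.lockedUntil != null && !now.isBefore(s.lockedUntil);
            int failures = (s == null || expired) ? 1 : s.failures + 1;
            return new State(failures, failures >= MAX_FAILURES ? now.plus(LOCK_TIME) : null);
        });
    }

    /** Clear the counter after a correct password. */
    public void recordSuccess(String username) { states.remove(key(username)); }

    private static String key(String username) { return username.trim().toLowerCase(Locale.ROOT); }

    /** Password-change handler for an anonymous-accessible page (caller supplies check and store). */
    public boolean changePassword(String username, BooleanSupplier currentPasswordOk, Runnable storeNewPassword) {
        if (isLocked(username)) return false;              // locked: do not even test the password
        if (!currentPasswordOk.getAsBoolean()) { recordFailure(username); return false; }
        recordSuccess(username);
        storeNewPassword.run();
        return true;
    }
}
```

The login page's failure listener would call `recordFailure` on the same instance, so wrong guesses on either page count toward one limit.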
