Hi Jason, I've already done this for the login page, but I don't know how to do it for my change password page.

Regards
Gunnar

> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
> Sent: 4 October 2006 14:19
> To: [email protected]
> Subject: Re: [Acegisecurity-developer] How to prevent brute force attack
>
> In familiar implementations, we've implemented the acegi UserDetailsService object to translate user information drawn from the application's database into a compatible Authentication object. This gives us the opportunity to set the user's access flags based on our business rules (such as determining password expiry).
>
> Additionally, acegi will drop an event on spring when authentication succeeds or fails. The failure message will include the exception detailing the authentication failure. You can use this to determine what the conditions of the authentication attempt were and take action accordingly (such as locking the user after a number of bad password attempts).
>
> -jason
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
> Sent: Wednesday, October 04, 2006 8:12 AM
> To: [email protected]
> Subject: Re: [Acegisecurity-developer] How to prevent brute force attack
>
> Hi Luke!
>
> Answers inline.
>
> Regards
> Gunnar
>
> > -----Original Message-----
> > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Luke Taylor
> > Sent: 4 October 2006 13:42
> > To: [email protected]
> > Subject: Re: [Acegisecurity-developer] How to prevent brute force attack
> >
> > You should still be required to authenticate first to change your password (or at the same time as the change request is submitted), so you should be able to lock the account after 3 failures here too.
>
> Can you explain more how I should do that?
>
> > How is the data stored for password expiry times etc?
>
> The expiry time is stored in a Sybase database. I've created a new JdbcDaoImpl to add some more data to the UserDetails object.
>
> > [EMAIL PROTECTED] wrote:
> > > Hi Gurus!
> > >
> > > How can I prevent a brute force attack on my password change jsp page?
> > >
> > > Background:
> > > I've successfully secured a jsp/perl web application. Thanks to all acegi developers for this fine piece of software!
> > >
> > > The login jsp page is protected against brute force by leveraging the application event publishing features so the account is locked for 30 minutes after three failed logins. BTW I can't find any documentation for application event publishing in the 1.0.0 manual.
> > >
> > > My question is how I can do something similar to prevent the password change page?
> > >
> > > The password change page is open to role anonymous because when a new user is entered in the system, password expired is set to a past date to force the user to change the password the first time.
> > >
> > > Are there any best practices to handle changes of passwords?
> > >
> > > Regards
> > > Gunnar
> >
> > --
> > Luke Taylor. Monkey Machine Ltd.
> > PGP Key ID: 0x57E9523C http://www.monkeymachine.ltd.uk
> >
> > -------------------------------------------------------------------------
> > Take Surveys. Earn Cash. Influence the Future of IT Join SourceForge.net's Techsay panel and you'll get the chance to share your opinions on IT & business topics through brief surveys -- and earn cash http://www.techsay.com/default.php?page=join.php&p=sourceforge&CID=DEVDEV
> > _______________________________________________
> > Home: http://acegisecurity.org
> > Acegisecurity-developer mailing list
> > [email protected]
> > https://lists.sourceforge.net/lists/listinfo/acegisecurity-developer
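One way to put Luke's and Jason's advice together, as an added example that is not code from the thread or from Acegi itself: a Spring ApplicationListener counts Acegi's bad-credentials events and locks the account after three, and the change-password action verifies the old password through the same AuthenticationManager, so its failures publish the same events and count toward the same lockout. It assumes a hypothetical AccountLockDao for the users table, that the listener is registered as a bean in the same context as the ProviderManager, and that the provider checks the password before credential expiry (as Acegi 1.0's DaoAuthenticationProvider does), so CredentialsExpiredException means "right password, forced change".

```java
import java.util.HashMap;
import java.util.Map;
import org.acegisecurity.AuthenticationException;
import org.acegisecurity.AuthenticationManager;
import org.acegisecurity.CredentialsExpiredException;
import org.acegisecurity.event.authentication.AbstractAuthenticationEvent;
import org.acegisecurity.event.authentication.AuthenticationFailureBadCredentialsEvent;
import org.acegisecurity.event.authentication.AuthenticationSuccessEvent;
import org.acegisecurity.providers.UsernamePasswordAuthenticationToken;
import org.springframework.context.ApplicationEvent;
import org.springframework.context.ApplicationListener;

/** Hypothetical persistence interface (not part of Acegi); implement against your own users table. */
interface AccountLockDao {
    void lockUntil(String username, long epochMillis);   // your UserDetails.isAccountNonLocked() reads this
    void updatePassword(String username, String newPassword); // must apply the same PasswordEncoder as login
}

public class LockoutListener implements ApplicationListener {
    private static final int MAX_FAILURES = 3;
    private static final long LOCK_MILLIS = 30L * 60 * 1000; // 30 minutes, as on the login page
    private final Map<String, Integer> failures = new HashMap<String, Integer>(); // username -> bad attempts
    private final AccountLockDao dao;
    private final AuthenticationManager authenticationManager;

    public LockoutListener(AccountLockDao dao, AuthenticationManager authenticationManager) {
        this.dao = dao;
        this.authenticationManager = authenticationManager;
    }

    /** ProviderManager publishes one of these events for every authenticate() call, login or password change. */
    public synchronized void onApplicationEvent(ApplicationEvent event) {
        if (event instanceof AuthenticationFailureBadCredentialsEvent) {
            String user = ((AbstractAuthenticationEvent) event).getAuthentication().getName();
            Integer seen = failures.get(user);
            int count = (seen == null ? 0 : seen.intValue()) + 1;
            failures.put(user, Integer.valueOf(count));
            if (count >= MAX_FAILURES) {
                dao.lockUntil(user, System.currentTimeMillis() + LOCK_MILLIS);
                failures.remove(user); // counter restarts once the lock expires
            }
        } else if (event instanceof AuthenticationSuccessEvent) {
            failures.remove(((AbstractAuthenticationEvent) event).getAuthentication().getName());
        }
    }

    /** Called by the change-password action; returns false when the old password is wrong or the account is locked. */
    public boolean changePassword(String user, String oldPassword, String newPassword) {
        try {
            authenticationManager.authenticate(new UsernamePasswordAuthenticationToken(user, oldPassword));
        } catch (CredentialsExpiredException expired) {
            // old password was correct but expired: the first-login case, so the change is allowed
        } catch (AuthenticationException e) {
            return false; // bad password or locked account; the failure event has already been published
        }
        dao.updatePassword(user, newPassword);
        return true;
    }
}
```

Because the old password is checked through the AuthenticationManager rather than by the page itself, the anonymous-accessible change page gets the same three-strikes lock as the login form without a second counter.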
