When you capture a failed login attempt (like in your listener)... you will need to update (i.e. increment) your User's failed login attempts. 
 
You would need some sort of user management service in your application.. basically the application code that does the (update user set login_attempt = ? where username = ?)
Again this will be application-specific....  you will need a login attempts column on your schema.
 
Then on the login attempt side.. you will need to translate that if the # of attempts is greater than some number... you will need to set the boolean value for account locked in the UserDetails implementation.
 
Basically capturing the event via the listener will be a way to UPDATE the user.. (i.e. the status or the number of login attempts)...
then the regular login process will get the login attempts or status and use it to determine if it is a locked account.
 
Cheers,
Mark
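The two halves Mark describes (a listener that increments the counter on failure, and the login side that turns the counter into the `accountNonLocked` flag) as an added example, not code from the thread or from Acegi itself; it assumes the Acegi 0.9 package names shown, a `login_attempts` column on the `users` table, and a threshold of five attempts:

```java
import net.sf.acegisecurity.GrantedAuthority;
import net.sf.acegisecurity.UserDetails;
import net.sf.acegisecurity.providers.dao.User;
import net.sf.acegisecurity.providers.dao.event.AuthenticationEvent;
import net.sf.acegisecurity.providers.dao.event.AuthenticationFailurePasswordEvent;
import net.sf.acegisecurity.providers.dao.event.AuthenticationSuccessEvent;
import org.springframework.context.ApplicationEvent;
import org.springframework.context.ApplicationListener;
import org.springframework.jdbc.core.JdbcTemplate;

// Assumed: Acegi 0.9-era event classes under net.sf.acegisecurity.providers.dao.event
// and a "users" table with a "login_attempts" integer column (both not from the thread).
public class LoginAttemptListener implements ApplicationListener {
    private static final int MAX_ATTEMPTS = 5;   // assumed lockout threshold
    private final JdbcTemplate jdbc;

    public LoginAttemptListener(JdbcTemplate jdbc) { this.jdbc = jdbc; }

    // Event side: only UPDATE the counter here; no lock decision is made in the listener.
    public void onApplicationEvent(ApplicationEvent event) {
        if (event instanceof AuthenticationFailurePasswordEvent) {
            String username = ((AuthenticationEvent) event).getAuthentication().getName();
            // Parameterised statement: the username comes from the request, never concatenate it.
            jdbc.update("update users set login_attempts = login_attempts + 1 where username = ?",
                        new Object[] { username });
        } else if (event instanceof AuthenticationSuccessEvent) {
            // A successful login resets the counter so an old streak cannot lock the user later.
            String username = ((AuthenticationEvent) event).getAuthentication().getName();
            jdbc.update("update users set login_attempts = 0 where username = ?",
                        new Object[] { username });
        }
    }

    // Login side (would normally live in your AuthenticationDao): read the counter and
    // derive the accountNonLocked flag; DaoAuthenticationProvider then rejects the login
    // with an account-locked error instead of checking the password.
    public UserDetails loadUser(String username, String encodedPassword, GrantedAuthority[] auths) {
        int attempts = jdbc.queryForInt(
            "select login_attempts from users where username = ?", new Object[] { username });
        boolean enabled = true, accountNonExpired = true, credentialsNonExpired = true;
        return new User(username, encodedPassword, enabled, accountNonExpired,
                        credentialsNonExpired, accountNonLocked(attempts), auths);
    }

    static boolean accountNonLocked(int attempts) { return attempts < MAX_ATTEMPTS; }
}
```

Because the counter only ever goes up until a successful login, anyone who knows a username can keep an account locked by submitting wrong passwords; record the time of the last failure and expire the lock after a window if that matters for your application.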
On 9/23/05, mannobug <[EMAIL PROTECTED]> wrote:
Hi all, I read on the web site that it can be easy to lock an account when the
user sets the password wrong n times. I define a listener that implements
ApplicationListener and captures the event AuthenticationFailurePasswordEvent.
Can someone give me good advice on implementing a secure way to memorize the
failures and login attempts and lock the user via a DAO object? I just read
http://forum.springframework.org/viewtopic.php?t=8525 but I cannot find a good
implementation.
Thanks.
Kind regards

mannobug


_______________________________________________
Home: http://acegisecurity.sourceforge.net
Acegisecurity-developer mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/acegisecurity-developer