We have a requirement to lock the account after a number
of failed logins.
I was not able to locate this feature in ACEGI, so I have
been working on adding it to our code.
I believe that the place for this would be in the
ExceptionTranslationFilter because that is where
AuthenticationFailureExceptions are handled.
The following (edited) code implements the exception handling:

    private void handleException(ServletRequest request, ServletResponse response,
                                 FilterChain chain, AcegiSecurityException exception)
            throws IOException, ServletException {  // parameter type and throws clause restored; the edited copy had dropped them
        if (exception instanceof AuthenticationException) {
            // Authentication failures go straight to the entry point (e.g. the login form)
            sendStartAuthentication(request, response, chain,
                (AuthenticationException) exception);
        } else if (exception instanceof AccessDeniedException) {
            if (authenticationTrustResolver.isAnonymous(
                    SecurityContextHolder.getContext().getAuthentication())) {
                // Anonymous caller hit a protected resource: ask them to authenticate
                sendStartAuthentication(request, response, chain,
                    new InsufficientAuthenticationException(""));
            } else {
                // Authenticated but not authorised: delegate to the access denied handler
                accessDeniedHandler.handle(request, response,
                    (AccessDeniedException) exception);
            }
        }
    }
I created a subclass that overrides sendStartAuthentication
to check for the count of failed authentications and lock the
account if the count exceeds the limit.
This seems to be working OK; however, this might be slightly
simpler to do if the AuthenticationException had its own
handler interface, like the accessDeniedHandler.
Call it the authenticationFailedHandler.
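As an added illustration of the failed-login counter the post describes (this is example code, not code from the post and not part of Acegi), the class below keeps a per-username count of consecutive failures and locks the account for a fixed period once a threshold is reached. Every name in it (FailedLoginTracker, recordFailure, recordSuccess, isLocked, the 3-attempt / 15-minute values) is an assumption made for the illustration; the main method runs the logic on constructed input.

```java
import java.util.HashMap;
import java.util.Map;

/**
 * Added example, not Acegi code: counts consecutive failed logins per
 * username and locks the account for a fixed period once a threshold is
 * reached. All names here are assumptions for the illustration.
 */
public class FailedLoginTracker {

    /** Per-user state: consecutive failures and, if locked, when the lock expires. */
    private static final class Entry {
        int failures;
        long lockedUntilMillis; // 0 means not locked
    }

    private final int maxFailures;
    private final long lockoutMillis;
    private final Map<String, Entry> entries = new HashMap<String, Entry>();

    public FailedLoginTracker(int maxFailures, long lockoutMillis) {
        this.maxFailures = maxFailures;
        this.lockoutMillis = lockoutMillis;
    }

    /** True while the user's lock is in force; an expired lock is cleared here. */
    public synchronized boolean isLocked(String username, long nowMillis) {
        Entry e = entries.get(username);
        if (e == null || e.lockedUntilMillis == 0) {
            return false;
        }
        if (nowMillis >= e.lockedUntilMillis) {
            entries.remove(username); // lock expired: start counting afresh
            return false;
        }
        return true;
    }

    /**
     * Records one failed attempt. Returns true only for the attempt that
     * crosses the threshold, so the caller can audit the lock event once.
     */
    public synchronized boolean recordFailure(String username, long nowMillis) {
        if (isLocked(username, nowMillis)) {
            return false; // already locked; do not extend or re-trigger the lock
        }
        Entry e = entries.get(username);
        if (e == null) {
            e = new Entry();
            entries.put(username, e);
        }
        e.failures++;
        if (e.failures >= maxFailures) {
            e.lockedUntilMillis = nowMillis + lockoutMillis;
            return true;
        }
        return false;
    }

    /** A successful login (only possible while unlocked) resets the counter. */
    public synchronized void recordSuccess(String username) {
        entries.remove(username);
    }

    public synchronized int failureCount(String username) {
        Entry e = entries.get(username);
        return e == null ? 0 : e.failures;
    }

    /** Simulation on constructed input: 3 failures lock "alice" for 15 minutes. */
    public static void main(String[] args) {
        long fifteenMinutes = 15L * 60 * 1000;
        FailedLoginTracker tracker = new FailedLoginTracker(3, fifteenMinutes);
        long t = 0;
        for (int i = 1; i <= 4; i++) {
            t += 1000; // one attempt per second
            boolean lockedNow = tracker.recordFailure("alice", t);
            System.out.println("attempt " + i + ": failures=" + tracker.failureCount("alice")
                + " lockedNow=" + lockedNow + " isLocked=" + tracker.isLocked("alice", t));
        }
        // Once the lockout period has elapsed the account is usable again.
        System.out.println("after 15 min: isLocked=" + tracker.isLocked("alice", t + fifteenMinutes));
    }
}
```

To wire this into the approach from the post, the sendStartAuthentication override would call recordFailure when the reason is a credentials failure and recordSuccess from the success path; this assumes the override can recover the attempted username from the exception (check what the AuthenticationException in your Acegi version carries). Two points a practitioner will want: the lock should also be enforced by the authentication provider, by having the UserDetailsService return a user whose isAccountNonLocked() is false so the provider rejects the login itself rather than relying on the filter alone, and a lock that expires after a fixed window limits the denial of service that permanent locks invite when someone deliberately fails logins against another user's name.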
_______________________________________________
Home: http://acegisecurity.org
Acegisecurity-developer mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/acegisecurity-developer