Hi devs.

 I noticed that the recent 11.6.x series have introduced a way to deal with attempts to guess a users password by introducing a strategy to handle repeated login failures. I should have payed attention before this was published because I have been implementing something similar because of several user requests.

 Anyway, my alternative solution has been finished in parallel, and I wonder if there is any interest of hosting this as a contrib project.

The implementation differs in the following details:

 - it does not use the new AuthenticationFailureEvents and the introduced component API, instead it implements its own XWikiAuthService
 - this means it works for 10.x, too (which my users are mostly running)
 - otoh it does not work with e.g. the LDAPAuthenticator
 - it also allows to block IPs (not that I care much about, but some people want this)  - it unblocks the user after a given time frame without having an Admin to intervene

I guess I can migrate at least most of it into the new AuthenticationFailureStrategy to have a showcase for a different implementation, but for now it is a separate and already slightly outdated implementation.

I think I will upload the results to e.x.o anyway (with a big note that this is superseded since XWiki 11.6), but is there any interest of hosting this as an xwiki-contrib project, maybe with the name 'authenticator-blocking', package 'org.xwiki.contrib.blockingauth' and maybe even a Jira project like 'BLOCKINGAUTH' ?

Best,
Clemens

Reply via email to