[
https://issues.apache.org/jira/browse/OAK-2159?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14160286#comment-14160286
]
angela commented on OAK-2159:
-----------------------------
One possible approach would be to provide a custom UserAuthenticationFactory
implementation that defines the details and configuration
parameters (e.g. the number of failed login attempts). AFAIK this factory currently
cannot be plugged in using OSGi, but that should be feasible if needed.
The custom UserAuthentication implementation could then keep track of the
number of failed attempts or clean up the counter in case of success. Note,
however, that this may come with severe performance issues if this information
is always written to the repository (e.g. using the recently introduced and
protected rep:pwd node) and that it will not work for the admin user, as the
latter cannot be disabled.
> Introduce Account locking after a number of unsuccessful login attempts is
> reached
> -----------------------------------------------------------------------------------
>
> Key: OAK-2159
> URL: https://issues.apache.org/jira/browse/OAK-2159
> Project: Jackrabbit Oak
> Issue Type: New Feature
> Components: security
> Reporter: Silviu Repciuc
>
> There are various security standards that require a system to limit the
> number of unsuccessful login attempts for a user.
> This would require configuration to enable this feature and set the number of
> login attempts.
> Every unsuccessful login attempt for an existing user would increment the
> login attempt counter for the user and when the maximum is reached the
> account is disabled.
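The approach discussed in this thread, as an added example that is not code from Oak or from either participant: a wrapper counts failed logins per existing user, clears the counter on success, disables the account once the limit is reached, and exempts the admin user. `PasswordCheck`, `LockingCheck`, `userExists` and `disableUser` are hypothetical stand-ins rather than Oak APIs, and keeping the counters in memory is an assumption made to avoid a repository write per failed attempt (they are lost on restart and not shared between cluster nodes).

```java
import java.util.*;
import java.util.concurrent.ConcurrentHashMap;
import java.util.function.*;

public class LockoutDemo {
    /** Stand-in for the wrapped password check (hypothetical, not Oak's Authentication interface). */
    interface PasswordCheck { boolean authenticate(String userId, String password); }

    static final class LockingCheck implements PasswordCheck {
        private final PasswordCheck delegate;
        private final Predicate<String> userExists;   // hypothetical user lookup
        private final Consumer<String> disableUser;   // hypothetical hook: the only persistent write
        private final int maxFailures;
        private final String adminId;
        // Counters stay in memory so a failed login does not trigger a repository write.
        private final Map<String, Integer> failures = new ConcurrentHashMap<>();

        LockingCheck(PasswordCheck delegate, Predicate<String> userExists,
                     Consumer<String> disableUser, int maxFailures, String adminId) {
            this.delegate = delegate; this.userExists = userExists;
            this.disableUser = disableUser; this.maxFailures = maxFailures; this.adminId = adminId;
        }

        @Override
        public boolean authenticate(String userId, String password) {
            if (delegate.authenticate(userId, password)) {
                failures.remove(userId);               // success clears the counter
                return true;
            }
            // Count only existing users (keeps the map bounded); the admin user cannot be disabled.
            if (!userExists.test(userId) || adminId.equals(userId)) return false;
            if (failures.merge(userId, 1, Integer::sum) >= maxFailures) {
                failures.remove(userId);               // the state now lives on the account itself
                disableUser.accept(userId);
            }
            return false;
        }
    }

    public static void main(String[] args) {
        Map<String, String> passwords = Map.of("admin", "adminpw", "alice", "s3cret"); // constructed data
        Set<String> disabled = ConcurrentHashMap.newKeySet();
        PasswordCheck base = (u, p) -> !disabled.contains(u) && p.equals(passwords.get(u));
        LockingCheck auth = new LockingCheck(base, passwords::containsKey, disabled::add, 3, "admin");

        for (int i = 0; i < 3; i++) auth.authenticate("alice", "wrong");
        for (int i = 0; i < 5; i++) auth.authenticate("admin", "wrong");
        System.out.println("alice after 3 failures: " + auth.authenticate("alice", "s3cret"));
        System.out.println("admin after 5 failures: " + auth.authenticate("admin", "adminpw"));
    }
}
```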