[Dev] User's failed login attempts based adaptive authentication

2018-11-09 Thread Anuradha Karunarathna
Hi,

I have developed a new adaptive authentication script considering the
number of failed login attempts of a user. Its basic scenario can be
explained as follows.

Let's consider a scenario where you want to prompt an additional level of
authentication for a user who has exceeded a specific number of continuous
failed login attempts. Also, you want to consider all the failed login
attempts of a user until a successful login attempt, even if those continuous
failed attempts are made over several days.

For that purpose, the 'Failed Login Attempts' claim is used to keep track of
the number of failed login attempts of a user. Since this number is reset to
0 when a successful login happens, a new claim needs to be introduced to
store the number of failed login attempts just before a successful login
attempt. Here is the PR for that new claim [1].

In order to update the number of failed login attempts, account locking
under login resident IDP's login policies needs to be enabled. Therefore,
the 'Failed Lockout Count' claim is also considered when counting the number of
failed login attempts just before a success. The changes that need to be done in
AccountLockHandler can be found here [2].

Follow the instructions in [3] to test this template with WSO2is-5.7.0.

The implemented script will be added as a default template under script
based adaptive authentication since it is a common use case.

-Script-

// This variable is used to define the number of invalid attempts allowed
// before prompting the second factor
var invalidAttemptsToStepup = 3;

// Claim that stores the failed login attempt count just before the last success
var failedLoginAttemptsBeforeSuccessClaim = 'http://wso2.org/claims/identity/failedLoginAttemptsBeforeSuccess';

function onLoginRequest(context) {
    doLogin(context);
}

function doLogin(context) {
    executeStep(1, {
        onSuccess: function (context) {
            var user = context.steps[1].subject;
            // Prompt the second factor only when the threshold was reached
            if (isExceedInvalidAttempts(user)) {
                executeStep(2);
            }
        },
        onFail: function (context) {
            // Retry the login..
            doLogin(context);
        }
    });
}

function isExceedInvalidAttempts(user) {
    if (user.localClaims[failedLoginAttemptsBeforeSuccessClaim] >= invalidAttemptsToStepup) {
        return true;
    } else {
        return false;
    }
}

[1] https://github.com/wso2/carbon-identity-framework/pull/1975
[2] https://github.com/wso2-extensions/identity-event-handler-account-lock/pull/49
[3] https://docs.google.com/document/d/1fHhLDnXtAJYcxx2rZinTF1-SCmZnhh98kFhUicibpFQ/edit?usp=sharing

*Anuradha Karunarathna*
Intern-Software Engineering | WSO2,inc.
___
Dev mailing list
Dev@wso2.org
http://wso2.org/cgi-bin/mailman/listinfo/dev
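
The step-up decision described in the message above can be exercised outside the server with a small Node.js mock. This is an added example, not part of the original post or WSO2 code: `recordFailure`, `recordSuccess`, `simulateLogin` and the `failedLoginAttempts` key are hypothetical stand-ins, claim values are assumed to be strings, and the lockout-count contribution is left out.

```javascript
// Claim URI from the post; RUNNING is a constructed key for the running counter.
const BEFORE_SUCCESS = 'http://wso2.org/claims/identity/failedLoginAttemptsBeforeSuccess';
const RUNNING = 'failedLoginAttempts';
const invalidAttemptsToStepup = 3;

// Assumed model of the counter handling: count each failure, then on success
// snapshot the count into the "before success" claim and reset the counter.
function recordFailure(user) {
  user.localClaims[RUNNING] = String(Number(user.localClaims[RUNNING] || 0) + 1);
}
function recordSuccess(user) {
  user.localClaims[BEFORE_SUCCESS] = user.localClaims[RUNNING] || '0';
  user.localClaims[RUNNING] = '0';
}

// Claim values are modelled as strings and may be absent, so parse explicitly
// and treat a missing or non-numeric claim as "no step-up".
function isExceedInvalidAttempts(user) {
  const n = parseInt(user.localClaims[BEFORE_SUCCESS], 10);
  return Number.isFinite(n) && n >= invalidAttemptsToStepup;
}

// Replays password attempts (true = correct) through the flow in the post:
// step 1 is retried on failure, step 2 is added when the snapshot is high.
// Returns the list of authentication steps that were executed.
function simulateLogin(user, attempts) {
  const stepsRun = [];
  for (const ok of attempts) {
    stepsRun.push(1);
    if (!ok) { recordFailure(user); continue; } // onFail: retry step 1
    recordSuccess(user);                        // onSuccess of step 1
    if (isExceedInvalidAttempts(user)) stepsRun.push(2);
    return stepsRun;
  }
  return stepsRun; // session ended without a successful login
}

// Constructed scenario: two failures in one session, one more in a later one.
const alice = { localClaims: {} };
console.log(simulateLogin(alice, [false, false]).join(','));
console.log(simulateLogin(alice, [false, true]).join(','));
```

Because the counter survives across sessions in this model, the second call reaches the threshold and includes step 2 even though only one failure happened in that session.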


[Dev] Increase DefaultCacheTimeout in carbon.xml

2018-11-09 Thread Ishara Cooray
What are the effects if we increase DefaultCacheTimeout in carbon.xml?

What would be the heap size ramifications if we increase
the DefaultCacheTimeout value from 15 to 30?
To 60?

Thanks & Regards,
Ishara