Thanks BJ, I have commented out the code in LoginServices.java. Thinking a bit deeper about the admin screen behaviour - why would admin only want to temporarily disable an account for 5 minutes?

BJ Freeman wrote:
>
> you can recode the re-activation service so if there is no date it will
> not re-activate.
>
> snowc sent the following on 9/5/2009 7:53 PM:
>> In MHO, while not permanently disabling accounts for failed logins may be
>> desirable, this behaviour is not desirable for the admin interface. The
>> default for the admin interface should be to permanently disable the
>> account.
>>
>> David E Jones wrote:
>>>
>>> The reason for this (which is configuration in the security.properties
>>> file, BTW, and is documented in the production setup guide) is that
>>> repeated login attempts usually cause an account to be disabled, but
>>> people usually don't want permanent disabling because of the internal/
>>> customer service headaches. Enabling after five minutes (and telling
>>> the user that will happen) still makes brute-force password guessing
>>> attacks pretty much impossible, but gives the user a way to get back
>>> in without making a phone call.
>>>
>>> -David
>>>
>>> On Jul 1, 2008, at 3:09 PM, Robert Volke wrote:
>>>
>>>> Wow, that did the trick. When I first saved the Enabled flag change
>>>> to N, it automatically populated the disabled date, so I deleted
>>>> this date and saved the change again. Now the disabled admin can no
>>>> longer login. It looks like if you simply disable an account and
>>>> leave the time stamp, it will automatically enable again in 5
>>>> minutes. I'm not sure why it does this, and I didn't see a way to
>>>> change the end date for the disable so I'm going to inform my users
>>>> to use this work around.
>>>>
>>>> Thank you for all of the help,
>>>> Robert Volke
>>>>
>>>> >>> Bilgin Ibryam <[email protected]> 7/1/2008 3:53:22 PM >>>
>>>> Hi Robert,
>>>>
>>>> try to set the Enabled Flag to "N" WITHOUT Disabled Date Time.
>>>>
>>>> Bilgin
>
> --
> BJ Freeman
> http://www.businessesnetwork.com/automation
> http://bjfreeman.elance.com
> http://www.linkedin.com/profile?viewProfile=&key=1237480&locale=en_US&trk=tab_pro
> Systems Integrator.

--
View this message in context: http://www.nabble.com/Users-with-disabled-accounts-are-still-able-to-login-tp18223799p25314413.html
Sent from the OFBiz - User mailing list archive at Nabble.com.
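
The behaviour discussed in this thread, modelled as an added example (it is not OFBiz code and not from any poster): a disabled account that carries a disabled timestamp re-activates once the window passes, while one disabled with no timestamp stays disabled. The class, field and method names and the threshold of 3 failed attempts are assumptions made for illustration; the five-minute window is the figure quoted in the thread.

```java
import java.time.Duration;
import java.time.Instant;

// Illustrative model only: all names and MAX_FAILED are assumptions, not OFBiz identifiers.
public class LockoutModel {
    static final int MAX_FAILED = 3;                              // assumed threshold
    static final Duration REENABLE_AFTER = Duration.ofMinutes(5); // window quoted in the thread

    boolean enabled = true;
    Instant disabledDateTime;   // null while enabled, and null for a permanent disable
    int failedLogins;

    // Failed-password path: temporary lockout, timestamped so that it can expire.
    void recordFailure(Instant now) {
        if (++failedLogins >= MAX_FAILED) {
            enabled = false;
            disabledDateTime = now;
        }
    }

    // Admin path: 'permanent' leaves the timestamp empty, which is the workaround in the thread.
    void adminDisable(Instant now, boolean permanent) {
        enabled = false;
        disabledDateTime = permanent ? null : now;
    }

    // Login gate: a disabled account re-activates only if it has a timestamp
    // and the window has elapsed; with no timestamp it stays disabled.
    boolean mayLogIn(Instant now) {
        if (enabled) return true;
        if (disabledDateTime == null) return false;
        if (now.isBefore(disabledDateTime.plus(REENABLE_AFTER))) return false;
        enabled = true;
        disabledDateTime = null;
        failedLogins = 0;
        return true;
    }

    public static void main(String[] args) {
        Instant t0 = Instant.parse("2009-09-05T19:53:00Z"); // constructed timestamp
        LockoutModel guessed = new LockoutModel();
        for (int i = 0; i < MAX_FAILED; i++) guessed.recordFailure(t0);
        System.out.println("failed logins, +1 min: " + guessed.mayLogIn(t0.plusSeconds(60)));
        System.out.println("failed logins, +6 min: " + guessed.mayLogIn(t0.plusSeconds(360)));

        LockoutModel stamped = new LockoutModel();
        stamped.adminDisable(t0, false);  // disabled with the date left populated
        System.out.println("admin, date kept, +6 min: " + stamped.mayLogIn(t0.plusSeconds(360)));

        LockoutModel permanent = new LockoutModel();
        permanent.adminDisable(t0, true); // disabled with the date cleared
        System.out.println("admin, no date, +1 day: " + permanent.mayLogIn(t0.plusSeconds(86400)));
    }
}
```

The third case is the one Robert Volke reported: an administrator's disable that keeps its timestamp expires exactly like a failed-login lockout, so a deliberate disable has to be stored without one.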
