This sounds like a bug. Can you please enter it in JIRA?
Thanks,
Matt
On 12/1/06, kkus <[EMAIL PROTECTED]> wrote:
Thanks, Matt. I still found a tiny i18n bug in login.js as below,
function passwordHint() {
if ($("j_username").value.length == 0) {
alert("The <fmt:message key="label.username"/> field must be filled in to get a password hint sent to you.");
We need to use <fmt:message> only in alert, otherwise it will cause an i18n issue.
Matt Raible-3 wrote:
>
> The commented out <c:out> gives you the exact error message. The
> reason we don't use it is because we don't want to tell users that
> they have an invalid username (or password). A generic
> "authentication failed" message is generally better from a security
> standpoint.
>
> Matt
>
> On 11/30/06, kkus <[EMAIL PROTECTED]> wrote:
>>
>> Now I am implementing the account lock feature. I can find the message
>> generated by Acegi as below after I failed to log in 3 times,
>>
>> [appfuse] WARN [http-8080-Processor25] LoggerListener.onApplicationEvent(55)
>> | Authentication event AuthenticationFailureLockedEvent: a; details:
>> [EMAIL PROTECTED]: RemoteIpAddress: 127.0.0.1;
>> SessionId: A05D31E26DA6DECF3285B187876D3394; exception: User account is locked
>>
>> But in LoginForm.jsp there is an error message check as below.
>>
>> <c:if test="${param.error != null}">
>> <li class="error">
>> <c:url value= "
>> alt="<fmt:message key="icon.warning"/>" class="icon" />
>> <fmt:message key="errors.password.mismatch"/>
>> <!--<c:out
>> value="${sessionScope.ACEGI_SECURITY_LAST_EXCEPTION.message}"/>-->
>> </li>
>> </c:if>
>>
>> This error check always shows me password mismatch even though my account
>> is locked. So I need a mechanism to tell if it is a password mismatch or a
>> locked account. param.error always returns true in these two cases, so
>> obviously I can't rely on it. Do you know any param settings which I can
>> use for this purpose? Thanks!
>>
>>
>> Matt Raible-3 wrote:
>> >
>> > I don't see a problem with this solution if it works. That's the most
>> > important thing after all. ;-)
>> >
>> > Matt
>> >
>> > On 11/30/06, kkus <[EMAIL PROTECTED]> wrote:
>> >>
>> >> In that listener, what is the general problem if I provide a HashMap to
>> >> store username and login count when login fails, and clear the HashMap
>> >> for that user when login succeeds? Thanks!
>> >>
>> >>
>> >> Matt Raible-3 wrote:
>> >> >
>> >> > I believe Acegi allows you to control this, but unfortunately, I
>> >> > don't know the configuration settings.
>> >> >
>> >> > Matt
>> >> >
>> >> > On 11/30/06, kkus <[EMAIL PROTECTED]> wrote:
>> >> >>
>> >> >> I went to acegi forum about this issue and found it seems we have to
>> >> >> create a field in db to store attempted tries of failing login - mainly
>> >> >> since at that point we don't have any session yet.
>> >> >>
>> >> >> I am wondering if there is another way to keep record of failing login.
>> >> >> Sample code which I have done is as below,
>> >> >>
>> >> >> public class ApplicationSecurityListener implements ApplicationListener {
>> >> >>
>> >> >> public void onApplicationEvent(ApplicationEvent event) {
>> >> >> if (event instanceof AuthorizationFailureEvent) {
>> >> >> AuthorizationFailureEvent authorizationFailureEvent =
>> >> >> (AuthorizationFailureEvent) event;
>> >> >> // need a way to record counts of login here - don't want to store it in db
>> >> >> }
>> >> >> }
>> >> >> }
>> >> >>
>> >> >> Any idea?
>> >> >> --
>> >> >> View this message in context:
>> >> >> http://www.nabble.com/locking-account-afer-several-tries-of-login-tf2735347s2369.html#a7630999
>> >> >> Sent from the AppFuse - User mailing list archive at Nabble.com.
>> >> >>
>> >> >>
>> >> >> ---------------------------------------------------------------------
>> >> >> To unsubscribe, e-mail: [EMAIL PROTECTED]
>> >> >> For additional commands, e-mail: [EMAIL PROTECTED]
>> >> >>
>> >> >>
>> >> >
>> >> >
>> >> > --
>> >> > http://raibledesigns.com
>> >> >
>> >> >
>> >> >
>> >> >
>> >> >
>> >>
>> >> --
>> >> View this message in context:
>> >> http://www.nabble.com/locking-account-afer-several-tries-of-login-tf2735347s2369.html#a7632633
>> >> Sent from the AppFuse - User mailing list archive at Nabble.com.
>> >>
>> >>
>> >>
>> >
>> >
>> > --
>> > http://raibledesigns.com
>> >
>> >
>> >
>> >
>>
>> --
>> View this message in context:
>> http://www.nabble.com/locking-account-afer-several-tries-of-login-tf2735347s2369.html#a7633514
>> Sent from the AppFuse - User mailing list archive at Nabble.com.
>>
>>
>>
>
>
> --
> http://raibledesigns.com
>
>
>
>
--
View this message in context:
http://www.nabble.com/locking-account-afer-several-tries-of-login-tf2735347s2369.html#a7639315
Sent from the AppFuse - User mailing list archive at Nabble.com.
--
http://raibledesigns.com
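Two points in this thread are worth seeing in working code: the in-memory HashMap of failed logins per username that kkus asks about, and Matt's point that the browser should get the same generic "authentication failed" message whether the password was wrong or the account is locked. The class below is an added example written for this edit; it is not AppFuse or Acegi code and none of its names (FailedLoginTracker, recordFailure, recordSuccess, isLocked, trackedUsers) come from the thread. It deliberately has no Acegi imports so it compiles and runs on its own; the comments say where each method would be called from, which is an assumption about the wiring: the listener's onApplicationEvent would call recordFailure for AuthenticationFailureBadCredentialsEvent and recordSuccess for AuthenticationSuccessEvent, and the UserDetails returned for the user would report isAccountNonLocked() as the negation of isLocked, so that Acegi itself raises the "User account is locked" failure seen in the log line above.

```java
import java.util.HashMap;
import java.util.Map;
import java.util.concurrent.TimeUnit;

/**
 * Added example (not AppFuse or Acegi code): an in-memory counter of
 * consecutive failed logins per username, with a time window after which
 * both the count and the lock lapse. All names here are this example's own.
 */
public final class FailedLoginTracker {

    /** Per-user state: consecutive failures and the time of the last one. */
    private static final class Attempt {
        int failures;
        long lastFailureMillis;
    }

    /** The one message key the browser sees in every failure case (see LoginForm.jsp). */
    public static final String GENERIC_FAILURE_KEY = "errors.password.mismatch";

    private final int maxFailures;
    private final long windowMillis;
    private final Map<String, Attempt> attempts = new HashMap<String, Attempt>();

    public FailedLoginTracker(int maxFailures, long window, TimeUnit unit) {
        this.maxFailures = maxFailures;
        this.windowMillis = unit.toMillis(window);
    }

    /**
     * Assumed call site: the listener, on AuthenticationFailureBadCredentialsEvent.
     * Returns true when this failure reaches the lock threshold.
     */
    public synchronized boolean recordFailure(String username, long nowMillis) {
        Attempt a = attempts.get(username);
        if (a == null || nowMillis - a.lastFailureMillis > windowMillis) {
            a = new Attempt();            // first failure, or earlier ones have expired
            attempts.put(username, a);
        }
        a.failures++;
        a.lastFailureMillis = nowMillis;
        return a.failures >= maxFailures;
    }

    /** Assumed call site: the listener, on AuthenticationSuccessEvent. A good login clears the count. */
    public synchronized void recordSuccess(String username) {
        attempts.remove(username);
    }

    /** Assumed call site: UserDetails.isAccountNonLocked() returns the negation of this. */
    public synchronized boolean isLocked(String username, long nowMillis) {
        Attempt a = attempts.get(username);
        if (a == null) {
            return false;
        }
        if (nowMillis - a.lastFailureMillis > windowMillis) {
            attempts.remove(username);    // window elapsed: drop the entry, which unlocks
            return false;
        }
        return a.failures >= maxFailures;
    }

    /** Number of usernames currently held; watch this, since every distinct name costs memory. */
    public synchronized int trackedUsers() {
        return attempts.size();
    }

    /** Demonstration on constructed input; "a" is the username from the log line in the thread. */
    public static void main(String[] args) {
        FailedLoginTracker tracker = new FailedLoginTracker(3, 15, TimeUnit.MINUTES);
        long t0 = 0L;
        String user = "a";

        for (int i = 1; i <= 3; i++) {
            boolean nowLocked = tracker.recordFailure(user, t0 + i * 1000L);
            // The detail is for the server log only; the browser always gets GENERIC_FAILURE_KEY.
            System.out.println("failure " + i + " for " + user
                    + (nowLocked ? " -> account locked" : "")
                    + "; message shown: " + GENERIC_FAILURE_KEY);
        }
        System.out.println("locked after 3 tries: " + tracker.isLocked(user, t0 + 4000L));

        // Once the window has passed the lock lapses and the entry is dropped.
        long later = t0 + TimeUnit.MINUTES.toMillis(16);
        System.out.println("locked 16 min later: " + tracker.isLocked(user, later));
        System.out.println("tracked users: " + tracker.trackedUsers());
    }
}
```

The caveats Matt and the Acegi forum hint at show up directly in this design. The map lives in one JVM, so the counts vanish on restart and are not shared between nodes, which is why the forum answer reaches for a database column. The map also grows by one entry for every distinct username that ever fails, whether or not the account exists, so an expiry window (and, in production, a periodic sweep or a size cap) is needed rather than a bare HashMap. The user-facing message stays the same key in both the wrong-password and locked cases on purpose: a different message for locked accounts would tell an outsider which usernames are real, which is the enumeration problem the generic message avoids; the distinction belongs in the server log, where the LoggerListener line in the thread already records it.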