Hello Jan-Wijbrand,

Thinking this further, resource requests will have a '/@@/' (usually) in their URL. So it might be an idea to skip those requests from counting.

Tuesday, January 19, 2010, 10:43:43 AM, you wrote:

JWK> Adam GROSZER <[email protected]> wrote:
JWK> Thank you for your reply!
>> Right. Well right now the lame solution is to try to count the number
>> of resources needed to load the page and multiply maxFailedAttempts by
>> that number.
>> Other than that you _will_ want to offload resources in production.
JWK> Oh, sure in _production_ I will. But what about testing and development? And
JWK> counting the number of resources is highly unpredictable - esp. as I'm working
JWK> on applications that can be easily skinned for different clients.
>> (Another idea could be to try to identify requests that are not for
>> resources, but how?)
JWK> There's no real way as far as I can tell :|
JWK> Even worse, if Zope were to handle one or more login page requisites, you can
JWK> easily get database write conflicts as multiple "simultaneous" requests will try
JWK> to increase the failed login attempts counter on the internal principal object.
JWK> Can I conclude this particular feature of z3c.password is not really in use by
JWK> anyone else (at least not in combination with the SessionCredentialsPlugin)?
JWK> regards,
JWK> jw
>> Tuesday, January 19, 2010, 12:16:38 AM, you wrote:
>>>> Subject: [Zope-dev] z3c.password and "failedAttempts"
>>>> and SessionCredentialsPlugin
>>>>
>>>> Hi,
>>>>
>>>> I'm looking into integrating z3c.password into an application
>>>> that also uses the PAU with the principal folder,
>>>> InternalPrincipals and the SessionCredentialsPlugin.
>>>>
>>>> One of the features of z3c.password that I'd like to use is
>>>> locking out a user account after a number of failed login attempts.
>>>> z3c.password provides such a feature.
>>>>
>>>> However, it seems this feature does not play well with the
>>>> SessionCredentialsPlugin:
>>>>
>>>> The SessionCredentials will store the login and password that
>>>> were submitted through the login form in a session. This
>>>> login/password combination then is checked against the
>>>> internal principal stored in the principal folder.
>>>>
>>>> If the password is correct then (obviously) everything is fine.
>>>>
>>>> When the password is incorrect, the user is directed back to
>>>> the login form as authentication failed. If the page with the
>>>> login form retrieves resources (like images or css or
>>>> javascript files) and since the zopepublication will _try_ to
>>>> authenticate every request, the wrongful login/password
>>>> combination is checked multiple times for that page and its
>>>> resources against the internal principal object.
>>>>
>>>> The internal principal mixin of z3c.password will count the
>>>> number of failed checks. If you tell it to lock out a user
>>>> after, say, three failed attempts, you have a problem, as the
>>>> number of login page resources (thus requests) will quite
>>>> easily outnumber the maximum number of attempts.
>>>>
>>>> Questions: is anyone using this feature of z3c.password in
>>>> combination with the SessionCredentialsPlugin? If this is
>>>> working for you, do you have any idea what I am doing wrong
>>>> here? What type of authentication are the authors of
>>>> z3c.password using?
>>
>> R> Probably Adam can tell you more about that.
>>
>> R> One solution could be to offload your resources and
>> R> deliver them from Apache or Nginx Frontend.
>>
>> R> Regards
>> R> Roger Ineichen
>>
>>>> Thanks for any insight here.
>>>> regards,
>>>> jw
>>>>
>>>> _______________________________________________
>>>> Zope-Dev maillist - [email protected]
>>>> https://mail.zope.org/mailman/listinfo/zope-dev
>>>> ** No cross posts or HTML encoding! **
>>>> (Related lists -
>>>> https://mail.zope.org/mailman/listinfo/zope-announce
>>>> https://mail.zope.org/mailman/listinfo/zope )
>>
>> --
>> Best regards,
>> Adam GROSZER mailto:[email protected]

--
Best regards,
Adam GROSZER mailto:[email protected]
--
Quote of the day:
Words are the voice of the heart.
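An added example (not z3c.password's or Zope's own code) of the idea suggested above: count a failed login once per page load by ignoring requests whose URL carries a '/@@/' resource segment. The class and function names, and the sample request paths, are made up for illustration.

```python
"""Constructed example: a per-principal failed-login counter that ignores
resource requests (URLs containing '/@@/'), as suggested in the thread.
Not z3c.password's or Zope's own code; all names here are hypothetical."""
import re

# Heuristic from the thread: Zope resource URLs usually contain a '/@@/' segment.
_RESOURCE_MARKER = re.compile(r"/@@/")


def is_resource_request(path):
    """True for requests that fetch page resources (css, images, js)."""
    return _RESOURCE_MARKER.search(path) is not None


class FailedLoginCounter:
    """Counts failed password checks and locks after max_failed of them.

    With skip_resources=False it behaves like the naive counter the thread
    complains about: every request of a page load is counted separately."""

    def __init__(self, max_failed, skip_resources=True):
        self.max_failed = max_failed
        self.skip_resources = skip_resources
        self.failed = 0

    @property
    def locked(self):
        return self.failed >= self.max_failed

    def record(self, path, password_ok):
        """Record one authentication check; returns True if it was counted."""
        if password_ok:
            return False
        if self.skip_resources and is_resource_request(path):
            return False
        self.failed += 1
        return True


def simulate_page_load(counter, paths, password_ok=False):
    """Run every request of one page load through the counter; returns count."""
    return sum(counter.record(p, password_ok) for p in paths)


# Constructed sample: the login view plus the resources it pulls in.
LOGIN_PAGE_REQUESTS = [
    "/app/@@login.html",
    "/app/@@/myskin/style.css",
    "/app/@@/myskin/logo.png",
    "/app/@@/myskin/login.js",
]
```

With a maximum of three attempts, the naive counter locks the account after a single wrong login because the page load issues four checks, while the filtered counter records one.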
