shiro-user mailing list archives

From Les Hazlewood <lhazlew...@apache.org>
Subject Re: Failed attempt lockouts
Date Wed, 17 Oct 2012 18:39:24 GMT
This is not something built into Shiro directly at the moment - most
people do this logic in their Realm's getAuthenticationInfo (and
perhaps use an AuthenticationListener to update the failed attempt
count).

Part of the reason this isn't in Shiro is that this implies state
management that typically needs to update a data store (i.e. attempt 1
failed -> update the data store to record this).

Other than maybe utilizing a Cache, Shiro doesn't have many data store
write capabilities.  If Shiro did use a Cache, and the lock record
gets expunged (as caches are prone to do), then the lock status
wouldn't be valid and security conditions might not be met.

That being said, I'm personally very open to suggestions on how this
might be accomplished if people want this feature - maybe create a
LoginAttemptStore that Shiro could use and you could plug in
implementations based on the store you wish to use?  If you have any
ideas, please open a Jira issue and/or discuss on the dev list!

Best,

--
Les Hazlewood | @lhazlewood
CTO, Stormpath | http://stormpath.com | @goStormpath | 888.391.5282
Stormpath wins GigaOM Structure Launchpad Award! http://bit.ly/MvZkMk


On Wed, Oct 17, 2012 at 7:35 AM, Bron <bron@lucidbay.com> wrote:
> I am trying to make the case for Shiro over Tomcat container managed
> security, but one feature I can't find in Shiro out of the box is the
> ability to set up failed attempt lockouts.
>
> In Tomcat it is done by simply wrapping the main security realm in a
> LockOutRealm:
>
> <Realm className="org.apache.catalina.realm.LockOutRealm" lockOutTime="1800"
> failureCount="6">
>    <Realm  className="org.apache.catalina.realm.JDBCRealm"... />
> </Realm>
>
> I have not seen a way to implement equivalent functionality via Shiro.ini.
> This statement from the docs: "Shiro's out-of-the-box SessionManager
> implementations are highly customizable and configurable and will suit most
> needs." makes me believe this sort of thing is possible; I just have not
> found where to do this type of customization.
>
>
>
> --
> View this message in context: http://shiro-user.582556.n2.nabble.com/Failed-attempt-lockouts-tp7577882.html
> Sent from the Shiro User mailing list archive at Nabble.com.
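The pattern Les describes (check the failure count in the Realm's getAuthenticationInfo, maintain it from an AuthenticationListener, behind a pluggable LoginAttemptStore) as an added example; this is not code from the thread or from Shiro itself. LoginAttemptStore, InMemoryLoginAttemptStore, LockoutListener, LockoutRealm, MAX_FAILURES and the placeholder credential lookup are all assumed names for illustration.

```java
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import org.apache.shiro.authc.*;
import org.apache.shiro.authc.credential.SimpleCredentialsMatcher;
import org.apache.shiro.authz.AuthorizationInfo;
import org.apache.shiro.realm.AuthorizingRealm;
import org.apache.shiro.subject.PrincipalCollection;

// Hypothetical store interface along the lines Les suggests; a production
// implementation would persist to the application's own data store.
interface LoginAttemptStore {
    int failures(String user);
    void recordFailure(String user);
    void clear(String user);
}

// In-memory stand-in for illustration only: its state is lost on restart or
// eviction, which is exactly the cache caveat raised in the thread.
class InMemoryLoginAttemptStore implements LoginAttemptStore {
    private final Map<String, Integer> counts = new ConcurrentHashMap<>();
    public int failures(String u) { return counts.getOrDefault(u, 0); }
    public void recordFailure(String u) { counts.merge(u, 1, Integer::sum); }
    public void clear(String u) { counts.remove(u); }
}

// Listener keeps the count: reset on success, increment on a genuine credential
// failure (attempts against an already locked account are not counted again).
class LockoutListener implements AuthenticationListener {
    private final LoginAttemptStore store;
    LockoutListener(LoginAttemptStore s) { store = s; }
    public void onSuccess(AuthenticationToken t, AuthenticationInfo i) { store.clear(user(t)); }
    public void onFailure(AuthenticationToken t, AuthenticationException e) {
        if (!(e instanceof LockedAccountException)) store.recordFailure(user(t));
    }
    public void onLogout(PrincipalCollection p) { }
    static String user(AuthenticationToken t) { return String.valueOf(t.getPrincipal()); }
}

// Realm consults the store before it even looks up credentials, so a locked
// account fails fast with LockedAccountException rather than a password check.
class LockoutRealm extends AuthorizingRealm {
    static final int MAX_FAILURES = 6;  // same threshold as Tomcat's failureCount="6" above
    private final LoginAttemptStore store;
    LockoutRealm(LoginAttemptStore s) { store = s; setCredentialsMatcher(new SimpleCredentialsMatcher()); }
    @Override
    protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token) {
        String user = LockoutListener.user(token);
        if (store.failures(user) >= MAX_FAILURES)
            throw new LockedAccountException("too many failed login attempts for " + user);
        String storedPassword = "hypothetical-password";  // placeholder: real realm queries its user store
        return new SimpleAuthenticationInfo(user, storedPassword, getName());
    }
    @Override
    protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection p) { return null; }
}
```

The listener is registered on the security manager's authenticator (AbstractAuthenticator.setAuthenticationListeners, or in shiro.ini via `securityManager.authenticator.authenticationListeners = $lockoutListener`). Expiring a lock after a period (Tomcat's lockOutTime) is left to the store implementation.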
