org.apache.geronimo.security.realm.providers
Class RepeatedFailureLockoutLoginModule

java.lang.Object
  extended by org.apache.geronimo.security.realm.providers.RepeatedFailureLockoutLoginModule
All Implemented Interfaces:
LoginModule

public class RepeatedFailureLockoutLoginModule
extends Object
implements LoginModule

Tracks the number of recent login failures for each user, and starts rejecting login attempts if the number of failures in a certain period for a particular user gets too high. The period, number of failures, and lockout duration are configurable; by default, 5 failures in 5 minutes cause all subsequent attempts to fail for 30 minutes. This module does not write any Principals into the Subject. To enable this login module, set your primary login module and any other login modules to REQUIRED or OPTIONAL, and list this module in last place, set to REQUISITE. The parameters used by this module are:

This login module does not check credentials so it should never be able to cause a login to succeed. Therefore the lifecycle methods must return false to indicate success or throw a LoginException to indicate failure.
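The failure-window and lockout bookkeeping described above, as an added example that is not Geronimo's own code. The class name LockoutTracker and its methods are hypothetical; isLockedOut plays the role of login() and recordFailure the role of abort(), and the timestamps are constructed.

```java
import java.time.Duration;
import java.time.Instant;
import java.util.*;

// Added illustration of sliding-window lockout; not Geronimo's implementation.
public class LockoutTracker {
    private static final class State {
        final Deque<Instant> failures = new ArrayDeque<>();
        Instant lockedUntil = Instant.MIN;
    }

    private final int maxFailures;
    private final Duration period;
    private final Duration lockout;
    private final Map<String, State> users = new HashMap<>();

    public LockoutTracker(int maxFailures, Duration period, Duration lockout) {
        this.maxFailures = maxFailures;
        this.period = period;
        this.lockout = lockout;
    }

    // Role of login(): should this attempt be rejected regardless of credentials?
    public synchronized boolean isLockedOut(String user, Instant now) {
        State s = users.get(user);
        return s != null && now.isBefore(s.lockedUntil);
    }

    // Role of abort(): note that, and when, a failure occurred.
    public synchronized void recordFailure(String user, Instant now) {
        State s = users.computeIfAbsent(user, u -> new State());
        Instant windowStart = now.minus(period);
        while (!s.failures.isEmpty() && s.failures.peekFirst().isBefore(windowStart)) {
            s.failures.pollFirst(); // older than the counting period, no longer "recent"
        }
        s.failures.addLast(now);
        if (s.failures.size() >= maxFailures) {
            s.lockedUntil = now.plus(lockout); // reject everything until this instant
            s.failures.clear();
        }
    }

    public static void main(String[] args) {
        // The documented defaults: 5 failures in 5 minutes, 30 minute lockout.
        LockoutTracker t = new LockoutTracker(5, Duration.ofMinutes(5), Duration.ofMinutes(30));
        Instant t0 = Instant.parse("2024-01-01T00:00:00Z"); // constructed timestamp
        for (int i = 0; i < 5; i++) t.recordFailure("alice", t0.plusSeconds(30L * i));
        System.out.println("alice at +10 min: " + t.isLockedOut("alice", t0.plusSeconds(600)));
        System.out.println("alice at +40 min: " + t.isLockedOut("alice", t0.plusSeconds(2400)));
    }
}
```

Because state is keyed by the submitted user name, a long-running tracker of this kind also needs to evict idle entries so the map stays bounded.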


Field Summary
static String FAILURE_COUNT_OPTION
           
static String FAILURE_PERIOD_OPTION
           
static String LOCKOUT_DURATION_OPTION
           
static List<String> supportedOptions
           
 
Constructor Summary
RepeatedFailureLockoutLoginModule()
           
 
Method Summary
 boolean abort()
          Notes that (and when) a login failure occurred, used to calculate whether the user should be locked out.
 boolean commit()
          This module does nothing if a login succeeds.
 void initialize(Subject subject, CallbackHandler callbackHandler, Map sharedState, Map options)
          Reads the configuration settings for this module.
 boolean login()
          Checks whether the user should be or has been locked out.
 boolean logout()
          This module does nothing on a logout.
 
Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
 

Field Detail

FAILURE_COUNT_OPTION

public static final String FAILURE_COUNT_OPTION
See Also:
Constant Field Values

FAILURE_PERIOD_OPTION

public static final String FAILURE_PERIOD_OPTION
See Also:
Constant Field Values

LOCKOUT_DURATION_OPTION

public static final String LOCKOUT_DURATION_OPTION
See Also:
Constant Field Values

supportedOptions

public static final List<String> supportedOptions
Constructor Detail

RepeatedFailureLockoutLoginModule

public RepeatedFailureLockoutLoginModule()
Method Detail

initialize

public void initialize(Subject subject,
                       CallbackHandler callbackHandler,
                       Map sharedState,
                       Map options)
Reads the configuration settings for this module.

Specified by:
initialize in interface LoginModule

login

public boolean login()
              throws LoginException
Checks whether the user should be or has been locked out.

Specified by:
login in interface LoginModule
Throws:
LoginException

commit

public boolean commit()
               throws LoginException
This module does nothing if a login succeeds.

Specified by:
commit in interface LoginModule
Throws:
LoginException

abort

public boolean abort()
              throws LoginException
Notes that (and when) a login failure occurred, used to calculate whether the user should be locked out.

Specified by:
abort in interface LoginModule
Throws:
LoginException

logout

public boolean logout()
               throws LoginException
This module does nothing on a logout.

Specified by:
logout in interface LoginModule
Throws:
LoginException


Copyright © 2003-2008 The Apache Geronimo development community. All Rights Reserved.