Good Afternoon,
I am up and running with Shiro (Spring Web App using the Vaadin framework), so all is good. Thank you all for the effort.
So on to my question! Basically I want to lock a User in my Application if they have tried to sign on a number of times and keep getting the password wrong.
I notice there is an ExcessiveAttemptsException class and the javadoc says:
Thrown when a system is configured to only allow a certain number of authentication attempts over a period of time and the current session has failed to authenticate successfully within that number.
So that sounds like what I want to catch and handle (in my case the handling would update a field on a User database row to indicate the User's login was now disabled). But where is this Excessive Attempts configured - or is this an exception I would have to build and throw? If so, how would I know how many times the Subject\User tried to log on? Anyway - hopefully this question isn't too stupid!
Cheers
Mat
Hi UncleTupelo,
I had a project which pretty much resembles what you are in right now. What I did is, on every log-in attempt, a counter is incremented and saved into the users table, the same table where I saved username and password (my application really demands it - the number of attempts allowed is not exceeded even using a time interval and multiple machines for log-in, just like an ATM machine). So, in every validation of username and password, the number of attempts is also regarded and checked. If the max number of attempts is reached, the account is automatically disabled, and thus a message is prompted to the user who tries to log in. Since my custom realm calls the validation process, it's there where I throw a new Account-Locked-Exception. Hope this helps.
In reply to this post by UncleTupelo
Hi Mat,
Nice to hear you're using Shiro with Vaadin - I too have a project where I'm using both of these frameworks together, and I'm really enjoying this combination :)

Anyway, that exception exists but it is not thrown/managed at any point by Shiro. It is there for your use as a convenience so you don't have to create your own Exception class if you don't want to. You would need to instantiate and throw it in your Realm's doGetAuthenticationInfo method when appropriate. The reason Shiro can't do this automatically is that this type of logic (lock account after a certain number of times in a certain number of minutes) is usually entirely dependent upon your application's User data model.

There are a few ways to do this, but here are the 2 most common that I've seen:

1) Store 3 additional columns in your User table: loginPeriodStartTimestamp, lastLoginAttemptTimestamp and loginAttemptCount. Based on what you configure the login period to be before accounts are locked (5 minutes?), you can increment the login attempt count. If that number ever becomes greater than what your system deems is allowed (3 tries?), then you would manually throw the ExcessiveAttemptsException. Then your login controller can react to that and show an appropriate GUI message.

2) An even easier approach than #1, but which requires more disk storage, is to keep an event log of every login attempt. This is very simple - you enter an event into the event log for each login attempt with the timestamp the event occurred and the status of whether or not the login failed for that user. Then, determining if the account should be locked upon login is a very simple exercise - you query your event log to count all failed attempts for that user where the event timestamp is newer than (now - login period). If you receive any count greater than your configured number (say, 3), then you throw the exception.

Again, this is very application data-model specific, but that should give you some ideas.
HTH,
Les

On Mon, Feb 8, 2010 at 10:17 AM, UncleTupelo <[hidden email]> wrote:
> Good Afternoon, I am up and running with Shiro (Spring Web App using the
> Vaadin framework), so all is good. Thank you all for the effort. So on to my
> question! Basically I want to lock a User in my Application if they have
> tried to sign on a number of times and keep getting the password wrong. I
> notice there is an ExcessiveAttemptsException class and the javadoc says:
>
> Thrown when a system is configured to only allow a certain number of
> authentication attempts over a period of time and the current session has
> failed to authenticate successfully within that number.
>
> So that sounds like what I want to catch and handle (in my case the handling
> would update a field on a User database row to indicate the User's login was
> now disabled). But where is this Excessive Attempts configured - or is this
> an exception I would have to build and throw? If so how would I know how
> many times the Subject\User tried to logon? Anyway - hopefully this question
> isn't too stupid! Cheers Mat
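Les's option 2 as a Shiro Realm, written here as an added example (not code from the thread or from Shiro itself). It assumes Java 16+ and Shiro's AuthenticatingRealm API; the in-memory event log and the single sample user are constructed stand-ins for the audit table and user store.

```java
import java.time.Duration;
import java.time.Instant;
import java.util.List;
import java.util.Map;
import java.util.concurrent.CopyOnWriteArrayList;
import org.apache.shiro.authc.*;
import org.apache.shiro.realm.AuthenticatingRealm;

/** Realm implementing option 2: count failed logins in an event log and lock on excess. */
public class LockoutRealm extends AuthenticatingRealm {
    private static final int MAX_FAILED = 3;                           // failures tolerated per window
    private static final Duration LOGIN_PERIOD = Duration.ofMinutes(5); // sliding window length
    /** One event-log row: who, when, and whether the attempt failed (persisted in a real app). */
    record LoginEvent(String username, Instant at, boolean failed) {}
    private final List<LoginEvent> eventLog = new CopyOnWriteArrayList<>(); // stand-in for the audit table
    // Constructed sample user store; a real app keeps hashed credentials and a HashedCredentialsMatcher.
    private final Map<String, char[]> users = Map.of("mat", "correct horse".toCharArray());

    @Override
    protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token) {
        String username = (String) token.getPrincipal();
        Instant cutoff = Instant.now().minus(LOGIN_PERIOD);
        long recentFailures = eventLog.stream()
                .filter(e -> e.username().equals(username) && e.failed() && e.at().isAfter(cutoff))
                .count();
        if (recentFailures >= MAX_FAILED) {
            // Shiro never throws this itself; the realm does, and the login controller reacts to it.
            throw new ExcessiveAttemptsException("Too many failed logins for " + username);
        }
        char[] stored = users.get(username);
        if (stored == null) {
            throw new UnknownAccountException("No account for " + username);
        }
        return new SimpleAuthenticationInfo(username, stored, getName());
    }

    /** Record the outcome of each credential check so the next attempt can count it. */
    @Override
    protected void assertCredentialsMatch(AuthenticationToken token, AuthenticationInfo info) throws AuthenticationException {
        String username = (String) token.getPrincipal();
        try {
            super.assertCredentialsMatch(token, info);
            eventLog.add(new LoginEvent(username, Instant.now(), false));
        } catch (IncorrectCredentialsException e) {
            eventLog.add(new LoginEvent(username, Instant.now(), true));
            throw e;   // rethrow so the caller still sees the normal Shiro failure
        }
    }
}
```

Once locked, the realm throws before the credentials are even checked, so no further events are written and the lock lifts on its own when the old failures age out of the window; with the real audit table the count is also shared across all application instances, unlike this in-memory list.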
Cheers Gents,
That is fine - I just needed confirmation that there wasn't somewhere in Shiro I could magically stipulate the number of attempts allowed! Les - I have an Audit Event Table that would match Point 2 perfectly. Had almost forgotten about it until I read your response. Thanks for the prompt responses. Really is appreciated.
In reply to this post by Les Hazlewood-2
Dear Les,
I read that you successfully integrated Vaadin with Shiro and I am interested in how you achieved this. I am just looking into Shiro, since my own authorization framework is not scalable enough and I could not find any good implementation for Vaadin (e.g., the appfoundation framework has too much overhead which I do not use, and Spring Security is too rigid in my opinion). Do you have some information or a proof of concept available that can guide me to integrate both technologies? I have been referred to Shiro by one of the Maven authors and would love to give it a chance!
Best regards,
Johannes
