Question

My application is using Form based authentication and JBoss 5 as application server. I want to add an account lockout mechanism to the application. Does JBoss form based authentication support account lockout? If yes, how do I configure it? If no, what is the best solution without changing the existing functionality much?

I have searched quite a bit on the web, but could not find answer to this.

Any suggestions would be a great help.

Thanks, jayash


Solution

I am not aware of an "out-of-the-box" solution, but there is always the possibility to write a custom login module.

So have a look at the source of the DatabaseServerLoginModule: You could extend it to support a lockout.

  • Add a flag in the database which indicates that the last verification was not successful
  • Count and store the number of subsequent login failures in the database for a given user ID
  • Reset the counter and the flag, if there is a successful verification
  • But if the counter reaches a limit, the password verification always returns false, and the flag/counter are not reset.

So you can configure the front end to have account lockout: You just declare it to use form-based authentication. But you have to add some pages to maintain the accounts which are locked (you already have this or need this anyway).
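The four bullet points above describe a small state machine (failure flag, failure counter, reset on success, permanent denial once the limit is hit). The following is an added example, not code from the answer or from JBoss, that models exactly that database-side logic in a standalone form so it can be run and inspected; wiring it into a custom login module (overriding the password check of `DatabaseServerLoginModule`) is the JBoss-specific part the answer refers to and is not shown here. The table layout, the user records, the threshold `MAX_FAILURES = 5` and the plaintext password column are all constructed for the demonstration; a real module would compare against a stored password hash.

```python
import hmac
import sqlite3

# Lockout threshold: constructed value for this example, not taken from the answer.
MAX_FAILURES = 5

# Constructed schema: the users table carries the counter and the flag the
# answer describes, alongside the credential the login module already checks.
SCHEMA = """
CREATE TABLE users (
    user_id       TEXT PRIMARY KEY,
    password      TEXT NOT NULL,               -- plaintext only to keep the model short
    failure_count INTEGER NOT NULL DEFAULT 0,  -- subsequent failed verifications
    last_failed   INTEGER NOT NULL DEFAULT 0   -- flag: last verification was not successful
);
"""


def make_db():
    """Create an in-memory database with two constructed user records."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany(
        "INSERT INTO users (user_id, password) VALUES (?, ?)",
        [("alice", "correct horse"), ("bob", "hunter2")],
    )
    conn.commit()
    return conn


def verify_password(conn, user_id, supplied):
    """Password check with lockout, following the answer's four rules.

    Returns True only when the account is not locked and the password matches.
    """
    row = conn.execute(
        "SELECT password, failure_count FROM users WHERE user_id = ?", (user_id,)
    ).fetchone()
    if row is None:
        return False  # unknown user: nothing to count against
    expected, failures = row

    if failures >= MAX_FAILURES:
        # Rule 4: once the limit is reached the check always fails and the
        # counter/flag are deliberately left untouched, so the lock persists
        # even when the correct password is supplied.
        return False

    if hmac.compare_digest(expected, supplied):
        # Rule 3: successful verification resets the counter and the flag.
        conn.execute(
            "UPDATE users SET failure_count = 0, last_failed = 0 WHERE user_id = ?",
            (user_id,),
        )
        conn.commit()
        return True

    # Rules 1 and 2: record the failure and bump the counter.
    conn.execute(
        "UPDATE users SET failure_count = failure_count + 1, last_failed = 1 "
        "WHERE user_id = ?",
        (user_id,),
    )
    conn.commit()
    return False


def failure_count(conn, user_id):
    row = conn.execute(
        "SELECT failure_count FROM users WHERE user_id = ?", (user_id,)
    ).fetchone()
    return row[0] if row else None


def is_locked(conn, user_id):
    count = failure_count(conn, user_id)
    return count is not None and count >= MAX_FAILURES


def unlock(conn, user_id):
    """Administrative reset: the maintenance action the answer says you need pages for."""
    conn.execute(
        "UPDATE users SET failure_count = 0, last_failed = 0 WHERE user_id = ?",
        (user_id,),
    )
    conn.commit()


def demo():
    """Walk alice into a lockout, show the correct password is still refused,
    then unlock and verify. Returns the observed sequence for inspection."""
    conn = make_db()
    attempts = [verify_password(conn, "alice", "wrong") for _ in range(MAX_FAILURES)]
    locked = is_locked(conn, "alice")
    denied_while_locked = verify_password(conn, "alice", "correct horse")
    unlock(conn, "alice")
    ok_after_unlock = verify_password(conn, "alice", "correct horse")
    return attempts, locked, denied_while_locked, ok_after_unlock


if __name__ == "__main__":
    print(demo())
```

The point worth checking when you port this into the login module is the fourth rule: the locked branch must return before any update, otherwise a correct password would silently reset the counter and defeat the lock. `failure_count` and `is_locked` are the queries the account-maintenance pages would use to list and clear locked accounts.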

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow