Reputation: 4609
How can a maximum number of login retries be specified when using form based authentication in a java web application?
Upvotes: 0
Views: 229
Reputation: 118651
You would need a custom realm implementation that would support this feature. The actual authentication is managed by a realm that is configured to work with your application (a FileRealm, LDAPRealm, JDBCRealm -- these are only conceptual examples, not normative for JBoss).
By default, the typical ones out of the box do not support a retry lock out behavior.
So, you'd have to create your own.
Realms are container specific. A realm for JBoss likely won't work on Glassfish or Tomcat, for example. That said, they're all pretty simple.
You could probably easily get started by copying a JDBC-based realm implementation for JBoss and adding some logic for the retry check. The realm code would be fairly straightforward. You'd still need external logic to do things like reset the lock, send alerts when the lock is detected, etc.
But the nut of it is, you need a custom realm to pull this off.
Upvotes: 1
Reputation: 1
From the scenario you explained, you can use a counter to keep track of the number of login attempts, and you can capture the client IP / location to apply specific restrictions. There could be two failed cases: 1. Invalid login id 2. Incorrect password
Case 1: Invalid login id. If the login id is invalid, you can ask the user to enter the correct id as many times as you want, or up to 5/8 attempts, just to make sure no one is trying to hack through a programming construct.
Case 2: Incorrect password. If the login id is valid and the password entered is incorrect, on average you should allow the user to enter it up to 3 times and then redirect the user to a secure question mode, CAPTCHA mode or password change mode.
Anyway, most login systems are implemented through a DB; even if you use an encryption mechanism, make sure your log is tracked to analyze hacking attempts.
Upvotes: 0
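As a worked example serving both answers above (added here; it is not code from either answerer and not any container's realm API): a container-independent lock-out helper in plain Java that a custom realm or the login servlet would call in front of the real credential check. The class `LoginThrottle`, its `Outcome` enum, the `BiPredicate` delegate standing in for the JDBC/LDAP realm's own check, and the in-memory user table in `main` are all assumptions made for the illustration, and the code assumes a JDK 9 or newer for `Map.of`. The thresholds (CAPTCHA or secret question after 3 failures, temporary lock after 8) follow the numbers in the second answer; as a deliberate design choice of the example, an unknown id and a wrong password get the identical response, so the login form cannot be used to enumerate valid ids.

```java
import java.time.Duration;
import java.time.Instant;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import java.util.function.BiPredicate;
import java.util.logging.Logger;

/**
 * Wraps the container's real authentication check (JDBC, LDAP, file, ...)
 * with a failed-attempt counter keyed by username and client IP.
 * Hypothetical helper for illustration, not part of any container's realm API.
 */
public class LoginThrottle {

    /** What the login servlet should do next. */
    public enum Outcome { SUCCESS, FAILURE, CHALLENGE, LOCKED }

    private static final class State {
        int failures;
        Instant lockedUntil = Instant.EPOCH;
    }

    private static final Logger LOG = Logger.getLogger(LoginThrottle.class.getName());

    private final int challengeAfter;                    // failures before CAPTCHA / secret question
    private final int lockAfter;                         // failures before a temporary lock
    private final Duration lockDuration;
    private final BiPredicate<String, String> delegate;  // (username, password) -> valid? (the real realm)
    private final Map<String, State> states = new ConcurrentHashMap<>();

    public LoginThrottle(int challengeAfter, int lockAfter, Duration lockDuration,
                         BiPredicate<String, String> delegate) {
        if (challengeAfter < 1 || lockAfter <= challengeAfter) {
            throw new IllegalArgumentException("need 1 <= challengeAfter < lockAfter");
        }
        this.challengeAfter = challengeAfter;
        this.lockAfter = lockAfter;
        this.lockDuration = lockDuration;
        this.delegate = delegate;
    }

    /** Runs the retry check, then the real check; 'now' is injected so the lock window is testable. */
    public Outcome authenticate(String username, String password, String clientIp, Instant now) {
        String key = username + "@" + clientIp;
        State s = states.computeIfAbsent(key, k -> new State());
        synchronized (s) {
            if (now.isBefore(s.lockedUntil)) {
                // Locked: do not consult the delegate at all, so a correct guess
                // made during the lock window is not confirmed to the caller.
                LOG.warning("login refused, locked: user=" + username + " ip=" + clientIp);
                return Outcome.LOCKED;
            }
            // Unknown user and wrong password take the same path: the delegate
            // simply answers false, so the form cannot be used to enumerate ids.
            if (delegate.test(username, password)) {
                states.remove(key);
                LOG.info("login ok: user=" + username + " ip=" + clientIp);
                return Outcome.SUCCESS;
            }
            s.failures++;
            LOG.warning("login failed: user=" + username + " ip=" + clientIp
                    + " failures=" + s.failures);
            if (s.failures >= lockAfter) {
                s.lockedUntil = now.plus(lockDuration);
                s.failures = 0;
                return Outcome.LOCKED;
            }
            return s.failures >= challengeAfter ? Outcome.CHALLENGE : Outcome.FAILURE;
        }
    }

    /** Constructed demo: an in-memory user table stands in for the JDBC realm. */
    public static void main(String[] args) {
        Map<String, String> users = Map.of("alice", "correct horse");   // constructed sample data
        LoginThrottle throttle = new LoginThrottle(3, 8, Duration.ofMinutes(15),
                (u, p) -> p.equals(users.get(u)));   // null for an unknown id -> false
        Instant t0 = Instant.parse("2024-01-01T00:00:00Z");
        String ip = "203.0.113.7";

        for (int i = 1; i <= 8; i++) {
            System.out.println("attempt " + i + ": "
                    + throttle.authenticate("alice", "guess" + i, ip, t0.plusSeconds(i)));
        }
        // The correct password is still refused while the lock is active.
        System.out.println("locked, right password: "
                + throttle.authenticate("alice", "correct horse", ip, t0.plusSeconds(60)));
        // Once the lock expires the real check runs again.
        System.out.println("after lock: "
                + throttle.authenticate("alice", "correct horse", ip, t0.plus(Duration.ofMinutes(16))));
        // An unknown id gets the same sequence of outcomes as a wrong password.
        System.out.println("unknown user: " + throttle.authenticate("mallory", "x", ip, t0));
    }
}
```

The counter is keyed by username and client IP together: keying by username alone lets an attacker lock a victim out on purpose, keying by IP alone is evaded by rotating addresses, so a real deployment usually tracks both dimensions. The `ConcurrentHashMap` is per JVM and unbounded; in a clustered container the state has to live in a shared store with expiry, and resetting locks and alerting on them is the external logic the first answer refers to.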