tracking failed login attempts

tracking failed login attempts

Pieslak, Brian
I tried to get caught up on the account lockout discussions from the archives, but I never really saw a clear answer to what I'm trying to accomplish.
 
I need the ability to track failed login attempts.
I see in the login-webflow.xml where the "authenticationViaFormAction" bean is used for the authentication flow.
 
I'm thinking it's possible to modify the "submit" action state to look like the following:
 
 <action-state id="submit">
  <action bean="authenticationViaFormAction" method="submit" />
  <transition on="warn" to="warn" />
  <transition on="success" to="sendTicketGrantingTicket" />
  <transition on="error" to="trackFailedLogin" />
 </action-state>
 <action-state id="trackFailedLogin">
  <action bean="trackFailedLoginAction" />
  <transition on="success" to="viewLoginForm" />
 </action-state>
Where I'm inserting my own "trackFailedLogin" action-state, taking my action (which is successful) and then returning to the "viewLoginForm". I also still need the loginForm to display the "Invalid Username Or Password" message.

So 2 questions:
1.) Does this seem like a good approach, or should I be doing this another way?
2.) Will my comment about the loginForm knowing it's in an error state work, or does the transition of my new action bean need to return "error" in order to keep the webflow in an error state?
 
Thanks for the help,
-Brian
 

-- 
You are currently subscribed to [hidden email] as: [hidden email]
To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user
Re: tracking failed login attempts

Scott Battaglia-2
Brian,

What is your purpose for tracking failed login attempts?  Auditing?

-Scott

-Scott Battaglia
PGP Public Key Id: 0x383733AA
LinkedIn: http://www.linkedin.com/in/scottbattaglia


On Fri, Apr 10, 2009 at 8:11 PM, Pieslak, Brian <[hidden email]> wrote:
RE: tracking failed login attempts

Pieslak, Brian
Scott,
   It's for both auditing & account locking.
   I have a specific requirement for how the auditing & account locking are accomplished - both tables in a MySQL database.
   I have a separate user management application that my customer support agents use where they can go in and unlock an account for a user before the lockout period expires, so that's the primary reason I need this data in the MySQL database.

   I have seen the ThrottleBy... classes discussed as ways of implementing account locking, and I'm not opposed to using that approach. I'd just need to see if either my requirements can change or how I could persist that information to my MySQL database.
 
-Brian

From: Scott Battaglia [[hidden email]]
Sent: Friday, April 10, 2009 11:50 PM
To: [hidden email]
Subject: Re: [cas-user] tracking failed login attempts

Brian,

What is your purpose for tracking failed login attempts?  Auditing?

-Scott

RE: tracking failed login attempts

Pieslak, Brian
In reply to this post by Scott Battaglia-2
I came up with a simpler solution that seems to be working for me, but it seems highly customized to my needs.
 
Rather than messing with login-webflow.xml, I subclassed org.jasig.cas.adaptors.jdbc.QueryDatabaseAuthenticationHandler to create my own JDBC authenticationHandler to handle my custom logic.
This allows me to add my additional queries to my jdbc authenticationHandler bean in deployerConfigContext.xml.

It's not elegant, but it does seem to be working just fine.
-Brian
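
The requirement discussed in this thread (an audit table and a lock table consulted around the credential check, with a support agent able to lift a lock before it expires) can be shown as an added example; it is not code from the thread or from CAS. It is written in Python with SQLite standing in for MySQL, and the table names, policy values and the `password_ok` argument (the result of the real password query) are assumptions.

```python
import sqlite3

MAX_FAILURES, WINDOW_SECS, LOCK_SECS = 3, 900, 1800  # assumed policy values

def init(db):  # table and column names are assumptions, not from the thread
    db.executescript("""
        CREATE TABLE login_audit (username TEXT, ts INTEGER, event TEXT);
        CREATE TABLE account_lock (username TEXT PRIMARY KEY, locked_until INTEGER);
    """)

def audit(db, user, now, event):
    db.execute("INSERT INTO login_audit VALUES (?, ?, ?)", (user, now, event))

def is_locked(db, user, now):
    row = db.execute("SELECT locked_until FROM account_lock WHERE username = ?",
                     (user,)).fetchone()
    return row is not None and row[0] > now

def authenticate(db, user, password_ok, now):
    """Wrap the real credential check (password_ok) with audit and lockout."""
    if is_locked(db, user, now):
        audit(db, user, now, "BLOCKED")  # a correct password is refused as well
        return False
    audit(db, user, now, "OK" if password_ok else "FAIL")
    if password_ok:
        return True
    # Count failures inside the window, but only those after the last reset
    # (a successful login or an agent unlock), so an unlock starts a clean count.
    reset = db.execute(
        "SELECT COALESCE(MAX(ts), 0) FROM login_audit "
        "WHERE username = ? AND event IN ('OK', 'UNLOCK')", (user,)).fetchone()[0]
    fails = db.execute(
        "SELECT COUNT(*) FROM login_audit "
        "WHERE username = ? AND event = 'FAIL' AND ts > ?",
        (user, max(reset, now - WINDOW_SECS))).fetchone()[0]
    if fails >= MAX_FAILURES:
        # SQLite upsert; on MySQL this would be REPLACE INTO or ON DUPLICATE KEY UPDATE
        db.execute("INSERT OR REPLACE INTO account_lock VALUES (?, ?)",
                   (user, now + LOCK_SECS))
    return False

def agent_unlock(db, user, now):
    """Support-agent action: lift the lock before locked_until is reached."""
    db.execute("DELETE FROM account_lock WHERE username = ?", (user,))
    audit(db, user, now, "UNLOCK")

if __name__ == "__main__":  # constructed sample run
    db = sqlite3.connect(":memory:"); init(db)
    print([authenticate(db, "alice", False, t) for t in (1000, 1001, 1002)],
          is_locked(db, "alice", 1003))
```

Recording the unlock as an audit event is what keeps the failures from before the unlock from re-locking the account on the next mistyped password.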

RE: tracking failed login attempts

csquires
I think a custom authentication handler is probably the right way to do
this, given the plugin architecture. For example, if you are using
openLDAP as your authentication back end and you have the password
policy overlay in place, the back end database takes care of failed
login tracking etc.

Craig

On Sat, 2009-04-11 at 08:41 -0400, Pieslak, Brian wrote:

> I came up with a simpler solution that seems to be working for me, but
> it seems highly customized to my needs.
>  
> Rather than messing with login-webflow.xml, I subclassed
> org.jasig.cas.adaptors.jdbc.QueryDatabaseAuthenticationHandler to
> create my own JDBC authenticationHandler to handle my custom logic.
> This allows me to add my additional queries to my jdbc
> authenticationHandler bean in deployerConfigContext.xml.
>  
> It's not elegant, but it does seem to be working just fine.
> -Brian
RE: tracking failed login attempts

amruta
This post has NOT been accepted by the mailing list yet.
In reply to this post by Pieslak, Brian
I would like to know how you implemented it.
I don't know what I actually need to do to track details; it is a new requirement raised by my organization.

Thanks,
Amruta