One type of account locking scenario is account locking by failed login attempts.
By default, the configurations related to account locking based on failed attempts are global to all users in the Identity Server (i.e. global to all user stores).
The configuration parameters live in the <IS_HOME>/repository/conf/identity/identity-mgt.properties file.
Configuration | Description
---|---
Authentication.Policy.Enable=true | This enables the authentication flow level which checks for the account lock and one time password features. This property must be enabled for the account lock feature to work.
Authentication.Policy.Account.Lock.On.Failure=true | This enables locking the account when authentication fails.
Authentication.Policy.Account.Lock.On.Failure.Max.Attempts=2 | This indicates the number of consecutive attempts that a user can try to log in without the account getting locked. In this case, if the login fails twice, the account is locked.
Authentication.Policy.Account.Lock.Time=5 | The time specified here is in minutes. In this case, the account is locked for five minutes and authentication can be attempted once this time has passed.
Let's say there is a use case to maintain these configurations per user store. An example scenario would be:
- There are two user stores configured with a WSO2 IS 5.1.0 instance:
  - The primary user store, with the default name "PRIMARY"
  - A secondary user store with the name "TEST"
- The two user stores need different configuration parameter values:
  - PRIMARY user store
    - Authentication.Policy.Account.Lock.On.Failure.Max.Attempts=2
    - Authentication.Policy.Account.Lock.Time=5
  - TEST user store
    - Authentication.Policy.Account.Lock.On.Failure.Max.Attempts=5
    - Authentication.Policy.Account.Lock.Time=3
WSO2 Identity Server doesn't support this per-user-store configuration by default. We need to write a custom User Operations Event Listener in order to achieve this.
One approach is to extend org.wso2.carbon.identity.mgt.IdentityMgtEventListener and override its methods to check the particular values based on the user store domain.
I have written a sample user operation event listener with this approach and overridden only two methods: doPreAuthenticate and doPostAuthenticate.
I have implemented a CustomIdentityMgtConfig to hold the configurations and used it to retrieve user-store-specific configuration values (go through the code to get a better understanding).
Once the custom user operation event listener (org.wso2.carbon.sample.user.operation.event.listener.CustomIdentityMgtEventListener) is implemented, you can enable it in place of org.wso2.carbon.identity.mgt.IdentityMgtEventListener in $IS_HOME/repository/conf/identity/identity.xml.
Copy the built org.wso2.carbon.sample.user.operation.event.listener-1.0.0.jar to $IS_HOME/repository/components/dropins and restart the server.
To achieve full functionality, we may need to override other methods as well.
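The shape of such a listener, as an added illustration and not the sample code from this post: the per-domain lookup with a fallback to the global property is an assumed convention (a "<DOMAIN>." prefix on the standard key), the Properties-taking constructor and the in-memory failure and lock maps are simplifications for illustration (a production listener would persist that state), and the overridden method signatures and UserCoreUtil.getDomainName come from the Carbon user core.

```java
package org.wso2.carbon.sample.user.operation.event.listener;

import java.util.Map;
import java.util.Properties;
import java.util.concurrent.ConcurrentHashMap;
import org.wso2.carbon.identity.mgt.IdentityMgtEventListener;
import org.wso2.carbon.user.core.UserStoreException;
import org.wso2.carbon.user.core.UserStoreManager;
import org.wso2.carbon.user.core.util.UserCoreUtil;

/** Per-user-store lock settings: an assumed "<DOMAIN>.<key>" entry wins, else the global key. */
class CustomIdentityMgtConfig {
    private static final String MAX = "Authentication.Policy.Account.Lock.On.Failure.Max.Attempts";
    private static final String TIME = "Authentication.Policy.Account.Lock.Time";
    private final Properties props;
    CustomIdentityMgtConfig(Properties props) { this.props = props; }
    int maxAttempts(String domain) { return Integer.parseInt(lookup(domain, MAX, "2")); }
    long lockMillis(String domain) { return Long.parseLong(lookup(domain, TIME, "5")) * 60_000L; }
    private String lookup(String domain, String key, String dflt) {
        String v = domain == null ? null : props.getProperty(domain + "." + key);
        return v != null ? v : props.getProperty(key, dflt);
    }
}

public class CustomIdentityMgtEventListener extends IdentityMgtEventListener {
    private final CustomIdentityMgtConfig config;
    private final Map<String, Integer> failures = new ConcurrentHashMap<>();   // illustration only
    private final Map<String, Long> lockedUntil = new ConcurrentHashMap<>();  // illustration only

    public CustomIdentityMgtEventListener(Properties props) { config = new CustomIdentityMgtConfig(props); }

    @Override
    public boolean doPreAuthenticate(String userName, Object credential, UserStoreManager usm)
            throws UserStoreException {
        String key = UserCoreUtil.getDomainName(usm.getRealmConfiguration()) + "/" + userName;
        Long until = lockedUntil.get(key);
        if (until != null && System.currentTimeMillis() < until) {
            throw new UserStoreException("Account is locked for user " + key); // lock window still open
        }
        lockedUntil.remove(key); // Account.Lock.Time has elapsed: allow a fresh attempt
        return true;
    }

    @Override
    public boolean doPostAuthenticate(String userName, boolean authenticated, UserStoreManager usm)
            throws UserStoreException {
        String domain = UserCoreUtil.getDomainName(usm.getRealmConfiguration());
        String key = domain + "/" + userName;
        if (authenticated) { failures.remove(key); return true; } // success resets the counter
        int count = failures.merge(key, 1, Integer::sum);
        if (count >= config.maxAttempts(domain)) { // 2 for PRIMARY, 5 for TEST in the scenario above
            lockedUntil.put(key, System.currentTimeMillis() + config.lockMillis(domain));
            failures.remove(key);
        }
        return true;
    }
}
```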