Go to new doc!

+49 228 5552576-0


info@predic8.com

accountBlocker

Description

Keeps track of blocked user accounts (accounts become blocked after too many failed logins).

Can be used in

spring:beans, login and oauth2authserver

Syntax

				<serviceProxy port="2000">
					<request>
						<log />
					</request>
					<target host="www.predic8.de" />		
				</serviceProxy>						
			
Listing 12: log Example

Sample

       <accountBlocker 
           afterFailedLogins="5"
           afterFailedLoginsWithin="9223372036854775807"
           blockFor="3600000" 
           blockWholeSystemAfter="1000000" />
			
Listing 12: accountBlocker Example

Attributes

Name Required Default Description Example
afterFailedLogins false -
afterFailedLoginsWithin false -
blockFor false -
blockWholeSystemAfter false -

Explanation

The Account Blocker prevents password and token guessing attempts: It blocks a user (or the whole system) after too many failed login attempts.

When a user entered a wrong password or wrong token more than afterFailedLogins times, this user becomes blocked: He will be prevented from logging in again within the next blockFor milliseconds (writing 3600000 means "for 1 hour").

The failed login attempts have to occur within the last afterFailedLoginsWithin milliseconds (writing 9223372036854775807 means "forever").

If more than blockWholeSystemAfter users become blocked at a time, the all users will become blocked. (This is necessary to limit memory usage.)

Discussion

Say, for example, a scripted dictionary attack tries to guess a user's password. Using the configuration shown above, which is the default configuration if no accountBlocker is declared, this results in 5 guesses per 3600000 milliseconds; or equivalently 42720 guesses per year.

The probability of hitting a uniformly at random chosen word of the standard German vocabulary within one year is therefore about 56%.

Therefore, a more secure password should be chosen, containing letters, digits and special characters.