com.predic8.membrane.core.interceptor.authentication.session

Class AccountBlocker

java.lang.Object

com.predic8.membrane.core.config.AbstractXmlElement

com.predic8.membrane.core.interceptor.authentication.session.AccountBlocker

All Implemented Interfaces:

XMLElement, CleanupThread.Cleaner

public class AccountBlocker
extends AbstractXmlElement
implements CleanupThread.Cleaner

Description

Keeps track of blocked user accounts (accounts become blocked after too many failed logins).

Explanation

The Account Blocker prevents password and token guessing attempts: It blocks a user (or the whole system) after too many failed login attempts.

When a user entered a wrong password or wrong token more than afterFailedLogins times, this user becomes blocked: He will be prevented from logging in again within the next blockFor milliseconds (writing 3600000 means "for 1 hour").

The failed login attempts have to occur within the last afterFailedLoginsWithin milliseconds (writing 9223372036854775807 means "forever").

If more than blockWholeSystemAfter users become blocked at a time, the all users will become blocked. (This is necessary to limit memory usage.)

Discussion

Say, for example, a scripted dictionary attack tries to guess a user's password. Using the configuration shown above, which is the default configuration if no accountBlocker is declared, this results in 5 guesses per 3600000 milliseconds; or equivalently 42720 guesses per year.

The probability of hitting a uniformly at random chosen word of the standard German vocabulary within one year is therefore about 56%.

Therefore, a more secure password should be chosen, containing letters, digits and special characters.

Constructor Summary

Constructors

Constructor and Description
AccountBlocker()

Method Summary

Modifier and Type	Method and Description
void	cleanup()
boolean	fail(String username)
int	getAfterFailedLogins()
long	getAfterFailedLoginsWithin()
long	getBlockFor()
int	getBlockWholeSystemAfter()
boolean	isBlocked(String username)
protected void	parseAttributes(XMLStreamReader token)
void	setAfterFailedLogins(int afterFailedLogins)
void	setAfterFailedLoginsWithin(long afterFailedLoginsWithin)
void	setBlockFor(long blockFor)
void	setBlockWholeSystemAfter(int blockWholeSystemAfter)
void	unblock(String username)

Methods inherited from class com.predic8.membrane.core.config.AbstractXmlElement

doAfterParsing, getBoolean, getElementName, move2RootElementIfNeeded, parse, parseCharacters, parseChildren, toXml, write, writeIfNotNull

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Constructor Detail

AccountBlocker

public AccountBlocker()

Method Detail

parseAttributes

protected void parseAttributes(XMLStreamReader token)
                        throws Exception

Overrides:

parseAttributes in class AbstractXmlElement

Throws:

Exception

isBlocked

public boolean isBlocked(String username)

unblock

public void unblock(String username)

fail

public boolean fail(String username)

cleanup

public void cleanup()

Specified by:

cleanup in interface CleanupThread.Cleaner

getBlockWholeSystemAfter

public int getBlockWholeSystemAfter()

setBlockWholeSystemAfter

public void setBlockWholeSystemAfter(int blockWholeSystemAfter)

getAfterFailedLogins

public int getAfterFailedLogins()

setAfterFailedLogins

public void setAfterFailedLogins(int afterFailedLogins)

getAfterFailedLoginsWithin

public long getAfterFailedLoginsWithin()

setAfterFailedLoginsWithin

public void setAfterFailedLoginsWithin(long afterFailedLoginsWithin)

getBlockFor

public long getBlockFor()

setBlockFor

public void setBlockFor(long blockFor)