I'm working on a project that has an implementation of JOSSO in place.
We are using JOSSO version 1.8.5.
The requirement is to lock users out of the system after 3 failed login attempts.
Does anyone know how / if this can be done with JOSSO? I've looked through the documentation but can't find any references to this kind of functionality, but I'm sure it must be pretty standard functionality for an authentication application.
What we've tried so far:
- in josso-gateway-db-stores.xml we've tried changing the SQL used to retrieve users from the database from:
credentialsQueryString="SELECT username AS username , password AS password FROM users WHERE username = ?"
to
credentialsQueryString="UPDATE users SET failed_login_attempts = failed_login_attempts + 1 where username = ?; SELECT username AS username , password AS password FROM users WHERE username = ?"
The plan was to then reset the count as soon as the user successfully logged in to the system. However, it is invalid to run UPDATE SQL at this point and it throws an Exception.
We have also looked through the JOSSO application to try to find hooks that we can use to implement a callback function after a successful/unsuccessful login, but unfortunately have had no luck here either.
Does anyone have any experience doing this?
Look at JOSSO's authenticatorImpl, which can be inherited to count the number of tries and lock the account, in a timeboxed hashtable if necessary.
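As an added illustration of the answer's suggestion (and of the counter the question was trying to keep in the database), here is a standalone time-boxed failed-login counter in Java. It is example code written for this page, not JOSSO code, and it does not show the JOSSO authenticator subclass itself, because that class's method signature depends on the JOSSO version in use; the intended wiring, stated as an assumption, is that the subclass calls isLocked() before delegating to the parent's credential check and recordFailure()/recordSuccess() afterwards. The class name, the username and the clock values are constructed for the example.

```java
import java.time.Duration;
import java.time.Instant;
import java.util.ArrayDeque;
import java.util.Deque;
import java.util.HashMap;
import java.util.Map;

// Constructed example: a time-boxed failed-login counter with a temporary lockout.
// It is independent of JOSSO. Assumed wiring: an authenticator subclass consults
// isLocked() before verifying credentials (so a locked account is rejected even
// with the right password) and calls recordFailure()/recordSuccess() afterwards.
public class LoginLockoutPolicy {
    private final int maxFailures;        // 3, as in the question
    private final Duration window;        // failures older than this are forgotten
    private final Duration lockDuration;  // how long the account stays locked

    // Per-username timestamps of recent failures, oldest first.
    private final Map<String, Deque<Instant>> failures = new HashMap<>();
    // Per-username lock expiry; absent means not locked.
    private final Map<String, Instant> lockedUntil = new HashMap<>();

    public LoginLockoutPolicy(int maxFailures, Duration window, Duration lockDuration) {
        this.maxFailures = maxFailures;
        this.window = window;
        this.lockDuration = lockDuration;
    }

    /** True while the username is locked; an expired lock is cleared lazily. */
    public synchronized boolean isLocked(String username, Instant now) {
        Instant until = lockedUntil.get(username);
        if (until == null) {
            return false;
        }
        if (now.isBefore(until)) {
            return true;
        }
        // Lock has expired: forget it and start the failure count afresh.
        lockedUntil.remove(username);
        failures.remove(username);
        return false;
    }

    /** Records a failed attempt; locks the account once maxFailures fall inside the window. */
    public synchronized void recordFailure(String username, Instant now) {
        Deque<Instant> recent = failures.computeIfAbsent(username, k -> new ArrayDeque<>());
        recent.addLast(now);
        // Drop failures that are older than the window (this is the "timebox").
        Instant cutoff = now.minus(window);
        while (!recent.isEmpty() && recent.peekFirst().isBefore(cutoff)) {
            recent.pollFirst();
        }
        if (recent.size() >= maxFailures) {
            lockedUntil.put(username, now.plus(lockDuration));
        }
    }

    /** A successful login resets the counter, which is what the question's plan intended. */
    public synchronized void recordSuccess(String username) {
        failures.remove(username);
    }

    /** Number of failures currently inside the window (useful for logging/alerting). */
    public synchronized int recentFailures(String username) {
        Deque<Instant> recent = failures.get(username);
        return recent == null ? 0 : recent.size();
    }

    public static void main(String[] args) {
        LoginLockoutPolicy policy =
            new LoginLockoutPolicy(3, Duration.ofMinutes(15), Duration.ofMinutes(30));
        Instant t0 = Instant.parse("2024-01-01T10:00:00Z"); // constructed clock
        String user = "alice";                               // constructed username

        policy.recordFailure(user, t0);
        policy.recordFailure(user, t0.plusSeconds(10));
        System.out.println("locked after 2 failures? " + policy.isLocked(user, t0.plusSeconds(11)));
        policy.recordFailure(user, t0.plusSeconds(20));
        System.out.println("locked after 3 failures? " + policy.isLocked(user, t0.plusSeconds(21)));
        System.out.println("still locked 29 min later? " + policy.isLocked(user, t0.plus(Duration.ofMinutes(29))));
        System.out.println("locked 31 min later? " + policy.isLocked(user, t0.plus(Duration.ofMinutes(31))));

        // Two failures more than a window apart do not accumulate towards a lock.
        policy.recordFailure(user, t0.plus(Duration.ofHours(2)));
        policy.recordFailure(user, t0.plus(Duration.ofHours(3)));
        System.out.println("failures counted in window: " + policy.recentFailures(user));
    }
}
```

Two design points worth noting. The lock is temporary rather than permanent because a username-keyed lockout can otherwise be used to keep a legitimate user out by deliberately failing logins against their name; a time-limited lock plus alerting on the lock event gives the security team the signal without making the account unusable indefinitely. The in-memory HashMap is only adequate for a single gateway JVM; where the gateway is clustered, the same counter and expiry belong in the users table (the failed_login_attempts column the question already added), updated from the authenticator callbacks rather than from the credentials SELECT, which JOSSO expects to be a pure read.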