Class StorageBackedAccountLockoutManager

All Implemented Interfaces:
AccountLockoutManager, Component, DestructableComponent, IdentifiableComponent, IdentifiedComponent, InitializableComponent

public class StorageBackedAccountLockoutManager extends AbstractIdentifiableInitializableComponent implements AccountLockoutManager
Implementation of AccountLockoutManager interface that relies on a StorageService to track lockout state.
  • Field Details

    • log

      @Nonnull private org.slf4j.Logger log
      Class logger.
    • storageService

      @NonnullAfterInit private StorageService storageService
      Backing service.
    • lockoutKeyStrategy

      @Nullable private Function<ProfileRequestContext,String> lockoutKeyStrategy
      Lookup function to produce account lockout keys.
    • maxAttemptsLookupStrategy

      @Nonnull private Function<ProfileRequestContext,Integer> maxAttemptsLookupStrategy
      Lookup function for maximum failed attempts within window.
    • counterIntervalLookupStrategy

      @Nonnull private Function<ProfileRequestContext,Duration> counterIntervalLookupStrategy
      Lookup function for interval after which counter is reset.
    • lockoutDurationLookupStrategy

      @Nonnull private Function<ProfileRequestContext,Duration> lockoutDurationLookupStrategy
      Lookup function for duration of lockout.
    • extendLockoutDuration

      private boolean extendLockoutDuration
      Controls whether attempts against locked accounts extend duration.
  • Constructor Details

    • StorageBackedAccountLockoutManager

      public StorageBackedAccountLockoutManager()
      Constructor.
  • Method Details

    • setStorageService

      public void setStorageService(@Nonnull StorageService storage)
      Set the StorageService back-end to use.
      Parameters:
      storage - the back-end to use
    • setLockoutKeyStrategy

      public void setLockoutKeyStrategy(@Nonnull Function<ProfileRequestContext,String> strategy)
      Set the strategy function to compute the account lockout key.

      Defaults to a concatenation of the username and client address.

      Parameters:
      strategy - strategy function
    • setMaxAttempts

      public void setMaxAttempts(@Positive int attempts)
      Set the maximum failed attempts within window.

      Defaults to 5.

      Parameters:
      attempts - maximum failed attempts
    • setMaxAttemptsLookupStrategy

      public void setMaxAttemptsLookupStrategy(@Nonnull Function<ProfileRequestContext,Integer> strategy)
      Set lookup function for maximum failed attempts within window.

      The function MUST return a positive value.

      Parameters:
      strategy - lookup function
    • setCounterInterval

      public void setCounterInterval(@Nonnull Duration window)
      Set interval after which counter is reset.

      Defaults to 5 minutes.

      Parameters:
      window - counter window
    • setCounterIntervalLookupStrategy

      public void setCounterIntervalLookupStrategy(@Nonnull Function<ProfileRequestContext,Duration> strategy)
      Set lookup function for interval after which counter is reset.

      The function MUST return a positive value.

      Parameters:
      strategy - lookup function
    • setLockoutDuration

      public void setLockoutDuration(@Nonnull Duration duration)
      Set lockout duration.

      Defaults to 5 minutes.

      Parameters:
      duration - lockout duration
    • setLockoutDurationLookupStrategy

      public void setLockoutDurationLookupStrategy(@Nonnull Function<ProfileRequestContext,Duration> strategy)
      Set lookup function for lockout duration.

      The function MUST return a positive value. Use a large value for permanent lockout.

      Parameters:
      strategy - lookup function
    • setExtendLockoutDuration

      public void setExtendLockoutDuration(boolean flag)
      Set whether to extend the lockout duration on attempts during lockout.
      Parameters:
      flag - flag to set
    • doInitialize

      protected void doInitialize() throws ComponentInitializationException
      Overrides:
      doInitialize in class AbstractIdentifiedInitializableComponent
      Throws:
      ComponentInitializationException
    • check

      public boolean check(@Nonnull ProfileRequestContext profileRequestContext)
      Check if the authentication credentials associated with the request are subject to lockout.
      Specified by:
      check in interface AccountLockoutManager
      Parameters:
      profileRequestContext - current profile request context
      Returns:
      true iff the credentials correspond to a locked account
    • increment

      public boolean increment(@Nonnull ProfileRequestContext profileRequestContext)
      Increment the lockout counter for the authentication credentials associated with the request.
      Specified by:
      increment in interface AccountLockoutManager
      Parameters:
      profileRequestContext - current profile request context
      Returns:
      true iff the counter was incremented
    • clear

      public boolean clear(@Nonnull ProfileRequestContext profileRequestContext)
      Clear the lockout state for the authentication credentials associated with the request.
      Specified by:
      clear in interface AccountLockoutManager
      Parameters:
      profileRequestContext - current profile request context
      Returns:
      true iff the state was successfully cleared
    • doIncrement

      protected boolean doIncrement(@Nonnull ProfileRequestContext profileRequestContext, @Nonnull @NotEmpty String key, int retries)
Implements the invalid-login-attempt counter on top of the storage service, retrying the update as necessary (for example when a concurrent update to the same key invalidates the read).
      Parameters:
      profileRequestContext - current profile request context
      key - account lockout key
      retries - number of additional retries to allow
      Returns:
      true iff successful
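The following is an added example (not code from the Shibboleth project) showing how the setters above are wired together programmatically and how a password-validation step would drive check, increment and clear. The package names, the MemoryStorageService back-end, and the AuthenticationContext/UsernamePasswordContext lookup inside the custom key strategy are assumptions about the surrounding IdP code base; only the StorageBackedAccountLockoutManager methods themselves come from this page.

```java
import java.time.Duration;
import java.util.function.Function;

// Assumed import locations (IdP 4.x / OpenSAML 4.x layout).
import net.shibboleth.idp.authn.context.AuthenticationContext;
import net.shibboleth.idp.authn.context.UsernamePasswordContext;
import net.shibboleth.idp.authn.impl.StorageBackedAccountLockoutManager;
import org.opensaml.profile.context.ProfileRequestContext;
import org.opensaml.storage.impl.MemoryStorageService;

/** Added example: configures the lockout manager and runs one login through it. */
public final class LockoutManagerExample {

    /** Lock after 5 failures inside a 5-minute window; stay locked for 15 minutes. */
    static StorageBackedAccountLockoutManager buildManager() throws Exception {
        // In-memory StorageService: adequate for a single node. A clustered IdP needs a
        // shared back-end, otherwise every node keeps its own, independent counters.
        final MemoryStorageService storage = new MemoryStorageService();
        storage.setId("lockoutStorage");
        storage.initialize();

        // Assumed custom key strategy: username only, case-folded. The documented default
        // keys on username + client address, which an attacker rotating source addresses can
        // sidestep; keying on username alone closes that gap but lets anyone who knows a
        // username lock that user out, so keep lockoutDuration short and leave
        // extendLockoutDuration off to limit the denial-of-service surface.
        final Function<ProfileRequestContext, String> usernameKey = prc -> {
            final AuthenticationContext ac = prc.getSubcontext(AuthenticationContext.class);
            final UsernamePasswordContext upc =
                    ac != null ? ac.getSubcontext(UsernamePasswordContext.class) : null;
            if (upc == null || upc.getUsername() == null) {
                return null;   // no key: the manager cannot track this request
            }
            return upc.getUsername().trim().toLowerCase();
        };

        final StorageBackedAccountLockoutManager mgr = new StorageBackedAccountLockoutManager();
        mgr.setId("AccountLockoutManager");   // doInitialize() rejects a component without an id
        mgr.setStorageService(storage);
        mgr.setLockoutKeyStrategy(usernameKey);
        mgr.setMaxAttempts(5);                           // failures tolerated inside the counter window
        mgr.setCounterInterval(Duration.ofMinutes(5));   // quiet time after which the counter resets
        mgr.setLockoutDuration(Duration.ofMinutes(15));  // how long a locked key stays locked
        mgr.setExtendLockoutDuration(false);             // attempts during lockout do not prolong it
        mgr.initialize();
        return mgr;
    }

    /**
     * The check / increment / clear sequence around one credential validation.
     * credentialsValid stands in for the real password check.
     * @return true if the login is accepted
     */
    static boolean handleLogin(final StorageBackedAccountLockoutManager mgr,
                               final ProfileRequestContext prc,
                               final boolean credentialsValid) {
        if (mgr.check(prc)) {
            // Locked: refuse before consulting the credential store, and do not call
            // increment here unless extendLockoutDuration is deliberately in use.
            return false;
        }
        if (!credentialsValid) {
            mgr.increment(prc);   // count the failure; reaching maxAttempts in the window locks the key
            return false;
        }
        mgr.clear(prc);           // a successful login wipes the counter for this key
        return true;
    }

    public static void main(final String[] args) throws Exception {
        final StorageBackedAccountLockoutManager mgr = buildManager();

        // Constructed request: a UsernamePasswordContext for "Alice" under an AuthenticationContext.
        final ProfileRequestContext prc = new ProfileRequestContext();
        final AuthenticationContext ac = new AuthenticationContext();
        prc.addSubcontext(ac);
        final UsernamePasswordContext upc = new UsernamePasswordContext();
        upc.setUsername("Alice");
        ac.addSubcontext(upc);

        for (int i = 1; i <= 5; i++) {
            handleLogin(mgr, prc, false);   // five bad passwords in quick succession
        }
        System.out.println("locked: " + mgr.check(prc));
        System.out.println("correct password accepted while locked: " + handleLogin(mgr, prc, true));
        mgr.clear(prc);                     // administrative unlock
        System.out.println("accepted after clear: " + handleLogin(mgr, prc, true));
    }
}
```

Two points worth checking in a real deployment: the key strategy decides which attacker the lockout defends against (per-address keys stop a single host, per-username keys stop distributed guessing but are abusable for denial of service), and the storage back-end decides whether the counter is global across IdP nodes. Whatever the key, the setter contract on this page requires every lookup strategy to return a positive value, so a strategy that derives the window or duration from request data should clamp its result.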