Class BruteForceRealmWrapper

java.lang.Object
org.wildfly.security.auth.realm.BruteForceRealmWrapper

public class BruteForceRealmWrapper extends Object
A wrapper around SecurityRealm instances that adds detection of brute force password guessing attacks. After a failed authentication attempt a FailureSession is created to track the failure count and to coordinate temporarily disabling the identity. This implementation is held entirely in memory, so the tracked state will be cleared if the server is reloaded or restarted.
Author:
Darran Lofthouse
  • Constructor Details

    • BruteForceRealmWrapper

      public BruteForceRealmWrapper()
  • Method Details

    • create

      public static BruteForceRealmWrapper create()
      Create a new instance of BruteForceRealmWrapper that can be used to wrap a SecurityRealm instance and provide brute force protection.
      Returns:
      a new instance of BruteForceRealmWrapper.
    • withExecutor

      public BruteForceRealmWrapper withExecutor(ScheduledExecutorService executor)
      Set the ScheduledExecutorService that will be used for expiring the sessions tracking authentication failures.
      Parameters:
      executor - the ScheduledExecutorService
      Returns:
      this to allow chaining.
    • setRealmName

      public BruteForceRealmWrapper setRealmName(String realmName)
      Set the realm name that should be used in any log messages. If no realm name is specified the simple class name of the wrapped realm will be used instead.
      Parameters:
      realmName - the realm name that should be used in any log messages.
      Returns:
      this to allow chaining.
    • setMaxFailedAttempts

      public BruteForceRealmWrapper setMaxFailedAttempts(int maxFailedAttempts)
      Set the maximum number of consecutive failed login attempts for a specific user before the lockout kicks in for the configured interval.
      Parameters:
      maxFailedAttempts - the maximum number of failed attempts before the lockout interval kicks in.
      Returns:
      this to allow chaining.
    • setLockoutInterval

      public BruteForceRealmWrapper setLockoutInterval(int lockoutInterval)
      Set the interval, in minutes, for which the account will be locked once the maximum number of failed authentication attempts has been reached. Subsequent failed attempts during the lockout period will renew the lockout indefinitely, even if those attempts use the correct credential.
      Parameters:
      lockoutInterval - the lockout interval in minutes.
      Returns:
      this to allow chaining.
    • setFailureSessionTimeout

      public BruteForceRealmWrapper setFailureSessionTimeout(int failureSessionTimeout)
      Set how long, in minutes, the tracking session is kept alive after a failed authentication attempt. Subsequent failed attempts will renew the timeout.
      Parameters:
      failureSessionTimeout - the failure session timeout in minutes.
      Returns:
      this to allow chaining.
    • setMaxCachedSessions

      public BruteForceRealmWrapper setMaxCachedSessions(int maxCachedSessions)
      Set the maximum number of sessions that will be cached before the least recently used session is evicted from the cache.
      Parameters:
      maxCachedSessions - the maximum number of sessions that will be cached before the least recently used session is evicted.
      Returns:
      this to allow chaining.
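
The following Java sketch is an added example, not Elytron's implementation and not part of the original Javadoc: a simplified in-memory model of the behaviour documented for setMaxFailedAttempts, setLockoutInterval, setFailureSessionTimeout and setMaxCachedSessions, showing that a correct credential presented during the lockout is rejected and renews it. The names LockoutModel, Session and attempt are hypothetical; locking on reaching the maximum and clearing the count on a successful attempt are assumptions.

```java
import java.util.LinkedHashMap;
import java.util.Map;
/** Simplified model of the documented lockout semantics; not Elytron's code. */
public class LockoutModel {
    /** Per-identity state, standing in for the FailureSession the class description mentions. */
    static final class Session { int failures; long lockedUntil; long expiresAt; }
    final int maxFailedAttempts, lockoutInterval, failureSessionTimeout; // intervals in minutes
    final Map<String, Session> sessions;

    LockoutModel(int maxFailed, int lockout, int timeout, final int maxCachedSessions) {
        maxFailedAttempts = maxFailed;
        lockoutInterval = lockout;
        failureSessionTimeout = timeout;
        // Access-ordered map, so the least recently used session is the one evicted.
        sessions = new LinkedHashMap<String, Session>(16, 0.75f, true) {
            @Override protected boolean removeEldestEntry(Map.Entry<String, Session> eldest) {
                return size() > maxCachedSessions;
            }
        };
    }

    /** Returns true only when the attempt is accepted; now is a clock reading in minutes. */
    boolean attempt(String user, boolean credentialOk, long now) {
        Session s = sessions.get(user);
        if (s != null && now >= s.expiresAt && now >= s.lockedUntil) {
            sessions.remove(user); // tracking session timed out with no further failures
            s = null;
        }
        if (s != null && now < s.lockedUntil) {
            s.lockedUntil = now + lockoutInterval; // any attempt while locked renews the lockout
            s.expiresAt = now + failureSessionTimeout;
            return false; // rejected even when the credential is correct
        }
        if (credentialOk) { sessions.remove(user); return true; } // assumption: success clears the count
        if (s == null) { s = new Session(); sessions.put(user, s); }
        s.failures++;
        s.expiresAt = now + failureSessionTimeout; // each failure renews the session timeout
        if (s.failures >= maxFailedAttempts) s.lockedUntil = now + lockoutInterval; // assumption: lock on reaching the maximum
        return false;
    }

    public static void main(String[] args) {
        LockoutModel m = new LockoutModel(3, 15, 30, 1000); // constructed sample settings
        for (int t = 0; t < 3; t++) m.attempt("alice", false, t); // three consecutive failures
        if (m.attempt("alice", true, 10)) throw new AssertionError("locked: correct password must fail");
        if (m.attempt("alice", true, 20)) throw new AssertionError("attempt at t=10 renewed the lockout");
        if (!m.attempt("alice", true, 40)) throw new AssertionError("quiet for a full interval: unlocked");
        System.out.println("lockout model behaved as documented");
    }
}
```

Because every attempt inside the lockout window renews it, a legitimate user who keeps retrying stays locked out; the model makes that visible with the attempts at minutes 10 and 20.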
    • addAdditionalInterface

      public BruteForceRealmWrapper addAdditionalInterface(Class<?> interfaze)
      Add an additional interface to be proxied by the dynamic proxy.
      Parameters:
      interfaze - an additional interface to be proxied by the dynamic proxy.
      Returns:
      this to allow chaining.
    • wrapping

      public BruteForceRealmWrapper wrapping(SecurityRealm toWrap)
      Set the security realm that is to be wrapped by the wrapper.
      Parameters:
      toWrap - the security realm that is to be wrapped by the wrapper.
      Returns:
      this to allow chaining.
    • wrap

      public <S extends SecurityRealm> S wrap(Class<S> securityRealmType)