Package net.shibboleth.idp.authn.impl
Class StorageBackedAccountLockoutManager
- java.lang.Object
  - net.shibboleth.utilities.java.support.component.AbstractInitializableComponent
    - net.shibboleth.utilities.java.support.component.AbstractIdentifiedInitializableComponent
      - net.shibboleth.utilities.java.support.component.AbstractIdentifiableInitializableComponent
        - net.shibboleth.idp.authn.impl.StorageBackedAccountLockoutManager

All Implemented Interfaces:
AccountLockoutManager, Component, DestructableComponent, IdentifiableComponent, IdentifiedComponent, InitializableComponent

public class StorageBackedAccountLockoutManager extends AbstractIdentifiableInitializableComponent implements AccountLockoutManager

Implementation of AccountLockoutManager interface that relies on a StorageService to track lockout state.

Nested Class Summary
- static class StorageBackedAccountLockoutManager.UsernameIPLockoutKeyStrategy
  A function to generate a key for lockout storage.

Field Summary
- private Function<ProfileRequestContext,Duration> counterIntervalLookupStrategy
  Lookup function for interval after which counter is reset.
- private boolean extendLockoutDuration
  Controls whether attempts against locked accounts extend duration.
- private Function<ProfileRequestContext,Duration> lockoutDurationLookupStrategy
  Lookup function for duration of lockout.
- private Function<ProfileRequestContext,String> lockoutKeyStrategy
  Lookup function to produce account lockout keys.
- private org.slf4j.Logger log
  Class logger.
- private Function<ProfileRequestContext,Integer> maxAttemptsLookupStrategy
  Lookup function for maximum failed attempts within window.
- private StorageService storageService
  Backing service.

Constructor Summary
- StorageBackedAccountLockoutManager()
  Constructor.

Method Summary
- boolean check(ProfileRequestContext profileRequestContext)
- boolean clear(ProfileRequestContext profileRequestContext)
- protected boolean doIncrement(ProfileRequestContext profileRequestContext, String key, int retries)
  Implement invalid login attempt counter via storage service, retrying as necessary.
- protected void doInitialize()
- boolean increment(ProfileRequestContext profileRequestContext)
- void setCounterInterval(Duration window)
  Set interval after which counter is reset.
- void setCounterIntervalLookupStrategy(Function<ProfileRequestContext,Duration> strategy)
  Set lookup function for interval after which counter is reset.
- void setExtendLockoutDuration(boolean flag)
  Set whether to extend the lockout duration on attempts during lockout.
- void setLockoutDuration(Duration duration)
  Set lockout duration.
- void setLockoutDurationLookupStrategy(Function<ProfileRequestContext,Duration> strategy)
  Set lookup function for lockout duration.
- void setLockoutKeyStrategy(Function<ProfileRequestContext,String> strategy)
  Set the strategy function to compute the account lockout key.
- void setMaxAttempts(int attempts)
  Set the maximum failed attempts within window.
- void setMaxAttemptsLookupStrategy(Function<ProfileRequestContext,Integer> strategy)
  Set lookup function for maximum failed attempts within window.
- void setStorageService(StorageService storage)
  Set the StorageService back-end to use.

Methods inherited from class net.shibboleth.utilities.java.support.component.AbstractIdentifiableInitializableComponent
setId

Methods inherited from class net.shibboleth.utilities.java.support.component.AbstractIdentifiedInitializableComponent
getId

Methods inherited from class net.shibboleth.utilities.java.support.component.AbstractInitializableComponent
destroy, doDestroy, initialize, isDestroyed, isInitialized

Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Methods inherited from interface net.shibboleth.utilities.java.support.component.IdentifiedComponent
getId

Field Detail

log
@Nonnull private org.slf4j.Logger log
Class logger.

storageService
@NonnullAfterInit private StorageService storageService
Backing service.

lockoutKeyStrategy
@Nullable private Function<ProfileRequestContext,String> lockoutKeyStrategy
Lookup function to produce account lockout keys.

maxAttemptsLookupStrategy
@Nonnull private Function<ProfileRequestContext,Integer> maxAttemptsLookupStrategy
Lookup function for maximum failed attempts within window.

counterIntervalLookupStrategy
@Nonnull private Function<ProfileRequestContext,Duration> counterIntervalLookupStrategy
Lookup function for interval after which counter is reset.

lockoutDurationLookupStrategy
@Nonnull private Function<ProfileRequestContext,Duration> lockoutDurationLookupStrategy
Lookup function for duration of lockout.

extendLockoutDuration
private boolean extendLockoutDuration
Controls whether attempts against locked accounts extend duration.

Method Detail

setStorageService
public void setStorageService(@Nonnull StorageService storage)
Set the StorageService back-end to use.
Parameters:
storage - the back-end to use

setLockoutKeyStrategy
public void setLockoutKeyStrategy(@Nonnull Function<ProfileRequestContext,String> strategy)
Set the strategy function to compute the account lockout key.
Defaults to a concatenation of the username and client address.
Parameters:
strategy - strategy function

setMaxAttempts
public void setMaxAttempts(@Positive int attempts)
Set the maximum failed attempts within window.
Defaults to 5.
Parameters:
attempts - maximum failed attempts

setMaxAttemptsLookupStrategy
public void setMaxAttemptsLookupStrategy(@Nonnull Function<ProfileRequestContext,Integer> strategy)
Set lookup function for maximum failed attempts within window.
The function MUST return a positive value.
Parameters:
strategy - lookup function

setCounterInterval
public void setCounterInterval(@Nonnull Duration window)
Set interval after which counter is reset.
Defaults to 5 minutes.
Parameters:
window - counter window

setCounterIntervalLookupStrategy
public void setCounterIntervalLookupStrategy(@Nonnull Function<ProfileRequestContext,Duration> strategy)
Set lookup function for interval after which counter is reset.
The function MUST return a positive value.
Parameters:
strategy - lookup function

setLockoutDuration
public void setLockoutDuration(@Nonnull Duration duration)
Set lockout duration.
Defaults to 5 minutes.
Parameters:
duration - lockout duration

setLockoutDurationLookupStrategy
public void setLockoutDurationLookupStrategy(@Nonnull Function<ProfileRequestContext,Duration> strategy)
Set lookup function for lockout duration.
The function MUST return a positive value. Use a large value for permanent lockout.
Parameters:
strategy - lookup function

setExtendLockoutDuration
public void setExtendLockoutDuration(boolean flag)
Set whether to extend the lockout duration on attempts during lockout.
Parameters:
flag - flag to set

doInitialize
protected void doInitialize() throws ComponentInitializationException
Overrides:
doInitialize in class AbstractIdentifiedInitializableComponent
Throws:
ComponentInitializationException

check
public boolean check(@Nonnull ProfileRequestContext profileRequestContext)
Specified by:
check in interface AccountLockoutManager

increment
public boolean increment(@Nonnull ProfileRequestContext profileRequestContext)
Specified by:
increment in interface AccountLockoutManager

clear
public boolean clear(@Nonnull ProfileRequestContext profileRequestContext)
Specified by:
clear in interface AccountLockoutManager

doIncrement
protected boolean doIncrement(@Nonnull ProfileRequestContext profileRequestContext, @Nonnull @NotEmpty String key, int retries)
Implement invalid login attempt counter via storage service, retrying as necessary.
Parameters:
profileRequestContext - current profile request context
key - account lockout key
retries - number of additional retries to allow
Returns:
true iff successful
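
Added example (not code from the Shibboleth project): wiring the setters documented above programmatically, with a hypothetical username-only key strategy replacing the default username-plus-client-address key. It assumes the java.util.function.Function variant of the API, OpenSAML's MemoryStorageService as the StorageService, and a password login flow that populates UsernamePasswordContext; the component ids and threshold values are illustrative.

```java
import java.time.Duration;
import java.util.function.Function;

import org.opensaml.profile.context.ProfileRequestContext;
import org.opensaml.storage.impl.MemoryStorageService;

import net.shibboleth.idp.authn.context.AuthenticationContext;
import net.shibboleth.idp.authn.context.UsernamePasswordContext;
import net.shibboleth.idp.authn.impl.StorageBackedAccountLockoutManager;
import net.shibboleth.utilities.java.support.component.ComponentInitializationException;

public final class LockoutManagerExample {

    /**
     * Hypothetical strategy: key on the username alone, so failures from
     * different client addresses share one counter. Returns null when no
     * username is available; how the manager treats a null key is not
     * stated on this page.
     */
    static final Function<ProfileRequestContext,String> USERNAME_ONLY_KEY = prc -> {
        final AuthenticationContext authn = prc.getSubcontext(AuthenticationContext.class);
        final UsernamePasswordContext up =
                authn != null ? authn.getSubcontext(UsernamePasswordContext.class) : null;
        final String username = up != null ? up.getUsername() : null;
        return username != null && !username.isEmpty() ? username : null;
    };

    public static StorageBackedAccountLockoutManager build() throws ComponentInitializationException {
        // In-memory store, used only to keep the example self-contained.
        final MemoryStorageService storage = new MemoryStorageService();
        storage.setId("exampleLockoutStorage");          // illustrative id
        storage.initialize();

        final StorageBackedAccountLockoutManager manager = new StorageBackedAccountLockoutManager();
        manager.setId("exampleLockoutManager");           // illustrative id
        manager.setStorageService(storage);
        manager.setMaxAttempts(5);                         // documented default
        manager.setCounterInterval(Duration.ofMinutes(5)); // documented default
        manager.setLockoutDuration(Duration.ofMinutes(15)); // longer than the 5-minute default
        manager.setExtendLockoutDuration(true);            // attempts during lockout extend it
        manager.setLockoutKeyStrategy(USERNAME_ONLY_KEY);
        manager.initialize();
        return manager;
    }
}
```

Keying on the username alone counts failures across all client addresses, at the cost that anyone who knows a username can trigger that account's lockout; the default username-plus-address key counts each address separately.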