Class StorageBackedAccountLockoutManager

All Implemented Interfaces:
AccountLockoutManager, EnumeratableAccountLockoutManager, Component, DestructableComponent, IdentifiableComponent, IdentifiedComponent, InitializableComponent

public class StorageBackedAccountLockoutManager extends AbstractIdentifiableInitializableComponent implements EnumeratableAccountLockoutManager
Implementation of EnumeratableAccountLockoutManager interface that relies on a StorageService to track lockout state.
  • Constructor Details

    • StorageBackedAccountLockoutManager

      public StorageBackedAccountLockoutManager()
      Constructor.
  • Method Details

    • setStorageService

      public void setStorageService(@Nonnull StorageService storage)
      Set the StorageService back-end to use.
      Parameters:
      storage - the back-end to use
    • setLockoutKeyStrategy

      public void setLockoutKeyStrategy(@Nonnull Function<ProfileRequestContext,String> strategy)
      Set the strategy function to compute the account lockout key.

      Defaults to a concatenation of the username and client address.

      Parameters:
      strategy - strategy function
    • setMaxAttempts

      public void setMaxAttempts(@Positive int attempts)
      Set the maximum number of failed attempts within the counter window.

      Defaults to 5.

      Parameters:
      attempts - maximum failed attempts
    • setMaxAttemptsLookupStrategy

      public void setMaxAttemptsLookupStrategy(@Nonnull Function<ProfileRequestContext,Integer> strategy)
      Set lookup function for maximum failed attempts within window.

      The function MUST return a positive value.

      Parameters:
      strategy - lookup function
    • setCounterInterval

      public void setCounterInterval(@Nonnull Duration window)
      Set the interval after which the counter is reset.

      Defaults to 5 minutes.

      Parameters:
      window - counter window
    • setCounterIntervalLookupStrategy

      public void setCounterIntervalLookupStrategy(@Nonnull Function<ProfileRequestContext,Duration> strategy)
      Set the lookup function for the interval after which the counter is reset.

      The function MUST return a positive value.

      Parameters:
      strategy - lookup function
    • setLockoutDuration

      public void setLockoutDuration(@Nonnull Duration duration)
      Set lockout duration.

      Defaults to 5 minutes.

      Parameters:
      duration - lockout duration
    • setLockoutDurationLookupStrategy

      public void setLockoutDurationLookupStrategy(@Nonnull Function<ProfileRequestContext,Duration> strategy)
      Set lookup function for lockout duration.

      The function MUST return a positive value. Use a large value for permanent lockout.

      Parameters:
      strategy - lookup function
    • setExtendLockoutDuration

      public void setExtendLockoutDuration(boolean flag)
      Set whether to extend the lockout duration on attempts during lockout.
      Parameters:
      flag - flag to set
    • doInitialize

      protected void doInitialize() throws ComponentInitializationException
      Overrides:
      doInitialize in class AbstractIdentifiedInitializableComponent
      Throws:
      ComponentInitializationException
    • getLockoutKeyStrategy

      @Nonnull private Function<ProfileRequestContext,String> getLockoutKeyStrategy()
      Guaranteed non-null value for lockoutKeyStrategy. Non-nullness is checked in doInitialize(), so it suffices to check the component state.
      Returns:
      a null-safe lockoutKeyStrategy
    • check

      public boolean check(@Nonnull ProfileRequestContext profileRequestContext)
      Check if the authentication credentials associated with the request are subject to lockout.
      Specified by:
      check in interface AccountLockoutManager
      Parameters:
      profileRequestContext - current profile request context
      Returns:
      true iff the credentials correspond to a locked account
    • increment

      public boolean increment(@Nonnull ProfileRequestContext profileRequestContext)
      Increment the lockout counter for the authentication credentials associated with the request.
      Specified by:
      increment in interface AccountLockoutManager
      Parameters:
      profileRequestContext - current profile request context
      Returns:
      true iff the counter was incremented
    • clear

      public boolean clear(@Nonnull ProfileRequestContext profileRequestContext)
      Clear the lockout state for the authentication credentials associated with the request.
      Specified by:
      clear in interface AccountLockoutManager
      Parameters:
      profileRequestContext - current profile request context
      Returns:
      true iff the state was successfully cleared
    • enumerate

      @Nullable public Iterable<String> enumerate(@Nonnull ProfileRequestContext profileRequestContext)
      Return iterable collection of locked out keys that match a supplied partial key (i.e., are prefixed by it).

      The key MUST be supplied via a LockoutManagerContext subcontext of the input context.

      Specified by:
      enumerate in interface EnumeratableAccountLockoutManager
      Parameters:
      profileRequestContext - current profile request context
      Returns:
      the locked out keys, or null if an error occurs
    • doCheck

      protected boolean doCheck(@Nonnull ProfileRequestContext profileRequestContext, @Nonnull String key, int maxAttempts, long lockoutDuration, long counterInterval, boolean increment)
      Helper method to perform a check operation against a specific key.
      Parameters:
      profileRequestContext - current profile request context
      key - input key to check
      maxAttempts - maximum allowable attempts before lockout
      lockoutDuration - duration of lockout
      counterInterval - interval before disregarding attempts
      increment - whether to increment the counter if already locked out
      Returns:
      true iff the designated key is locked out
    • doIncrement

      protected boolean doIncrement(@Nonnull ProfileRequestContext profileRequestContext, @Nonnull @NotEmpty String key, int retries, long lockoutDuration, long counterInterval)
      Implement invalid login attempt counter via storage service, retrying as necessary.
      Parameters:
      profileRequestContext - current profile request context
      key - account lockout key
      retries - number of additional retries to allow
      lockoutDuration - duration of lockout
      counterInterval - interval before disregarding attempts
      Returns:
      true iff successful
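The semantics the setters above configure (a failure counter keyed by username plus client address that resets after the counter interval, a lockout once the maximum attempts are reached, optional extension of the lockout on attempts made while locked, and prefix enumeration of locked keys) as an added Python model; this is not the project's Java code, an in-memory dict stands in for the StorageService, the clock is injected so the timing can be exercised, and the '!' key separator is an assumption.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List
@dataclass
class LockoutRecord:  # constructed stand-in for a StorageService record
    count: int           # failed attempts within the current window
    last_attempt: float  # time of the most recent failed attempt (seconds)

class LockoutModel:
    """Hypothetical in-memory model of the documented check/increment/clear/enumerate behaviour."""
    def __init__(self, clock: Callable[[], float], max_attempts: int = 5, counter_interval: float = 300.0,
                 lockout_duration: float = 300.0, extend_lockout: bool = False) -> None:
        # Defaults mirror the documented ones: 5 attempts, 5-minute window, 5-minute lockout.
        assert max_attempts > 0 and counter_interval > 0 and lockout_duration > 0
        self.max_attempts, self.counter_interval = max_attempts, counter_interval
        self.lockout_duration, self.extend_lockout = lockout_duration, extend_lockout
        self.clock = clock
        self.store: Dict[str, LockoutRecord] = {}

    @staticmethod
    def lockout_key(username: str, client_addr: str) -> str:
        # Default strategy concatenates username and client address; the '!' separator is an assumption.
        return f"{username}!{client_addr}"

    def _locked(self, rec: LockoutRecord, now: float) -> bool:
        return rec.count >= self.max_attempts and now - rec.last_attempt < self.lockout_duration

    def check(self, key: str) -> bool:
        """True iff key is locked out; with extend_lockout an attempt during lockout restarts the lockout clock."""
        rec, now = self.store.get(key), self.clock()
        if rec is None or not self._locked(rec, now):
            return False
        if self.extend_lockout:
            rec.last_attempt = now
        return True

    def increment(self, key: str) -> bool:
        """Count one failed attempt; a counter older than counter_interval (and not locked) restarts at 1."""
        rec, now = self.store.get(key), self.clock()
        if rec is None or (now - rec.last_attempt >= self.counter_interval and not self._locked(rec, now)):
            self.store[key] = LockoutRecord(1, now)
        else:
            rec.count, rec.last_attempt = rec.count + 1, now
        return True

    def clear(self, key: str) -> bool:
        return self.store.pop(key, None) is not None

    def enumerate(self, partial_key: str) -> List[str]:  # locked-out keys prefixed by partial_key, no side effects
        now = self.clock()
        return [k for k, r in self.store.items() if k.startswith(partial_key) and self._locked(r, now)]
```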