Interface AuthenticationFailureStrategy


  • @Unstable
    @Role
    public interface AuthenticationFailureStrategy
    Describes a strategy to apply once the limit of authentication failures is reached. See AuthenticationConfiguration for the definition of this limit. Note that this strategy may be invoked even for users who have not yet reached the failure limit; this is done to prevent the following scenario:
    • an attacker tries to log in x times with one login
    • a CAPTCHA is displayed in the form to mitigate the attack
    • the attacker moves on to a different login, for which the CAPTCHA is not yet displayed
    In this case, once the CAPTCHA is displayed it should also be applied to the other logins, so that the attacker gains nothing by switching user.
    Since:
    13.1RC1
    Version:
    $Id: a23e7d0b62708b504a31794221104c21be944eaa $
    • Method Detail

      • getErrorMessage

        String getErrorMessage(String username)
        Parameters:
        username - the username used for the authentication failure.
        Returns:
        an error message to be displayed in the login form.
      • getForm

        String getForm(String username)
        Parameters:
        username - the username used for the authentication failure.
        Returns:
        additional form field(s) to be inserted into the login form and processed when validating the authentication.
      • validateForm

        boolean validateForm(String username,
                             javax.servlet.http.HttpServletRequest request)
        Parameters:
        username - the username used for the authentication failure.
        request - the authentication request.
        Returns:
        true if the authentication request can be validated, i.e. if the user should be allowed to log in.
      • notify

        void notify(String username)
        Notify the strategy that the authentication failure limit has been reached for this user. This method should be used to perform operations that do not need login form interaction.
        Parameters:
        username - the username used for the authentication failure.
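
    The following is an added example implementation of this interface, not code from XWiki itself: once the failure limit is reached, the login form carries a hidden single-use nonce that is only accepted after a minimum delay, which throttles password guessing without locking the account. The package org.example.authentication, the field name authFailureNonce, the component hint "delay", the delay and expiry values, and the use of XWiki's usual component annotations (@Component, @Named, @Singleton) together with the interface living in org.xwiki.security.authentication are all assumptions made for the example.

```java
package org.example.authentication; // hypothetical package for this example

import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.time.Duration;
import java.time.Instant;
import java.util.Base64;
import java.util.Locale;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

import javax.inject.Named;
import javax.inject.Singleton;
import javax.servlet.http.HttpServletRequest;

import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.xwiki.component.annotation.Component;
import org.xwiki.security.authentication.AuthenticationFailureStrategy; // assumed package

/**
 * Example strategy (not shipped with XWiki): the login form gets a hidden, single-use
 * nonce that is accepted only after MIN_DELAY. Because the platform may call the
 * strategy for logins that have not reached the limit yet, every login the attacker
 * rotates to is throttled the same way.
 */
@Component
@Named("delay") // hypothetical component hint
@Singleton
public class DelayAuthenticationFailureStrategy implements AuthenticationFailureStrategy
{
    private static final Logger LOGGER = LoggerFactory.getLogger(DelayAuthenticationFailureStrategy.class);

    private static final String NONCE_FIELD = "authFailureNonce"; // hypothetical field name
    private static final Duration MIN_DELAY = Duration.ofSeconds(5);   // reject earlier submissions
    private static final Duration MAX_AGE = Duration.ofMinutes(10);    // nonces expire, bounding the map

    private static final class Challenge
    {
        final String nonce;
        final Instant issuedAt;

        Challenge(String nonce, Instant issuedAt)
        {
            this.nonce = nonce;
            this.issuedAt = issuedAt;
        }
    }

    // One outstanding challenge per normalized login.
    private final Map<String, Challenge> challenges = new ConcurrentHashMap<>();
    private final SecureRandom random = new SecureRandom();

    @Override
    public String getErrorMessage(String username)
    {
        // Same text for every login: do not reveal whether the account exists.
        return "Too many failed login attempts. Please wait a few seconds and try again.";
    }

    @Override
    public String getForm(String username)
    {
        Instant cutoff = Instant.now().minus(MAX_AGE);
        challenges.entrySet().removeIf(e -> e.getValue().issuedAt.isBefore(cutoff));
        byte[] bytes = new byte[16];
        random.nextBytes(bytes);
        // URL-safe Base64 needs no HTML escaping; the username is never echoed into the form.
        String nonce = Base64.getUrlEncoder().withoutPadding().encodeToString(bytes);
        challenges.put(normalize(username), new Challenge(nonce, Instant.now()));
        return "<input type=\"hidden\" name=\"" + NONCE_FIELD + "\" value=\"" + nonce + "\" />";
    }

    @Override
    public boolean validateForm(String username, HttpServletRequest request)
    {
        String submitted = request.getParameter(NONCE_FIELD);
        // Consume the challenge unconditionally: a wrong or too-early answer costs a fresh form.
        Challenge challenge = challenges.remove(normalize(username));
        if (submitted == null || challenge == null) {
            return false;
        }
        // Constant-time comparison so timing does not leak how much of the nonce matched.
        boolean matches = MessageDigest.isEqual(challenge.nonce.getBytes(StandardCharsets.UTF_8),
            submitted.getBytes(StandardCharsets.UTF_8));
        Duration age = Duration.between(challenge.issuedAt, Instant.now());
        return matches && age.compareTo(MIN_DELAY) >= 0 && age.compareTo(MAX_AGE) <= 0;
    }

    @Override
    public void notify(String username)
    {
        // No form interaction needed here: record the event for the audit trail.
        LOGGER.warn("Authentication failure limit reached for login [{}]", username);
    }

    private static String normalize(String username)
    {
        return username == null ? "" : username.trim().toLowerCase(Locale.ROOT);
    }
}
```

    A strategy like this only slows an attacker who is willing to fetch the form and wait out the delay; it is a rate limit, not a proof of humanity, so pair it with the CAPTCHA scenario above or with notify()-side alerting when the limit is hit.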