Class LoginAttemptManagerImpl

java.lang.Object
org.craftercms.studio.impl.v2.security.LoginAttemptManagerImpl
All Implemented Interfaces:
LoginAttemptManager

public class LoginAttemptManagerImpl extends Object implements LoginAttemptManager
LoginAttemptManager implementation that keeps track of login failures in memory.
  • On login success, username is removed from the loginFailures map
  • On login failure:
    1. If user is already locked, no action is performed
    2. If user is not locked, the login attempt count is incremented (or initialized to 1, if missing)
    3. Then the user is locked for the period calculated as min(baseTimeSeconds ^ (failedAttempts - 1), maxTimeSeconds)
isUserLocked() is implemented by checking if the user is present in the loginFailures map and if the lock time has not expired.
This implementation relies on LRUMap to limit the number of tracked usernames. When a new item is added to a full LRUMap (i.e. maxTrackedUsernames has been reached), the least recently used item is evicted; recency is determined by calls to the put and get methods. Note that an evicted username is no longer considered locked, since isUserLocked() only consults the map.
To avoid leaking information about whether a user exists (user enumeration attacks), this implementation behaves the same regardless of whether the username exists.
Since:
4.1.2
  • Constructor Details

    • LoginAttemptManagerImpl

      public LoginAttemptManagerImpl(int maxTrackedUsernames, int baseTimeSeconds, long maxTimeSeconds, boolean enabled)
      Creates a new instance of LoginAttemptManagerImpl.
      Parameters:
      maxTrackedUsernames - The maximum number of usernames to track. When this number is reached, the least recently used usernames will be removed from the map.
      baseTimeSeconds - The base time in seconds to use for exponential backoff.
      maxTimeSeconds - The maximum time in seconds to use for exponential backoff.
      enabled - Whether this manager is enabled or not.
  • Method Details

    • isUserLocked

      public boolean isUserLocked(String username)
      Description copied from interface: LoginAttemptManager
      Indicates if a user is currently locked.
      A locked user is not allowed to log in.
      Specified by:
      isUserLocked in interface LoginAttemptManager
      Parameters:
      username - the username
      Returns:
      true if the user is locked, false otherwise
    • getUserLockTimeLeftSeconds

      public long getUserLockTimeLeftSeconds(String username)
      Description copied from interface: LoginAttemptManager
      Returns the number of seconds left until the user is unlocked, or 0 if the user is not locked.
      Specified by:
      getUserLockTimeLeftSeconds in interface LoginAttemptManager
      Parameters:
      username - the username
      Returns:
      the number of seconds left for the user to be unlocked, or 0 if the user is not locked.
    • loginSucceeded

      public void loginSucceeded(String username)
      Description copied from interface: LoginAttemptManager
      Notify this manager that a login attempt has succeeded for the given user.
      Specified by:
      loginSucceeded in interface LoginAttemptManager
      Parameters:
      username - the username
    • loginFailed

      public void loginFailed(String username)
      Description copied from interface: LoginAttemptManager
      Notify this manager that a login attempt has failed for the given user.
      Specified by:
      loginFailed in interface LoginAttemptManager
      Parameters:
      username - the username
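The class description and the method contracts above, as an added example that is not the CrafterCMS Studio code: a self-contained tracker applying the same rules (drop on success, ignore failures while locked, lock for min(base ^ (attempts - 1), max) seconds). It uses an access-ordered LinkedHashMap in place of commons-collections LRUMap and takes an injectable clock (assumed here) so the backoff can be checked in a unit test without sleeping.

```java
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.function.LongSupplier;

// Added example, not the project's own code; mirrors the documented behaviour.
public class BackoffLoginAttemptTracker {
    private static final class Failure { int attempts; long lockedUntilMillis; }

    private final int baseTimeSeconds;
    private final long maxTimeSeconds;
    private final LongSupplier clockMillis;          // injected clock (assumption), e.g. System::currentTimeMillis
    private final Map<String, Failure> loginFailures;

    public BackoffLoginAttemptTracker(int maxTrackedUsernames, int baseTimeSeconds,
                                      long maxTimeSeconds, LongSupplier clockMillis) {
        this.baseTimeSeconds = baseTimeSeconds;
        this.maxTimeSeconds = maxTimeSeconds;
        this.clockMillis = clockMillis;
        // accessOrder=true: both get() and put() count as "use", so when the map is
        // full the least recently used username is evicted, as with LRUMap
        this.loginFailures = new LinkedHashMap<String, Failure>(16, 0.75f, true) {
            @Override protected boolean removeEldestEntry(Map.Entry<String, Failure> e) {
                return size() > maxTrackedUsernames;
            }
        };
    }

    // Locked only if still tracked AND the lock period has not yet expired.
    public synchronized boolean isUserLocked(String username) {
        Failure f = loginFailures.get(username);
        return f != null && f.lockedUntilMillis > clockMillis.getAsLong();
    }

    public synchronized long getUserLockTimeLeftSeconds(String username) {
        Failure f = loginFailures.get(username);
        if (f == null) return 0;
        long leftMillis = f.lockedUntilMillis - clockMillis.getAsLong();
        return leftMillis > 0 ? (leftMillis + 999) / 1000 : 0;   // round up partial seconds
    }

    public synchronized void loginSucceeded(String username) {
        loginFailures.remove(username);               // success clears the failure record
    }

    public synchronized void loginFailed(String username) {
        if (isUserLocked(username)) return;           // rule 1: already locked, no action
        Failure f = loginFailures.computeIfAbsent(username, k -> new Failure());
        f.attempts++;                                 // rule 2: count (or start at 1)
        double raw = Math.pow(baseTimeSeconds, f.attempts - 1);   // rule 3: exponential backoff
        long lockSeconds = (long) Math.min(raw, (double) maxTimeSeconds); // Infinity clamps to max
        f.lockedUntilMillis = clockMillis.getAsLong() + lockSeconds * 1000L;
    }
}
```

With base 2 and max 60 the lock periods run 1, 2, 4, 8, 16, 32, 60, 60, ... seconds for successive failures; a real username and an unknown one are treated identically, which is what prevents enumeration via the lock response.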