The Apache Shiro documentation implies some desirable features for capturing successive failed login attempts (among other things); however, I cannot find specific documentation for this. Currently, I can execute currentUser.login(token); with an invalid password an infinite number of times, and nothing traps this and throws that error. I'm struggling to find where this is implemented in the source.
Does it really work? Is a threshold set in shiro.ini? Can someone point me to the documentation for this (or confirm that it does not exist)?
thanks
Environmental Details: Shiro core 1.2.1 and jdbc realm
Beginning of the documentation:

Step 3: Handling success or failure. If the login method returns quietly, then you are all set! The Subject is authenticated. The application flow can continue uninterrupted, and all further calls to SecurityUtils.getSubject() will return the authenticated Subject instance, and any calls to subject.isAuthenticated() will return true.
But what happens if the login attempt fails? For example, what if the end user provided the wrong password, or accessed the system too many times and perhaps their account is locked?
Shiro has a rich runtime AuthenticationException hierarchy that can accurately indicate why the attempt failed. You can wrap the login in a try/catch block, catch any exception you want and react to it accordingly. For instance:

    try {
        currentUser.login(token);
    } catch (UnknownAccountException uae) {
        ...
    } catch (IncorrectCredentialsException ice) {
        ...
    } catch (LockedAccountException lae) {
        ...
    } catch (ExcessiveAttemptsException eae) {   // <-- emphasized by the asker
        ...
    } ... catch your own ...
    } catch (AuthenticationException ae) {
        // unexpected error?
    }
    // No problems, continue on as expected...

If one of the existing exception classes does not meet your needs, custom AuthenticationExceptions can be created to represent specific failure scenarios.

End of documentation
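As an added illustration, not part of the question or of Shiro itself: the documentation quoted above lists ExcessiveAttemptsException but does not say who throws it, so one way to get lockout behaviour with a JDBC realm is to count failed credential checks yourself. The class below is a hypothetical CredentialsMatcher decorator (the package name, class name and the `maxAttempts` default are assumptions) that wraps the realm's existing matcher, keeps a per-username failure counter in memory, and throws ExcessiveAttemptsException once the threshold is reached. Because AuthenticatingRealm calls the matcher from assertCredentialsMatch, the exception propagates out of currentUser.login(token) and lands in the catch block shown in the documentation.

```java
package com.example.security;   // hypothetical package name

import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.ConcurrentMap;
import java.util.concurrent.atomic.AtomicInteger;

import org.apache.shiro.authc.AuthenticationInfo;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.authc.ExcessiveAttemptsException;
import org.apache.shiro.authc.credential.CredentialsMatcher;
import org.apache.shiro.authc.credential.SimpleCredentialsMatcher;

/**
 * Decorates another CredentialsMatcher and locks an account after too many
 * consecutive failed matches. The counter lives in process memory, so it is
 * reset on restart and is not shared between nodes (see the note below).
 */
public class LockoutCredentialsMatcher implements CredentialsMatcher {

    private final CredentialsMatcher delegate;
    private int maxAttempts = 5;   // assumed default; settable from shiro.ini
    private final ConcurrentMap<String, AtomicInteger> failures =
            new ConcurrentHashMap<String, AtomicInteger>();

    /** No-arg constructor so shiro.ini can instantiate the class by name. */
    public LockoutCredentialsMatcher() {
        this(new SimpleCredentialsMatcher());
    }

    public LockoutCredentialsMatcher(CredentialsMatcher delegate) {
        this.delegate = delegate;
    }

    /** Bean setter: "credentialsMatcher.maxAttempts = 5" in shiro.ini. */
    public void setMaxAttempts(int maxAttempts) {
        this.maxAttempts = maxAttempts;
    }

    @Override
    public boolean doCredentialsMatch(AuthenticationToken token, AuthenticationInfo info) {
        String username = String.valueOf(token.getPrincipal());

        // Java 6 compatible get-or-create (Shiro 1.2.x predates computeIfAbsent).
        AtomicInteger counter = failures.get(username);
        if (counter == null) {
            AtomicInteger fresh = new AtomicInteger();
            counter = failures.putIfAbsent(username, fresh);
            if (counter == null) {
                counter = fresh;
            }
        }

        // Refuse before checking the password: a locked account stays locked
        // even if the correct password is supplied, until the counter is cleared.
        if (counter.get() >= maxAttempts) {
            throw new ExcessiveAttemptsException(
                    "Account locked after " + maxAttempts + " failed attempts: " + username);
        }

        boolean matched = delegate.doCredentialsMatch(token, info);
        if (matched) {
            failures.remove(username);       // success resets the counter
        } else {
            counter.incrementAndGet();       // failure moves closer to lockout
        }
        return matched;
    }

    /** Administrative unlock, e.g. from a support tool. */
    public void reset(String username) {
        failures.remove(username);
    }
}

/*
 * Wiring in shiro.ini (assumed bean names; the realm name is whatever the
 * application already uses):
 *
 *   [main]
 *   lockoutMatcher = com.example.security.LockoutCredentialsMatcher
 *   lockoutMatcher.maxAttempts = 5
 *   jdbcRealm = org.apache.shiro.realm.jdbc.JdbcRealm
 *   jdbcRealm.credentialsMatcher = $lockoutMatcher
 */
```

The in-memory map is deliberately the simplest thing that works; for a clustered deployment or a lockout that must survive restarts, the same counter would be kept in the database the JDBC realm already talks to, and a time-based decay (unlock after N minutes) can be added in the same place rather than locking the account forever. Note also that this approach only counts attempts that reach the credential check: an UnknownAccountException for a non-existent user never reaches the matcher, which is usually what you want, since counting unknown usernames would let anyone fill the map.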