edu.yale.its.tp.cas.auth.provider
Class WatchfulPasswordHandler
java.lang.Object
|
+--edu.yale.its.tp.cas.auth.provider.WatchfulPasswordHandler
- All Implemented Interfaces:
- AuthHandler, PasswordHandler
- Direct Known Subclasses:
- LdapHandler, SampleHandler
- public abstract class WatchfulPasswordHandler
- extends java.lang.Object
- implements PasswordHandler
A PasswordHandler base class that implements logic to block IP addresses
that engage in too many unsuccessful login attempts. The goal is to
limit the damage that a dictionary-based password attack can achieve.
We implement this with a token-based strategy: each failure is forgotten
after a fixed interval, so failures only accumulate against an address
when they arrive faster than they expire. Subclasses perform the actual
credential check and report each failed attempt through registerFailure
so that it counts against the requesting address.
Method Summary
boolean authenticate(javax.servlet.ServletRequest request, java.lang.String netid, java.lang.String password)
    Returns true if the given request comes from an IP address whose allotment of failed login attempts is within reasonable bounds; false otherwise.
protected void registerFailure(javax.servlet.ServletRequest r)
    Registers a login failure initiated by the given address.
Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
WatchfulPasswordHandler
public WatchfulPasswordHandler()
authenticate
public boolean authenticate(javax.servlet.ServletRequest request,
java.lang.String netid,
java.lang.String password)
- Returns true if the given request comes from an IP address whose
allotment of failed login attempts is within reasonable bounds;
false otherwise. Note: this method does not validate the netid
and password; that check must be implemented by subclasses, which
should consult this result before accepting any credentials.
- Specified by: authenticate in interface PasswordHandler
registerFailure
protected void registerFailure(javax.servlet.ServletRequest r)
- Registers a login failure initiated by the given address.
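The following is an added example and not code from the CAS project: a self-contained re-creation of the per-address lockout strategy the class description above outlines, together with a concrete subclass showing the pattern a PasswordHandler built on it is expected to follow (check the address allotment, validate credentials, register every failure). The class names `WatchfulPasswordHandlerExample` and `FixedPasswordHandler`, the threshold of 5 failures, the 60-second expiry and the choice to key on the remote address as a `String` are all assumptions made for illustration; in CAS the address comes from `ServletRequest.getRemoteAddr()`, and the real thresholds are not stated on this page.

```java
import java.util.ArrayDeque;
import java.util.Deque;
import java.util.HashMap;
import java.util.Map;

/**
 * Added example, not the CAS project's code.  Mirrors the documented
 * behaviour of WatchfulPasswordHandler: failures are remembered per
 * client address, forgotten after a window, and block the address only
 * when they pile up faster than they expire.  Threshold, window and the
 * String address key are assumptions for this illustration.
 */
abstract class WatchfulPasswordHandlerExample {

    /** Assumed: failures tolerated per address inside the expiry window. */
    private static final int FAILURE_THRESHOLD = 5;

    /** Assumed: milliseconds after which a single failure is forgotten. */
    private static final long FAILURE_TIMEOUT_MS = 60_000L;

    /** Per-address timestamps of failures that have not yet expired. */
    private final Map<String, Deque<Long>> failures = new HashMap<>();

    /** Clock hook so the simulation in main() can advance time deterministically. */
    protected long now() { return System.currentTimeMillis(); }

    /**
     * Mirrors authenticate(): true if the address is within its allotment,
     * false otherwise.  The netid and password are NOT checked here.
     */
    public synchronized boolean authenticate(String remoteAddr, String netid, String password) {
        Deque<Long> stamps = failures.get(remoteAddr);
        if (stamps == null) return true;
        expire(stamps);
        if (stamps.isEmpty()) { failures.remove(remoteAddr); return true; }
        return stamps.size() < FAILURE_THRESHOLD;
    }

    /** Mirrors registerFailure(): record one failed attempt from the address. */
    protected synchronized void registerFailure(String remoteAddr) {
        Deque<Long> stamps = failures.computeIfAbsent(remoteAddr, k -> new ArrayDeque<>());
        expire(stamps);          // old failures are forgotten first ...
        stamps.addLast(now());   // ... so the count only grows when failures outpace expiry
    }

    /** Drop timestamps older than the window; the deque is kept in arrival order. */
    private void expire(Deque<Long> stamps) {
        long cutoff = now() - FAILURE_TIMEOUT_MS;
        while (!stamps.isEmpty() && stamps.peekFirst() < cutoff) stamps.pollFirst();
    }
}

/** The subclass pattern: allotment check first, then credentials, and report each failure. */
class FixedPasswordHandler extends WatchfulPasswordHandlerExample {
    private final Map<String, String> users;   // netid -> password, constructed sample data
    private long clock = 0L;                   // simulated time in milliseconds

    FixedPasswordHandler(Map<String, String> users) { this.users = users; }

    @Override protected long now() { return clock; }
    void advance(long ms) { clock += ms; }

    @Override
    public synchronized boolean authenticate(String remoteAddr, String netid, String password) {
        // 1. Refuse outright if this address has exhausted its allotment.
        if (!super.authenticate(remoteAddr, netid, password)) return false;
        // 2. Validate the credentials, the part the base class leaves to subclasses.
        String expected = users.get(netid);
        if (expected != null && expected.equals(password)) return true;
        // 3. Register every failed attempt; otherwise the lockout never engages.
        registerFailure(remoteAddr);
        return false;
    }

    public static void main(String[] args) {
        Map<String, String> users = new HashMap<>();
        users.put("alice", "correct horse");   // constructed sample account
        FixedPasswordHandler h = new FixedPasswordHandler(users);

        // Five wrong guesses from one address exhaust its allotment.
        for (int i = 0; i < 5; i++) h.authenticate("203.0.113.7", "alice", "guess" + i);
        // The locked-out address is refused even with the right password.
        System.out.println("locked-out address: " + h.authenticate("203.0.113.7", "alice", "correct horse"));
        // A different address is unaffected; the limit is per address, not per account.
        System.out.println("other address:      " + h.authenticate("198.51.100.2", "alice", "correct horse"));
        // Once the window passes the failures are forgotten and the address is admitted again.
        h.advance(61_000L);
        System.out.println("after expiry:       " + h.authenticate("203.0.113.7", "alice", "correct horse"));
    }
}
```

Compile with `javac` and run `java FixedPasswordHandler`. Two points the simulation makes visible are worth keeping in mind when extending this class: a subclass that skips `super.authenticate()` or forgets to call `registerFailure()` on a failed check silently loses the protection, and because the allotment is keyed on the remote address rather than the account, a slow attacker who stays under the expiry rate, or one spread across many addresses, is never blocked, while clients sharing one address (NAT, a reverse proxy that hides the client address) share a single allotment and can be locked out together by one of them.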