com.basecmp.core.servlets
Class LoginSecuritychecksFilter

java.lang.Object
  com.basecmp.core.servlets.LoginSecuritychecksFilter

public class LoginSecuritychecksFilter

extends java.lang.Object

Filter to check the configured security-checks. Possible security-checks are:

• Disable Login if the maximum number of failed login-attempts has been reached.
• On conditional security-constraints send a http-redirect to a (declarative) standard J2EE security-contraint in order to force a container-login. Conditional constraints are:
  • Remote-IP against a configured IP or IP-List or IP-Range.

Disable login on max failed login-attempts
Checks the number of false login-attempts per user and redirect to the configured 'login-disabled-page' if the max number of attempts is exceeded. Redirects even if an additional login-attempts was ok.

Filter-Configvalues are:

• LoginTemporaryDisabledUrl: The path to the JSP which should be displayed, after the max number of failed login-attempts has been reached. If not given the check is disabled!
• MaxLoginAttempts: Maximum of allowed login-attempts before the account will be disabled. Defaults to 3.
• LoginAttemptDelayOffset: Minimum time in milliseconds after a disabled login will be automatically re-enabled. Default to 10 minutes.
• LoginAttemptDelay: Additional delay-time in milliseconds for each false login-attempt after a login has already be disabled. Defaults to 1 minute.
• AllowedIpList: A List og single IPs (Format: [1..255].[1..255].[1..255].[1..255]) or IP-Ranges (Format: [1..255].[1..255].[1..255].[1..255]-[1..255])
• DenyAll: [true|false(=default)] If set true, all request over the configure filter are denied, the login-url ist NOT shown!
• ForceLoginUrl: The webapp-relative url to the loginpage if the ip-filter applys.

Created on 11.04.2005

Author:

Wolfgang Schröder

Field Summary

static java.lang.String	CONFIG_PARAM_ALLOWED_IPS
static java.lang.String	CONFIG_PARAM_DENY_ALL_OTHER_IPS
static java.lang.String	CONFIG_PARAM_EXCLUDE_PATH_PATTERN
static java.lang.String	CONFIG_PARAM_FORCE_LOGIN_URL
static java.lang.String	CONFIG_PARAM_LOGIN_DELAY
static java.lang.String	CONFIG_PARAM_LOGIN_DELAY_OFFSET
static java.lang.String	CONFIG_PARAM_LOGIN_DISABLED_URL
static java.lang.String	CONFIG_PARAM_MAX_ATTEMPTS
static long	DEFAULT_LOGIN_DELAY
static long	DEFAULT_LOGIN_DELAY_OFFSET
static int	DEFAULT_MAX_ATTEMPTS
static java.lang.String	REQUEST_ATTRIBUTE_ATTEMPTS
static java.lang.String	REQUEST_ATTRIBUTE_MAX_ATTEMPTS
static java.lang.String	REQUEST_ATTRIBUTE_SECCONDS_TO_NEXT_ATTEMPT

Constructor Summary

LoginSecuritychecksFilter()

Method Summary

void	destroy()
void	doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
static LoginSecuritychecksFilter	getInstance(java.lang.String filterName) Delivers the instance identified by the given filtername from web.xml.
void	init(FilterConfig config)
boolean	isLoginDisabled(java.lang.String loginname, HttpServletRequest request, HttpServletResponse response, boolean redirect) Delivers true, if the user has made to many false attempts to login into the website.
boolean	isRemoteIpAllowed(HttpServletRequest httpRequest) Delivers true, if the remote-ip of the given request is allowed to access.
boolean	logFailedAttempt(java.lang.String loginname, boolean redirect, PageContext pageContext) Logs a false login-attempt per username and stores the values REQUEST_ATTRIBUTE_ATTEMPTS and REQUEST_ATTRIBUTE_MAX_ATTEMPTS as String-Attributes in the given request-object for display-purposes in a JSP.
void	resetAccount(java.lang.String loginname) Resets the account from failed login-attempts

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Field Detail

CONFIG_PARAM_ALLOWED_IPS

public static final java.lang.String CONFIG_PARAM_ALLOWED_IPS

See Also:

Constant Field Values

CONFIG_PARAM_DENY_ALL_OTHER_IPS

public static final java.lang.String CONFIG_PARAM_DENY_ALL_OTHER_IPS

See Also:

Constant Field Values

CONFIG_PARAM_EXCLUDE_PATH_PATTERN

public static final java.lang.String CONFIG_PARAM_EXCLUDE_PATH_PATTERN

See Also:

Constant Field Values

CONFIG_PARAM_FORCE_LOGIN_URL

public static final java.lang.String CONFIG_PARAM_FORCE_LOGIN_URL

See Also:

Constant Field Values

CONFIG_PARAM_LOGIN_DELAY

public static final java.lang.String CONFIG_PARAM_LOGIN_DELAY

See Also:

Constant Field Values

CONFIG_PARAM_LOGIN_DELAY_OFFSET

public static final java.lang.String CONFIG_PARAM_LOGIN_DELAY_OFFSET

See Also:

Constant Field Values

CONFIG_PARAM_LOGIN_DISABLED_URL

public static final java.lang.String CONFIG_PARAM_LOGIN_DISABLED_URL

See Also:

Constant Field Values

CONFIG_PARAM_MAX_ATTEMPTS

public static final java.lang.String CONFIG_PARAM_MAX_ATTEMPTS

See Also:

Constant Field Values

DEFAULT_LOGIN_DELAY

public static final long DEFAULT_LOGIN_DELAY

See Also:

Constant Field Values

DEFAULT_LOGIN_DELAY_OFFSET

public static final long DEFAULT_LOGIN_DELAY_OFFSET

See Also:

Constant Field Values

DEFAULT_MAX_ATTEMPTS

public static final int DEFAULT_MAX_ATTEMPTS

See Also:

Constant Field Values

REQUEST_ATTRIBUTE_ATTEMPTS

public static final java.lang.String REQUEST_ATTRIBUTE_ATTEMPTS

See Also:

Constant Field Values

REQUEST_ATTRIBUTE_MAX_ATTEMPTS

public static final java.lang.String REQUEST_ATTRIBUTE_MAX_ATTEMPTS

See Also:

Constant Field Values

REQUEST_ATTRIBUTE_SECCONDS_TO_NEXT_ATTEMPT

public static final java.lang.String REQUEST_ATTRIBUTE_SECCONDS_TO_NEXT_ATTEMPT

See Also:

Constant Field Values

Constructor Detail

LoginSecuritychecksFilter

public LoginSecuritychecksFilter()

Method Detail

destroy

public void destroy()

doFilter

public void doFilter(ServletRequest request,
                     ServletResponse response,
                     FilterChain chain)
              throws java.io.IOException,
                     ServletException

Throws:

java.io.IOException

ServletException

getInstance

public static LoginSecuritychecksFilter getInstance(java.lang.String filterName)

Delivers the instance identified by the given filtername from web.xml.

init

public void init(FilterConfig config)
          throws ServletException

Throws:

ServletException

isLoginDisabled

public boolean isLoginDisabled(java.lang.String loginname,
                               HttpServletRequest request,
                               HttpServletResponse response,
                               boolean redirect)
                        throws java.io.IOException

Delivers true, if the user has made to many false attempts to login into the website. If flag 'redirect' is set 'true', a redirect to the configured 'login-disabled-page' will be executed.

Throws:

java.io.IOException

isRemoteIpAllowed

public boolean isRemoteIpAllowed(HttpServletRequest httpRequest)

Delivers true, if the remote-ip of the given request is allowed to access.

Parameters:

httpRequest -

Returns:

logFailedAttempt

public boolean logFailedAttempt(java.lang.String loginname,
                                boolean redirect,
                                PageContext pageContext)
                         throws java.io.IOException

Logs a false login-attempt per username and stores the values REQUEST_ATTRIBUTE_ATTEMPTS and REQUEST_ATTRIBUTE_MAX_ATTEMPTS as String-Attributes in the given request-object for display-purposes in a JSP.

Throws:

java.io.IOException

resetAccount

public void resetAccount(java.lang.String loginname)

Resets the account from failed login-attempts