LoginAttemptListener¶
All the Password Provider implementations
provided by default publish a
“LoginAttemptMessage”
every time they check a password value. This permits any
org.springframework.context.ApplicationListener<LoginAttemptMessage>
to react to the login. Only one implementation is active by default (as
of 4.2.1):
ome.security.auth.LoginAttemptListener
which throttles logins after a given number of failed attempts.
Configuration for this listener is available in Security:
omero.security.login_failure_throttle_count=1 # Number of failed attempts before throttling begins
omero.security.login_failure_throttle_time=3000 # Time in milliseconds
A more sophisticated listener would lock the user’s account until an administrator intervenes. This is the goal of #3139.