Hi devs.

I noticed that the recent 11.6.x series have introduced a way to deal with attempts to guess a user's password by introducing a strategy to handle repeated login failures. I should have paid attention before this was published because I have been implementing something similar because of several user requests.

Anyway, my alternative solution has been finished in parallel, and I wonder if there is any interest of hosting this as a contrib project.

The implementation differs in the following details:

- it does not use the new AuthenticationFailureEvents and the introduced component API, instead it implements its own XWikiAuthService
- this means it works for 10.x, too (which my users are mostly running)
- otoh it does not work with e.g. the LDAPAuthenticator
- it also allows to block IPs (not that I care much about, but some people want this)
- it unblocks the user after a given time frame without having an Admin to intervene

I guess I can migrate at least most of it into the new AuthenticationFailureStrategy to have a showcase for a different implementation, but for now it is a separate and already slightly outdated implementation.

I think I will upload the results to e.x.o anyway (with a big note that this is superseded since XWiki 11.6), but is there any interest of hosting this as an xwiki-contrib project, maybe with the name 'authenticator-blocking', package 'org.xwiki.contrib.blockingauth' and maybe even a Jira project like 'BLOCKINGAUTH' ?

Best,
Clemens
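The behaviour listed in the post above (blocking by user name and by IP after repeated failures, with automatic unblocking after a time frame) can be sketched as follows. This is an added illustration, not code from the extension discussed in this thread or from XWiki; the class `LoginFailureTracker`, its parameters and the sample values are hypothetical, and it assumes Java 16 or later for `record`.

```java
import java.time.Duration;
import java.time.Instant;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

/** Hypothetical failure tracker; not part of XWiki or of the extension. */
public class LoginFailureTracker {
    private record Entry(int failures, Instant lastFailure) {}

    private final int maxFailures;
    private final Duration blockTime;
    private final Map<String, Entry> entries = new ConcurrentHashMap<>();

    public LoginFailureTracker(int maxFailures, Duration blockTime) {
        this.maxFailures = maxFailures;
        this.blockTime = blockTime;
    }

    /** Call before verifying the password, so a blocked source gets no further guesses. */
    public boolean isBlocked(String user, String ip, Instant now) {
        return blocked("user:" + user, now) || blocked("ip:" + ip, now);
    }

    private boolean blocked(String key, Instant now) {
        Entry e = entries.get(key);
        if (e == null) return false;
        if (now.isAfter(e.lastFailure().plus(blockTime))) {
            entries.remove(key, e); // time frame elapsed: unblock without an admin
            return false;
        }
        return e.failures() >= maxFailures;
    }

    /** Counts the failure against both the user name and the client IP. */
    public void recordFailure(String user, String ip, Instant now) {
        for (String key : new String[] {"user:" + user, "ip:" + ip}) {
            entries.merge(key, new Entry(1, now), (old, fresh) ->
                now.isAfter(old.lastFailure().plus(blockTime))
                    ? fresh                                  // stale counter: start over
                    : new Entry(old.failures() + 1, now));
        }
    }

    public static void main(String[] args) {
        LoginFailureTracker t = new LoginFailureTracker(3, Duration.ofMinutes(15));
        Instant t0 = Instant.parse("2019-08-19T08:00:00Z"); // constructed sample data
        for (int i = 0; i < 3; i++) t.recordFailure("alice", "192.0.2.10", t0.plusSeconds(i));
        System.out.println(t.isBlocked("alice", "198.51.100.7", t0.plusSeconds(60))); // same user, other IP
        System.out.println(t.isBlocked("bob", "192.0.2.10", t0.plusSeconds(60)));     // other user, same IP
        System.out.println(t.isBlocked("alice", "192.0.2.10", t0.plus(Duration.ofMinutes(16)))); // after the time frame
    }
}
```

Keying the counters by user name lets anyone lock out a known account by failing logins on purpose, which is why the automatic expiry matters; the IP key is only meaningful if the address is taken from a trusted source rather than a client-supplied header.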
Since you did it already and it might be needed by many people who don't plan to upgrade soon +1 to publish it.

On Mon, Aug 19, 2019 at 7:44 AM Clemens Klein-Robbenhaar <[hidden email]> wrote:
>
> Hi devs.
>
> I noticed that the recent 11.6.x series have introduced a way to deal
> with attempts to guess a user's password by introducing a strategy to
> handle repeated login failures. I should have paid attention before
> this was published because I have been implementing something similar
> because of several user requests.
>
> Anyway, my alternative solution has been finished in parallel, and I
> wonder if there is any interest of hosting this as a contrib project.
>
> The implementation differs in the following details:
>
> - it does not use the new AuthenticationFailureEvents and the
> introduced component API, instead it implements its own XWikiAuthService
> - this means it works for 10.x, too (which my users are mostly running)
> - otoh it does not work with e.g. the LDAPAuthenticator
> - it also allows to block IPs (not that I care much about, but some
> people want this)
> - it unblocks the user after a given time frame without having an
> Admin to intervene
>
> I guess I can migrate at least most of it into the new
> AuthenticationFailureStrategy to have a showcase for a different
> implementation,

Could be interesting too yes.

> but for now it is a separate and already slightly
> outdated implementation.
>
> I think I will upload the results to e.x.o anyway (with a big note that
> this is superseded since XWiki 11.6), but is there any interest of
> hosting this as an xwiki-contrib project, maybe with the name
> 'authenticator-blocking', package 'org.xwiki.contrib.blockingauth' and
> maybe even a Jira project like 'BLOCKINGAUTH' ?
>
> Best,
> Clemens
>

--
Thomas Mortagne
+1 to publish it. Thanks!

On Mon, Aug 19, 2019 at 8:44 AM Clemens Klein-Robbenhaar <[hidden email]> wrote:
> Hi devs.
>
> I noticed that the recent 11.6.x series have introduced a way to deal
> with attempts to guess a user's password by introducing a strategy to
> handle repeated login failures. I should have paid attention before
> this was published because I have been implementing something similar
> because of several user requests.
>
> Anyway, my alternative solution has been finished in parallel, and I
> wonder if there is any interest of hosting this as a contrib project.
>
> The implementation differs in the following details:
>
> - it does not use the new AuthenticationFailureEvents and the
> introduced component API, instead it implements its own XWikiAuthService
> - this means it works for 10.x, too (which my users are mostly running)
> - otoh it does not work with e.g. the LDAPAuthenticator
> - it also allows to block IPs (not that I care much about, but some
> people want this)
> - it unblocks the user after a given time frame without having an
> Admin to intervene
>
> I guess I can migrate at least most of it into the new
> AuthenticationFailureStrategy to have a showcase for a different
> implementation, but for now it is a separate and already slightly
> outdated implementation.
>
> I think I will upload the results to e.x.o anyway (with a big note that
> this is superseded since XWiki 11.6), but is there any interest of
> hosting this as an xwiki-contrib project, maybe with the name
> 'authenticator-blocking', package 'org.xwiki.contrib.blockingauth' and
> maybe even a Jira project like 'BLOCKINGAUTH' ?
>
> Best,
> Clemens
>
Hi Clemens,

Cool. +1 to publish it on contrib + exo (either xwiki-contrib or xwiki-attric if you don’t plan to maintain it).

Thanks
-Vincent

> On 17 Aug 2019, at 21:40, Clemens Klein-Robbenhaar <[hidden email]> wrote:
>
> Hi devs.
>
> I noticed that the recent 11.6.x series have introduced a way to deal with attempts to guess a user's password by introducing a strategy to handle repeated login failures. I should have paid attention before this was published because I have been implementing something similar because of several user requests.
>
> Anyway, my alternative solution has been finished in parallel, and I wonder if there is any interest of hosting this as a contrib project.
>
> The implementation differs in the following details:
>
> - it does not use the new AuthenticationFailureEvents and the introduced component API, instead it implements its own XWikiAuthService
> - this means it works for 10.x, too (which my users are mostly running)
> - otoh it does not work with e.g. the LDAPAuthenticator
> - it also allows to block IPs (not that I care much about, but some people want this)
> - it unblocks the user after a given time frame without having an Admin to intervene
>
> I guess I can migrate at least most of it into the new AuthenticationFailureStrategy to have a showcase for a different implementation, but for now it is a separate and already slightly outdated implementation.
>
> I think I will upload the results to e.x.o anyway (with a big note that this is superseded since XWiki 11.6), but is there any interest of hosting this as an xwiki-contrib project, maybe with the name 'authenticator-blocking', package 'org.xwiki.contrib.blockingauth' and maybe even a Jira project like 'BLOCKINGAUTH' ?
>
> Best,
> Clemens
>

Thanks for the feedback, everyone!

I will add the extension to contrib this evening when I am back home (unless someone who has not posted yet disagrees).

Best
Clemens

> Hi Clemens,
>
> Cool. +1 to publish it on contrib + exo (either xwiki-contrib or
> xwiki-attric if you don’t plan to maintain it).
>
> Thanks
> -Vincent
>
>> On 17 Aug 2019, at 21:40, Clemens Klein-Robbenhaar
>> <[hidden email]> wrote:
>>
>> Hi devs.
>>
>> I noticed that the recent 11.6.x series have introduced a way to deal
>> with attempts to guess a user's password by introducing a strategy to
>> handle repeated login failures. I should have paid attention before
>> this was published because I have been implementing something similar
>> because of several user requests.
>>
>> Anyway, my alternative solution has been finished in parallel, and I
>> wonder if there is any interest of hosting this as a contrib project.
>>
>> The implementation differs in the following details:
>>
>> - it does not use the new AuthenticationFailureEvents and the
>> introduced component API, instead it implements its own
>> XWikiAuthService
>> - this means it works for 10.x, too (which my users are mostly
>> running)
>> - otoh it does not work with e.g. the LDAPAuthenticator
>> - it also allows to block IPs (not that I care much about, but some
>> people want this)
>> - it unblocks the user after a given time frame without having an
>> Admin to intervene
>>
>> I guess I can migrate at least most of it into the new
>> AuthenticationFailureStrategy to have a showcase for a different
>> implementation, but for now it is a separate and already slightly
>> outdated implementation.
>>
>> I think I will upload the results to e.x.o anyway (with a big note
>> that this is superseded since XWiki 11.6), but is there any interest
>> of hosting this as an xwiki-contrib project, maybe with the name
>> 'authenticator-blocking', package 'org.xwiki.contrib.blockingauth' and
>> maybe even a Jira project like 'BLOCKINGAUTH' ?
>>
>> Best,
>> Clemens
>>