[contrib] any interest in another authenticator that deals with failed logins

Clemens Robbenhaar-3
Hi devs.

  I noticed that the recent 11.6.x series have introduced a way to deal
with attempts to guess a user's password by introducing a strategy to
handle repeated login failures. I should have paid attention before
this was published because I have been implementing something similar
because of several user requests.

  Anyway, my alternative solution has been finished in parallel, and I
wonder if there is any interest of hosting this as a contrib project.

The implementation differs in the following details:

  - it does not use the new AuthenticationFailureEvents and the
introduced component API, instead it implements its own XWikiAuthService
  - this means it works for 10.x, too (which my users are mostly running)
  - otoh it does not work with e.g. the LDAPAuthenticator
  - it also allows to block IPs (not that I care much about, but some
people want this)
  - it unblocks the user after a given time frame without having an
Admin to intervene

I guess I can migrate at least most of it into the new
AuthenticationFailureStrategy to have a showcase for a different
implementation, but for now it is a separate and already slightly
outdated implementation.

I think I will upload the results to e.x.o anyway (with a big note that
this is superseded since XWiki 11.6), but is there any interest of
hosting this as an xwiki-contrib project, maybe with the name
'authenticator-blocking', package 'org.xwiki.contrib.blockingauth' and
maybe even a Jira project like 'BLOCKINGAUTH' ?

Best,
Clemens
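
The two behaviours listed in the post above, blocking by IP address and lifting a block once a time frame has passed, can be implemented as follows. This is an added example, not code from the contributed authenticator or from XWiki; the class `FailedLoginTracker`, its method names, the limits and the sample address are assumptions made for illustration.

```java
import java.time.Duration;
import java.time.Instant;
import java.util.*;
import java.util.concurrent.ConcurrentHashMap;
/** Hypothetical class for illustration; not the contributed extension's code. */
public class FailedLoginTracker {
    private final int maxFailures;
    private final Duration window;
    // Keys are "user:<name>" or "ip:<address>"; values hold recent failure times.
    private final Map<String, Deque<Instant>> failures = new ConcurrentHashMap<>();
    public FailedLoginTracker(int maxFailures, Duration window) {
        this.maxFailures = maxFailures;
        this.window = window;
    }

    /** Count a failure against the account and the source address; memory per key is bounded. */
    public void recordFailure(String user, String ip, Instant now) {
        for (String key : new String[] {"user:" + user, "ip:" + ip}) {
            Deque<Instant> times = failures.computeIfAbsent(key, k -> new ArrayDeque<>());
            synchronized (times) {
                times.addLast(now);
                if (times.size() > maxFailures) times.removeFirst();
            }
        }
    }

    /** Call before verifying the password; true while either key is over the limit. */
    public boolean isBlocked(String user, String ip, Instant now) {
        return overLimit("user:" + user, now) || overLimit("ip:" + ip, now);
    }

    private boolean overLimit(String key, Instant now) {
        Deque<Instant> times = failures.get(key);
        if (times == null) return false;
        synchronized (times) {
            // Expiring old failures lifts the block without an administrator.
            while (!times.isEmpty() && !times.peekFirst().isAfter(now.minus(window))) times.removeFirst();
            return times.size() >= maxFailures;
        }
    }
    public static void main(String[] args) {
        FailedLoginTracker t = new FailedLoginTracker(3, Duration.ofMinutes(10));
        Instant t0 = Instant.parse("2019-08-19T08:00:00Z"); // constructed sample data
        for (int i = 0; i < 3; i++) t.recordFailure("alice", "192.0.2.7", t0.plusSeconds(i));
        System.out.println(t.isBlocked("alice", "192.0.2.7", t0.plusSeconds(60)));  // same account
        System.out.println(t.isBlocked("bob", "192.0.2.7", t0.plusSeconds(60)));    // same address
        System.out.println(t.isBlocked("alice", "192.0.2.7", t0.plusSeconds(700))); // window passed
    }
}
```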


Re: [contrib] any interest in another authenticator that deals with failed logins

Thomas Mortagne
Administrator
Since you did it already and it might be needed by many people who
don't plan to upgrade soon +1 to publish it.

On Mon, Aug 19, 2019 at 7:44 AM Clemens Klein-Robbenhaar
<[hidden email]> wrote:

>
> Hi devs.
>
>   I noticed that the recent 11.6.x series have introduced a way to deal
> with attempts to guess a user's password by introducing a strategy to
> handle repeated login failures. I should have paid attention before
> this was published because I have been implementing something similar
> because of several user requests.
>
>   Anyway, my alternative solution has been finished in parallel, and I
> wonder if there is any interest of hosting this as a contrib project.
>
> The implementation differs in the following details:
>
>   - it does not use the new AuthenticationFailureEvents and the
> introduced component API, instead it implements its own XWikiAuthService
>   - this means it works for 10.x, too (which my users are mostly running)
>   - otoh it does not work with e.g. the LDAPAuthenticator
>   - it also allows to block IPs (not that I care much about, but some
> people want this)
>   - it unblocks the user after a given time frame without having an
> Admin to intervene
>
> I guess I can migrate at least most of it into the new
> AuthenticationFailureStrategy to have a showcase for a different
> implementation,

Could be interesting too yes.

> but for now it is a separate and already slightly
> outdated implementation.
>
> I think I will upload the results to e.x.o anyway (with a big note that
> this is superseded since XWiki 11.6), but is there any interest of
> hosting this as an xwiki-contrib project, maybe with the name
> 'authenticator-blocking', package 'org.xwiki.contrib.blockingauth' and
> maybe even a Jira project like 'BLOCKINGAUTH' ?
>
> Best,
> Clemens
>


--
Thomas Mortagne

Re: [contrib] any interest in another authenticator that deals with failed logins

Marius Dumitru Florea
In reply to this post by Clemens Robbenhaar-3
+1 to publish it. Thanks!

On Mon, Aug 19, 2019 at 8:44 AM Clemens Klein-Robbenhaar <
[hidden email]> wrote:

> Hi devs.
>
>   I noticed that the recent 11.6.x series have introduced a way to deal
> with attempts to guess a user's password by introducing a strategy to
> handle repeated login failures. I should have paid attention before
> this was published because I have been implementing something similar
> because of several user requests.
>
>   Anyway, my alternative solution has been finished in parallel, and I
> wonder if there is any interest of hosting this as a contrib project.
>
> The implementation differs in the following details:
>
>   - it does not use the new AuthenticationFailureEvents and the
> introduced component API, instead it implements its own XWikiAuthService
>   - this means it works for 10.x, too (which my users are mostly running)
>   - otoh it does not work with e.g. the LDAPAuthenticator
>   - it also allows to block IPs (not that I care much about, but some
> people want this)
>   - it unblocks the user after a given time frame without having an
> Admin to intervene
>
> I guess I can migrate at least most of it into the new
> AuthenticationFailureStrategy to have a showcase for a different
> implementation, but for now it is a separate and already slightly
> outdated implementation.
>
> I think I will upload the results to e.x.o anyway (with a big note that
> this is superseded since XWiki 11.6), but is there any interest of
> hosting this as an xwiki-contrib project, maybe with the name
> 'authenticator-blocking', package 'org.xwiki.contrib.blockingauth' and
> maybe even a Jira project like 'BLOCKINGAUTH' ?
>
> Best,
> Clemens
>
>

Re: [contrib] any interest in another authenticator that deals with failed logins

vmassol
Administrator
In reply to this post by Clemens Robbenhaar-3
Hi Clemens,

Cool. +1 to publish it on contrib + exo (either xwiki-contrib or xwiki-attic if you don’t plan to maintain it).

Thanks
-Vincent

> On 17 Aug 2019, at 21:40, Clemens Klein-Robbenhaar <[hidden email]> wrote:
>
> Hi devs.
>
>  I noticed that the recent 11.6.x series have introduced a way to deal with attempts to guess a user's password by introducing a strategy to handle repeated login failures. I should have paid attention before this was published because I have been implementing something similar because of several user requests.
>
>  Anyway, my alternative solution has been finished in parallel, and I wonder if there is any interest of hosting this as a contrib project.
>
> The implementation differs in the following details:
>
>  - it does not use the new AuthenticationFailureEvents and the introduced component API, instead it implements its own XWikiAuthService
>  - this means it works for 10.x, too (which my users are mostly running)
>  - otoh it does not work with e.g. the LDAPAuthenticator
>  - it also allows to block IPs (not that I care much about, but some people want this)
>  - it unblocks the user after a given time frame without having an Admin to intervene
>
> I guess I can migrate at least most of it into the new AuthenticationFailureStrategy to have a showcase for a different implementation, but for now it is a separate and already slightly outdated implementation.
>
> I think I will upload the results to e.x.o anyway (with a big note that this is superseded since XWiki 11.6), but is there any interest of hosting this as an xwiki-contrib project, maybe with the name 'authenticator-blocking', package 'org.xwiki.contrib.blockingauth' and maybe even a Jira project like 'BLOCKINGAUTH' ?
>
> Best,
> Clemens
>


Re: [contrib] any interest in another authenticator that deals with failed logins

Clemens Robbenhaar-3

Thanks for the feedback, everyone!

I will add the extension to contrib this evening when I am back home
(unless someone who has not posted yet disagrees).

Best
Clemens

> Hi Clemens,
>
> Cool. +1 to publish it on contrib + exo (either xwiki-contrib or
> xwiki-attic if you don’t plan to maintain it).
>
> Thanks
> -Vincent
>
>> On 17 Aug 2019, at 21:40, Clemens Klein-Robbenhaar
>> <[hidden email]> wrote:
>>
>> Hi devs.
>>
>>  I noticed that the recent 11.6.x series have introduced a way to deal
>> with attempts to guess a user's password by introducing a strategy to
>> handle repeated login failures. I should have paid attention before
>> this was published because I have been implementing something similar
>> because of several user requests.
>>
>>  Anyway, my alternative solution has been finished in parallel, and I
>> wonder if there is any interest of hosting this as a contrib project.
>>
>> The implementation differs in the following details:
>>
>>  - it does not use the new AuthenticationFailureEvents and the
>> introduced component API, instead it implements its own
>> XWikiAuthService
>>  - this means it works for 10.x, too (which my users are mostly
>> running)
>>  - otoh it does not work with e.g. the LDAPAuthenticator
>>  - it also allows to block IPs (not that I care much about, but some
>> people want this)
>>  - it unblocks the user after a given time frame without having an
>> Admin to intervene
>>
>> I guess I can migrate at least most of it into the new
>> AuthenticationFailureStrategy to have a showcase for a different
>> implementation, but for now it is a separate and already slightly
>> outdated implementation.
>>
>> I think I will upload the results to e.x.o anyway (with a big note
>> that this is superseded since XWiki 11.6), but is there any interest
>> of hosting this as an xwiki-contrib project, maybe with the name
>> 'authenticator-blocking', package 'org.xwiki.contrib.blockingauth' and
>> maybe even a Jira project like 'BLOCKINGAUTH' ?
>>
>> Best,
>> Clemens
>>