A set of APIs to provide additional security checks during authentication

Developed by: XWiki Development Team
License: GNU General Public License 1
Bundled with: XWiki Standard


This module provides an API to enable new checks during authentication.
The default implementation triggers security checks when a user fails to authenticate multiple times within a given time window.



The module's configuration allows three settings to be defined:

  • the authentication failure strategies (default is CAPTCHA)
  • the maximum number of failing login attempts authorized before activating a strategy (default is 3)
  • the time window during which those attempts should occur (default is 5 minutes)

Setting no strategy, or setting the maximum number of attempts or the time window to 0, disables the feature.
By default this configuration is available in the Administration > Authentication page.

Starting with XWiki 11.10, the authentication security mechanism can be enabled or disabled. Note that disabling it also clears all information related to login failures, which may unlock some users in case of problems.

Authentication Failure Manager

This component is responsible for recording authentication failures and for triggering the strategies according to the given configuration.

Authentication Failure Strategies

Two strategies are currently implemented and available.

CAPTCHA

This is the default strategy. When a user reaches the configured limit of authentication attempts, a CAPTCHA is displayed on the login page and the user has to solve it in order to log in.

Disable Account


This strategy automatically disables the user account after repeated authentication failures. The user then needs to contact a wiki administrator to re-enable it.


Two new events are provided:

  • AuthenticationFailureEvent, triggered whenever a user fails to authenticate
  • AuthenticationFailureLimitReachedEvent, triggered when the authentication failure manager detects that a user has reached the limit of authentication failures.
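An example listener for these two events, written for this page and not part of the module itself: it registers an XWiki observation listener and writes an audit log line for each event so a monitoring pipeline can pick up brute-force patterns. The package name and listener name are hypothetical, and it assumes the failure manager passes the attempted login name as the event source.

```java
package org.example.authlistener; // hypothetical package

import javax.inject.Inject;
import javax.inject.Named;
import javax.inject.Singleton;

import org.slf4j.Logger;
import org.xwiki.component.annotation.Component;
import org.xwiki.observation.AbstractEventListener;
import org.xwiki.observation.event.Event;
import org.xwiki.security.authentication.AuthenticationFailureEvent;
import org.xwiki.security.authentication.AuthenticationFailureLimitReachedEvent;

/**
 * Subscribes to the authentication failure events and writes one audit line per event.
 * Registered as an XWiki component; the listener name must be unique.
 */
@Component
@Named("authFailureAuditListener") // hypothetical listener name
@Singleton
public class AuthFailureAuditListener extends AbstractEventListener
{
    @Inject
    private Logger logger;

    public AuthFailureAuditListener()
    {
        // Listener name followed by the events it wants to receive.
        super("authFailureAuditListener",
            new AuthenticationFailureEvent(), new AuthenticationFailureLimitReachedEvent());
    }

    @Override
    public void onEvent(Event event, Object source, Object data)
    {
        // Assumption: the failure manager sends the attempted login name as the event source.
        String username = String.valueOf(source);

        if (event instanceof AuthenticationFailureLimitReachedEvent) {
            // The configured limit was hit inside the time window, so the selected
            // strategy (CAPTCHA or account disabling) is now active for this user.
            logger.warn("Authentication failure limit reached for user [{}]", username);
        } else {
            // A single failed attempt; useful for correlating attempts across users.
            logger.info("Authentication failure for user [{}]", username);
        }
    }
}
```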
