From version 9.1, edited by Simon Urli on 2019/11/18 12:04
To version 10.1, edited by Simon Urli on 2019/11/18 12:06
Change comment: There is no comment for this version

Summary

Details

ExtensionCode.ExtensionClass[0]
Description
... ... @@ -15,6 +15,8 @@
15 15  image:authentication-security-administration.png
16 16  {{/gallery}}
17 17  
18 +Starting with {{info}}XWiki 11.10RC1{{/info}} it is now possible to enable or disable the authentication security mechanism. Note that disabling it will also clear out all information related to the login failures: this might unlock some users in case of problems.
19 +
18 18  = Authentication Failure Manager =
19 19  
20 20  This component is responsible to record the authentication failures, and to trigger the strategies based on the given configuration.
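Review bot: the added paragraph does not say where the new enable/disable switch is configured or what its default state is; the Configuration section on this page points users to the Administration > Authentication page for the other three settings, so a sentence naming the page where this switch lives and its default would complete it. The clause "this might unlock some users in case of problems" should also state which state is reset: whether clearing the login-failure information only lifts the CAPTCHA requirement, or also re-enables accounts disabled by the Disable Account strategy, which the page otherwise says must be re-enabled by an administrator.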
A set of APIs to provide additional security checks during authentication

Type: JAR
Developed by: XWiki Development Team
License: GNU General Public License
Bundled With: XWiki Standard
Description

This module provides an API for adding new checks during authentication.
The default implementation of the module can trigger security checks when a user has failed to authenticate several times within a given time window.

Configuration

The module's configuration consists of three settings:

  • the authentication failure strategies (default is CAPTCHA)
  • the maximum number of failing login attempts authorized before activating a strategy (default is 3)
  • the time window during which those attempts should occur (default is 5 minutes)

Setting no strategy, or setting the maximum number of attempts or the time window to 0, disables the feature.
This configuration is available in the Administration > Authentication page by default.

Starting with XWiki 11.10RC1 it is possible to enable or disable the authentication security mechanism. Note that disabling it also clears all recorded information about login failures, which might unlock some users in case of problems.

Authentication Failure Manager

This component is responsible for recording authentication failures and for triggering the strategies according to the given configuration.

Authentication Failure Strategies

Two strategies are currently implemented and available.

CAPTCHA

This is the default strategy. When a user has reached the maximum number of authentication attempts, a CAPTCHA is displayed on the login page, and the user has to solve it in order to log in.

Disable Account

This strategy automatically disables the user account after repeated authentication failures. The user then has to contact an administrator of the wiki to have the account re-enabled.

Events

Two new events are provided:

  • AuthenticationFailureEvent, triggered whenever a user fails to authenticate
  • AuthenticationFailureLimitReachedEvent, triggered when the authentication failure manager detects that a user has reached the limit of authentication failures
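To make the configuration rules, the failure manager, the two strategies and the two events concrete, here is an added standalone Python model. It is not XWiki's code (the real module is Java, and none of the class or method names below are XWiki's). It assumes a sliding window over failure timestamps, treats "reached the limit" as a failure count of at least the configured maximum, and takes the clock as a plain number so it runs offline. It also models the 11.10RC1 enable/disable switch clearing the failure records, which lifts the CAPTCHA requirement but leaves accounts disabled by the Disable Account strategy alone, since the page says those need an administrator.

```python
"""Standalone model of a time-window authentication failure manager.

Added illustration, not XWiki's code: every class and method name here is an
assumption; XWiki's real API (Java) differs.
"""
from collections import defaultdict, deque
from dataclasses import dataclass, field
from typing import Deque, Dict, List


@dataclass(frozen=True)
class AuthenticationFailureEvent:
    """Fired on every failed authentication."""
    username: str
    at: float  # seconds on a constructed clock, not wall time


@dataclass(frozen=True)
class AuthenticationFailureLimitReachedEvent:
    """Fired when a user's failures within the window reach the limit."""
    username: str
    at: float


@dataclass
class UserState:
    failures: Deque[float] = field(default_factory=deque)  # timestamps still in window
    account_disabled: bool = False  # only set by DisableAccountStrategy


class CaptchaStrategy:
    """Default strategy. The CAPTCHA requirement is derived from the failure
    records rather than stored, so clearing those records lifts it."""
    def on_limit_reached(self, state: UserState) -> None:
        pass


class DisableAccountStrategy:
    """Disables the account; an administrator has to re-enable it."""
    def on_limit_reached(self, state: UserState) -> None:
        state.account_disabled = True


class AuthenticationFailureManager:
    def __init__(self, strategies, max_attempts: int = 3, window_seconds: float = 300):
        self.strategies = list(strategies)
        self.max_attempts = max_attempts
        self.window_seconds = window_seconds
        self.enabled = True
        self.states: Dict[str, UserState] = defaultdict(UserState)
        self.events: List[object] = []

    @property
    def active(self) -> bool:
        """Page rule: no strategy, or 0 for either number, disables the feature;
        the 11.10RC1 enable/disable switch sits on top of that."""
        return (self.enabled and bool(self.strategies)
                and self.max_attempts > 0 and self.window_seconds > 0)

    def _prune(self, state: UserState, now: float) -> None:
        # Sliding window (modelling assumption): drop failures that happened
        # window_seconds or more ago.
        while state.failures and now - state.failures[0] >= self.window_seconds:
            state.failures.popleft()

    def record_failure(self, username: str, now: float) -> bool:
        """Record one failed login; return True if the limit was reached."""
        if not self.active:
            return False
        state = self.states[username]
        self.events.append(AuthenticationFailureEvent(username, now))
        state.failures.append(now)
        self._prune(state, now)
        if len(state.failures) >= self.max_attempts:  # "reached the limit"
            self.events.append(AuthenticationFailureLimitReachedEvent(username, now))
            for strategy in self.strategies:
                strategy.on_limit_reached(state)
            return True
        return False

    def login_requires_captcha(self, username: str, now: float) -> bool:
        """True while a CAPTCHA strategy is configured and the user is at the limit."""
        if not self.active or not any(isinstance(s, CaptchaStrategy) for s in self.strategies):
            return False
        state = self.states[username]
        self._prune(state, now)
        return len(state.failures) >= self.max_attempts

    def is_account_disabled(self, username: str) -> bool:
        return self.states[username].account_disabled

    def set_enabled(self, enabled: bool) -> None:
        """Disabling clears every recorded failure, as the page states. Accounts
        disabled by DisableAccountStrategy are left as they are: per the page,
        an administrator re-enables those."""
        self.enabled = enabled
        if not enabled:
            for state in self.states.values():
                state.failures.clear()
```

Running the manager with the page's defaults (CAPTCHA, 3 attempts, 300 seconds) shows the behaviour a defender cares about: three failures inside the window trigger the limit event and the CAPTCHA, failures spread over more than the window never do, and flipping the switch off clears the counters without touching accounts the Disable Account strategy has already disabled.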
