Java library for advanced user account protection [closed]
I'm looking for a library to provide advanced user account protection for a web application. I need the following features:
1) User account lock after several failed login attempts within a defined time frame.
2) Password expiration within N days.
3) Password history tracking for every user.
Is there an appropriate solution for all or some of these needs?
Thanks in advance!
I think your requirements are not so complex to implement, without the need for an external library.
- You can store the number of failed login attempts in a column of your client_user table in the database and increment it at runtime if a failure occurs within your predetermined time frame.
- Another column can keep the date_modified of your password, so you can check at runtime whether the attempted login has surpassed that number of days.
- That's a tricky one, since normally passwords are stored as hashes of some sort; therefore it doesn't make much sense to keep historical values.
You can accomplish all of these by using Spring & Spring Security.
1) User account lock after several failed login attempts within a defined time frame.
You can use Spring Security, count the number of failed attempts and block the user; here is an article:
Common Problem #3: How do I disable a user after a number of failed logins?
A common user requirement is to disable / lock an account after a number of failed login attempts. Acegi itself does not provide anything "out of the box", however in your application you can implement and register an org.springframework.context.ApplicationListener. Inside your application event listener you can then check for an instanceof the particular AuthenticationFailureEvent and then call your application user management interface to update the user details.
For example:
```java
import org.springframework.context.ApplicationEvent;
import org.springframework.context.ApplicationListener;

public class FailedLoginListener implements ApplicationListener {
    public void onApplicationEvent(ApplicationEvent event) {
        // check failed event
        if (event instanceof AuthenticationFailurePasswordEvent) {
            // call user management interface to increment failed login attempts, etc.
            // . . .
        }
    }
}
```
2) Password expiration within N days.
You can schedule a task using Spring Quartz support that resets passwords. Also you can have an ExpiryDate field in the DB and fire a trigger every day at 00:00 hrs to perform the checks.
3) Password history tracking for every user.
Using the DB you can keep a history of the passwords used, and you can use Spring DAO support to do it easily.
btw if you find any framework that is specifically meant for this, let me know :)
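As an added example (not code from the question or the answers, and not Spring's own), the listener idea for requirement 1 carried through with a sliding time window: the Spring Security 3+ event classes take the place of the Acegi names quoted above, and the in-memory maps are a stand-in for the database columns the first answer suggests.

```java
import java.time.Duration;
import java.time.Instant;
import java.util.ArrayDeque;
import java.util.Deque;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import org.springframework.context.ApplicationEvent;
import org.springframework.context.ApplicationListener;
import org.springframework.security.authentication.event.AuthenticationFailureBadCredentialsEvent;
import org.springframework.security.authentication.event.AuthenticationSuccessEvent;

// Added example: lock an account after MAX_FAILURES bad-password attempts inside WINDOW.
// The in-memory maps stand in for the user-table columns the answers describe.
public class LoginFailureListener implements ApplicationListener<ApplicationEvent> {
    static final int MAX_FAILURES = 5;
    static final Duration WINDOW = Duration.ofMinutes(15);
    // username -> timestamps of recent failures, oldest first
    private final Map<String, Deque<Instant>> failures = new ConcurrentHashMap<>();
    private final Map<String, Instant> lockedUntil = new ConcurrentHashMap<>();

    @Override
    public void onApplicationEvent(ApplicationEvent event) {
        if (event instanceof AuthenticationFailureBadCredentialsEvent) {
            String user = ((AuthenticationFailureBadCredentialsEvent) event).getAuthentication().getName();
            recordFailure(user, Instant.now());
        } else if (event instanceof AuthenticationSuccessEvent) {
            // a successful login resets the counter
            failures.remove(((AuthenticationSuccessEvent) event).getAuthentication().getName());
        }
    }

    // Returns true when this failure pushes the account over the threshold and locks it.
    boolean recordFailure(String user, Instant now) {
        Deque<Instant> window = failures.computeIfAbsent(user, k -> new ArrayDeque<>());
        synchronized (window) {
            window.addLast(now);
            // forget failures older than WINDOW so only recent attempts count
            while (window.peekFirst().isBefore(now.minus(WINDOW))) window.pollFirst();
            if (window.size() < MAX_FAILURES) return false;
            lockedUntil.put(user, now.plus(WINDOW));
            window.clear();
            return true;
        }
    }

    // Consult this from your UserDetailsService and throw LockedException while it is true.
    boolean isLocked(String user, Instant now) {
        Instant until = lockedUntil.get(user);
        return until != null && now.isBefore(until);
    }
}
```

Register the class as a Spring bean so the context delivers authentication events to it; the lock expires on its own after WINDOW, so no scheduled unlock task is needed.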
I don't know of any framework that provides those features but I'm not sure I would bother trying to find one either. They are very simple requirements that would be easy to code up yourself, probably in less time than it would take to learn a new framework. Then you avoid a dependency on a framework.
For more complex requirements related to security, I would recommend Spring Security.