Account locking after n number of invalid attempts AEM. | Community
sahilw46733527
Level 2
February 12, 2019

Account locking after n number of invalid attempts AEM.

  • February 12, 2019
  • 2 replies
  • 7441 views

Account locking after n invalid attempts in AEM: any pointers for this implementation?


2 replies

Peter_Puzanovs
Community Advisor
February 12, 2019

Dear Sahil,

Thanks for asking this question.

If you are planning to rely on OOTB Apache Sling (brilliant framework!), then you need to listen on the org.apache.sling.auth.core.AuthConstants.TOPIC_LOGIN_FAILED event and implement a failed-login throttling solution as per your needs, e.g. count the number of failures in an hour and, if more than x, lock the account.

The APIs exist in Sling; they just need your tailoring to make them fit your requirements.

Regards,

Peter

sahilw46733527
Level 2
February 13, 2019

Hi Peter,

I couldn't find the TOPIC_LOGIN_FAILED event in AuthConstants ("The Adobe AEM Quickstart and Web Application"). Kindly confirm if I'm going in the right direction?

Peter_Puzanovs
Community Advisor
February 13, 2019

Hey Sahil,

You need a newer Sling auth core / AEM version.

As per [SLING-7939] SlingAuthenticator should post an event for login failures - ASF JIRA, your exact issue was resolved in Auth Core 1.4.4:

"The login failure events would be useful for the implementation of a failed login throttling solution to prevent brute force dictionary attacks against sling to guess user passwords.  An unlimited number of failed logins should not be allowed, but we need some way to gather the information to thwart it."

Regards,

Peter
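The approach Peter describes in his two replies (listen for TOPIC_LOGIN_FAILED, count failures per user inside a sliding window, lock the account past a threshold) as an added example. This is not code from the thread, from Sling or from Adobe; it is an OSGi Declarative Services component written for this page. Assumptions: the package name, the config property names, the sub-service name "account-locker" (which needs a matching service-user mapping with write access to the user's node), and that the failure event carries the attempted user ID under the AuthConstants.USER property, as the login-success event does. Locking is done with the Jackrabbit User.disable(reason) API, which makes Oak reject further logins for that user until an administrator re-enables it.

```java
package com.example.aem.security; // hypothetical package, not part of Sling or AEM

import java.util.ArrayDeque;
import java.util.Collections;
import java.util.Deque;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

import javax.jcr.RepositoryException;
import javax.jcr.Session;

import org.apache.jackrabbit.api.JackrabbitSession;
import org.apache.jackrabbit.api.security.user.Authorizable;
import org.apache.jackrabbit.api.security.user.User;
import org.apache.jackrabbit.api.security.user.UserManager;
import org.apache.sling.api.resource.LoginException;
import org.apache.sling.api.resource.ResourceResolver;
import org.apache.sling.api.resource.ResourceResolverFactory;
import org.apache.sling.auth.core.AuthConstants;
import org.osgi.service.component.annotations.Activate;
import org.osgi.service.component.annotations.Component;
import org.osgi.service.component.annotations.Reference;
import org.osgi.service.event.Event;
import org.osgi.service.event.EventConstants;
import org.osgi.service.event.EventHandler;
import org.osgi.service.metatype.annotations.AttributeDefinition;
import org.osgi.service.metatype.annotations.Designate;
import org.osgi.service.metatype.annotations.ObjectClassDefinition;

/** Disables a user after too many failed logins inside a sliding window (Sling auth core >= 1.4.4). */
@Component(service = EventHandler.class, immediate = true,
           property = { EventConstants.EVENT_TOPIC + "=" + AuthConstants.TOPIC_LOGIN_FAILED })
@Designate(ocd = FailedLoginLocker.Config.class)
public class FailedLoginLocker implements EventHandler {

    @ObjectClassDefinition(name = "Failed Login Locker (example)")
    public @interface Config {
        @AttributeDefinition(description = "Failures inside the window after which the user is disabled")
        int max_failures() default 5;                 // assumed config name
        @AttributeDefinition(description = "Sliding window length in seconds")
        long window_seconds() default 3600;           // assumed config name
    }

    private static final String SUBSERVICE = "account-locker";   // assumed service-user mapping

    @Reference
    private ResourceResolverFactory resolverFactory;

    private int maxFailures;
    private long windowMillis;
    // per-user timestamps of recent failures; in-memory, so per JVM instance only
    private final Map<String, Deque<Long>> failures = new ConcurrentHashMap<>();

    @Activate
    protected void activate(Config config) {
        maxFailures = config.max_failures();
        windowMillis = config.window_seconds() * 1000L;
    }

    @Override
    public void handleEvent(Event event) {
        // assumption: the failure event carries the attempted user ID under AuthConstants.USER
        Object user = event.getProperty(AuthConstants.USER);
        if (!(user instanceof String) || ((String) user).isEmpty()) {
            return;                                   // no principal to count against
        }
        String userId = (String) user;
        if (recordFailure(userId, System.currentTimeMillis()) >= maxFailures) {
            lock(userId);
        }
    }

    /** Records one failure and returns how many fall inside the window ending at {@code now}. */
    int recordFailure(String userId, long now) {
        Deque<Long> times = failures.computeIfAbsent(userId, k -> new ArrayDeque<>());
        synchronized (times) {
            times.addLast(now);
            while (!times.isEmpty() && now - times.peekFirst() > windowMillis) {
                times.pollFirst();                    // drop failures older than the window
            }
            return times.size();
        }
    }

    private void lock(String userId) {
        Map<String, Object> auth = Collections.singletonMap(ResourceResolverFactory.SUBSERVICE, SUBSERVICE);
        try (ResourceResolver resolver = resolverFactory.getServiceResourceResolver(auth)) {
            Session session = resolver.adaptTo(Session.class);
            UserManager um = ((JackrabbitSession) session).getUserManager();
            Authorizable a = um.getAuthorizable(userId);
            // never lock the repository admin or a user that is already disabled
            if (a instanceof User && !((User) a).isAdmin() && !((User) a).isDisabled()) {
                ((User) a).disable(maxFailures + " failed logins within " + windowMillis / 1000 + "s");
                session.save();
                failures.remove(userId);              // counter no longer needed once locked
            }
        } catch (LoginException | RepositoryException e) {
            throw new IllegalStateException("could not disable user " + userId, e);
        }
    }
}
```

Two caveats a practitioner will want before deploying something like this. The counters live in one JVM, so they are not shared across an author cluster or a publish farm and are lost on restart; a shared store is needed for a consistent limit. Keying purely on the username also turns the lock into a denial-of-service lever, since anyone who knows a login name can lock that user out, so pair it with per-IP throttling at the dispatcher or reverse proxy and keep the threshold generous. Re-enabling is an administrative action (User.disable(null) or the Users console).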

joerghoh
Adobe Employee
February 13, 2019

I would recommend you to use a proper Identity Management tool, which should be able to handle such requirements with ease. AEM has authentication features, but blocking accounts after a number of unsuccessful tries... it's doable, but you get it for free on other tools. And there is good documentation on how SSO can be enabled on AEM.

Jörg