SOLVED

Cannot disable users with disable(String reason) method

Dear community,

I'd like to block users from logging in with the user.disable("reason") method in my Servlet under a certain condition.

I could read/write user properties, but the disable part doesn't work and I could still log in with this user.

(code snippet attached below)

 

Did I miss something important to make it work?

Thanks a lot! 

 

UserManager userManager = ((JackrabbitSession) session).getUserManager();
Authorizable userAuth = userManager.getAuthorizable(userId);
User user = (User) userManager.getAuthorizable(userId);

if (userAuth != null) {

	int totalCount = 1;
	SimpleDateFormat sdf = new SimpleDateFormat("yyyy-MM-dd HH:mm:ss");
	Value[] userPropertyValueArray = userAuth.getProperty("profile/loginAttemptCount");

	if (userPropertyValueArray != null) {
		int userFailureLoginCount = Integer.parseInt(userPropertyValueArray[0].toString());

		if (userFailureLoginCount == 5) {						
			Date nowTime = new Date();						
			long time = 15 * 60 * 1000;
			Date lockUntil = new Date(nowTime.getTime() + time);
			userAuth.setProperty("profile/lockUntil",
					session.getValueFactory().createValue(sdf.format(lockUntil)));
			user.disable("Reach failure login limit");
			return;
			
		} else {
			totalCount = userFailureLoginCount + 1;
			userAuth.setProperty("profile/loginAttemptCount", session.getValueFactory().createValue(totalCount));
		}
	}
	
	userAuth.setProperty("profile/loginAttemptTimestamp",
			session.getValueFactory().createValue(sdf.format(new Date())));
}

session.save();
session.logout();

 

1 Accepted Solution

Correct answer by
Community Advisor

Hi @YuSheng,

I did a quick check of the disable method usage and it worked fine on my end. In general, it sets the rep:disabled property with the string value I passed as an argument. This is sample code.

 

 

UserManager userManager = ((JackrabbitSession) session).getUserManager();
User user = (User) userManager.getAuthorizable("test");
user.disable("Reach failure login limit");
session.save();

 

 

I see one problem in your implementation, in the part of your code below:

 

 

		if (userFailureLoginCount == 5) {						
			Date nowTime = new Date();						
			long time = 15 * 60 * 1000;
			Date lockUntil = new Date(nowTime.getTime() + time);
			userAuth.setProperty("profile/lockUntil",
					session.getValueFactory().createValue(sdf.format(lockUntil)));
			user.disable("Reach failure login limit");
			return;
			
		} 

 

 

You are using a return statement before you have saved your changes; this is why the user account is not disabled.

Please remove the return statement from the body of the if block above, or add session.save() before return. In other words, currently you are not saving the changes you made.

Your code could look like this:

 

 

if (userFailureLoginCount == 5) {
  Date nowTime = new Date();
  long time = 15 * 60 * 1000;
  Date lockUntil = new Date(nowTime.getTime() + time);
  userAuth.setProperty("profile/lockUntil",
      session.getValueFactory().createValue(sdf.format(lockUntil)));
  user.disable("Reach failure login limit");
  // persist the transient changes before leaving the method
  session.save();
  return;
}

 

 

or like this:

 

 

if (userFailureLoginCount == 5) {
  Date nowTime = new Date();
  long time = 15 * 60 * 1000;
  Date lockUntil = new Date(nowTime.getTime() + time);
  userAuth.setProperty("profile/lockUntil",
      session.getValueFactory().createValue(sdf.format(lockUntil)));
  user.disable("Reach failure login limit");
  // no return here: execution continues to the session.save() at the end of the method
}

 

 

4 Replies

Hi @arunpatidar, thank you for the reply.

I've seen this post and it doesn't help in my case.

Simply wanna know how to make this method work since it's the most straightforward approach to prevent users from logging in.

@lukasz-m Thanks for the reply, I checked the exception when the disable was executed and got

"javax.jcr.AccessDeniedException: OakAccess0000: Access denied"

I think the problem is that the system user I created doesn't have enough permissions to execute disable.
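
An added example, not part of the original thread or any poster's code: a lockout helper with a single save point, so no branch can return with unsaved changes, and with the AccessDeniedException from the last reply surfaced instead of lost. The class and method names are hypothetical, the counter logic is simplified from the question (no lockUntil timestamp, `>=` instead of `==`), and it assumes the caller opened `session` for a service user and hands ownership to this method.

```java
import javax.jcr.AccessDeniedException;
import javax.jcr.RepositoryException;
import javax.jcr.Session;
import javax.jcr.Value;
import org.apache.jackrabbit.api.JackrabbitSession;
import org.apache.jackrabbit.api.security.user.Authorizable;
import org.apache.jackrabbit.api.security.user.User;
import org.apache.jackrabbit.api.security.user.UserManager;

public final class LoginLockout { // hypothetical helper class
    static final int MAX_FAILURES = 5; // threshold used in the thread

    /** Records one failed login; returns true if the account is disabled afterwards. */
    public static boolean recordFailure(Session session, String userId)
            throws RepositoryException {
        try {
            UserManager um = ((JackrabbitSession) session).getUserManager();
            Authorizable auth = um.getAuthorizable(userId);
            if (auth == null || auth.isGroup()) {
                return false; // unknown id or a group: nothing was written
            }
            User user = (User) auth;
            Value[] stored = auth.getProperty("profile/loginAttemptCount");
            long failures = (stored == null || stored.length == 0)
                    ? 0 : stored[0].getLong();
            if (failures >= MAX_FAILURES) {
                // Transient until save(): sets rep:disabled on the user node.
                user.disable("Reach failure login limit");
            } else {
                auth.setProperty("profile/loginAttemptCount",
                        session.getValueFactory().createValue(failures + 1));
            }
            session.save(); // the only exit after a write goes through here
            return user.isDisabled();
        } catch (AccessDeniedException e) {
            // The service user may write profile properties yet lack the right
            // to disable accounts (in Oak, the rep:userManagement privilege).
            session.refresh(false); // drop the pending, unsaved changes
            throw e;                // let the caller log and alert on it
        } finally {
            session.logout(); // runs on every path, including early returns
        }
    }
}
```

If the exception is swallowed instead of rethrown, the lockout fails open: the login attempt is counted as handled while the account stays enabled.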