Description
The LoginPortlet currently displays a simple error message on a failed login.
Although the number of invalid attempts is displayed, it's confusing because that is not related to the
number of authenticationFailures for a specific UserPrincipal.
I'll provide a new LoginValidationValve implementation which checks if a failed login attempt occurred.
In that case, the real cause of the failure is determined and an errorCode is saved in the request so the
LoginPortlet can provide a sensible response to the user.
These error codes are defined in the LoginConstants interface and with the i18n language bundle already used
by the LoginPortlet the required message to be displayed can be looked up.
If the InternalPasswordCredentialStateHandlingInterceptor is used (as it is in the default configuration), its maxNumberOfLoginFailureAttempts can be passed on to the LoginValidationValve implementation to allow
a warning message to the user when only one last login attempt is possible before the PasswordCredential will
be disabled.
To be able to give this feedback, the PasswordCredential interface will be extended (as well as the default
implementation) to include the authenticationFailures from the InternalCredential.
This solution will provide at least one part of the JS2-215 issue (more/correct feedback on login failures).
The other features of JS2-215 (email notification, disabled account creation by an end user itself) still have to be addressed though.
The LoginConstants interface currently is defined in the Jetspeed commons project and I'm going to move it
to the Jetspeed-API project as I think it really belongs there. This shouldn't have any impact on any
custom login implementation as that would need the Jetspeed-API already too.
Issue Links
- relates to JS2-215 security email extensions: password reminder/user creation (Closed)
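The flow described in this issue, as an added example that is not part of the original issue or of Jetspeed's code: a valve-side step classifies the failed login and stores an error code in the request, and a portlet-side step resolves that code against a language bundle. The `ErrorCode` values, the `ERROR_ATTR` name, the `Credential` class, the bundle keys and the map used in place of the request are all hypothetical stand-ins; it assumes the failure counter already includes the attempt that just failed.

```java
import java.util.HashMap;
import java.util.ListResourceBundle;
import java.util.Map;
import java.util.ResourceBundle;

public class LoginFailureFeedback {
    // Hypothetical codes and attribute name; the issue places the real ones in LoginConstants.
    enum ErrorCode { CREDENTIAL_DISABLED, FINAL_LOGIN_ATTEMPT, INVALID_PASSWORD }
    static final String ERROR_ATTR = "example.login.errorCode";

    // Hypothetical stand-in for the extended PasswordCredential.
    static final class Credential {
        final boolean enabled;
        final int authenticationFailures;
        Credential(boolean enabled, int authenticationFailures) {
            this.enabled = enabled;
            this.authenticationFailures = authenticationFailures;
        }
    }

    // Valve side: called after a failed login whose failure has already been counted.
    static void recordFailure(Credential c, int maxFailures, Map<String, Object> request) {
        ErrorCode code;
        if (!c.enabled) {
            code = ErrorCode.CREDENTIAL_DISABLED;
        } else if (maxFailures > 1 && c.authenticationFailures == maxFailures - 1) {
            code = ErrorCode.FINAL_LOGIN_ATTEMPT; // exactly one attempt left
        } else {
            code = ErrorCode.INVALID_PASSWORD;
        }
        request.put(ERROR_ATTR, code);
    }

    // Portlet side: look up the message for the stored code; empty if no failure was recorded.
    static String message(Map<String, Object> request, ResourceBundle bundle) {
        ErrorCode code = (ErrorCode) request.get(ERROR_ATTR);
        return code == null ? "" : bundle.getString("login.error." + code.name());
    }

    // Constructed bundle standing in for the portlet's i18n resources.
    static final ResourceBundle BUNDLE = new ListResourceBundle() {
        protected Object[][] getContents() {
            return new Object[][] {
                {"login.error.CREDENTIAL_DISABLED", "Your password has been disabled."},
                {"login.error.FINAL_LOGIN_ATTEMPT", "Invalid password. One attempt remains."},
                {"login.error.INVALID_PASSWORD", "Invalid password."}};
        }
    };

    public static void main(String[] args) {
        int max = 3; // constructed limit; the credential is disabled when it is reached
        for (int failures = 1; failures <= max; failures++) {
            Map<String, Object> request = new HashMap<>();
            recordFailure(new Credential(failures < max, failures), max, request);
            System.out.println(failures + ": " + message(request, BUNDLE));
        }
    }
}
```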