Sun Java System Access Manager Policy Agent 2.2 Guide for IBM WebSphere Application Server 6.0

Login Attempt Limit in J2EE Agents

When a user tries to access a protected resource without having authenticated with Access Manager Authentication Services, the request is treated as a request with insufficient credentials. The default action taken by the agent when it encounters such a request is to redirect the user to the next available Login URL as configured in the J2EE agent configuration file.

Despite the repeated redirects performed by the agent, the user could still be unable to furnish the necessary credentials. In such a case, the agent can be directed to block such a request. This is configured using the Login Attempt Limit configuration property. The configuration property that controls this behavior is as follows:


If a non-zero positive value is specified for this property in the J2EE agent configuration file, the agent will only allow that many attempts before it blocks the access request without the necessary credentials. When set to a value of zero, this feature is disabled.

To guard against potential denial-of-service attacks on the system, enable this feature.