Administration Console Online Help


Security Realm: User Lockout


Password guessing is a common type of security attack. In this type of attack, a hacker attempts to log in to a computer using various combinations of usernames and passwords. This page lets you define how user lockouts are handled in this security realm.

WebLogic Server provides a set of attributes to protect user accounts from intruders. By default, these attributes are set for maximum protection. As a system administrator, you have the option of turning off all the attributes, increasing the number of login attempts before a user account is locked, increasing the time period in which invalid login attempts are made before locking the user account, and changing the amount of time a user account is locked. Remember that changing the attributes on this page lessens security and leaves user accounts vulnerable to security attacks.

If a user lockout security event occurs on one node of a cluster, the other nodes in the cluster are notified of the event and the user account is locked on all nodes in the cluster. This feature prevents a hacker from systematically breaking into all the nodes in a cluster.

Note: The User Lockout attributes apply to the security realm and all its security providers. If you are using an Authentication provider that has its own mechanism for protecting user accounts, disable the Lockout Enabled attribute.

If a user account becomes locked and you delete the user account and then add another user account with the same name and password, the lockout state is not reset: the new account remains locked.

Configuration Options

Lockout Enabled

Specifies whether the server locks users out when there are invalid login attempts on their account.

MBean Attribute:
UserLockoutManagerMBean.LockoutEnabled

Changes take effect after you redeploy the module or restart the server.

Lockout Threshold

The maximum number of consecutive invalid login attempts that can occur before a user's account is locked out.

Any subsequent attempts to access the account (even if the username/password combination is correct) raise a Security exception; the account remains locked until it is explicitly unlocked by the system administrator or another login attempt is made after the lockout duration period ends. Invalid login attempts must be made within a span defined by the Lockout Reset Duration attribute.

MBean Attribute:
UserLockoutManagerMBean.LockoutThreshold

Minimum value: 1

Changes take effect after you redeploy the module or restart the server.

Lockout Duration

The number of minutes that a user's account is locked out.

MBean Attribute:
UserLockoutManagerMBean.LockoutDuration

Minimum value: 0

Changes take effect after you redeploy the module or restart the server.

Lockout Reset Duration

The number of minutes within which consecutive invalid login attempts cause a user's account to be locked out.

An account is locked if the number of invalid login attempts defined by the Lockout Threshold attribute occurs within the number of minutes defined by this attribute. For example, if the value of the Lockout Reset Duration attribute is 5 minutes, the Lockout Threshold is 3, and 3 invalid login attempts are made within a 6 minute interval, then the account is not locked. If 3 invalid login attempts are made within a 5 minute period, however, then the account is locked.

MBean Attribute:
UserLockoutManagerMBean.LockoutResetDuration

Minimum value: 1

Changes take effect after you redeploy the module or restart the server.

Lockout Cache Size

The maximum number of invalid login records that the server can place in a cache.

WebLogic Server does not define a particular limit for the number of records that may be specified for the size of the user lockout cache, but Oracle recommends a value between 0 and 99999.

MBean Attribute:
UserLockoutManagerMBean.LockoutCacheSize

Minimum value: 0

Changes take effect after you redeploy the module or restart the server.

Lockout GC Threshold

The maximum number of invalid login records that the server keeps in memory.

If the number of invalid login records is equal to or greater than the value of this attribute, the server's garbage collection purges the records that have expired. A record expires when the user is unlocked or when the lockout reset duration has expired for that record.

MBean Attribute:
UserLockoutManagerMBean.LockoutGCThreshold

Minimum value: 0

Changes take effect after you redeploy the module or restart the server.
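The following model illustrates how the Lockout Threshold, Lockout Reset Duration, Lockout Duration and Lockout GC Threshold attributes interact, using the 3-attempts-in-5-minutes example above. It is an added illustration written for this page, not WebLogic Server code or the UserLockoutManagerMBean API; attribute values, user names and minute-based timestamps are constructed for the demonstration.

```python
from dataclasses import dataclass, field


@dataclass
class LockoutPolicy:
    # Constructed values from the page's worked example, not WebLogic defaults.
    lockout_enabled: bool = True
    lockout_threshold: int = 3       # consecutive invalid attempts before locking
    lockout_duration: int = 30       # minutes the account stays locked
    lockout_reset_duration: int = 5  # window (minutes) in which invalid attempts count


@dataclass
class LoginRecord:
    failures: list = field(default_factory=list)  # minute timestamps of invalid attempts
    locked_at: "int | None" = None


@dataclass
class UserLockoutManager:
    policy: LockoutPolicy
    records: dict = field(default_factory=dict)  # user -> LoginRecord (the lockout cache)

    def attempt_login(self, user: str, password_ok: bool, now: int) -> str:
        """Return 'ok', 'invalid' or 'locked' for one attempt made at minute `now`."""
        rec = self.records.setdefault(user, LoginRecord())
        if rec.locked_at is not None:
            if now - rec.locked_at < self.policy.lockout_duration:
                return "locked"           # rejected even if the password is correct
            rec.locked_at, rec.failures = None, []  # duration over: this attempt unlocks
        if password_ok:
            rec.failures = []             # a success breaks the consecutive run
            return "ok"
        # Only failures inside the reset window ending at `now` count toward the threshold.
        rec.failures = [t for t in rec.failures
                        if now - t <= self.policy.lockout_reset_duration] + [now]
        if self.policy.lockout_enabled and len(rec.failures) >= self.policy.lockout_threshold:
            rec.locked_at = now
        return "invalid"

    def garbage_collect(self, now: int, gc_threshold: int) -> int:
        """Once the cache holds gc_threshold records, purge expired ones; return how many."""
        if len(self.records) < gc_threshold:
            return 0
        p = self.policy
        expired = [u for u, r in self.records.items()
                   if (r.locked_at is None and all(now - t > p.lockout_reset_duration for t in r.failures))
                   or (r.locked_at is not None and now - r.locked_at >= p.lockout_duration)]
        for u in expired:
            del self.records[u]
        return len(expired)
```

Three failures at minutes 0, 3 and 6 span 6 minutes and do not lock the account, while failures at 10, 12 and 15 fall inside a 5 minute window and lock it until minute 45.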
