Lockout Feature

EDG can temporarily lock out a user account after too many consecutive failed login attempts. The behaviour is similar to Tomcat's LockOutRealm. The feature is enabled by default and is configured with settings in the EDG setup file.

Note

This feature is not applicable for SAML Authentication or Authentication with OpenID Connect (OIDC). For those login methods, the corresponding IDP or Authorization Server handles incorrect login credentials.

After lockoutFailureCount consecutive failed login attempts (default 5), an account is locked for lockoutDuration seconds (default 300, i.e. 5 minutes). An account with login failures stays in the lockout cache until the user logs in successfully, until lockoutDuration expires, or until its entry is evicted because the cache has reached lockoutCacheSize.

While an account is locked, the corresponding user cannot log in, even with the correct password. The user is forwarded to an error page indicating that the account is locked, and a warning is written to The EDG log.

Note

If you need to disable this feature for testing purposes, you can set lockoutFailureCount to a number less than 1. Remember to re-enable it before deploying to production.

The cache of accounts with login failures is limited in size by the lockoutCacheSize setting (default 1000). When the limit is reached, the oldest entry in the cache is removed. This bounds the memory used by the feature and prevents a Denial of Service (DoS) attack in which requests are made with deliberately invalid user names so that the list of tracked accounts grows until it exhausts resources. Because the lock state lives in this cache, an evicted account is also unlocked early, so a full cache is worth noticing. To help detect such an attack, EDG logs a warning in The EDG log when the cache size limit has been reached and entries are being removed prematurely. Here "premature" means that either the lockoutDuration has not yet expired for the entry, or that the account has been in the cache for less than lockoutCacheRemovalWarningDuration seconds (default 3600, or 1 hour).
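The following Python model illustrates the behaviour described above: the consecutive-failure counter, the timed lock, the "less than 1 disables it" rule, and the bounded cache that evicts its oldest entry and flags premature evictions. It is an added example and not EDG's own implementation or its setup-file syntax; only the setting names and defaults come from this page. The class and method names, the injectable clock, the string results of attempt(), and the assumption that an unlocked entry is also forgotten once lockoutDuration has passed since its last failure are all choices made here for illustration.

```python
"""Constructed model of a LockOutRealm-style lockout cache (not EDG code)."""
from collections import OrderedDict
from dataclasses import dataclass
import logging
import time

log = logging.getLogger("lockout")


@dataclass
class LockoutSettings:
    # Setting names and defaults as documented for the EDG setup file.
    lockoutFailureCount: int = 5                     # a value < 1 disables lockout
    lockoutDuration: int = 300                       # seconds an account stays locked
    lockoutCacheSize: int = 1000                     # maximum accounts tracked
    lockoutCacheRemovalWarningDuration: int = 3600   # "premature" eviction threshold


@dataclass
class _Entry:
    failures: int
    first_failure: float   # when the account entered the cache
    last_failure: float    # the lock timer runs from the failure that locked it


class LockoutCache:
    def __init__(self, settings: LockoutSettings, clock=time.monotonic):
        self.s = settings
        self.clock = clock                 # assumed: injectable clock, so tests can advance time
        self.entries: "OrderedDict[str, _Entry]" = OrderedDict()  # insertion order = oldest first
        self.premature_removals = 0        # how often the documented warning would have fired

    def _expired(self, e: _Entry, now: float) -> bool:
        # Assumption: any entry (locked or not) is forgotten lockoutDuration after its last failure.
        return now - e.last_failure >= self.s.lockoutDuration

    def is_locked(self, user: str) -> bool:
        e = self.entries.get(user)
        if e is None:
            return False
        if self._expired(e, self.clock()):
            del self.entries[user]         # lockoutDuration elapsed: the account is free again
            return False
        return self.s.lockoutFailureCount >= 1 and e.failures >= self.s.lockoutFailureCount

    def attempt(self, user: str, password_ok: bool) -> str:
        """Process one login attempt; returns 'locked', 'failed' or 'ok'."""
        now = self.clock()
        if self.is_locked(user):
            return "locked"                # a locked account is refused even with the right password
        if password_ok:
            self.entries.pop(user, None)   # a successful login clears the failure history
            return "ok"
        e = self.entries.get(user)
        if e is None:
            self._evict_if_full(now)       # make room before tracking a new account
            e = self.entries[user] = _Entry(0, now, now)
        e.failures += 1
        e.last_failure = now
        if self.is_locked(user):
            log.warning("account %s locked after %d consecutive failures", user, e.failures)
        return "failed"

    def _evict_if_full(self, now: float) -> None:
        """Bounded cache: drop the oldest entry so a flood of bogus user names cannot exhaust memory."""
        while len(self.entries) >= self.s.lockoutCacheSize:
            victim, e = self.entries.popitem(last=False)
            # Premature = lock/failure window still running, or entry younger than the warning threshold.
            premature = (not self._expired(e, now)
                         or now - e.first_failure < self.s.lockoutCacheRemovalWarningDuration)
            if premature:
                self.premature_removals += 1
                log.warning("lockout cache full (%d entries); removed %s prematurely, possible DoS",
                            self.s.lockoutCacheSize, victim)
```

Evicting the oldest entry keeps memory bounded, but it also means that with a full cache an attacker who cycles through invalid user names can push a genuinely locked account out of the cache and unlock it early; the premature-removal warning is the signal that this trade-off is being exercised, which is why it should be monitored rather than suppressed.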

Note

If you are using LDAP Authentication, your directory server (for example Active Directory) may enforce its own Account Lockout Policy. If so, TopQuadrant recommends disabling the EDG Lockout Feature, because two independent lockout counters and durations can lead to unexpected results when both are enabled.