JAAS Timed Login Module
The OWASP JAAS Timed Login Module is an implementation of a JAAS LoginModule that provides an escalating time based lockout facility and authentication against a database. This could be used to prevent brute force attacks against the authentication service. The module is based on the DBLogin module from http://free.tagish.net/jaas/
- Authentication against a database using JDBC for users and roles
- Password stored as SHA-256 hash
- Incremental time based lockout
- svn checkout http://owasp-java.googlecode.com/svn/trunk/OWASPJaasLoginModule .
- Code has been tested with local code access security.
- NOTE: Extensitve testing has not been performed, this should be considered experimental code.
- Create an example of integrating JAAS with an application server such as JBoss
- Use a salted hash
- Provide an audit log
- Fix the authorisation unit tests
The project is a valid NetBeans project, but will require importing using a different IDE. The build file contains three database targets for starting, populating and stopping the hsqldb database. The expected database structure is also in the build file. This same structure and sample data is replicated in the jaastestdb.xml file which is used to create and populate and the junit test cases. A main method is provided in Standalone.java which allows keyboard login.
The key configuration files for the module are:
- login.test.conf - which contains the module's main configuration parameters:
- userTable = name of the table that contains the username and hashed passwords
- loginTable = table name for storing the login data
- roleMapTable = table to link users with roles
- clippingLevel = number of failed logins that will trigger the timeout
- interval = time in seconds to delay the next permitted auth. The first delay after the timeout is triggered will be 'interval' seconds, the second 'interval*2', the third 'interval*3', etc.
- test.security.policy - Java security policy file used for the unit tests.
The unit tests and the standalone application should be run with the following arguments:
-Djava.security.auth.login.config=file:login.test.conf -Djava.security.manager -Djava.security.policy==test.security.policy